Re: [JBoss-user] Form based authentication
You can do quite a bit (if you authenticate via SQL database) with views to implement similar features while using container managed security. I have several criteria that go into deciding whether or not a user can authenticate to my app, and they all get accounted for with my view. The view presents the container with the simple user/role structure that it wants, but the underlying data is more complex than that and encompasses multiple tables. Dunno how this would work if you don't have a SQL DB though (like LDAP or other mechanism).

gary.

Rod Macpherson wrote:

... If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against yourself ?

Here are some situations where container managed security is not necessarily the best choice:

1. It's 5:00 PM; users in group X are forbidden from posting.
2. Alice is in the penalty box for a week for violating the TOS.
3. Host foo.bar.com has exceeded its access quota for the day.
4. Bob is now listed in the Big Spenders table, so enable high-markup pages.

Using roll-your-own security can be developed using the same easy-to-manage aspect-oriented techniques as deployment descriptors but without the restrictions. Also, a lot of times you want a power user or manager to control security versus the application deployer.

- Original Message -
From: "Guy Rouillier" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 10:55 PM
Subject: Re: [JBoss-user] Form based authentication

- Original Message -
From: "Silvester van der Bijl" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 8:45 PM
Subject: Re: [JBoss-user] Form based authentication

Hello,

You're doing exactly what I want to do, only I want to use container managed security. If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against e.g. a database yourself ?

Yes.
Re: [JBoss-user] Form based authentication
... If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against yourself ?

Here are some situations where container managed security is not necessarily the best choice:

1. It's 5:00 PM; users in group X are forbidden from posting.
2. Alice is in the penalty box for a week for violating the TOS.
3. Host foo.bar.com has exceeded its access quota for the day.
4. Bob is now listed in the Big Spenders table, so enable high-markup pages.

Using roll-your-own security can be developed using the same easy-to-manage aspect-oriented techniques as deployment descriptors but without the restrictions. Also, a lot of times you want a power user or manager to control security versus the application deployer.

- Original Message -
From: Guy Rouillier [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 10:55 PM
Subject: Re: [JBoss-user] Form based authentication

- Original Message -
From: Silvester van der Bijl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 8:45 PM
Subject: Re: [JBoss-user] Form based authentication

Hello,

You're doing exactly what I want to do, only I want to use container managed security. If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against e.g. a database yourself ?

Yes.
Re: [JBoss-user] Form based authentication
I can share what we do using form-based authentication. We've rolled our own authentication mechanism, and have JBoss and Tomcat on different servers. This may be what you mean by login form on each page - I'm not clear.

At any rate, at the top of each page, the developer has

<%@ include file="/common/html/authenheader.jsp" %>

and at the bottom is

<%@ include file="/common/html/authentrailer.jsp" %>

The header opens a try block. In there, it checks the session to see if the user is logged on. If not, it stores request.getRequestURI in the session and redirects to login_form.jsp. In login_hdlr.jsp, if the userid and password validate, the session is updated and a redirect to the stored target is executed. authentrailer closes the try block and handles exceptions.

- Original Message -
From: Silvester van der Bijl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 24, 2003 8:22 PM
Subject: Re: [JBoss-user] Form based authentication

David,

Thanks for the suggestion. I do have a login form on each page (that is until the user logs in :-) ). I did think of something like you're describing, but I just figured there had to be a better way. I found some more information on that AuthenticationInterceptor, but as far as I can figure, you can't tell JBoss/Jetty to use a different interceptor for this. Besides, it seems kind of overkill to write a custom class just to allow direct requests to a login page. Any other thoughts ?

Silvester

Quoting David Ward:

Silvester,

I'll share what I do. I have a single servlet that is a central controller that delegates processing and dispatches requests to JSPs (based on pathInfo). However, *I have 2 servlet mappings to it*.

/myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo (and request params) tell me how to process and where to request dispatch to.

/myapp/sweb/pathInfo - same as above except sweb (notice the s) is a different mapping *to the same servlet*, except it also is a web protected resource.

I have a dynamic login/logout link on each page (based on principal in request), which simply links back to itself except replacing web with sweb. After the user logs in, he/she ends up visually back to where he/she started, though the path in the url is a bit different.

Now, it sounds like you have an actual login form on each of your pages. I've not done that, but I'm guessing you could do the same thing as me, except just pass along the username and password to a dummy login with no display that onLoad (JavaScript) simply submits for you. But 1) that seems hokey, and 2) you would want to make sure you're using SSL otherwise your username and password are plain-text'ing over the net.

What do other people do in this circumstance?

David

Quoting Silvester van der Bijl [EMAIL PROTECTED]:

Hi there,

We've got a web application which on each page displays a login box if the user isn't authenticated, or otherwise his personal menu, etc... The problem is, that after successfully authenticating a user (j_security_check target), Jetty doesn't know where to redirect the user to since I made a direct request to the login page (sort of). Shouldn't there be an additional property for j_security_check, like j_onsuccess_redirect_to ? Does anyone know of a workaround for this problem ? I've read about using a custom AuthenticationInterceptor, only I can't find where this interceptor is configured ?

Please help.

Silvester
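Guy's header/trailer flow, written out as an added example (my code, not Guy's): the session check as a servlet filter instead of an include on every page, plus the two things a login handler should do before redirecting to the stored target, validate it and issue a fresh session. login_form.jsp and login_hdlr.jsp are Guy's names; the class, the attribute keys and the onLoginSuccess helper are assumptions of mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* The authenheader.jsp check as a filter. Map it (in web.xml) to the pages that
 * need a login, but not to login_form.jsp or login_hdlr.jsp, or every request
 * would bounce straight back to the login form. Names below are assumptions. */
public class AuthenFilter implements Filter {
    static final String USER_KEY = "authen.user";     // set once credentials validate
    static final String TARGET_KEY = "authen.target"; // where to return after login

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        if (session.getAttribute(USER_KEY) != null) {
            chain.doFilter(request, response); // logged on: run the page
            return;
        }
        // getRequestURI() has no query string; keep it so the user comes back to
        // the same page with the same parameters, not just the same path.
        String target = req.getRequestURI();
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        session.setAttribute(TARGET_KEY, target);
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/login_form.jsp"));
    }

    /* Accepts the stored target only if it is a path inside this web application,
     * otherwise the home page. The filter writes the value itself, but a handler
     * later changed to read the target from a request parameter would otherwise
     * become an open redirect, so the check belongs in the handler regardless. */
    static String safeTarget(String stored, String contextPath) {
        String home = contextPath + "/";
        if (stored == null || !stored.startsWith(home)) return home;   // absolute URL or foreign path
        if (stored.startsWith(contextPath + "//")) return home;         // scheme-relative //host form
        if (stored.indexOf("..") >= 0 || stored.indexOf('\\') >= 0) return home; // path escape
        for (int i = 0; i < stored.length(); i++) {
            if (stored.charAt(i) < 0x20) return home;                   // header injection characters
        }
        if (stored.startsWith(contextPath + "/login_")) return home;    // never loop into login pages
        return stored;
    }

    /* What login_hdlr.jsp does once the userid and password validate. */
    static void onLoginSuccess(HttpServletRequest req, HttpServletResponse resp, String userId)
            throws IOException {
        HttpSession old = req.getSession(true);
        String target = safeTarget((String) old.getAttribute(TARGET_KEY), req.getContextPath());
        old.invalidate();                       // fresh session id after login (session fixation)
        req.getSession(true).setAttribute(USER_KEY, userId);
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```

authentrailer's try/catch has no equivalent here because the filter never runs page code itself; exceptions from the page still propagate through chain.doFilter to the container's error page.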
Re: [JBoss-user] Form based authentication
Hello,

You're doing exactly what I want to do, only I want to use container managed security. If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against e.g. a database yourself ? The reason why I want to do this, is because the web application is just one of the applications talking to session beans (all protected or using roles from a custom login module).

Silvester

Quoting Guy Rouillier:

I can share what we do using form-based authentication. We've rolled our own authentication mechanism, and have JBoss and Tomcat on different servers. This may be what you mean by login form on each page - I'm not clear.

At any rate, at the top of each page, the developer has

<%@ include file="/common/html/authenheader.jsp" %>

and at the bottom is

<%@ include file="/common/html/authentrailer.jsp" %>

The header opens a try block. In there, it checks the session to see if the user is logged on. If not, it stores request.getRequestURI in the session and redirects to login_form.jsp. In login_hdlr.jsp, if the userid and password validate, the session is updated and a redirect to the stored target is executed. authentrailer closes the try block and handles exceptions.

- Original Message -
From: Silvester van der Bijl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, February 24, 2003 8:22 PM
Subject: Re: [JBoss-user] Form based authentication

David,

Thanks for the suggestion. I do have a login form on each page (that is until the user logs in :-) ). I did think of something like you're describing, but I just figured there had to be a better way. I found some more information on that AuthenticationInterceptor, but as far as I can figure, you can't tell JBoss/Jetty to use a different interceptor for this. Besides, it seems kind of overkill to write a custom class just to allow direct requests to a login page. Any other thoughts ?

Silvester

Quoting David Ward:

Silvester,

I'll share what I do. I have a single servlet that is a central controller that delegates processing and dispatches requests to JSPs (based on pathInfo). However, *I have 2 servlet mappings to it*.

/myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo (and request params) tell me how to process and where to request dispatch to.

/myapp/sweb/pathInfo - same as above except sweb (notice the s) is a different mapping *to the same servlet*, except it also is a web protected resource.

I have a dynamic login/logout link on each page (based on principal in request), which simply links back to itself except replacing web with sweb. After the user logs in, he/she ends up visually back to where he/she started, though the path in the url is a bit different.

Now, it sounds like you have an actual login form on each of your pages. I've not done that, but I'm guessing you could do the same thing as me, except just pass along the username and password to a dummy login with no display that onLoad (JavaScript) simply submits for you. But 1) that seems hokey, and 2) you would want to make sure you're using SSL otherwise your username and password are plain-text'ing over the net.

What do other people do in this circumstance?

David

Quoting Silvester van der Bijl [EMAIL PROTECTED]:

Hi there,

We've got a web application which on each page displays a login box if the user isn't authenticated, or otherwise his personal menu, etc... The problem is, that after successfully authenticating a user (j_security_check target), Jetty doesn't know where to redirect the user to since I made a direct request to the login page (sort of). Shouldn't there be an additional property for j_security_check, like j_onsuccess_redirect_to ? Does anyone know of a workaround for this problem ? I've read about using a custom AuthenticationInterceptor, only I can't find where this interceptor is configured ?

Please help.

Silvester
Re: [JBoss-user] Form based authentication
- Original Message -
From: Silvester van der Bijl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 8:45 PM
Subject: Re: [JBoss-user] Form based authentication

Hello,

You're doing exactly what I want to do, only I want to use container managed security. If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against e.g. a database yourself ?

Yes.
Re: [JBoss-user] Form based authentication
- Original Message -
From: Silvester van der Bijl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 25, 2003 8:45 PM
Subject: Re: [JBoss-user] Form based authentication

You're doing exactly what I want to do, only I want to use container managed security. If I understand you correctly you don't use container managed security (web.xml) and you verify usernames and password against e.g. a database yourself ? The reason why I want to do this, is because the web application is just one of the applications talking to session beans (all protected or using roles from a custom login module).

Yes, we've not addressed that issue at the moment. What happens if a command-line Java application attempts to invoke one of your EJBs?
[JBoss-user] Form based authentication
Hi there,

We've got a web application which on each page displays a login box if the user isn't authenticated, or otherwise his personal menu, etc... The problem is, that after successfully authenticating a user (j_security_check target), Jetty doesn't know where to redirect the user to since I made a direct request to the login page (sort of). Shouldn't there be an additional property for j_security_check, like j_onsuccess_redirect_to ? Does anyone know of a workaround for this problem ? I've read about using a custom AuthenticationInterceptor, only I can't find where this interceptor is configured ?

Please help.

Silvester
Re: [JBoss-user] Form based authentication
Silvester,

I'll share what I do. I have a single servlet that is a central controller that delegates processing and dispatches requests to JSPs (based on pathInfo). However, *I have 2 servlet mappings to it*.

/myapp/web/pathInfo - myapp is the context, web is the servlet, pathInfo (and request params) tell me how to process and where to request dispatch to.

/myapp/sweb/pathInfo - same as above except sweb (notice the s) is a different mapping *to the same servlet*, except it also is a web protected resource.

I have a dynamic login/logout link on each page (based on principal in request), which simply links back to itself except replacing web with sweb. After the user logs in, he/she ends up visually back to where he/she started, though the path in the url is a bit different.

Now, it sounds like you have an actual login form on each of your pages. I've not done that, but I'm guessing you could do the same thing as me, except just pass along the username and password to a dummy login with no display that onLoad (JavaScript) simply submits for you. But 1) that seems hokey, and 2) you would want to make sure you're using SSL otherwise your username and password are plain-text'ing over the net.

What do other people do in this circumstance?

David

Quoting Silvester van der Bijl [EMAIL PROTECTED]:

Hi there,

We've got a web application which on each page displays a login box if the user isn't authenticated, or otherwise his personal menu, etc... The problem is, that after successfully authenticating a user (j_security_check target), Jetty doesn't know where to redirect the user to since I made a direct request to the login page (sort of). Shouldn't there be an additional property for j_security_check, like j_onsuccess_redirect_to ? Does anyone know of a workaround for this problem ? I've read about using a custom AuthenticationInterceptor, only I can't find where this interceptor is configured ?

Please help.

Silvester
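David's two-mapping trick, written out as an added example (my code, not David's): one controller servlet reachable as both /web/* and /sweb/*, with the login link built by swapping only the mapping segment so the container sends the user back to the same page after j_security_check. The web.xml in the comment, the servlet and role names, the /logout path and the JSP directory are all assumptions of mine; the CONFIDENTIAL transport guarantee is the container-side answer to David's SSL point.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Assumed web.xml: one servlet, two mappings, a security-constraint on /sweb/* only.
 *
 *   <servlet-mapping><servlet-name>controller</servlet-name>
 *     <url-pattern>/web/*</url-pattern></servlet-mapping>
 *   <servlet-mapping><servlet-name>controller</servlet-name>
 *     <url-pattern>/sweb/*</url-pattern></servlet-mapping>
 *   <security-constraint>
 *     <web-resource-collection><web-resource-name>secure</web-resource-name>
 *       <url-pattern>/sweb/*</url-pattern></web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *     <!-- David's SSL point: the container will not serve, or log in to, /sweb over plain HTTP -->
 *     <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>FORM</auth-method><form-login-config>
 *     <form-login-page>/login.jsp</form-login-page>
 *     <form-error-page>/login_error.jsp</form-error-page>
 *   </form-login-config></login-config>
 */
public class ControllerServlet extends HttpServlet {

    /** Login link: the current page with the mapping segment swapped to /sweb. */
    static String loginLink(String contextPath, String pathInfo, String queryString) {
        // Only the mapping segment changes; pathInfo and parameters ride along
        // untouched, so after j_security_check the user lands on the same page.
        StringBuffer url = new StringBuffer(contextPath).append("/sweb");
        if (pathInfo != null) url.append(pathInfo);
        if (queryString != null && queryString.length() > 0) url.append('?').append(queryString);
        return url.toString();
    }

    /** Maps pathInfo ("/news") to a JSP under WEB-INF; rejects anything that could escape it. */
    static String viewFor(String pathInfo) {
        String name = (pathInfo == null || pathInfo.length() < 2) ? "index" : pathInfo.substring(1);
        if (name.indexOf("..") >= 0 || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) return null;
        return "/WEB-INF/jsp/" + name + ".jsp";
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getPathInfo())) {
            // Linking back to /web does not end the login; dropping the session does.
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate();
            resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/web/index"));
            return;
        }
        String view = viewFor(req.getPathInfo());
        if (view == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        boolean loggedIn = req.getUserPrincipal() != null; // David's "principal in request"
        req.setAttribute("authLabel", loggedIn ? "Logout" : "Login");
        req.setAttribute("authLink", loggedIn ? req.getContextPath() + "/web/logout"
                : loginLink(req.getContextPath(), req.getPathInfo(), req.getQueryString()));
        // The JSP reads the authLink/authLabel request attributes to render the link.
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```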
[JBoss-user] Form Based authentication not working
Hello

I am using the form based authentication example provided in the examples sub directory of the JBoss-Tomcat installation. The authentication works correctly in Tomcat alone, but with JBoss I get the following error (the stack trace below points to org.jboss.tomcat.security.JBossSecurityMgrRealm.authenticate doing something wrong; I can't even find this file under the src subfolder):

[EmbeddedTomcatSX] Error during authenticate
[EmbeddedTomcatSX] javax.naming.NameNotFoundException: env not bound
[EmbeddedTomcatSX] at org.jnp.server.NamingServer.getBinding(NamingServer.java:473)
[EmbeddedTomcatSX] at org.jnp.server.NamingServer.getBinding(NamingServer.java:481)
[EmbeddedTomcatSX] at org.jnp.server.NamingServer.getObject(NamingServer.java:487)
[EmbeddedTomcatSX] at org.jnp.server.NamingServer.lookup(NamingServer.java:253)
[EmbeddedTomcatSX] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:349)
[EmbeddedTomcatSX] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:457)
[EmbeddedTomcatSX] at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:333)
[EmbeddedTomcatSX] at javax.naming.InitialContext.lookup(Unknown Source)
[EmbeddedTomcatSX] at org.jboss.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:102)
[EmbeddedTomcatSX] at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java:837)
[EmbeddedTomcatSX] at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)

Daljeet Singh
ecExperts India
Ph:- (O) +91-11-4670906 (R) +91-11-7125680
ICQ:- 75129600
Yahoo:- daljeetsinghmaken