RE : RE : RE : RE : how to access Subject after authentification

2004-07-21 Thread LERBSCHER Jean-Pierre
The command line is OK!

But I have an exception:

Caused by: java.io.IOException: Impossible de trouver une configuration de connexion
    at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
    at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:95)
    ... 33 more

I set

JAVA_OPTS=-DJAVA_OPTS=-Djava.security.auth.login.config=%CATALINA_HOME%\conf\Sample_jaas.config

The class that instantiates the login context is located in common/classes.

The standard Catalina.policy contains this permission:

grant codeBase "file:${catalina.home}/common/-" {
    permission java.security.AllPermission;
};

Any ideas?

Thanks in advance!


how to access Subject after authentification

2004-07-20 Thread LERBSCHER Jean-Pierre
Hi,

I am using a JAAS authentification module to authenticate users within Tomcat
5.0.27.

After the authentification, I want to control access to resources (like EJBs
deployed in a WebLogic application server).

To control access, I have to use the WebLogic API with the Subject instance
delivered by authentification to Tomcat.

The problem is: how can I get the Subject object? I tried
session.getAttribute("javax.security.auth.subject"); but it seems that I
can't access this information!

Any ideas?

Thanks,



RE: how to access Subject after authentification

2004-07-20 Thread Matt Harrison
Hi

I had a similar question a while back and never really got it fully
resolved, but I found that Tomcat doesn't save the subject as a session
attribute.

However in your case you don't need to access the subject. In the web.xml
file for your app, you can define what roles have access to each resource
(jsp, servlet) and have your JAAS login module assign these roles to the
subject - i.e. container managed security. 

e.g. add to web.xml (gives access to logins with role user to all of your
application):

  <security-constraint>
      <web-resource-collection>
          <web-resource-name>myApplication</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
          <role-name>user</role-name>
      </auth-constraint>
  </security-constraint>
  <security-role>
      <role-name>user</role-name>
  </security-role>

see the tomcat docs for more info

Matt




RE : how to access Subject after authentification

2004-07-20 Thread LERBSCHER Jean-Pierre
Thanks Matt !
My problem is that I have to call EJBs deployed in a WebLogic application server
from servlet components. I use the WebLogic API to propagate the security
information from Tomcat to WLS. This API uses the Subject! Thus it is
necessary that I can reach it.




RE: RE : how to access Subject after authentification

2004-07-20 Thread Matt Harrison
Sorry for mis-reading your email

If anybody out there knows how to retrieve the Subject, Jean-Pierre and I
would most appreciate it!

But, if, as I suspect, this is not part of the current servlet spec, and
thus not part of Tomcat, can I make a request for this to be included next
time round?

I work around this by concatenating all the information I require from the
subject into the Principal's name in my JAAS login module, as a
java.security.Principal object is available from the request object in
Tomcat. But I guess this isn't an option for this problem.

Matt




Re: RE : how to access Subject after authentification

2004-07-20 Thread Jeanfrancois Arcand
Two ways:

httpSession.getAttribute("javax.security.auth.subject")

or

Subject.getSubject(AccessController.getContext())

-- Jeanfrancois


RE: RE : how to access Subject after authentification

2004-07-20 Thread Matt Harrison
I have tried both of these and they both return null!




RE : RE : how to access Subject after authentification

2004-07-20 Thread LERBSCHER Jean-Pierre
Matt, I agree with you! I tried the two methods and I get the same result
(null)!
Perhaps we have to configure Tomcat properly (?) so that it can record the
subject in the session. Perhaps an authenticator?
Jean François! Any ideas?

The second method is
Subject.getSubject(java.security.AccessController.getContext());
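
The JAAS behaviour behind the null result discussed above, as an added example (not code from this thread or from Tomcat): Subject.getSubject(AccessController.getContext()) returns a Subject only for code running inside Subject.doAs(...), so a completed login alone is not enough. The class names, the "Sample" application name and the principals are constructed for illustration, an in-memory Configuration stands in for the login config file, and a JDK where these Security Manager era APIs are still supported (Java 8 to 17) is assumed.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class SubjectLookupDemo {

    /** Hypothetical principal type, standing in for what a real login module adds. */
    public static final class DemoPrincipal implements Principal {
        private final String name;
        public DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof DemoPrincipal && ((DemoPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "DemoPrincipal[" + name + "]"; }
    }

    /** Hypothetical login module: accepts every login and adds constructed principals. */
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }
        @Override public boolean login() { return true; }
        @Override public boolean commit() {
            subject.getPrincipals().add(new DemoPrincipal("jdoe"));  // constructed user
            subject.getPrincipals().add(new DemoPrincipal("user"));  // constructed role
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() {
            subject.getPrincipals().clear();
            return true;
        }
    }

    /** In-memory stand-in for the file named by java.security.auth.login.config. */
    static Configuration inMemoryConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                if (!"Sample".equals(appName)) {
                    return null; // unknown application name: no login modules
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(DemoLoginModule.class.getName(),
                            LoginModuleControlFlag.REQUIRED,
                            Collections.<String, Object>emptyMap())
                };
            }
        };
    }

    /** The "second method" from the thread. */
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("Sample", null, null, inMemoryConfig());
        lc.login();
        Subject authenticated = lc.getSubject();

        // A successful login alone binds nothing to the calling thread's context.
        Subject outside = currentSubject();

        // Only code running under Subject.doAs sees the Subject in its context.
        Subject inside = Subject.doAs(authenticated,
                (PrivilegedAction<Subject>) SubjectLookupDemo::currentSubject);

        System.out.println("after login, outside doAs: " + outside);
        System.out.println("inside doAs is the login Subject: " + (inside == authenticated));
        System.out.println("principals: " + authenticated.getPrincipals());
    }
}
```

In a servlet, the same rule applies: the lookup can only succeed if the container or the application runs the calling code inside Subject.doAs with the authenticated Subject.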


Re: RE : RE : how to access Subject after authentification

2004-07-20 Thread Jeanfrancois Arcand
Are you both running with the security manager on? I think that's the 
problem...

-- Jeanfrancois

RE : RE : RE : how to access Subject after authentification

2004-07-20 Thread LERBSCHER Jean-Pierre
Could you tell me what the correct configuration is to access the JAAS login
file with this security manager?
Thanks

-Message d'origine-
De : Jeanfrancois Arcand [mailto:[EMAIL PROTECTED] 
Envoyé : mardi 20 juillet 2004 18:42
À : Tomcat Users List
Objet : Re: RE : RE : how to access Subject after authentification

Are you both running with the security manager on? I think that's the 
problem...

-- Jeanfrancois

LERBSCHER Jean-Pierre wrote:

Matt I am ok with you! I try the two methods and I have the same results
(null) !
Perhaps we have to configure properly tomcat (?) so that it can record the
subject in the session. Perhaps an authenticator ?
Jean François ! any ideas ?

The second method is
Subject.getSubject(java.security.AccessController.getContext());

-Message d'origine-
De : Matt Harrison [mailto:[EMAIL PROTECTED] 
Envoyé : mardi 20 juillet 2004 17:42
À : 'Tomcat Users List'
Objet : RE: RE : how to access Subject after authentification

I have tried both of these and they both return null!

  

-Original Message-
From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 16:30
To: Tomcat Users List
Subject: Re: RE : how to access Subject after authentification


Two ways:

httpSession.getAttribute(javax.security.auth.subject)

or

Subject.getSubject(AccessControl.getContext())

-- Jeanfrancois

Matt Harrison wrote:



Sorry for mis-reading your email

If anybody out there knows how to retrieve the Subject, 
  

Jean-Pierre and I


would most appreciate it!

But, if, as I suspect, this is not part of the current 
  

servlet spec, and


thus not part of Tomcat, can I make a request for this to be 
  

included next


time round?

I work around this by concatenating all the information I 
  

require from the


subject into the Principal's name in my JAAS login module, as a
java.security.Principal object is available from the request 
  

object in


Tomcat. But I guess this isn't an option for this problem.

Matt

 

  

-Original Message-
From: LERBSCHER Jean-Pierre 
[mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 15:40
To: 'Tomcat Users List'
Subject: RE : how to access Subject after authentification 


Thanks Matt !
My problem is that have to call EJB deployed in Weblogic 
application server


from servlet components. I use the weblogic api to propagate 
  

the security
information from tomcat to WLS. This api uses the subject! 


Thus it is


necessary that I can reach it.

-Message d'origine-
De : Matt Harrison [mailto:[EMAIL PROTECTED] 
Envoyé : mardi 20 juillet 2004 15:59
À : 'Tomcat Users List'
Objet : RE: how to access Subject after authentification 

Hi

I had a similar question a while back and never really got it fully
resolved, but I found that Tomcat doesn't save the subject as a session
attribute.

However in your case you don't need to access the subject. In the web.xml
file for your app, you can define what roles have access to each resource
(jsp, servlet) and have your JAAS login module assign these roles to the
subject - i.e. container managed security.

e.g. add to web.xml (gives access to logins with role user to all of your
application):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>myApplication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>user</role-name>
</security-role>

see the tomcat docs for more info

Matt

   



-Original Message-
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 14:42
To: '[EMAIL PROTECTED]'
Subject: how to access Subject after authentification

Hi,

I am using JAAS authentication module to authenticate user within tomcat
5.0.27.

After the authentication, I want to control access to resources (like ejb
deployed in weblogic application server).

To control access, I have to use weblogic api with the Subject instance
delivered by authentication to tomcat.

The problem is : how can I get the subject object.. I try
session.getAttribute("javax.security.auth.subject"); but it seems that I
can't access this information !

Any ideas?

Thanks,


 

  




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED
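
The second lookup discussed in this thread, Subject.getSubject(AccessController.getContext()), only finds a Subject that Subject.doAs or doAsPrivileged has bound to the calling code's access control context. The following is an added example, not code from the thread or from Tomcat; the class and principal names are hypothetical, the Subject is constructed by hand, and it assumes a JDK on which these calls are still supported (Java 8 to 17).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

/** Added illustration; class and principal names are hypothetical. */
public class SubjectContextDemo {

    /** Minimal Principal standing in for what a JAAS login module would add. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /** The lookup from the thread: the Subject bound to the current context, or null. */
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) {
        // Constructed subject; after a real login it comes from LoginContext.getSubject().
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal("jean-pierre"));
        subject.getPrincipals().add(new NamedPrincipal("user")); // role-style principal

        // Nothing has bound a Subject to this thread's context, so the lookup finds none.
        System.out.println("outside doAs: " + currentSubject());

        // doAs binds the subject for the duration of the action only.
        Subject inside = Subject.doAs(subject,
                (PrivilegedAction<Subject>) SubjectContextDemo::currentSubject);
        System.out.println("inside doAs, same instance: " + (inside == subject));
        System.out.println("principals seen inside: " + inside.getPrincipals());

        // The binding ends when the action returns.
        System.out.println("after doAs: " + currentSubject());
    }
}
```

Code that needs the Subject further down the call chain has to run inside the doAs action, or receive the Subject explicitly as a parameter.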

Re: RE : RE : RE : how to access Subject after authentification

2004-07-20 Thread Jeanfrancois Arcand

LERBSCHER Jean-Pierre wrote:

Could you tell me what is the correct configuration to access the jaas login
file with this security manager.

You need to start Tomcat using the -security

./catalina.sh start -security

-- Jeanfrancois

Thanks
-Original Message-
From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]
Sent: Tuesday 20 July 2004 18:42
To: Tomcat Users List
Subject: Re: RE : RE : how to access Subject after authentification

Are you both running with the security manager on? I think that's the 
problem...

-- Jeanfrancois

LERBSCHER Jean-Pierre wrote:

Matt I am ok with you! I try the two methods and I have the same results
(null) !
Perhaps we have to configure properly tomcat (?) so that it can record the
subject in the session. Perhaps an authenticator ?
Jean François ! any ideas ?

The second method is
Subject.getSubject(java.security.AccessController.getContext());

-Original Message-
From: Matt Harrison [mailto:[EMAIL PROTECTED]
Sent: Tuesday 20 July 2004 17:42
To: 'Tomcat Users List'
Subject: RE: RE : how to access Subject after authentification

I have tried both of these and they both return null!

   

-Original Message-
From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 16:30
To: Tomcat Users List
Subject: Re: RE : how to access Subject after authentification

Two ways:

httpSession.getAttribute("javax.security.auth.subject")

or

Subject.getSubject(AccessController.getContext())

-- Jeanfrancois

Matt Harrison wrote:

Sorry for mis-reading your email

If anybody out there knows how to retrieve the Subject, Jean-Pierre and I
would most appreciate it!

But, if, as I suspect, this is not part of the current servlet spec, and
thus not part of Tomcat, can I make a request for this to be included next
time round?

I work around this by concatenating all the information I require from the
subject into the Principal's name in my JAAS login module, as a
java.security.Principal object is available from the request object in
Tomcat. But I guess this isn't an option for this problem.

Matt

-Original Message-
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 15:40
To: 'Tomcat Users List'
Subject: RE : how to access Subject after authentification

Thanks Matt !
My problem is that I have to call EJB deployed in Weblogic application
server from servlet components. I use the weblogic api to propagate the
security information from tomcat to WLS. This api uses the subject! Thus it
is necessary that I can reach it.

-Original Message-
From: Matt Harrison [mailto:[EMAIL PROTECTED]
Sent: Tuesday 20 July 2004 15:59
To: 'Tomcat Users List'
Subject: RE: how to access Subject after authentification

Hi

I had a similar question a while back and never really got it fully
resolved, but I found that Tomcat doesn't save the subject as a session
attribute.

However in your case you don't need to access the subject. In the web.xml
file for your app, you can define what roles have access to each resource
(jsp, servlet) and have your JAAS login module assign these roles to the
subject - i.e. container managed security.

e.g. add to web.xml (gives access to logins with role user to all of your
application):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>myApplication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>user</role-name>
</security-role>

see the tomcat docs for more info

Matt
 

  

 

-Original Message-
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]
Sent: 20 July 2004 14:42
To: '[EMAIL PROTECTED]'
Subject: how to access Subject after authentification

Hi,

I am using JAAS authentication module to authenticate user within tomcat
5.0.27.

After the authentication, I want to control access to resources (like ejb
deployed in weblogic application server).

To control access, I have to use weblogic api with the Subject instance
delivered by authentication to tomcat.

The problem is : how can I get the subject object.. I try
session.getAttribute("javax.security.auth.subject"); but it seems that I
can't access this information !

Any ideas?

Thanks,
   



   


  

 
