All,

Please find attached my securityfilter realm adaptor. The other code I
was waiting for hasn't materialised, so I couldn't do any comparison -
but it seems to work for me... Good luck, and any probs just shout.

And nope, I have no idea if the extra functionality is to be resolved
in the near future within an updated container specification. Anyone
know how we could 'force' the issue?

Regards,

Sean
-- 
Dr. Sean Radford, MBBS, MSc
<[EMAIL PROTECTED]>
http://bladesys.demon.co.uk/
Blade Systems

On Wed, 2003-07-09 at 15:33, Erez Efrati wrote:
> Sean,
> 
> many thanks for keeping up with my questions - appreciate it. And yes
> you are correct. I am using JBoss 3.0.7 / Tomcat 4.1.24. By the way have
> you got any idea if this issue is about to be resolved at the Servlet
> Container Spec ? 
> 
> Thanks,
> Erez
> 
> 
> 
> -----Original Message-----
> From: Sean Radford [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, July 09, 2003 11:19 AM
> To: Struts Users Mailing List
> Subject: RE: Login Form
> 
> On Tue, 2003-07-08 at 20:34, Erez Efrati wrote:
> > Thanks Sean, 
> > 
> > I looked at it and it does avoid the BIG limitation posed by the
> > standard spec in fact. Still I cannot use it since it disables the
> > passing of the principal identity through calls to EJB methods.
> > 
> That's what it says in the introductory documentation, but...
> 
> You're using JBoss/Tomcat, right? Well give me a day and I'll email you a
> class that should do all you want... It's a RealmAdaptor for
> securityfilter/JBoss that uses the JBoss security extension and so
> correctly instantiates the Principal for the EJB layer. It works for me
> with JBoss4/Jetty, so you should give it a try. (I'm waiting on some
> code from another guy who's done similar and so just want to compare -
> if his stuff doesn't arrive shortly, I'll send mine as is)
> 
> 
> > Now, I am new to web development and it amazes me that such a
> > basic feature is missing from the Servlet spec and is not addressed. Why is
> > it that way? Is it so unusual to want to have the login fields on the
> > start page??
> 
> Not unusual at all... And many Java sites have it that way, but they
> don't necessarily use container authentication and they probably don't
> use EJBs (many people steer clear - deep-seated reservations from 1.0
> still abound).
> 
> If I get time I'm going to try and get the Jetty guys to 'surface' their
> web Authenticators to allow developers to roll their own... I've looked
> at the code and it shouldn't be too difficult - one or two areas I'm not
> sure about, but...
> 
> 
> > 
> > Thanks,
> > Erez 
> > 
> > 
> > -----Original Message-----
> > From: Sean Radford [mailto:[EMAIL PROTECTED] 
> > Sent: Tuesday, July 08, 2003 8:21 PM
> > To: Struts Users Mailing List
> > Subject: RE: Login Form
> > 
> > Have a look at this (you may find what you want):
> > 
> > http://sourceforge.net/projects/securityfilter/
> > 
> > Sean
> > 
> > 
> > > -----Original Message-----
> > > From: Erez Efrati [mailto:[EMAIL PROTECTED] 
> > > Sent: July 8, 2003 10:11 AM
> > > To: 'Struts Users Mailing List'
> > > Subject: Login Form
> > > 
> > > 
> > > Hi,
> > > 
> > > My question is a bit off Struts but still, since I am using Struts
> > > and it's too urgent for me, I thought to try my luck here; maybe someone
> > > has stumbled on this issue too.
> > > 
> > > I am running JBoss/Tomcat/Struts using the JAAS for handling the
> > > application security aspects. I have used the
> > > <auth-method>FORM</auth-method> clauses inside the Web.xml file.
> > > 
> > > In my web site I want the site home page to also have a
> > > small login form where the user could enter username and password and
> > > log in to the site. The home page contains other links as well, which lead to
> > > other parts of the site or even to external pages on other sites.
> > > 
> > > From what I've read so far, it seems to me that the FORM method is
> > > activated only when the web user tries to access a protected page.
> > > Then the Web Server (Tomcat in my case) returns the loginPage stated in
> > > the Web.xml file, and only after the login is performed
> > > (j_security_check) does Tomcat redirect the web user to the original
> > > protected page.
> > > 
> > > Is it possible to have the site home page as the login page while still
> > > using the mechanisms of FORM and JAAS? If so I would really appreciate any
> > > help on how to do it, and what configurations are required. 
> > > 
> > > Thanks,
> > > Erez
> > > 
> > > 
> > > 
> > >
> ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]

/*
 * @author sradford
 * <p>Created 07-Jul-2003</p>
 * <p>Copyright © 2002-2003, Aegeus Technology Limited.</p>
 * <p>All rights reserved.</p>
 * <p>Use as you desire with no liability to the author.</p>
 */
package com.aegeus.securityfilter;

import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectSecurityManager;
import org.securityfilter.realm.SecurityRealmInterface;

/**
 * securityfilter realm adapter that delegates authentication and role
 * checks to the JBoss security manager bound under java:comp/env/security.
 * On a successful login the principal and credential are also placed in the
 * JBoss SecurityAssociation, so that EJB calls made from the web tier during
 * the request carry the caller's identity.
 *
 * @author sradford
 */
public class JBossRealmAdapter implements SecurityRealmInterface {

	private static final Log log = LogFactory.getLog(JBossRealmAdapter.class);

	private InitialContext iniCtx = null;
	private Context securityCtx = null;


	/*
	 * Validates username/password against the JBoss SubjectSecurityManager.
	 * Returns the authenticated Principal, or null when the credentials are
	 * rejected or the security context cannot be reached (failures are only
	 * logged at debug level, which is the securityfilter contract for a
	 * failed login).
	 * @see org.securityfilter.realm.SecurityRealmInterface#authenticate(java.lang.String, java.lang.String)
	 */
	public Principal authenticate(String username, String password) {
		try {
			SubjectSecurityManager subSecMgr = getSecurityManager();
			SimplePrincipal p = new SimplePrincipal(username);
			char[] pChars = password.toCharArray();
			if (subSecMgr.isValid(p, pChars)) {
				// Bind the identity and credential to the current thread so the
				// JBoss EJB layer sees the same Principal as the web tier.
				SecurityAssociation.setPrincipal(p);
				SecurityAssociation.setCredential(pChars);
				return p;
			}
		} catch (Exception e) {
			log.debug(e);
		}
		return null;
	}


	/*
	 * Asks the JBoss RealmMapping whether the principal holds the named role.
	 * A JNDI failure is treated as "not in role" and logged at debug level.
	 * @see org.securityfilter.realm.SecurityRealmInterface#isUserInRole(java.security.Principal, java.lang.String)
	 */
	public boolean isUserInRole(Principal principal, String rolename) {
		Set set = new HashSet();
		set.add(new SimplePrincipal(rolename));
		try {
			return getRealmMapping().doesUserHaveRole(principal, set);
		} catch (NamingException e) {
			log.debug(e);
			return false;
		}
	}

	// Looks up the "securityMgr" binding and checks it is a SubjectSecurityManager.
	private SubjectSecurityManager getSecurityManager()
		throws NamingException {
		try {
			AuthenticationManager authMgr =
				(AuthenticationManager) getSecurityContext().lookup(
					"securityMgr");
			if (authMgr instanceof SubjectSecurityManager) {
				return (SubjectSecurityManager) authMgr;
			}
			throw new IllegalStateException(
				"java:comp/env/security/securityMgr is not of type SubjectSecurityManager: "
					+ authMgr.getClass().getName());
		} catch (NamingException e) {
			log.error(
				"java:comp/env/security does not appear to be correctly set up",
				e);
			throw e;
		}
	}

	// Looks up the "realmMapping" binding used for role checks.
	private RealmMapping getRealmMapping() throws NamingException {
		try {
			return (RealmMapping) getSecurityContext().lookup("realmMapping");
		} catch (NamingException e) {
			log.error(
				"java:comp/env/security does not appear to be correctly set up",
				e);
			throw e;
		}
	}

	// Lazily created and cached; synchronized because the filter is shared
	// across request threads.
	private synchronized InitialContext getInitialContext()
		throws NamingException {
		if (iniCtx == null) {
			iniCtx = new InitialContext();
		}
		return iniCtx;
	}

	// Cached sub-context holding the securityMgr and realmMapping bindings.
	private synchronized Context getSecurityContext() throws NamingException {
		if (securityCtx == null) {
			securityCtx =
				(Context) getInitialContext().lookup("java:comp/env/security");
		}
		return securityCtx;
	}

}
