I am also doing custom form-based authentication with JRun 3.0 and IIS, but with mixed results.
I had put my custom authentication class in the Web-Inf/classes directory, but JRun cannot locate that file.
So after going through Madhav's reply, I put it in the server's lib directory. That class is now loaded correctly.
The JRun documentation seems to skip this issue. Thanks for your input, Madhav.
Is there a way I can put it in the Web-inf/classes dir. of my app ?
But I have another question as well.
Where should I put the login.html file ?
It works only if I put the file in the InetPub/wwwroot directory.
If I put it in my application root directory, it does not load and I get a 404 Jrun exception.
Why ? Is this a bug ?
What works:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/loginerror.html</form-error-page>
    </form-login-config>
</login-config>
with login.html in my IIS root directory. But I do not want to clutter the IIS root dir.
My preferred way is Solution 1 below:
Solution 1 (fails):
This is my preferred solution, because '/WebC' is my application mapping name.
==================================================================================
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/WebC/login.html</form-login-page>
        <form-error-page>/WebC/loginerror.html</form-error-page>
    </form-login-config>
</login-config>
============================================================
Solution 2 (also fails):
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/WebCAuth/login.html</form-login-page>
        <form-error-page>/WebCAuth/loginerror.html</form-error-page>
    </form-login-config>
</login-config>
where WebCAuth is 'physically' off the IIS root directory.
How come this fails, if "/login.html" works in wwwroot ?
Any ideas ?
Thanks in advance for your help.
- Venky
-----Original Message-----
From: Madhav [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 29, 2000 12:37 AM
To: JRun-Talk
Subject: Re: Pet Store SecurityAdapter implementation examples?
I hope you are asking about custom authentication in JRun. I could help you in some way. These are the steps to be followed if you want to implement the RDBMS part:
1. Edit the web.xml file of the application. It will be in <application folder>/WEB-INF/
2. Based on your mode, i.e. Basic or Form, you have to add the following lines to the file. I am giving the Form-based one:
<web-app>
...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Store Application</web-resource-name>
            <url-pattern>/store/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <description>Sales Info Resource</description>
        </web-resource-collection>
        <auth-constraint>
            <role-name>manager</role-name>
            <description>Managers only</description>
        </auth-constraint>
    </security-constraint>
...
</web-app>
The above lines implement the access restriction and the role definition for a particular resource in your application.
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sales</realm-name>
</login-config>
The above lines are for basic authentication.
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.htm</form-login-page>
        <form-error-page>/loginerror.htm</form-error-page>
    </form-login-config>
</login-config>
The above code is for the Form method.
Remember, when using the form mode you need to take care of the following.
The form that you use must contain the following settings:
Action: The form must be submitted (POST only) using an action of j_security_check. The server executing the application recognizes this action and processes the form.
User name: The user name must be stored in a field named j_username.
Password: The password must be stored in a field named j_password.
Once you have done this you need to edit the local.properties of the server where you have deployed your application and override the default authentication mechanism by adding these lines:
# authentication
authentication.service=myauth
authentication.myauth.class=classFileName
The class should be placed in the server lib directory. In the class file you can implement the code for checking the user stored in the RDBMS.
The class should implement the AuthenticationInterface. I am also enclosing the sample code:
// Assumed package names for the JRun 3.0 classes used below; check them
// against the security API of your JRun installation.
import allaire.jrun.security.AuthenticatedPrincipal;
import allaire.jrun.security.AuthenticationInterface;
import allaire.jrun.security.PropertyFileAuthentication;
import allaire.jrun.util.OrderedProperties;

import java.security.Principal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Hashtable;
import javax.servlet.http.HttpServletRequest;

public class TI_CustomAuthentication implements AuthenticationInterface
{
    // Our simple in-memory database
    Hashtable users;
    Hashtable roles;

    /**
     * Initialize the authentication service
     * @param props The properties for the service
     */
    public void init(OrderedProperties props) throws Exception
    {
        // Setup our list of user names and passwords
        users = new Hashtable();
        users.put("XYN", "abcd");
        // Setup our list of role names and the users in each role
        roles = new Hashtable();
        roles.put("user", "XYN");
    }

    /**
     * Destroy the service
     */
    public void destroy()
    {
        // Shut down
    }

    /**
     * Authenticate the given user with the given credentials (such
     * as a password).
     * @param req The servlet request
     * @param username The username to authenticate
     * @param method The type of authentication method (BASIC, DIGEST, FORM,
     * or CLIENT-CERT)
     * @param credentials Password and/or other credentials necessary
     * in authenticating the user
     * @return The Principal associated with the given username, or null
     * if authentication failed
     */
    public Principal authenticate(HttpServletRequest req, String username,
                                  String method, String credentials)
    {
        Principal principal = null;
        String password = null;
        boolean isValidUser = false;

        // Figure out what type of method is being used. We only understand
        // BASIC and FORM
        if (method.equals("BASIC")) {
            // For BASIC the username and password are Base64-encoded
            // in the credentials ("Basic <base64>")
            // Ensure that this is basic authentication
            if ((credentials == null) ||
                !credentials.toUpperCase().startsWith("BASIC")) {
                return null;
            }
            // Decode the rest of the string (after the 6-character "Basic "
            // prefix), which will be the username and password
            String decoded =
                PropertyFileAuthentication.decodeBase64(credentials.substring(6));
            // We should now have a string with the username and
            // password separated by a colon, such as:
            // goofy:dog
            int idx = decoded.indexOf(":");
            if (idx > 0) {
                username = decoded.substring(0, idx);
                password = decoded.substring(idx + 1);
            }
        }
        else if (method.equals("FORM")) {
            // For FORM the credentials are the password entered in the
            // j_password input field by the user
            password = credentials;
        }

        // If we have a password, attempt to validate it
        if (password != null) {
            // Lookup in our table. A "real" provider would perform some type
            // of query
            String databasePassword = (String) users.get(username);
            System.out.println("username=" + username);
            // Do not print the password: it would land in clear text in the
            // server log
            // System.out.println("password=" + password);

            // In-memory check kept from the original sample
            // if ((databasePassword != null) &&
            //     (databasePassword.equals(password)))
            //     isValidUser = true;
            // TI_LoginBO ti_loginbo = new TI_LoginBO();

            Connection con = null;
            try
            {
                Class.forName("Driver Name");                       // placeholder: JDBC driver class
                con = DriverManager.getConnection("URL String");    // placeholder: JDBC URL
                Statement stmt = con.createStatement();
                // placeholder: query selecting the row for this username and
                // password. If the query is built from username/password, use
                // a PreparedStatement with bound parameters instead of string
                // concatenation.
                String str = "SQL String";
                ResultSet rs = stmt.executeQuery(str);
                if (rs.next())
                {
                    isValidUser = true;
                }
            }
            catch (Exception e)
            {
                System.out.println(e.toString());
            }
            finally
            {
                // Release the connection whether or not the lookup succeeded
                if (con != null) {
                    try { con.close(); } catch (Exception ignore) { }
                }
            }
            // boolean isValidUser = ti_loginbo.isValidUser(username, password);
            if (isValidUser)
            {
                // Passwords match! Create a new Principal object
                principal = new AuthenticatedPrincipal(username);
            }
        }
        return principal;
    }

    /**
     * Authenticate the given user with the given credentials (such
     * as a password).
     * @param req The servlet request
     * @param username The username to authenticate
     * @param method The type of authentication method (BASIC, DIGEST, FORM,
     * or CLIENT-CERT)
     * @param credentials Password and/or other credentials necessary
     * in authenticating the user
     * @return The Principal associated with the given username, or null
     * if authentication failed
     */
    public Principal authenticate(HttpServletRequest req, String username,
                                  String method, byte[] credentials)
    {
        // Assume we are getting string data. This will be true for BASIC and
        // FORM, which is all this example demonstrates
        return authenticate(req, username, method, new String(credentials));
    }

    /**
     * Determines if the given principal (user) has been granted the
     * given role within this authentication realm.
     * @param principal The principal (user) to verify
     * @param role The role to verify
     * @return true if the principal is part of the given role
     */
    public boolean isPrincipalInRole(Principal principal, String role)
    {
        boolean inRole = false;
        // Get the role name from our in-memory list
        String list = (String) roles.get(role);
        System.out.println("role in security =" + role);
        if (list != null) {
            // Got a list. See if the user is in the given role just by a
            // simple substring match (note: "X" would also match "XYN";
            // split the list on a delimiter for an exact comparison)
            inRole = (list.indexOf(principal.getName()) >= 0);
        }
        return inRole;
    }
}
I hope this solves your problem.
Bye
Madhav.M
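The sample above leaves the "RDBMS part" as placeholders ("Driver Name", "URL String", "SQL String"). The following is an added example, not Madhav's code and not part of JRun, of how that lookup can be written so that the username is bound as a query parameter rather than pasted into the SQL text, and so that the table holds a salted PBKDF2 hash instead of the clear-text password. It assumes a hypothetical schema with a `users(username, salt, pw_hash)` table and a `user_roles(username, role_name)` table, a caller-supplied `java.sql.Connection`, and a current JDK (try-with-resources, `PBKDF2WithHmacSHA256`).

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example: credential and role lookups against a relational store.
 * Assumed (hypothetical) schema:
 *   users(username VARCHAR PRIMARY KEY, salt VARBINARY(16), pw_hash VARBINARY(32))
 *   user_roles(username VARCHAR, role_name VARCHAR)
 */
public final class RdbmsCredentialStore {
    private static final int ITERATIONS = 100000;   // PBKDF2 work factor
    private static final int KEY_BITS = 256;        // derived-key length (32 bytes)
    private final Connection con;

    public RdbmsCredentialStore(Connection con) {
        this.con = con;
    }

    /** Derives a 32-byte PBKDF2-HMAC-SHA256 key from the password and per-user salt. */
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    /**
     * Returns true only if the user exists and the password re-derives the stored hash.
     * The username is a bound parameter, so it can never alter the query;
     * MessageDigest.isEqual compares the hashes in constant time.
     */
    public boolean checkPassword(String username, String password) throws SQLException {
        if (username == null || password == null) {
            return false;
        }
        String sql = "SELECT salt, pw_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;                   // unknown user
                }
                byte[] salt = rs.getBytes(1);
                byte[] stored = rs.getBytes(2);
                byte[] derived = pbkdf2(password.toCharArray(), salt);
                return MessageDigest.isEqual(stored, derived);
            }
        }
    }

    /** Exact role membership check; replaces the substring match in the in-memory sample. */
    public boolean isInRole(String username, String role) throws SQLException {
        String sql = "SELECT 1 FROM user_roles WHERE username = ? AND role_name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, role);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /** Writes a user row with a fresh random salt; shows what the verifier above expects to find. */
    public void addUser(String username, String password) throws SQLException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt);
        String sql = "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setBytes(2, salt);
            ps.setBytes(3, hash);
            ps.executeUpdate();
        }
    }
}
```

Inside the JRun class, the `authenticate` method would obtain a connection (for example from `DriverManager`, as in the sample), construct `new RdbmsCredentialStore(con)`, and return `new AuthenticatedPrincipal(username)` only when `checkPassword(username, password)` is true; `isPrincipalInRole` can delegate to `isInRole(principal.getName(), role)`. Iteration count and salt size are the example's own choices, not values from the thread.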
________________________________________________________________________
----- Original Message -----
From: "Rhodes, Phillip C." <[EMAIL PROTECTED]>
To: "JRun-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, September 28, 2000 11:14 PM
Subject: Pet Store SecurityAdapter implementation examples?
I am looking for some examples of custom implementations of SecurityAdapter
in the Pet Store. Want to see how someone would do LDAP and RDBMS table
based authentication.
Thanks!
Phillip Rhodes
[EMAIL PROTECTED]
Alcoa eCommerce
https://www.ALCOADIRECT.COM
826B Two Allegheny Center Pittsburgh, PA 15212
(412) 553-4900 (phone) (412) 553-2484 (fax)
------------------------------------------------------------------------------
Archives: http://www.egroups.com/group/jrun-interest/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/jrun_talk
or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
