Just out of curiosity, are you using EJB3?

On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <[EMAIL PROTECTED]> wrote:

> Ah, I see now.
>
> The default JSecurity SecurityManager implementations are almost always
> intended to reside in the business tier, not in the client. In an EJB3
> application, this means it should reside alongside (a peer to) your
> Stateless Session Bean - in the server, not in the client GUI.
>
> So, if you want to secure a web service, JSecurity has to be configured to
> handle http communication - this is done by configuring JSecurity as a
> servlet filter in web.xml, to intercept the webservice Servlet Requests that
> will eventually call the underlying EJB.
>
> See this JavaDoc for how to configure the filter:
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> So, for example, if all of your web service calls go to
>
> http://your.host.ip/myapp/webservices
>
> you would configure the JSecurity filter to intercept all the
> /webservices/** urls. For example:
>
> <filter>
>     <filter-name>JSecurityFilter</filter-name>
>     <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>     <init-param>
>         <param-name>config</param-name>
>         <param-value>
>             # The JSecurityFilter configuration is very powerful and flexible, while still remaining succinct.
>             # Please read the comprehensive example, with full comments and explanations, in the JavaDoc:
>             #
>             # http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
>             [filters]
>             jsecurity.loginUrl = /s/login
>             authc.successUrl = /s/index
>
>             [urls]
>             # specify any of the above filters here, depending on the type of security you want:
>             /webservices/**=authc
>         </param-value>
>     </init-param>
> </filter>
>
> <filter-mapping>
>     <filter-name>JSecurityFilter</filter-name>
>     <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> Does this help?
>
> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <[EMAIL PROTECTED]> wrote:
>
>> Hi Les, I don't use a servlet and don't configure web.xml.
>>
>> I have three jars:
>> 1. servidor.jar, an EJB deployed in GlassFish; this contains my stateless
>> session bean (god), which exposes all its methods as a webservice, and my JPA
>> entities (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>> Persona, Rol, Tratamiento, Usuario).
>> 2. servicios.jar, with the generated web service client from the WSDL in
>> GlassFish using JAX-WS and JAXB.
>> 3. cliente.jar, the Swing application that consumes the webservices (here I
>> use JSecurity).
>>
>> My problem is in the webservices. I don't know how to call them using a
>> user and password.
>>
>> Les Hazlewood wrote:
>> >
>> > Hi Daniel,
>> >
>> > Have you configured JSecurity via a servlet filter in web.xml? I'm just
>> > trying to see what your runtime environment is like first before I
>> > recommend a solution.
>> >
>> > Les
>> >
>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <[EMAIL PROTECTED]> wrote:
>> >
>> >> I have implemented this class that inherits from AuthorizingRealm:
>> >>
>> >> package presentacion;
>> >>
>> >> import java.util.LinkedHashSet;
>> >> import java.util.Set;
>> >>
>> >> import org.jsecurity.authc.AccountException;
>> >> import org.jsecurity.authc.AuthenticationException;
>> >> import org.jsecurity.authc.AuthenticationInfo;
>> >> import org.jsecurity.authc.AuthenticationToken;
>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> >> import org.jsecurity.authc.UnknownAccountException;
>> >> import org.jsecurity.authc.UsernamePasswordToken;
>> >> import org.jsecurity.authz.AuthorizationException;
>> >> import org.jsecurity.authz.AuthorizationInfo;
>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> >> import org.jsecurity.realm.AuthorizingRealm;
>> >> import org.jsecurity.subject.PrincipalCollection;
>> >>
>> >> import acciones.God;
>> >> import acciones.Permiso;
>> >> import acciones.Rol;
>> >> import acciones.Usuario;
>> >>
>> >> public class EjbRealm extends AuthorizingRealm {
>> >>     private God servicios;
>> >>
>> >>     public EjbRealm(God servicios) {
>> >>         this.servicios = servicios;
>> >>     }
>> >>
>> >>     private Set<String> getRoles(Usuario u) {
>> >>         Set<String> roles = new LinkedHashSet<String>();
>> >>         for (Rol rol : u.getRoles()) {
>> >>             roles.add(rol.getNombre());
>> >>         }
>> >>         return roles;
>> >>     }
>> >>
>> >>     private Set<String> getPermisos(Usuario u) {
>> >>         Set<String> permisos = new LinkedHashSet<String>();
>> >>         for (Rol rol : u.getRoles()) {
>> >>             for (Permiso p : rol.getPermisos()) {
>> >>                 permisos.add(p.getNombre());
>> >>             }
>> >>         }
>> >>         return permisos;
>> >>     }
>> >>
>> >>     @Override
>> >>     protected AuthorizationInfo doGetAuthorizationInfo(
>> >>             PrincipalCollection principals) {
>> >>         if (principals == null) {
>> >>             throw new AuthorizationException(
>> >>                     "El parametro PrincipalCollection no puede ser null.");
>> >>         }
>> >>         String apodo = (String) principals.fromRealm(getName()).iterator()
>> >>                 .next();
>> >>         Usuario u = servicios.consultarUsuario(apodo);
>> >>         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(getRoles(u));
>> >>         info.setStringPermissions(getPermisos(u));
>> >>         return info;
>> >>     }
>> >>
>> >>     @Override
>> >>     protected AuthenticationInfo doGetAuthenticationInfo(
>> >>             AuthenticationToken token) throws AuthenticationException {
>> >>         UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>> >>         String apodo = upToken.getUsername();
>> >>         if (apodo == null) {
>> >>             throw new AccountException(
>> >>                     "No se permiten apodos Null en este realm.");
>> >>         }
>> >>         AuthenticationInfo info = null;
>> >>         String contrasenia = servicios.consultarContrasenia(apodo);
>> >>         if (contrasenia == null) {
>> >>             throw new UnknownAccountException("No se encontro el usuario ["
>> >>                     + apodo + "]");
>> >>         }
>> >>         info = new SimpleAuthenticationInfo(apodo, contrasenia, getName());
>> >>         return info;
>> >>     }
>> >>
>> >> }
>> >>
>> >> And in my login window I have implemented this code in a button:
>> >>
>> >> private GodService god = new GodService();
>> >>
>> >> protected void button_actionPerformed(ActionEvent arg0) {
>> >>     EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>> >>     ejbRealm.setCredentialsMatcher(new Sha256CredentialsMatcher());
>> >>     DefaultSecurityManager securityManager = new DefaultSecurityManager(
>> >>             ejbRealm);
>> >>     UsernamePasswordToken token = new UsernamePasswordToken(apodoText
>> >>             .getText(), contraseniaText.getPassword());
>> >>     try {
>> >>         Subject user = securityManager.login(token);
>> >>         if (user.isAuthenticated()) {
>> >>             MenuForm window = new MenuForm(god);
>> >>             window.show();
>> >>             dispose();
>> >>         }
>> >>     } catch (AuthenticationException e) {
>> >>         mostrarMensaje("Usuario o contraseña incorrectos");
>> >>     } finally {
>> >>         securityManager.destroy();
>> >>     }
>> >> }
>> >>
>> >> But now I want to know how to secure my webservice (God) using JSecurity.
>> >> What do I need to do?
>> >>
>> >> daniel_asv wrote:
>> >> >
>> >> > Hi, I have a webservice from a stateless session bean running in a
>> >> > GlassFish Application Server. The webservice is consumed by a Swing
>> >> > application. I want to add a login to the Swing application; the
>> >> > user and password will be stored in a SQL Server 2005 database managed
>> >> > by JPA (Hibernate).
>> >> >
>> >> > What do I need to do to use JSecurity in my login window using the
>> >> > webservice?
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>> >>
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>
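
An added example, not part of the original thread and not JSecurity code: once a server-side filter protects /webservices/**, a JAX-WS client such as the Swing application can send the user's credentials with each call through the standard `BindingProvider` request context. It assumes the server's filter chain accepts HTTP Basic credentials; the helper class `WsCredentials` and the HTTPS endpoint URL in the usage comment are hypothetical.

```java
import java.util.Map;
import javax.xml.ws.BindingProvider;

/**
 * Added example (hypothetical helper, not code from the thread or JSecurity).
 * Attaches per-user HTTP Basic credentials to a generated JAX-WS port so the
 * server, not the client, decides whether the caller is authenticated.
 */
public final class WsCredentials {

    private WsCredentials() {
    }

    public static <T> T attach(T port, String endpointUrl,
                               String username, char[] password) {
        if (!(port instanceof BindingProvider)) {
            throw new IllegalArgumentException("Not a JAX-WS port: " + port);
        }
        if (username == null || username.isEmpty() || password == null) {
            throw new IllegalArgumentException("Username and password are required");
        }
        // Basic credentials are only base64-encoded on the wire, so refuse
        // any endpoint that is not protected by TLS.
        if (endpointUrl == null
                || !endpointUrl.regionMatches(true, 0, "https://", 0, 8)) {
            throw new IllegalArgumentException("Endpoint must use https: " + endpointUrl);
        }
        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpointUrl);
        ctx.put(BindingProvider.USERNAME_PROPERTY, username);
        // The JAX-WS property takes a String, so the char[] is copied here.
        ctx.put(BindingProvider.PASSWORD_PROPERTY, new String(password));
        return port;
    }
}

// Usage with the generated client named in the thread (URL is a placeholder):
//   God god = WsCredentials.attach(new GodService().getGodPort(),
//           "https://your.host.ip/myapp/webservices",
//           apodoText.getText(), contraseniaText.getPassword());
```

With the server checking credentials on every request, the realm and SecurityManager can live in the business tier as the reply recommends, and the client does not need to fetch stored passwords over the web service.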
