Erik,
We have developed the authentication and portal using .NET. We have implemented the .NET security by implementing IHttpModule in .NET. This .NET authentication service validates the user and provides the applications and user profile based on the user object in NDS E-Directory. This .NET authentication service also sets the secure user cookie at domain level (like WebSphere LTPA) with an encrypted token.
From the list of application icons, once the user selects a J2EE application, we are validating the cookie timeout, incrementing the cookie expiry timeout and user profile in the login filter, and we are storing the user and user roles in the session object, and we are using this session user object in every servlet/JSP to check the user role against NDS E-Directory. We have implemented this authorization logic in every servlet / tag in JSPs. (We don't like to embed this authorization logic in application code.)
Now our objective is that once we have authenticated the user in the login filter, I would like to set this principal on the request object and then use the declarative security against NDS E-Directory. What I have observed in the Tomcat source code is that setUserPrincipal is a protected property of the HttpRequestBase/HttpRequestFacade object, which is set in the AuthenticatorBase class. Is there any way I can set this setUserPrincipal() without implementing the HttpServletRequest interface?
If I implement JAAS, how will it help me to set the setUserPrincipal()? But I can overwrite the container login implementation by implementing JAAS. Here I am not using any J2EE standard authentication types, i.e. form-based/digest/basic authentication. In other words, is it possible to implement the authorization only, without implementing the authentication, using JAAS in the web container? But from Java applets, it is possible by using doAs(****) for an action that invokes the EJBs.
Can you please advise.
Thanks Ramana
Erik Hatcher <[EMAIL PROTECTED]> wrote:
It is possible if you write your own custom JAAS hooks and your
container supports the JAAS API properly. You'll find that it won't be
trivial to learn all the pieces, but your actual implementation will
likely be quite tiny and only a few lines of code.
Erik
On Friday, November 14, 2003, at 11:36 AM, RAMANAREDDY POSAM wrote:
> We have developed a portal to display all the applications once user is
> authenticated . This portal display Icons for .net as well as j2ee
> applications. Once user selects the J2EE web application we verify the
> secure domain cookie for time out and retrieve the user id that is
> authenticated. Now onwards I would like to use J2EE declarative
> security
> for J2EE application or programmatic security using
> request.getUserPrincipal(). I have verified the documentation, I
> didn't find
> how to programmatically set this principal in the servlet filter. I
> have
> found all the information that I need to do for creating the custom
> registry
> and login modules. But I don't think I need to develop a login module,
> I
> just want to set this principal in servlet filter, so that the servlet
> declarative security mechanism use this principal to validate against
> the
> custom registry. But .net supports this by associating the principal
> to the
> thread in program.
>
> Can you please advise.
>
> Juglist mailing list
> [EMAIL PROTECTED]
> http://trijug.org/mailman/listinfo/juglist_trijug.org
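An added example, not part of the original thread: the portable way to make `request.getUserPrincipal()` and `isUserInRole()` reflect an externally authenticated user is to wrap the request in a filter instead of calling the container's protected `setUserPrincipal()`. The `validate()` hook and the `SsoUser` type are hypothetical stand-ins for the portal-cookie check and directory role lookup described in the question. The wrapper only changes what application code sees; `security-constraint` rules in `web.xml` are evaluated by the container before filters run, so those still need a container-level hook such as the JAAS approach mentioned in the reply.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: SsoUser and validate() are hypothetical names, not from the thread.
public abstract class PortalPrincipalFilter implements Filter {

    /** Hypothetical value object: user id plus roles already read from the directory. */
    public static final class SsoUser {
        final String name;
        final Set<String> roles;
        public SsoUser(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    /** Hypothetical hook: decrypt and check the portal cookie; return null if missing, invalid or expired. */
    protected abstract SsoUser validate(Cookie[] cookies);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        final SsoUser user = validate(http.getCookies());
        if (user == null) {
            // Fail closed: without a valid token the request never reaches a servlet.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final Principal principal = new Principal() {
            public String getName() { return user.name; }
        };
        // Servlets and JSPs downstream see the validated identity through the standard API.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return user.name; }
            @Override public boolean isUserInRole(String role) { return user.roles.contains(role); }
        }, res);
    }
}
```

A concrete subclass implementing `validate()` is what gets registered in `web.xml`, mapped ahead of every protected servlet so that no request path bypasses the check.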
