RE: JAAS and JBoss 5.1

2010-06-05 Thread Jerome Louvel
Hi Bruno and Kevin,

Another idea would be to store the list of roles in the user principal (a
TomcatUser class extending org.restlet.security.User for example), so that
the Enroler can just pick up this information and add the Role instances
without a second authentication.

Kevin, I think this could make a nice "org.restlet.ext.tomcat" module in the
JEE edition of the framework. Would you be interested in contributing your
work for Restlet 2.1?

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Technical Lead ~ http://www.restlet.org
Noelios Technologies ~ http://www.noelios.com





--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2617243


Re: JAAS and JBoss 5.1

2010-05-10 Thread Bruno Harbulot
Hi Kevin,

This sounds good.
One of the main reasons to separate the Enroler from the Verifier was to 
give the ability to have two sources of information (for example, if 
verifying the credentials is done via Kerberos and fetching the roles is 
done via LDAP). I don't see using the Enroler as a strict requirement, 
though. You could just as well put this into the TomcatVerifier to avoid 
logging on another time (you would probably have to override 
verify(Request,Response) too).

Best wishes,

Bruno.


--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2606836
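
Added example, not part of the thread and not Restlet project code: one way to combine Jerome's suggestion (roles stored in a TomcatUser principal) with Bruno's (do the work in verify(Request, Response)), so the realm is asked once and the Enroler never replays the secret. The class names are hypothetical; the Realm is assumed to be looked up as in Kevin's TomcatVerifier, and the calls assume the Restlet 2.0 and Tomcat 6 APIs used in the thread.

```java
// Added illustration: TomcatUser, RoleCachingTomcatVerifier and
// CachedRoleEnroler are hypothetical names, not Restlet or Tomcat classes.
import java.security.Principal;
import org.apache.catalina.Realm;
import org.apache.catalina.realm.GenericPrincipal;
import org.restlet.Application;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.ClientInfo;
import org.restlet.security.Enroler;
import org.restlet.security.Role;
import org.restlet.security.User;
import org.restlet.security.Verifier;

/** User principal that remembers the role names the realm returned. */
class TomcatUser extends User {
  private final String[] roleNames;
  TomcatUser(String id, String[] roles) { super(id); roleNames = roles.clone(); }
  String[] getRoleNames() { return roleNames.clone(); }
}

/** Authenticates once against the realm and keeps the resulting roles. */
class RoleCachingTomcatVerifier implements Verifier {
  private final Realm realm; // assumed: resolved as in TomcatVerifier
  RoleCachingTomcatVerifier(Realm realm) { this.realm = realm; }

  public int verify(Request request, Response response) {
    if (request.getChallengeResponse() == null) return RESULT_MISSING;
    String id = request.getChallengeResponse().getIdentifier();
    char[] secret = request.getChallengeResponse().getSecret();
    if (id == null || secret == null) return RESULT_MISSING;
    Principal p = realm.authenticate(id, new String(secret));
    if (p == null) return RESULT_INVALID; // realm rejected the credentials
    // Only GenericPrincipal exposes a role list; others get no roles.
    String[] roles = (p instanceof GenericPrincipal)
        ? ((GenericPrincipal) p).getRoles() : new String[0];
    request.getClientInfo().setUser(new TomcatUser(id, roles));
    return RESULT_VALID;
  }
}

/** Maps the cached names to application roles; no second realm call. */
class CachedRoleEnroler implements Enroler {
  public void enrole(ClientInfo clientInfo) {
    if (!(clientInfo.getUser() instanceof TomcatUser)) return;
    for (String name : ((TomcatUser) clientInfo.getUser()).getRoleNames()) {
      Role role = Application.getCurrent().getRole(name);
      if (role != null) clientInfo.getRoles().add(role);
    }
  }
}
```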


RE: JAAS and JBoss 5.1

2010-05-09 Thread kevinpauli
My pleasure.  I appreciate the elegant design of Restlet that made the
integration so straightforward.  

BTW, since I posted that I also wrote a TomcatEnroler.  Unfortunately, as
far as I could tell the Tomcat security API requires us to reauthenticate to
get a hold of the principal again to get his roles.

package org.restlet.ext.tomcat;

import java.util.HashSet;
import java.util.Set;

import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.Realm;
import org.apache.catalina.Server;
import org.apache.catalina.ServerFactory;
import org.apache.catalina.Service;
import org.apache.catalina.realm.GenericPrincipal;
import org.restlet.Application;
import org.restlet.Request;
import org.restlet.data.ClientInfo;
import org.restlet.security.Enroler;
import org.restlet.security.Role;
import org.restlet.security.User;

public class TomcatEnroler implements Enroler {

  private String serviceName;
  private String contextName;

  public void setServiceName(String serviceName) {
    this.serviceName = serviceName;
  }

  public void setContextName(String contextName) {
    this.contextName = contextName;
  }

  @Override
  public void enrole(ClientInfo clientInfo) {
    final Set<Role> userRoles = findRoles(clientInfo.getUser());

    for (Role role : userRoles)
      clientInfo.getRoles().add(role);
  }

  private Set<Role> findRoles(User user) {
    // The realm only returns a principal from authenticate(), so the secret
    // of the current request is presented to it a second time.
    final String secret = new String(
        Request.getCurrent().getChallengeResponse().getSecret());

    // Walk Server -> Service -> Engine -> Host -> Context to reach the realm.
    final Server server = ServerFactory.getServer();
    final Service service = server.findService(serviceName);
    final Engine engine = (Engine) service.getContainer();
    final Host host = (Host) engine.findChild(engine.getDefaultHost());
    final Context context = (Context) host.findChild(contextName);
    final Realm realm = context.getRealm();
    final GenericPrincipal principal = (GenericPrincipal)
        realm.authenticate(user.getIdentifier(), secret);

    final Application application = Application.getCurrent();
    final Set<Role> result = new HashSet<Role>();
    // authenticate() returns null when the realm rejects the credentials.
    if (principal == null)
      return result;

    // Keep only the realm roles that the Restlet application declares.
    for (String roleName : principal.getRoles()) {
      final Role role = application.getRole(roleName);
      if (role != null)
        result.add(role);
    }

    return result;
  }
}

-- 
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/JAAS-and-JBoss-5-1-tp4904649p5028931.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2606527


RE: JAAS and JBoss 5.1

2010-05-07 Thread Jerome Louvel
Hi Kevin,

Thanks for sharing this experience. It could indeed be useful, maybe to add
a Tomcat-specific extension. I've entered an RFE:

"Add Tomcat extension"
http://restlet.tigris.org/issues/show_bug.cgi?id=1097

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Technical Lead ~ http://www.restlet.org
Noelios Technologies ~ http://www.noelios.com



--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2605104


Re: JAAS and JBoss 5.1

2010-04-21 Thread kevinpauli
Turns out that JBoss web only indirectly relies on JAAS; there are layers of
JBoss and Tomcat security in between.  What a mess.  Here is what I have
come up with that works.  Anyone interested, enjoy.

package org.restlet.ext.tomcat;

import java.security.Principal;

import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.Realm;
import org.apache.catalina.Server;
import org.apache.catalina.ServerFactory;
import org.apache.catalina.Service;
import org.restlet.security.SecretVerifier;

public class TomcatVerifier extends SecretVerifier {

  // Name of the Tomcat Service and of the web application Context whose
  // Realm is used to check credentials.
  private String serviceName;
  private String contextName;

  public String getServiceName() {
    return serviceName;
  }

  public void setServiceName(String serviceName) {
    this.serviceName = serviceName;
  }

  public String getContextName() {
    return contextName;
  }

  public void setContextName(String contextName) {
    this.contextName = contextName;
  }

  @Override
  public boolean verify(String identifier, char[] secret) {
    // Walk Server -> Service -> Engine -> Host -> Context to reach the realm.
    final Server server = ServerFactory.getServer();
    final Service service = server.findService(serviceName);
    final Engine engine = (Engine) service.getContainer();
    final Host host = (Host) engine.findChild(engine.getDefaultHost());
    final Context context = (Context) host.findChild(contextName);
    final Realm realm = context.getRealm();
    // Realm.authenticate() takes a String, so the char[] secret is copied.
    final Principal principal = realm.authenticate(identifier,
        new String(secret));
    // A null principal means the realm rejected the credentials.
    return principal != null;
  }

}

And then the Spring config:

  


  

-- 
View this message in context: 
http://n2.nabble.com/JAAS-and-JBoss-5-1-tp4904649p4937297.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2591661


JAAS and JBoss 5.1

2010-04-14 Thread kevinpauli
Anyone integrated the JaasVerifier into a JBoss 5.1 environment?  Looking for
an example... otherwise I'll hack on it and post my findings here later.
-- 
View this message in context: 
http://n2.nabble.com/JAAS-and-JBoss-5-1-tp4904649p4904649.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2582956