RE: JAAS and JBoss 5.1
Hi Bruno and Kevin,

Another idea would be to store the list of roles in the user principal (a TomcatUser class extending org.restlet.security.User, for example), so that the Enroler can just pick up this information and add the Role instances without a second authentication.

Kevin, I think this could make a nice "org.restlet.ext.tomcat" module in the JEE edition of the framework. Would you be interested in contributing your work for Restlet 2.1?

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Technical Lead ~ http://www.restlet.org
Noelios Technologies ~ http://www.noelios.com

-----Original Message-----
From: Bruno Harbulot [mailto:bruno.harbu...@manchester.ac.uk]
Sent: Monday 10 May 2010 15:40
To: discuss@restlet.tigris.org
Subject: Re: JAAS and JBoss 5.1

Hi Kevin,

This sounds good. One of the main reasons to separate the Enroler from the Verifier was to give the ability to have two sources of information (for example, if verifying the credentials is done via Kerberos and fetching the roles is done via LDAP). I don't see using the Enroler as a strict requirement, though. You could just as well put this into the TomcatVerifier to avoid logging on another time (you would probably have to override verify(Request,Response) too).

Best wishes,

Bruno.

On 10/05/10 06:09, kevinpauli wrote:
> My pleasure. I appreciate the elegant design of Restlet that made the
> integration so straightforward.
>
> BTW, since I posted that I also wrote a TomcatEnroler. Unfortunately, as
> far as I could tell the Tomcat security API requires us to reauthenticate to
> get a hold of the principal again to get his roles.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2617243
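Jerome's suggestion above (roles kept on the User principal so the Enroler needs no second authentication), combined with Bruno's point about overriding verify(Request, Response), as an added example that is not code from this thread or from the Restlet project. It assumes the Restlet 2.0 Verifier interface (boolean verify(Request, Response)) and the Tomcat 6 ServerFactory lookup used in Kevin's classes; the class names TomcatUser, TomcatVerifier and TomcatEnroler are hypothetical.

```java
import java.security.Principal;
import java.util.*;
import org.apache.catalina.*;
import org.apache.catalina.realm.GenericPrincipal;
import org.restlet.Application;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ClientInfo;
import org.restlet.security.*;                 // Enroler, Role, User, Verifier

// Hypothetical: a User that remembers the role names Tomcat's Realm returned at login.
class TomcatUser extends User {
    private final List<String> roleNames;
    TomcatUser(String id, char[] secret, String[] roles) {
        super(id, secret);
        roleNames = Arrays.asList(roles == null ? new String[0] : roles);
    }
    List<String> getRoleNames() { return roleNames; }
}
// Hypothetical: authenticates once against the Catalina Realm and keeps the roles on the user.
class TomcatVerifier implements Verifier {
    private final String serviceName, contextName;
    TomcatVerifier(String serviceName, String contextName) {
        this.serviceName = serviceName; this.contextName = contextName;
    }
    public boolean verify(Request request, Response response) {            // Restlet 2.0 signature
        ChallengeResponse cr = request.getChallengeResponse();
        if (cr == null || cr.getIdentifier() == null) return false;          // no credentials sent
        Engine engine = (Engine) ServerFactory.getServer().findService(serviceName).getContainer();
        Host host = (Host) engine.findChild(engine.getDefaultHost());        // Tomcat 6 lookup
        Realm realm = ((Context) host.findChild(contextName)).getRealm();
        Principal p = realm.authenticate(cr.getIdentifier(), new String(cr.getSecret()));
        if (!(p instanceof GenericPrincipal)) return false;                  // Realm rejected them
        // Roles are captured here, so nothing downstream has to present the secret again.
        request.getClientInfo().setUser(
                new TomcatUser(p.getName(), cr.getSecret(), ((GenericPrincipal) p).getRoles()));
        return true;
    }
}
// Hypothetical: maps the stored role names to the application's Role objects, no second login.
class TomcatEnroler implements Enroler {
    public void enrole(ClientInfo clientInfo) {
        if (!(clientInfo.getUser() instanceof TomcatUser)) return;           // not one of ours
        Application app = Application.getCurrent();
        for (String name : ((TomcatUser) clientInfo.getUser()).getRoleNames()) {
            Role role = app.getRole(name);                                   // null if undeclared
            if (role != null) clientInfo.getRoles().add(role);
        }
    }
}
```

Wire the verifier and enroler into the same ChallengeAuthenticator; a role name the Realm returns but the Application never declared is silently skipped rather than granted.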
Re: JAAS and JBoss 5.1
Hi Kevin,

This sounds good. One of the main reasons to separate the Enroler from the Verifier was to give the ability to have two sources of information (for example, if verifying the credentials is done via Kerberos and fetching the roles is done via LDAP). I don't see using the Enroler as a strict requirement, though. You could just as well put this into the TomcatVerifier to avoid logging on another time (you would probably have to override verify(Request,Response) too).

Best wishes,

Bruno.

On 10/05/10 06:09, kevinpauli wrote:
> My pleasure. I appreciate the elegant design of Restlet that made the
> integration so straightforward.
>
> BTW, since I posted that I also wrote a TomcatEnroler. Unfortunately, as
> far as I could tell the Tomcat security API requires us to reauthenticate to
> get a hold of the principal again to get his roles.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2606836
RE: JAAS and JBoss 5.1
My pleasure. I appreciate the elegant design of Restlet that made the integration so straightforward.

BTW, since I posted that I also wrote a TomcatEnroler. Unfortunately, as far as I could tell the Tomcat security API requires us to reauthenticate to get a hold of the principal again to get his roles.

package org.restlet.ext.tomcat;

import java.util.HashSet;
import java.util.Set;

import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.Realm;
import org.apache.catalina.Server;
import org.apache.catalina.ServerFactory;
import org.apache.catalina.Service;
import org.apache.catalina.realm.GenericPrincipal;
import org.restlet.Application;
import org.restlet.Request;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ClientInfo;
import org.restlet.security.Enroler;
import org.restlet.security.Role;
import org.restlet.security.User;

public class TomcatEnroler implements Enroler {

    private String serviceName;
    private String contextName;

    public void setServiceName(String serviceName) {
        this.serviceName = serviceName;
    }

    public void setContextName(String contextName) {
        this.contextName = contextName;
    }

    @Override
    public void enrole(ClientInfo clientInfo) {
        final Set<Role> userRoles = findRoles(clientInfo.getUser());

        for (Role role : userRoles)
            clientInfo.getRoles().add(role);
    }

    private Set<Role> findRoles(User user) {
        final Set<Role> result = new HashSet<Role>();
        final ChallengeResponse challenge = Request.getCurrent().getChallengeResponse();
        if (user == null || challenge == null)
            return result; // nothing to re-authenticate with

        // The Tomcat Realm only exposes roles on the authenticated principal,
        // so the credentials are presented to the Realm a second time here.
        final String secret = new String(challenge.getSecret());

        final Server server = ServerFactory.getServer();
        final Service service = server.findService(serviceName);
        final Engine engine = (Engine) service.getContainer();
        final Host host = (Host) engine.findChild(engine.getDefaultHost());
        final Context context = (Context) host.findChild(contextName);
        final Realm realm = context.getRealm();
        final GenericPrincipal principal = (GenericPrincipal) realm.authenticate(
                user.getIdentifier(), secret);
        if (principal == null)
            return result; // the Realm no longer accepts these credentials

        final Application application = Application.getCurrent();
        for (String roleName : principal.getRoles()) {
            final Role role = application.getRole(roleName);
            if (role != null)
                result.add(role);
        }

        return result;
    }
}

--
View this message in context: http://restlet-discuss.1400322.n2.nabble.com/JAAS-and-JBoss-5-1-tp4904649p5028931.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2606527
RE: JAAS and JBoss 5.1
Hi Kevin,

Thanks for sharing this experience. It could indeed be useful, maybe to add a Tomcat-specific extension. I've entered an RFE: "Add Tomcat extension" http://restlet.tigris.org/issues/show_bug.cgi?id=1097

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Technical Lead ~ http://www.restlet.org
Noelios Technologies ~ http://www.noelios.com

-----Original Message-----
From: kevinpauli [mailto:ke...@thepaulis.com]
Sent: Wednesday 21 April 2010 16:29
To: discuss@restlet.tigris.org
Subject: Re: JAAS and JBoss 5.1

Turns out that JBoss Web only indirectly relies on JAAS; there are layers of JBoss and Tomcat security in between. What a mess. Here is what I have come up with that works. Anyone interested, enjoy.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2605104
Re: JAAS and JBoss 5.1
Turns out that JBoss Web only indirectly relies on JAAS; there are layers of JBoss and Tomcat security in between. What a mess. Here is what I have come up with that works. Anyone interested, enjoy.

package org.restlet.ext.tomcat;

import java.security.Principal;

import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.Realm;
import org.apache.catalina.Server;
import org.apache.catalina.ServerFactory;
import org.apache.catalina.Service;
import org.restlet.security.SecretVerifier;

public class TomcatVerifier extends SecretVerifier {

    private String serviceName;
    private String contextName;

    public String getServiceName() {
        return serviceName;
    }

    public void setServiceName(String serviceName) {
        this.serviceName = serviceName;
    }

    public String getContextName() {
        return contextName;
    }

    public void setContextName(String contextName) {
        this.contextName = contextName;
    }

    @Override
    public boolean verify(String identifier, char[] secret) {
        // Walk the Catalina container tree (Server -> Service -> Engine -> Host -> Context)
        // to the web application's Realm and delegate the credential check to it.
        final Server server = ServerFactory.getServer();
        final Service service = server.findService(serviceName);
        final Engine engine = (Engine) service.getContainer();
        final Host host = (Host) engine.findChild(engine.getDefaultHost());
        final Context context = (Context) host.findChild(contextName);
        final Realm realm = context.getRealm();
        final Principal principal = realm.authenticate(identifier, new String(secret));
        return principal != null;
    }
}

And then the spring config:

--
View this message in context: http://n2.nabble.com/JAAS-and-JBoss-5-1-tp4904649p4937297.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2591661
JAAS and JBoss 5.1
Anyone integrated the JaasVerifier into a JBoss 5.1 environment? Looking for an example... otherwise I'll hack on it and post my findings here later.

--
View this message in context: http://n2.nabble.com/JAAS-and-JBoss-5-1-tp4904649p4904649.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.
--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2582956