RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-17 Thread Carson Hager
Sorry for the late response


> Does this process only work if we try to access a restricted resource?
> That is, if the first screen in my Flex app is the login page, can I post
> the form to one of my own services (remote object), manually do the
> handler/loginContext process as described in login.jsp below? Or does it
> need to be posted to this j_security_check?


You need to access a secure resource. The container will respond with a
redirect to your login page where you have a form that submits to
j_security_check.


> If this login module/context succeeds (login/commit), does it matter
> whether this was called through my own code or from this mysterious
> j_security_check? (BTW, what is j_security_check? A jsp, url to servlet
> handled by container,  I can do the search on this myself, but if you
> want to answer, I'd certainly read it :-))


After a successful login, the server will redirect the user to the
originally requested secure resource.  j_security_check is a token in
J2EE web applications that represents the server's page for processing
a form based authentication request. It's not something you write. When
the server gets a request for it, it gets the value for j_username and
j_password and attempts to authenticate the user based on whatever
authentication scheme you have configured for the server/web app.


> Is there some standard way of handling an app that requires the user to
> login prior to doing anything? For example, I see the app being launched
> from a link/button on our web site. I want the login page to display. Do
> we have this link/button point to some fake (or real) protected resource
> to kick off the auth process?


That's exactly correct. The login link points to a secure page. In the
case of an unauthenticated session, the user will get the login form. In
the case of a previously authenticated session, the user will be taken
right to the page.


Carson



 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
 


-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 11:28 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Thanks for the info. 

First, let me clarify that this is not how we intend to do login/auth. I was
merely trying to get the LoginModule to fire without going through any
server-side/flex/proxy.

Does this process only work if we try to access a restricted resource? That
is, if the first screen in my Flex app is the login page, can I post the
form to one of my own services (remote object), manually do the
handler/loginContext process as described in login.jsp below? Or does it
need to be posted to this j_security_check? If this login module/context
succeeds (login/commit), does it matter whether this was called through my
own code or from this mysterious j_security_check? (BTW, what is
j_security_check? A jsp, url to servlet handled by container,  I can do
the search on this myself, but if you want to answer, I'd certainly read it
:-))

Is there some standard way of handling an app that requires the user to
login prior to doing anything? For example, I see the app being launched
from a link/button on our web site. I want the login page to display. Do we
have this link/button point to some fake (or real) protected resource to
kick off the auth process?

As always, thanks for the education.

Jim

-
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Jim Schneider
Thanks for the responses. 

Sorry for my ignorance, but are you suggesting that the JSP simulate a login
(invoking the loginContext/loginModule)? Or are you suggesting that the JSP
set the UserPrincipal in the HTTP request (although I don't see a setter in
the request interface API, which makes me wonder how JAAS injects the
UserPrincipal into the request, but I can probably find that somewhere). 

To answer Matt's questions, no, I'm not sure JAAS successfully stores the
principal, yes, the login module is being called, but I'll look at it more
closely.

Thanks again,

Jim

-
Jim Schneider
EyeCodeRight, LLC
1-877-370-6906
1-612-605-5399

-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Dave Wolf
Sent: Wednesday, February 15, 2006 8:37 AM
To: flexcoders@yahoogroups.com
Subject: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)


We have, as Carson mentioned, definitely seen issues where the
j_session_id is not properly propagated through the proxy.  I would
want to see, as Matt alludes to, do the credentials get propagated
when we take the proxy out of the picture.  I would create a simple
JSP page which itself returns the UserPrincipal.  Call that JSP from
within your Flex app and read the value.

-- 
Dave Wolf
Cynergy Systems, Inc.
Macromedia Flex Alliance Partner
http://www.cynergysystems.com

Email:  [EMAIL PROTECTED]
Office: 866-CYNERGY

--- In flexcoders@yahoogroups.com, Matt Chotin [EMAIL PROTECTED] wrote:

> You sure that JAAS successfully stores the Principal back in the user
> request?  If you did something similar via JSP would everything come
> through correctly?  I haven't played with JBoss but WebSphere for
> example failed to store the authenticated principal in the request even
> when I went through JAAS to log my user in.  You traced to see that
> your login module is called?
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Tuesday, February 14, 2006 2:12 PM
> To: flexcoders@yahoogroups.com
> Subject: FW: [flexcoders] setUsernamePassword and J2EE login (bounce)
>
> No one has any thoughts/ideas on this?
>
> -
> Jim Schneider
> KJ Interactive, Inc.
> 1-877-370-6906
> 1-612-605-5399
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Jim Schneider
> Sent: Saturday, February 04, 2006 12:01 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
>
> I finally got back to looking at this. I instrumented my code to look at
> flashgateway.Gateway.getHttpRequest().getRemotePrincipal() and
> getRemoteUser().  RemoteUser is empty and remote principal is null. I
> see the userid/password credentials in the amf trace from the client
> (setting UsernamePassword on the service), but nothing in the service.
>
> I'm using remote objects. Remote object is a spring bean.
>
> I've implemented a JAAS login module that appears to be functioning
> correctly (loginContext succeeds).
>
> Using JBoss 4.0.x.
>
> Any thoughts?
>
> Thanks,
>
> Jim
>
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Carson Hager
> Sent: Saturday, January 21, 2006 10:22 PM
> To: flexcoders@yahoogroups.com
> Subject: RE: [flexcoders] setUsernamePassword and J2EE login
>
> If you use standard J2EE auth to the container, you can get the remote
> user provided you are not using the proxy. There is currently an issue
> with the proxy not forwarding the cookie in most (all that we've seen)
> circumstances.  We have received a fix from Adobe on this that we are in
> the process of testing.
>
> This being said, if you don't use the proxy, you'll be able to access
> the user without issue from within your service implementations.  Here's
> the kicker.  The AS2 VM doesn't handle HTTP status code 500. It
> stops parsing the HTTP response when it sees a 500 which means that you
> will never be able to get at any data that occurs due to a SOAP Fault.
> Per the web services spec, the container is required to return an HTTP
> 500 status code when returning a fault. Effectively, you can't handle
> SOAP faults when you don't use the proxy and you get that meaningless
> error message that looks like it simply couldn't connect to the service.
> This issue is handled by the proxy. It changes that HTTP status code
> to 200 so that the flash player can parse the request.  This is a kludge
> if you ask me but that's where we are today.  As a note, this is being
> addressed in FP8.5 but the fix will very likely not (according to Adobe)
> be fixed in earlier versions due to backward compatibility.
>
> Carson
>
> Carson Hager
> Cynergy Systems, Inc.
> http

RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Carson Hager
He's actually not suggesting either.  He's suggesting creating a test
JSP that returns the user principal object to verify that the JSP is
within an authenticated session.

<%=request.getUserPrincipal().getName()%>

It looks like you're going through a proxy which is using another
session. As I mentioned earlier, there are issues with the proxy and
forwarding credentials from an existing session.  Our context was the
use of web services but this could very well be what you're seeing as
well.


Carson 



 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
 


-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 8:49 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Thanks for the responses. 

Sorry for my ignorance, but are you suggesting that the JSP simulate a login
(invoking the loginContext/loginModule)? Or are you suggesting that the JSP
set the UserPrincipal in the HTTP request (although I don't see a setter in
the request interface API, which makes me wonder how JAAS injects the
UserPrincipal into the request, but I can probably find that somewhere).

To answer Matt's questions, no, I'm not sure JAAS successfully stores the
principal, yes, the login module is being called, but I'll look at it more
closely.

Thanks again,

Jim

-
Jim Schneider
EyeCodeRight, LLC
1-877-370-6906
1-612-605-5399

RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Matt Chotin
Right, basically attempt to remove Flex from the equation for the
moment, get your JAAS module to fire using credentials you pass in using
the JSP.  Then after you've authenticated use the JSP to see if that
newly created authenticated Principal is stored in the request.  If it
isn't there then the problem is bigger than RemoteObject.

Matt

-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Carson Hager
Sent: Wednesday, February 15, 2006 9:05 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

He's actually not suggesting either.  He's suggesting creating a test
JSP that returns the user principal object to verify that the JSP is
within an authenticated session.

<%=request.getUserPrincipal().getName()%>

It looks like you're going through a proxy which is using another
session. As I mentioned earlier, there are issues with the proxy and
forwarding credentials from an existing session.  Our context was the
use of web services but this could very well be what you're seeing as
well.


Carson 



 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
 


RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Jim Schneider
Is this a valid test for this? I've verified that the login.jsp fires the
JAAS login module and I do get the principal object back. In both jsps
(login.jsp and verify.jsp), the user/principal information is null. (BTW,
I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to
check for differences. None)

Can we conclude from this that the JBoss JAAS module is not setting the
principal information?


Logintest.mxml
{
  <mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
  <mx:Panel width="100%" height="100%" title="Login Test">
  <mx:VBox height="100%" width="100%">
    <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
    <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
  </mx:VBox>
  </mx:Panel>
  </mx:Application>
}

Login.jsp (snippet)
{
  <%@ page import="javax.security.auth.Subject,
                   javax.security.auth.login.LoginContext,
                   org.jboss.security.auth.callback.UsernamePasswordHandler" %>
  <%
  // username and password are assigned earlier in the page (not part of this snippet)
  // Invoke the JAAS login module directly against the "employee" configuration
  Subject subject = new Subject();
  UsernamePasswordHandler handler = new UsernamePasswordHandler(username,
      password.toCharArray());
  LoginContext loginContext = new LoginContext("employee", subject, handler);
  loginContext.login();
  // Read back what the container reports for this request
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null) {
    principal = request.getUserPrincipal().getName();
  }
  %>
  Login Remote User: <%= user %><br>
  Login Principal: <%= principal %>
}

Verify.jsp
{
  <%
  // Report the user and principal the container holds for this request
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null) {
    principal = request.getUserPrincipal().getName();
  }
  %>
  Verify Remote User: <%= user %><br>
  Verify Principal: <%= principal %>
}


-
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Matt Chotin
Sent: Wednesday, February 15, 2006 11:19 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Right, basically attempt to remove Flex from the equation for the
moment, get your JAAS module to fire using credentials you pass in using
the JSP.  Then after you've authenticated use the JSP to see if that
newly created authenticated Principal is stored in the request.  If it
isn't there then the problem is bigger than RemoteObject.

Matt

RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Carson Hager
Actually, this doesn't look correct at all. You're trying to go about
this manually and that is not how J2EE security works.  For this to
work, you have to integrate with the container which means configuring
your servlet container to delegate all J2EE authentication/authorization
to your JAAS module.  After that, you then have to secure resources
within your web application however that's done in your container. For
things like Tomcat, this is done directly in web.xml. Your situation
here will likely be different. If you are using form auth, you then
point your flex form to post to j_security_check passing in j_username
and j_password.  If you are using basic auth, you will simply be
prompted by the browser for userid/password.  Regardless of which you
choose, the order of operations in the J2EE world is the following.

1. User requests a secure resource
2. Server responds with either the page you have configured for
credentials (Form auth) or with a request to the client (browser) to
garner the login information (Basic auth).
3. User enters credentials.
4. If successful, you now have an authenticated session that the server
is intimately familiar with.

To answer the next question, you cannot force these credentials into
J2EE authentication session manually. You have to go through the
server's provided interfaces.  Unfortunately, J2EE security is much too
broad a subject to get into in this medium. I've attempted to give you
a brief outline of the process here so that you can pursue it within the
context of your container and its capabilities.  Given the frequency of
the questions surrounding this topic, we have submitted this topic as a
candidate for an upcoming DevNet article.


Carson



 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
 


-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 10:31 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Is this a valid test for this? I've verified that the login.jsp fires the
JAAS login module and I do get the principal object back. In both jsps
(login.jsp and verify.jsp), the user/principal information is null. (BTW,
I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to
check for differences. None)

Can we conclude from this that the JBoss JAAS module is not setting the
principal information?


Logintest.mxml
{
  <mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
  <mx:Panel width="100%" height="100%" title="Login Test">
  <mx:VBox height="100%" width="100%">
    <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
    <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
  </mx:VBox>
  </mx:Panel>
  </mx:Application>
}

Login.jsp (snippet)
{
  <%@ page import="javax.security.auth.Subject,
                   javax.security.auth.login.LoginContext,
                   org.jboss.security.auth.callback.UsernamePasswordHandler" %>
  <%
  // username and password are assigned earlier in the page (not part of this snippet)
  // Invoke the JAAS login module directly against the "employee" configuration
  Subject subject = new Subject();
  UsernamePasswordHandler handler = new UsernamePasswordHandler(username,
      password.toCharArray());
  LoginContext loginContext = new LoginContext("employee", subject, handler);
  loginContext.login();
  // Read back what the container reports for this request
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null) {
    principal = request.getUserPrincipal().getName();
  }
  %>
  Login Remote User: <%= user %><br>
  Login Principal: <%= principal %>
}

Verify.jsp
{
  <%
  // Report the user and principal the container holds for this request
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null) {
    principal = request.getUserPrincipal().getName();
  }
  %>
  Verify Remote User: <%= user %><br>
  Verify Principal: <%= principal %>
}


-
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

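
[Added example, not part of the original thread and not any poster's code.] A sketch of the container-managed setup Carson describes in the message above and in his 2006-02-17 reply (a secured resource, a form that posts j_username/j_password to j_security_check, and the JAAS module bound to the web app), written for a JBoss 4.0.x / Tomcat-style deployment. The URL pattern, role name, page names, datasource and SQL are assumptions made for illustration; the domain name "employee" follows the LoginContext name in Jim's snippet.

```xml
<!-- ===== WEB-INF/web.xml (Servlet 2.4): what is protected and how users log in ===== -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Step 1 of the flow: any request under /secure/* needs an authenticated user.
       The URL pattern and the role name AppUser are assumptions. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Flex application and its services</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
    <!-- Form auth carries j_password in the request body, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 2: the container answers an unauthenticated request with this page. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>

<!-- ===== /login.html (assumed name): the only login code the application supplies =====
     Step 3: the field names and the action are fixed by the servlet spec.
     j_security_check is handled by the container, not by application code. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>

<!-- ===== WEB-INF/jboss-web.xml: bind the web app to a JAAS security domain =====
     The container calls this domain's login module when it processes
     j_security_check; "employee" matches the LoginContext name used in the thread. -->
<jboss-web>
  <security-domain>java:/jaas/employee</security-domain>
</jboss-web>

<!-- ===== conf/login-config.xml: add inside <policy> =====
     Uses the JBoss-supplied DatabaseServerLoginModule mentioned in the thread.
     Datasource name, tables and columns are constructed for this example. -->
<application-policy name="employee">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/ExampleDS</module-option>
      <module-option name="principalsQuery">
        SELECT passwd FROM users WHERE username=?
      </module-option>
      <module-option name="rolesQuery">
        SELECT role, 'Roles' FROM user_roles WHERE username=?
      </module-option>
    </login-module>
  </authentication>
</application-policy>
```

With this in place, a verify.jsp placed under /secure/ is only reachable in step 4, after the container itself has processed j_security_check, and that is the session in which request.getUserPrincipal() is populated.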

RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Jim Schneider
Thanks for the info. 

First, let me clarify that this is not how we intend to do login/auth. I was
merely trying to get the LoginModule to fire without going through any
server-side/flex/proxy.

Does this process only work if we try to access a restricted resource? That
is, if the first screen in my Flex app is the login page, can I post the
form to one of my own services (remote object), manually do the
handler/loginContext process as described in login.jsp below? Or does it
need to be posted to this j_security_check? If this login module/context
succeeds (login/commit), does it matter whether this was called through my
own code or from this mysterious j_security_check? (BTW, what is
j_security_check? A jsp, url to servlet handled by container,  I can do
the search on this myself, but if you want to answer, I'd certainly read it
:-))

Is there some standard way of handling an app that requires the user to
login prior to doing anything? For example, I see the app being launched
from a link/button on our web site. I want the login page to display. Do we
have this link/button point to some fake (or real) protected resource to
kick off the auth process?

As always, thanks for the education.

Jim

-
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399

-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Carson Hager
Sent: Wednesday, February 15, 2006 12:41 PM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

Actually, this doesn't look correct at all. You're trying to go about
this manually and that is not how J2EE security works.  For this to
work, you have to integrate with the container which means configuring
your servlet container to delegate all J2EE authentication/authorization
to your JAAS module.  After that, you then have to secure resources
within your web application however that's done in your container. For
things like Tomcat, this is done directly in web.xml. Your situation
here will likely be different. If you are using form auth, you then
point your flex form to post to j_security_check passing in j_username
and j_password.  If you are using basic auth, you will simply be
prompted by the browser for userid/password.  Regardless of which you
choose, the order of operations in the J2EE world is the following.

1. User requests a secure resource
2. Server responds with either the page you have configured for
credentials (Form auth) or with a request to the client (browser) to
garner the login information (Basic auth).
3. User enters credentials.
4. If successful, you now have an authenticated session that the server
is intimately familiar with.

To answer the next question, you cannot force these credentials into
J2EE authentication session manually. You have to go through the
server's provided interfaces.  Unfortunately, J2EE security is much too
broad a subject to get into in this medium. I've attempted to give you
a brief outline of the process here so that you can pursue it within the
context of your container and its capabilities.  Given the frequency of
the questions surrounding this topic, we have submitted this topic as a
candidate for an upcoming DevNet article.


Carson



 
Carson Hager
Cynergy Systems, Inc.
http://www.cynergysystems.com
 
Email:  [EMAIL PROTECTED]
Office:  866-CYNERGY
Mobile: 1.703.489.6466
 


-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 10:31 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Is this a valid test for this? I've verified that the login.jsp fires the
JAAS login module and I do get the principal object back. In both jsps
(login.jsp and verify.jsp), the user/principal information is null. (BTW,
I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to
check for differences. None)

Can we conclude from this that the JBoss JAAS module is not setting the
principal information?


Logintest.mxml
{
  <mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
  <mx:Panel width="100%" height="100%" title="Login Test">
  <mx:VBox height="100%" width="100%">
    <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
    <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
  </mx:VBox>
  </mx:Panel>
  </mx:Application>
}

Login.jsp (snippet)
{
  <%
  Subject subject = new Subject();
  UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
  LoginContext loginContext = new LoginContext("employee", subject, handler);
  loginContext.login();
  String user = request.getRemoteUser();
  String principal = null;
  if (request.getUserPrincipal() != null)
    principal = request.getUserPrincipal().getName

Re: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Douglas Knudsen
I would also suggest looking in your flex install directory for
examples on this.  Look in resources\security.

DK

On 2/15/06, Carson Hager [EMAIL PROTECTED] wrote:
 Actually, this doesn't look correct at all. You're trying to go about
 this manually and that is not how J2EE security works.  For this to
 work, you have to integrate with the container which means configuring
 your servlet container to delegate all J2EE authentication/authorization
 to your JAAS module.  After that, you then have to secure resources
 within your web application however that's done in your container. For
 things like Tomcat, this is done directly in web.xml. Your situation
 here will likely be different. If you are using form auth, you then
 point your flex form to post to j_security_check passing in j_username
 and j_password.  If you are using basic auth, you will simply be
 prompted by the browser for userid/password.  Regardless of which you
 choose, the order of operations in the J2EE world is the following.

 1. User requests a secure resource
 2. Server responds with either the page you have configured for
 credentials (Form auth) or with a request to the client (browser) to
 garner the login information (Basic auth).
 3. User enters credentials.
 4. If successful, you now have an authenticated session that the server
 is intimately familiar with.

 To answer the next question, you cannot force these credentials into
 J2EE authentication session manually. You have to go through the
 server's provided interfaces.  Unfortunately, J2EE security is much too
 broad a subject to get into in this medium. I've attempted to give you
 a brief outline of the process here so that you can pursue it within the
 context of your container and its capabilities.  Given the frequency of
 the questions surrounding this topic, we have submitted this topic as a
 candidate for an upcoming DevNet article.


 Carson


 

 Carson Hager
 Cynergy Systems, Inc.
 http://www.cynergysystems.com

 Email:  [EMAIL PROTECTED]
 Office:  866-CYNERGY
 Mobile: 1.703.489.6466



 -Original Message-
 From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
 Behalf Of Jim Schneider
 Sent: Wednesday, February 15, 2006 10:31 AM
 To: flexcoders@yahoogroups.com
 Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
 (bounce)

 Is this a valid test for this? I've verified that the login.jsp fires the
 JAAS login module and I do get the principal object back. In both jsps
 (login.jsp and verify.jsp), the user/principal information is null. (BTW,
 I've tried using the JBoss-supplied DatabaseServerLoginModule and my own to
 check for differences. None)

 Can we conclude from this that the JBoss JAAS module is not setting the
 principal information?


 Logintest.mxml
 {
   <mx:Application xmlns:mx="http://www.macromedia.com/2003/mxml" xmlns="*">
   <mx:Panel width="100%" height="100%" title="Login Test">
   <mx:VBox height="100%" width="100%">
     <mx:Button label="Login" click="getUrl('login.jsp', 'LoginTest')"/>
     <mx:Button label="Verify" click="getUrl('verify.jsp', 'LoginTest')"/>
   </mx:VBox>
   </mx:Panel>
   </mx:Application>
 }

 Login.jsp (snippet)
 {
   <%
   Subject subject = new Subject();
   UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
   LoginContext loginContext = new LoginContext("employee", subject, handler);
   loginContext.login();
   String user = request.getRemoteUser();
   String principal = null;
   if (request.getUserPrincipal() != null)
     principal = request.getUserPrincipal().getName();
   %>
   Login Remote User: <%= user %><br>
   Login Principal: <%= principal %>
 }

 Verify.jsp
 {
   <%
   String user = request.getRemoteUser();
   String principal = null;
   if (request.getUserPrincipal() != null)
     principal = request.getUserPrincipal().getName();
   %>
   Verify Remote User: <%= user %><br>
   Verify Principal: <%= principal %>
 }


 -
 Jim Schneider
 KJ Interactive, Inc.
 1-877-370-6906
 1-612-605-5399

 -Original Message-
 From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
 Behalf Of Matt Chotin
 Sent: Wednesday, February 15, 2006 11:19 AM
 To: flexcoders@yahoogroups.com
 Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
 (bounce)

 Right, basically attempt to remove Flex from the equation for the
 moment, get your JAAS module to fire using credentials you pass in using
 the JSP.  Then after you've authenticated use the JSP to see if that
 newly created authenticated Principal is stored in the request.  If it
 isn't there then the problem is bigger than RemoteObject.

 Matt

 -Original Message-
 From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
 Behalf Of Carson Hager
 Sent: Wednesday, February 15, 2006 9:05 AM
 To: flexcoders@yahoogroups.com
 Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
 (bounce)

 He's
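
The container-managed form login that Carson Hager's quoted reply outlines (secure resource, login page, j_security_check, authenticated session), as an added example that is not code from this thread, from Flex or from JBoss. The URL pattern, page names and role name are assumptions, as is reusing the thread's `employee` LoginContext name as the JBoss security domain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (added example; paths, role and page names are assumptions) -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Step 1: requests under /secure/* are the "secure resource". Put the page
       that hosts the Flex app and verify.jsp here. No <http-method> element is
       listed, so the constraint applies to every HTTP method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Flex application</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
    <!-- Protected pages, and the login exchange they trigger, require HTTPS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 2: an unauthenticated request for /secure/* gets this page instead.
       Steps 3 and 4: the page posts to the container, not to application code:
         <form method="POST" action="j_security_check">
           <input type="text" name="j_username"/>
           <input type="password" name="j_password"/>
           <input type="submit" value="Log in"/>
         </form>
       On success the container binds the principal to the session, so
       request.getRemoteUser() and request.getUserPrincipal() are non-null
       in /secure/verify.jsp. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>employee</role-name>
  </security-role>

  <!-- JBoss: WEB-INF/jboss-web.xml names the JAAS domain the container calls:
         <jboss-web>
           <security-domain>java:/jaas/employee</security-domain>
         </jboss-web> -->
</web-app>
```

A JSP that calls LoginContext.login() itself, like the quoted login.jsp, authenticates a Subject but never passes through the container's own login, which is consistent with the null getRemoteUser() and getUserPrincipal() results reported in the thread.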

RE: [flexcoders] Re: setUsernamePassword and J2EE login (bounce)

2006-02-15 Thread Matt Chotin
Based on your results (and without me trying anything or digging too
much) it does seem like when JBoss uses your module it is not storing
the principal.  For JBoss are you using Tomcat as the web container?
Check the resources we shipped with 1.5 and see if the Tomcat login
adapter might provide what you need rather than approaching with JAAS?

-Original Message-
From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
Behalf Of Jim Schneider
Sent: Wednesday, February 15, 2006 11:28 AM
To: flexcoders@yahoogroups.com
Subject: RE: [flexcoders] Re: setUsernamePassword and J2EE login
(bounce)

Thanks for the info. 

First, let me clarify that this is not how we intend to do login/auth. I was
merely trying to get the LoginModule to fire without going through any
server-side/flex/proxy.

Does this process only work if we try to access a restricted resource? That
is, if the first screen in my Flex app is the login page, can I post the
form to one of my own services (remote object), manually do the
handler/loginContext process as described in login.jsp below? Or does it
need to be posted to this j_security_check? If this login module/context
succeeds (login/commit), does it matter whether this was called through my
own code or from this mysterious j_security_check? (BTW, what is
j_security_check? A jsp, url to servlet handled by container,  I can do
the search on this myself, but if you want to answer, I'd certainly read it
:-))

Is there some standard way of handling an app that requires the user to
login prior to doing anything? For example, I see the app being launched
from a link/button on our web site. I want the login page to display. Do we
have this link/button point to some fake (or real) protected resource to
kick off the auth process?

As always, thanks for the education.

Jim

-
Jim Schneider
KJ Interactive, Inc.
1-877-370-6906
1-612-605-5399
