Re: JAAS Auth
Costin Manolache wrote: Hi, I'm close to get JAAS realm and the memory LoginModule working - if I remember correctly we agreed to make JAAS the default for 5.0 ( I don't remember any objections ). What about authorization :-) Righ now, the Realm implementation includes the 3 authorization methods: - hasRole - hasUserDataPermission - hasResourcePermission Those methods are currently implemented in RealmBase. Are you moving them also? If yes, then the autorization stuff I'm working on (based on our previous discussion) will have to move there (I'm slowly slowly coming with an implementation ;-) ). I never tried it in 4.x - but from the code and code I strongly doubt it works. There is one change I would like to make. As you know, JAAS login modules return a Subject and a set of Principals. There is no clear way to decide which Principals are Roles - so we currently require the user to configure the realm with the list of classes that are role principals. In addition to that, I would like to support a different pattern - used in JBoss - which seems much cleaner and logical. If a Principal of type java.security.acl.Group is found - named Roles - we'll treat all the Principlas in that Group as roles. ( the old mechanism should still be supported, of course ) +1 We will have to document this new feature. I see lot of question on tomcat-user. The other problem: I think we should move the catalina-indepedent JAAS code in a separate module, for example j-t-c/jaas. That would include SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc LoginModules if anyone has the time to make the conversion. It's not a big priority, but it'll clean up the code deps and maybe the code could be reused. +1 Opinions ? Votes ? +1 -- Jeanfrancois Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JAAS Auth
Jeanfrancois Arcand wrote: Hi, I'm close to get JAAS realm and the memory LoginModule working - if I remember correctly we agreed to make JAAS the default for 5.0 ( I don't remember any objections ). What about authorization :-) Righ now, the Realm implementation includes the 3 authorization methods: - hasRole - hasUserDataPermission - hasResourcePermission Those methods are currently implemented in RealmBase. Are you moving them also? I don't think so. Those are specific to tomcat - not to JAAS. My thinking was to have generic, common-like stuff that can be used with any app using JAAS. One of the requirements will be to return the Principals associated with the Subject in a certain way - i.e. in a Group named Roles. Or some other pattern we can support. hasRole can be implemented on top of this, the other 2 are a different story. If a Principal of type java.security.acl.Group is found - named Roles - we'll treat all the Principlas in that Group as roles. ( the old mechanism should still be supported, of course ) +1 We will have to document this new feature. I see lot of question on tomcat-user. Actually - another idea would be to return a Group ( which extends Principal) from getUserPrincipal(). The name of the group will be the same as the primary identity ( the username ), so all code will get the same behavior as today ( when we return the GenericPrincipal - but nobody can call the methods since it can't cast ). Since it is a group and it can be cast, users will also be able to get info about the roles. Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JAAS Auth
Hi, I'm close to get JAAS realm and the memory LoginModule working - if I remember correctly we agreed to make JAAS the default for 5.0 ( I don't remember any objections ). I never tried it in 4.x - but from the code and code I strongly doubt it works. There is one change I would like to make. As you know, JAAS login modules return a Subject and a set of Principals. There is no clear way to decide which Principals are Roles - so we currently require the user to configure the realm with the list of classes that are role principals. In addition to that, I would like to support a different pattern - used in JBoss - which seems much cleaner and logical. If a Principal of type java.security.acl.Group is found - named Roles - we'll treat all the Principlas in that Group as roles. ( the old mechanism should still be supported, of course ) The other problem: I think we should move the catalina-indepedent JAAS code in a separate module, for example j-t-c/jaas. That would include SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc LoginModules if anyone has the time to make the conversion. It's not a big priority, but it'll clean up the code deps and maybe the code could be reused. Opinions ? Votes ? Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JAAS Auth
Just an FYI: In JBoss JAAS doesn't really work as expected, if you log in under a context say mywar | -protected -unprotected then getPrincipal() returns null for the unprotected subcontext(directory), but returns the principal under the secured subcontext. we don't want that to happen to us, do we :)) Filip -Original Message- From: Costin Manolache [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 11, 2003 5:31 PM To: [EMAIL PROTECTED] Subject: JAAS Auth Hi, I'm close to get JAAS realm and the memory LoginModule working - if I remember correctly we agreed to make JAAS the default for 5.0 ( I don't remember any objections ). I never tried it in 4.x - but from the code and code I strongly doubt it works. There is one change I would like to make. As you know, JAAS login modules return a Subject and a set of Principals. There is no clear way to decide which Principals are Roles - so we currently require the user to configure the realm with the list of classes that are role principals. In addition to that, I would like to support a different pattern - used in JBoss - which seems much cleaner and logical. If a Principal of type java.security.acl.Group is found - named Roles - we'll treat all the Principlas in that Group as roles. ( the old mechanism should still be supported, of course ) The other problem: I think we should move the catalina-indepedent JAAS code in a separate module, for example j-t-c/jaas. That would include SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc LoginModules if anyone has the time to make the conversion. It's not a big priority, but it'll clean up the code deps and maybe the code could be reused. Opinions ? Votes ? Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JAAS Auth
Costin, Sorry to mail you directly, but this doesn't seem like a major group discussion kind of thing. At work I'm doing a project that has an interesting set of criteria for user authentication that I haven't really seen a way to do with JAAS readily. Basically it boils down to this, a user has a userid, a password, and a potential 'secondary' password. What I haven't been able to figure out is if there would be a way through realms to implement this type of authentication scheme. This is really just a wonder how it could be done question and if you have no time to possibly give me some thoughts no big deal. Thanks for any ideas on how this /might/ be done if you get some time. --Dave - Original Message - From: Costin Manolache [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, March 11, 2003 20:31 Subject: JAAS Auth Hi, I'm close to get JAAS realm and the memory LoginModule working - if I remember correctly we agreed to make JAAS the default for 5.0 ( I don't remember any objections ). I never tried it in 4.x - but from the code and code I strongly doubt it works. There is one change I would like to make. As you know, JAAS login modules return a Subject and a set of Principals. There is no clear way to decide which Principals are Roles - so we currently require the user to configure the realm with the list of classes that are role principals. In addition to that, I would like to support a different pattern - used in JBoss - which seems much cleaner and logical. If a Principal of type java.security.acl.Group is found - named Roles - we'll treat all the Principlas in that Group as roles. ( the old mechanism should still be supported, of course ) The other problem: I think we should move the catalina-indepedent JAAS code in a separate module, for example j-t-c/jaas. That would include SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc LoginModules if anyone has the time to make the conversion. It's not a big priority, but it'll clean up the code deps and maybe the code could be reused. Opinions ? Votes ? Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JAAS Auth
Filip Hanik wrote: Just an FYI: In JBoss JAAS doesn't really work as expected, if you log in under a context say mywar | -protected -unprotected then getPrincipal() returns null for the unprotected subcontext(directory), but returns the principal under the secured subcontext. we don't want that to happen to us, do we :)) I don't think we'll be affected :-), but it may fix the jboss bug ( if they switch to using the built-in tomcat JAAS realm ) Costin Filip -Original Message- From: Costin Manolache [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 11, 2003 5:31 PM To: [EMAIL PROTECTED] Subject: JAAS Auth Hi, I'm close to get JAAS realm and the memory LoginModule working - if I remember correctly we agreed to make JAAS the default for 5.0 ( I don't remember any objections ). I never tried it in 4.x - but from the code and code I strongly doubt it works. There is one change I would like to make. As you know, JAAS login modules return a Subject and a set of Principals. There is no clear way to decide which Principals are Roles - so we currently require the user to configure the realm with the list of classes that are role principals. In addition to that, I would like to support a different pattern - used in JBoss - which seems much cleaner and logical. If a Principal of type java.security.acl.Group is found - named Roles - we'll treat all the Principlas in that Group as roles. ( the old mechanism should still be supported, of course ) The other problem: I think we should move the catalina-indepedent JAAS code in a separate module, for example j-t-c/jaas. That would include SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc LoginModules if anyone has the time to make the conversion. It's not a big priority, but it'll clean up the code deps and maybe the code could be reused. Opinions ? Votes ? Costin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]