Tomcat - JAAS - getting users ip address
Hi all,

to authenticate a client I am using Tomcat 5, j_security and JAAS. Is it possible to get the IP address of the actual client within the JAAS module (like getRemoteAddress in JSP)?

If not: is it possible to extend j_security in such a way that my_j_security sets a *callback* with the client IP address, so that I can grab the IP address in my JAAS module?

Another question: in which scope is JAAS running (application, session, request)?

Thanks
--
Franck

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JAAS Configuration Issue
Hi there!

I'm using Tomcat 5.5.9 and JDK 1.5.0 and I was trying to implement a JAAS authentication mechanism for my webapps. I followed some tutorials and the Tomcat 5.5 JAASRealm configuration and I did it that way. I updated the java.policy file with the following lines:

    grant codeBase "file:/usr/local/java/server/tomcat/*" {
        permission java.security.AllPermission;
    };

Now I try to start Tomcat with the -security flag and I get a long stack trace of exceptions. This is how it begins:

    WARN - MethodUtils.getMatchingAccessibleMethod(583) | Cannot use JVM pre-1.4access bug workaround die to restrictive security manager.
    Sep 6, 2005 7:16:55 PM org.apache.catalina.core.StandardContext start
    SEVERE: Error filterStart
    Sep 6, 2005 7:16:55 PM org.apache.catalina.core.StandardContext start
    SEVERE: Context [/balancer] startup failed due to previous errors
    Sep 6, 2005 7:16:56 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    Sep 6, 2005 7:16:56 PM org.apache.catalina.core.StandardPipeline registerValve
    INFO: Can't register valve [EMAIL PROTECTED]
    org.apache.commons.logging.LogConfigurationException: java.lang.ExceptionInInitializerError (Caused by java.lang.ExceptionInInitializerError)
        at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:538)
        at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:235)
        at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:370)
        at org.apache.catalina.core.ContainerBase.getLogger(ContainerBase.java:380)
        at org.apache.catalina.valves.ValveBase.createObjectName(ValveBase.java:242)
        at org.apache.catalina.core.StandardPipeline.registerValve(StandardPipeline.java:296)
        at org.apache.catalina.core.StandardPipeline.start(StandardPipeline.java:233)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4045)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
        at org.apache.catalina.core.StandardService.start(StandardService.java:450)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Caused by: java.lang.ExceptionInInitializerError
        at org.apache.log4j.Logger.getLogger(Logger.java:94)
        at org.apache.commons.logging.impl.Log4JLogger.getLogger(Log4JLogger.java:229)
        at org.apache.commons.logging.impl.Log4JLogger.<init>(Log4JLogger.java:65)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
        at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:529)
        ... 20 more
    Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /var/log/tomcat/www.interlogical.com.log write)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
        at java.security.AccessController.checkPermission(AccessController.java:427)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:169)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:102)
        at org.apache.log4j.FileAppender.setFile(FileAppender.java:273)
        at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:152)
        at org.apache.log4j.DailyRollingFileAppender.activateOptions(DailyRollingFileAppender.java:206)
        at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:247)
        at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:123)
        at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:87)
        at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:645)
        at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:603)
        at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:500)
        at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:406)
        at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:432
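An added example, not part of the original post: a policy codeBase ending in `/*` matches only classes and JARs directly in that directory, while `/-` also matches everything in its subdirectories, so it is worth checking which code locations a grant like the one above really covers. The check below uses `java.security.CodeSource.implies`; the JAR and class locations under the Tomcat directory are an assumed layout, and the thread does not establish whether this is what caused the poster's `AccessControlException`.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatchDemo {

    /** True if a policy grant with this codeBase applies to code loaded from codeLocation. */
    static boolean covers(String grantCodeBase, String codeLocation) throws Exception {
        CodeSource grant = new CodeSource(URI.create(grantCodeBase).toURL(), (Certificate[]) null);
        CodeSource code = new CodeSource(URI.create(codeLocation).toURL(), (Certificate[]) null);
        return grant.implies(code);
    }

    public static void main(String[] args) throws Exception {
        String base = "file:/usr/local/java/server/tomcat/";   // directory named in the post
        String[] grants = { base + "*", base + "-" };           // "*" = direct children, "-" = recursive
        // Assumed locations of code below that directory (not taken from the post).
        String[] locations = {
            base + "bootstrap.jar",
            base + "bin/bootstrap.jar",
            base + "common/lib/log4j.jar",
            base + "webapps/balancer/WEB-INF/classes/",
        };
        for (String g : grants) {
            System.out.println("grant codeBase \"" + g + "\"");
            for (String l : locations) {
                System.out.printf("  %-12s %s%n", covers(g, l) ? "covered" : "NOT covered", l);
            }
        }
    }
}
```

Under a security manager every code source on the call stack needs the permission, so one uncovered JAR is enough to deny the write. A narrower alternative to `AllPermission` is a `java.io.FilePermission` grant for the log file to the codeBase that holds the logging library.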
Re: JAAS - public Credentials and ip address
Hi Wendy,

Thanks for your answer.

I am trying to implement a JAAS-module that can authenticate a user with username/password and his/her ip-address. To get the username and password is straightforward. My problem is that I don't know how to get the ip-address of the user. (I am newbie concerning JAAS, so please don't laugh if I say stupid things :-). Is it possible to use the public credentials to get the ip-address of the current user trying to authenticate?

I believe this would be done with an additional CallbackHandler. Unfortunately, the docs say that JAASRealm only recognizes 'NameCallback' and 'PasswordCallback' at present. http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

Yes, that's what I am finding too after reading a lot of material :-).

--
Franck
jaas configuration file environment vars
Hi,

Does anyone know if the jaas configuration file can read parameters from the env (something like 'option=${var}'), if not, how can I achieve this effect (without recreating the file every time I launch)

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
JAAS - public Credentials and ip address
Hi,

I am trying to implement a JAAS-module that can authenticate a user with username/password and his/her ip-address. To get the username and password is straightforward. My problem is that I don't know how to get the ip-address of the user. (I am newbie concerning JAAS, so please don't laugh if I say stupid things :-). Is it possible to use the public credentials to get the ip-address of the current user trying to authenticate?

Thanks for answering me

--
Franck Borel
Re: JAAS - public Credentials and ip address
From: Franck Borel [EMAIL PROTECTED]

I am trying to implement a JAAS-module that can authenticate a user with username/password and his/her ip-address. To get the username and password is straightforward. My problem is that I don't know how to get the ip-address of the user. (I am newbie concerning JAAS, so please don't laugh if I say stupid things :-). Is it possible to use the public credentials to get the ip-address of the current user trying to authenticate?

I believe this would be done with an additional CallbackHandler. Unfortunately, the docs say that JAASRealm only recognizes 'NameCallback' and 'PasswordCallback' at present.

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

--
Wendy Smoak
problems setting up jaas
I'm using Tomcat 5.5 and want to setup JAAS based authentication. I'm using jbosssx for the LoginModule implementations. The jboss implementation is activated when I try to login, but throws a NameNotFoundException:

    javax.security.auth.login.LoginException: javax.naming.NameNotFoundException: Name QrmDS is not bound in this Context

Thanx for your help,
Ittay

my server.xml is:

    <GlobalNamingResources>
      <!-- Test entry for demonstration purposes -->
      <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
      <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -->
      <Resource name="UserDatabase" auth="Container"
                type="org.apache.catalina.UserDatabase"
                description="User database that can be updated and saved"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                pathname="conf/tomcat-users.xml" />
      <Resource name="QrmDS" auth="Container" type="javax.sql.DataSource"
                maxActive="30" maxIdle="5" maxWait="15"
                username="qrm" password="qrm_99"
                driverClassName="com.mysql.jdbc.Driver"
                url="jdbc:mysql://localhost:3306/qrm"
                zeroDateTimeBehavior="convertToNull" useServerPrepStmts="false"
                autoReconnect="true" failOverReadOnly="false" />
    </GlobalNamingResources>
    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
             appName="qrm"
             userClassNames="org.jboss.security.SimplePrincipal"
             roleClassNames="org.jboss.security.SimpleGroup" />

and this is my jaas.config:

    qrm {
        org.jboss.security.auth.spi.DatabaseServerLoginModule required
            debug=true
            dsJndiName="java:/QrmDS"
            principalsQuery="select user_password from qrm_users where user_name=?"
            rolesQuery="select qrm_roles.role_name, 'Roles' from qrm_users,qrm_roles,qrm_users_roles where user_name=? and qrm_users.id = qrm_users_roles.user_id and qrm_roles.id = qrm_users_roles.role_id"
            unauthenticatedIdentity=guest;
    };

    client-login {
        org.jboss.security.ClientLoginModule required;
    };

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
instructions for setting up jaas over db in tomcat
Hi,

I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
Re: instructions for setting up jaas over db in tomcat
I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

It took some research, but I finally got it to work.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay
Re: instructions for setting up jaas over db in tomcat
Robert Taylor wrote:

I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

doesn't contain whether i can put 'Realm' in ROOT.xml
doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.

It took some research, but I finally got it to work.

my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
Re: instructions for setting up jaas over db in tomcat
btw, i also need authentication vs an ldap server

thanx,
ittay

Ittay Dror wrote:

Robert Taylor wrote:

I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

doesn't contain whether i can put 'Realm' in ROOT.xml
doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.

It took some research, but I finally got it to work.

my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
Re: instructions for setting up jaas over db in tomcat
Have you read anything here? http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnOnly.html

/robert

Ittay Dror wrote:

Robert Taylor wrote:

I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

doesn't contain whether i can put 'Realm' in ROOT.xml
doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.

It took some research, but I finally got it to work.

my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay
Re: instructions for setting up jaas over db in tomcat
From: Ittay Dror [EMAIL PROTECTED]

btw, i also need authentication vs an ldap server

I recently got JAASRealm and Sun's Krb5LoginModule (Kerberos Authentication) to work for the JSP examples that ship with Tomcat... this may save you some pain: http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatJspExamples

You'll have to figure out what to put in jaas.conf and find a LoginModule for LDAP, but other than that the pieces should fit together the same way.

--
Wendy Smoak
RE: instructions for setting up jaas over db in tomcat
tomcat website has a server configuration link and it states for every element in the server.xml which sub elements are possible. along with knowledge of JAAS you have to acquire alone and the JAAS Realm configuration link you have been given, i would say you are set.

-Original Message-
From: Ittay Dror [mailto:[EMAIL PROTECTED]
Sent: Monday, August 29, 2005 10:48 PM
To: Tomcat Users List
Subject: Re: instructions for setting up jaas over db in tomcat

Robert Taylor wrote:

I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

doesn't contain whether i can put 'Realm' in ROOT.xml
doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.

It took some research, but I finally got it to work.

my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
Re: instructions for setting up jaas over db in tomcat
Guy Katz wrote:

tomcat website has a server configuration link and it states for every element in the server.xml which sub elements are possible. along with knowledge of JAAS you have to acquire alone and the JAAS Realm configuration link you have been given, i would say you are set.

can i put the Realm statement in Catalina/localhost/ROOT.xml?

-Original Message-
From: Ittay Dror [mailto:[EMAIL PROTECTED]
Sent: Monday, August 29, 2005 10:48 PM
To: Tomcat Users List
Subject: Re: instructions for setting up jaas over db in tomcat

Robert Taylor wrote:

I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

doesn't contain whether i can put 'Realm' in ROOT.xml
doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.

It took some research, but I finally got it to work.

my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
RE: instructions for setting up jaas over db in tomcat
if the Realm element can reside inside the elements in the root.xml (specifically the Context element) then yes. you can check this in the server.xml configuration docs on the tomcat website.

-Original Message-
From: Ittay Dror [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 30, 2005 7:49 AM
To: Tomcat Users List
Subject: Re: instructions for setting up jaas over db in tomcat

Guy Katz wrote:

tomcat website has a server configuration link and it states for every element in the server.xml which sub elements are possible. along with knowledge of JAAS you have to acquire alone and the JAAS Realm configuration link you have been given, i would say you are set.

can i put the Realm statement in Catalina/localhost/ROOT.xml?

-Original Message-
From: Ittay Dror [mailto:[EMAIL PROTECTED]
Sent: Monday, August 29, 2005 10:48 PM
To: Tomcat Users List
Subject: Re: instructions for setting up jaas over db in tomcat

Robert Taylor wrote:

I used the following link: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

doesn't contain whether i can put 'Realm' in ROOT.xml
doesn't say anything about where to get a LoginModule implementation, or how to config jaas.config.

It took some research, but I finally got it to work.

my point exactly. i believe every person setting up tomcat does this research and i wondered if anyone created a guide.

/robert

Ittay Dror wrote:

Hi, I haven't found anywhere step-by-step instructions or reference code on how to set up jaas. Please help me with this as I'm very much lost.

What I need:
- authentication vs a DB
- a ROOT webapp
- tomcat 5.5
- where to put the 'Realm' element (can it be in conf/Catalina/localhost/ROOT.xml?)
- what to put inside jaas.config
- where to get an implementation of a login module. tagish isn't good for me since they require a specific db schema (i'm porting an existing application). Is there a standalone package with jboss's implementations?

Thanx,
Ittay

--
=== Ittay Dror ([EMAIL PROTECTED]) Application Team Leader, RD Qlusters Inc. +972-3-6081994 Fax: +972-3-6081841
howto configure JAAS+SSO
hello!

I'm trying to configure two webapps (slide and jetspeed2) for single-sign-on in the same tomcat instance. Both apps use JAAS and come with their own JAAS login modules. Is it possible to configure these (any?) two apps to share login info with JAAS.

I started reading the JAAS docs recently and I tried putting the two login modules into one JAAS login context, but that does not seem to work, because the login module classes won't instantiate properly due to dependencies to their respective webapps.

Can SSO be achieved without having the apps share one login context? Will I have to write my own login module(s)? Should I use a (completely) different approach to get SSO?

Thanks for any help/advice.
Edmund
RE: howto configure JAAS+SSO
Hi Edmund.

I am sorry but I don't know much about SSO. However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject.

What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own isUserInRole against the Subject that the LoginModule returns (By placing it in the session)

If you want some code, taken from Wendy Smoak and others I can provide.

-Original Message-
From: Edmund Urbani [mailto:[EMAIL PROTECTED]
Sent: 16 August 2005 13:14
To: Tomcat Users List
Subject: howto configure JAAS+SSO

hello!

I'm trying to configure two webapps (slide and jetspeed2) for single-sign-on in the same tomcat instance. Both apps use JAAS and come with their own JAAS login modules. Is it possible to configure these (any?) two apps to share login info with JAAS.

I started reading the JAAS docs recently and I tried putting the two login modules into one JAAS login context, but that does not seem to work, because the login module classes won't instantiate properly due to dependencies to their respective webapps.

Can SSO be achieved without having the apps share one login context? Will I have to write my own login module(s)? Should I use a (completely) different approach to get SSO?

Thanks for any help/advice.
Edmund
Re: howto configure JAAS+SSO
Mark Benussi wrote:

Hi Edmund. I am sorry but I don't know much about SSO. However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject.

What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own isUserInRole against the Subject that the LoginModule returns (By placing it in the session)

If you want some code, taken from Wendy Smoak and others I can provide.

thanks. I'm currently considering to write my own login module in order to share authentication data across login contexts. i would need to access session cookies from the module and i'm not sure how/if this can be done yet.

i've never written a requestwrapper myself, so i can't really tell how hard/complicated that would be. i'd be glad, if you could provide me with some code to look at. that could certainly help me decide on how to go on about that SSO requirement.

Edmund
RE: howto configure JAAS+SSO [Apologies code attached]
1. Filter to go in web.xml

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    /**
     * {@link javax.servlet.Filter Filter} to override the HttpServletRequest and
     * override isUserInRole() using the
     * {@link com.ibt.framework.security.tomcat.HttpServletRequestWrapper HttpServletRequestWrapper}
     *
     * @author Mark Benussi
     */
    public class HttpServletRequestFilter implements Filter {

        /**
         * @see javax.servlet.Filter#destroy()
         */
        public void destroy() {
        }

        /**
         * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
         *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
         */
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper(
                    httpServletRequest);
            chain.doFilter(wrappedRequest, response);
        }

        /**
         * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
         */
        public void init(FilterConfig config) throws ServletException {
        }
    }

2. Request wrapper

    import javax.security.auth.Subject;
    import javax.servlet.http.HttpServletRequest;

    /**
     * Wraps the {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
     *
     * @author Mark Benussi
     */
    public class HttpServletRequestWrapper extends
            javax.servlet.http.HttpServletRequestWrapper {

        /**
         * The original {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
         */
        private HttpServletRequest request = null;

        /**
         * Helper to manage any common security methods
         * (SecurityHelper is not included in this post)
         */
        private static SecurityHelper jaasHelper = null;

        /**
         * Default constructor
         *
         * @param request
         *            The original {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
         */
        public HttpServletRequestWrapper(HttpServletRequest request) {
            super(request);
            if (jaasHelper == null) {
                jaasHelper = new SecurityHelper();
            }
            this.request = request;
        }

        /**
         * @see javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
         */
        public boolean isUserInRole(String role) {
            Subject subject = jaasHelper.getSessionSubject(request, false);
            return jaasHelper.isSubjectInRole(subject, role);
        }
    }

3. When you call your LoginModule get the Subject and place in the session and then write your own code to validate the Subject has the role required.

4. As for passing the session to your LoginModule, which I wouldn't do in a puristic way as the LoginModule should be able to be used by a Swing app just as much as a web app. Construct a CallBackHandler with the username and password but also with the session or request. Then in your loginmodule you will have access to the request/session when you invoke handle callback

-Original Message-
From: Edmund Urbani [mailto:[EMAIL PROTECTED]
Sent: 16 August 2005 15:14
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO

Mark Benussi wrote:

Hi Edmund. I am sorry but I don't know much about SSO. However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject.

What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own isUserInRole against the Subject that the LoginModule returns (By placing it in the session)

If you want some code, taken from Wendy Smoak and others I can provide.

thanks. I'm currently considering to write my own login module in order to share authentication data across login contexts. i would need to access session cookies from the module and i'm not sure how/if this can be done yet.

i've never written a requestwrapper myself, so i can't really tell how hard/complicated that would be. i'd be glad, if you could provide me with some code to look at. that could certainly help me decide on how to go on about that SSO requirement.

Edmund
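Point 4 above, and the earlier question about getting the client address into a JAAS module, as an added example that is not part of the original post: a CallbackHandler that carries the remote address alongside username and password, and a LoginModule that requests it. `RemoteAddressCallback`, `WebCallbackHandler`, `AddressAwareLoginModule`, the `allowedAddress` option, the addresses and the credentials are all hypothetical or constructed; since JAASRealm only answers NameCallback and PasswordCallback, this applies when the application creates the LoginContext itself.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RemoteAddrLoginDemo {
    /** Hypothetical callback: the module asks the handler for the caller's address. */
    public static class RemoteAddressCallback implements Callback {
        private String remoteAddress;
        public void setRemoteAddress(String a) { remoteAddress = a; }
        public String getRemoteAddress() { return remoteAddress; }
    }

    /** Built per login attempt; a servlet would pass request.getRemoteAddr() as remoteAddr. */
    public static class WebCallbackHandler implements CallbackHandler {
        private final String user, remoteAddr;
        private final char[] password;
        public WebCallbackHandler(String user, char[] password, String remoteAddr) {
            this.user = user; this.password = password; this.remoteAddr = remoteAddr;
        }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else if (cb instanceof RemoteAddressCallback) ((RemoteAddressCallback) cb).setRemoteAddress(remoteAddr);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Accepts the constructed demo account only from the address in the "allowedAddress" option. */
    public static class AddressAwareLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String allowedAddress;
        private Principal principal;
        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.allowedAddress = (String) options.get("allowedAddress");
        }
        @Override public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pw = new PasswordCallback("password: ", false);
            RemoteAddressCallback addr = new RemoteAddressCallback();
            try {
                handler.handle(new Callback[] { name, pw, addr });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] supplied = pw.getPassword();
            pw.clearPassword();
            boolean passwordOk = supplied != null && MessageDigest.isEqual(   // constant-time compare
                new String(supplied).getBytes(StandardCharsets.UTF_8),
                "s3cret".getBytes(StandardCharsets.UTF_8));                   // constructed credential
            boolean addressOk = allowedAddress != null && allowedAddress.equals(addr.getRemoteAddress());
            String user = name.getName();
            if (!"alice".equals(user) || !passwordOk || !addressOk) {         // fails closed
                throw new FailedLoginException("login rejected");
            }
            principal = () -> user;
            return true;
        }
        @Override public boolean commit() { subject.getPrincipals().add(principal); return true; }
        @Override public boolean abort() { principal = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    /** Runs one login through a LoginContext that the application creates itself. */
    static boolean tryLogin(String user, String password, String remoteAddr) {
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    AddressAwareLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("allowedAddress", "192.0.2.10")) };
            }
        };
        try {
            new LoginContext("demo", new Subject(),
                new WebCallbackHandler(user, password.toCharArray(), remoteAddr), config).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("expected address: " + tryLogin("alice", "s3cret", "192.0.2.10"));
        System.out.println("other address:    " + tryLogin("alice", "s3cret", "198.51.100.7"));
    }
}
```

Behind a reverse proxy `getRemoteAddr()` returns the proxy's address, and a forwarded-for header is supplied by the client unless the proxy overwrites it, so an address check like this is only as trustworthy as the component that sets the value.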
Re: howto configure JAAS+SSO [Apologies code attached]
Mark Benussi wrote:

1. Filter to go in web.xml

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    /**
     * {@link javax.servlet.Filter Filter} to override the HttpServletRequest and
     * override isUserInRole() using the
     * {@link com.ibt.framework.security.tomcat.HttpServletRequestWrapper HttpServletRequestWrapper}
     *
     * @author Mark Benussi
     */
    public class HttpServletRequestFilter implements Filter {

        /**
         * @see javax.servlet.Filter#destroy()
         */
        public void destroy() {
        }

        /**
         * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
         *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
         */
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            // Wrap every request so that isUserInRole() is answered from the session Subject
            HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper(
                    httpServletRequest);
            chain.doFilter(wrappedRequest, response);
        }

        /**
         * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
         */
        public void init(FilterConfig config) throws ServletException {
        }
    }

2. Request wrapper

    import javax.security.auth.Subject;
    import javax.servlet.http.HttpServletRequest;

    /**
     * Wraps the {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
     * @author Mark Benussi
     */
    public class HttpServletRequestWrapper extends
            javax.servlet.http.HttpServletRequestWrapper {

        /**
         * The original {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
         */
        private HttpServletRequest request = null;

        /**
         * Helper to manage any common security methods
         * (SecurityHelper is the poster's own class; its source was not posted)
         */
        private static SecurityHelper jaasHelper = null;

        /**
         * Default constructor
         *
         * @param request
         *            The original {@link javax.servlet.http.HttpServletRequest HttpServletRequest}
         */
        public HttpServletRequestWrapper(HttpServletRequest request) {
            super(request);
            if (jaasHelper == null) {
                jaasHelper = new SecurityHelper();
            }
            this.request = request;
        }

        /**
         * @see javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
         */
        public boolean isUserInRole(String role) {
            // Authorise against the Subject stored in the session after login
            Subject subject = jaasHelper.getSessionSubject(request, false);
            return jaasHelper.isSubjectInRole(subject, role);
        }
    }

3. When you call your LoginModule get the Subject and place in the session and then write your own code to validate the Subject has the role required.

4. As for passing the session to your LoginModule, which I wouldn't do in a puristic way as the LoginModule should be able to be used by a Swing app just as much as a web app.

well. my login module would be for the very special purpose of making SSO of webapps possible, so i wouldn't have much of a problem with this.

Construct a CallBackHandler with the username and password but also with the session or request. Then in your loginmodule you will have access to the request/session when you invoke handle callback

wow. thanks a lot! the code looks much simpler than i would have expected. i think this will do nicely. :)

Edmund
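The callback approach from point 4 above, as an added example that is not part of the original posts: a hypothetical ClientAddressCallback carries only the client address (the value request.getRemoteAddr() would supply in a servlet) from the CallbackHandler into the LoginModule, so the module needs no servlet classes. All class names, the constructed credentials and the programmatic Configuration are assumptions made for this demo.

```java
import com.sun.security.auth.UserPrincipal; // JDK-provided Principal (module jdk.security.auth)
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RequestAwareLoginDemo {

    /** Hypothetical callback: the module uses it to ask the web tier for the client address. */
    public static class ClientAddressCallback implements Callback {
        private String address;
        public String getAddress() { return address; }
        public void setAddress(String address) { this.address = address; }
    }

    /** Built per login attempt; in a servlet the address comes from request.getRemoteAddr(). */
    public static class WebCallbackHandler implements CallbackHandler {
        private final String user, address;
        private final char[] password;
        public WebCallbackHandler(String user, char[] password, String address) {
            this.user = user; this.password = password; this.address = address;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else if (cb instanceof ClientAddressCallback) ((ClientAddressCallback) cb).setAddress(address);
                else throw new UnsupportedCallbackException(cb); // never silently skip a callback
            }
        }
    }

    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pw = new PasswordCallback("password: ", false);
            ClientAddressCallback addr = new ClientAddressCallback();
            try {
                handler.handle(new Callback[] { name, pw, addr });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback handler failed: " + e);
            }
            char[] supplied = pw.getPassword();   // getPassword() returns a copy
            pw.clearPassword();                   // wipe the callback's internal copy
            // Constructed credential check; a real module queries its user store here.
            boolean ok = "alice".equals(name.getName()) && supplied != null
                    && Arrays.equals(supplied, "example-password".toCharArray());
            if (supplied != null) Arrays.fill(supplied, '\0');
            if (!ok) {
                // The client address is now available for audit logging or lockout decisions.
                System.err.println("login failed for " + name.getName() + " from " + addr.getAddress());
                throw new FailedLoginException("bad credentials");
            }
            user = name.getName();
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new UserPrincipal(user)); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic JAAS configuration, so no -Djava.security.auth.login.config file is needed. */
    static Subject login(String user, String password, String address) throws LoginException {
        final AppConfigurationEntry entry = new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap());
        Configuration config = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext context = new LoginContext("Demo", new Subject(),
                new WebCallbackHandler(user, password.toCharArray(), address), config);
        context.login();
        return context.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; 192.0.2.10 is a documentation address (RFC 5737).
        System.out.println(login("alice", "example-password", "192.0.2.10").getPrincipals());
        try {
            login("alice", "wrong-password", "192.0.2.10");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a web application the handler would be constructed inside the login servlet or action, and the Subject returned by the LoginContext stored in the session as the posts above describe.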
Re: howto configure JAAS+SSO
From: Mark Benussi [EMAIL PROTECTED]

However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject.

Can you explain more about this? I just _finally_ got the jsp-examples webapp that ships with Tomcat changed over to Kerberos authentication. Am I about to run into problems?

What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own isUserInRole against the Subject that the LoginModule returns (By placing it in the session) If you want some code, taken from Wendy Smoak ...

... who took it from one of Craig's tomcat-user posts. ;)

http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

--
Wendy Smoak
RE: howto configure JAAS+SSO
Hi Wendy,

Sure I can explain what happens but not why.

When you call the LoginModule with an optional Subject and CallBack the code works fine for me, i.e. it calls the LoginModule and I do everything I need, placing the Principals into the Subject.

However... and this is where I don't want to say anything sweeping in case I have just simply misunderstood, the Subject that is authenticated via the LoginModule has no visibility to Tomcat.

If I could find a way to replace the session Subject with the one passed back from the LoginModule.getSubject() I would be ok, but I couldn't, so I placed the authorised Subject in the session and overrode the request.isUserInRole() to authorise against the Subject I placed in the session.

One of these days I might ask the Tomcat dev list what I was doing wrong but got comments from other developers saying they had the same problem [All the JAAS examples do it the way I have described in some shape or form]

It's not that big a deal, and if you just use the Request wrapper I have attached you know that in the future you can remove the filter if you go to WebSphere or something like that.

-Original Message-
From: Wendy Smoak [mailto:[EMAIL PROTECTED]
Sent: 16 August 2005 17:44
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO

From: Mark Benussi [EMAIL PROTECTED]

However I can tell you about JAAS in Tomcat. In 5 certainly there are issues. Essentially when you call the LoginModule to invoke your JAAS config it works but it does not authenticate the proper session Subject.

Can you explain more about this? I just _finally_ got the jsp-examples webapp that ships with Tomcat changed over to Kerberos authentication. Am I about to run into problems?

What you end up doing (Or what I did) was place a request filter in the app that wraps the request with an overridden RequestWrapper and you write your own isUserInRole against the Subject that the LoginModule returns (By placing it in the session) If you want some code, taken from Wendy Smoak ...

... who took it from one of Craig's tomcat-user posts. ;)

http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

--
Wendy Smoak
Last question on JAAS I promise
OK I got JAAS working with form authentication. That worked a treat (After a bit of head banging).

I then moved to invoking the login from Struts (Or a Servlet for Tomcat users who don't use Struts). The code still gets invoked correctly.

    IBTJAASCallbackHandler callbackHandler = new IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword());
    LoginContext context = new LoginContext(IBTJAAS, callbackHandler);
    context.login();

However the request.remoteUser() is now null (Was populated correctly when I used form authentication) and the same for request.isUserInRole() (It returns false, even though the Principal was added to the subject).

Any ideas...?
My first JAAS implementation. A few questions.
I am implementing my first JAAS implementation and have some problems/questions.

Firstly my commit method of my LoginModule does the following (User and Role both implement Principal)

    // Create a new User Principal with the user name retrieved from the NameCallback
    User user = new User(username);
    // Add the principal to the subject
    subject.getPrincipals().add(user);
    for (int i = 0; i < roles.length; i++) {
        // Iterate the role names retrieved from the database lookup
        String roleName = roles[i];
        // Create a new Role Principal with the role name
        Role role = new Role(roleName);
        // Add it to the public credentials to see if it works
        subject.getPublicCredentials().add(role);
        // Add it to the private credentials to see if it works
        subject.getPrivateCredentials().add(role);
    }
    return true;

In the JSP that the application returns to after doing form based authentication the following occurs

    <p>Subject = <%= Subject.getSubject(AccessController.getContext()) %></p>
    <p>Remote User = <%= request.getRemoteUser() %></p>
    <p>User Prinicipal = <%= request.getUserPrincipal() %></p>

But this produces

    Subject = null
    Remote User = administrator
    User Prinicipal = GenericPrincipal[administrator()]

Why is the subject null please? The request.isUserInRole() methods for the role names I added to the subject also return false... has anyone got some helpful ideas please?

If more source is needed I can gladly provide it if it will help
JAAS with EJB
Hi all,

I am using JAAS with EJB, i.e. inside MyLoginModule I use an EJB in order to authenticate the user. When I try to get the Home Interface, I get a ClassCastException in the PortableRemoteObject.narrow method. I use Tomcat 5.0.28 and Jboss4.0.2 (EJB container) running in two separate JVMs.

Best Regards
Amleto Di Salle
JAAS
I've been trying to get the JavaWorld example located at http://www.javaworld.com/javaworld/jw-03-2005/jw-0307-captcha.html working on tomcat v5.5.9 (JDK 1.5) on Linux without any luck. It goes through the authentication process and reports it's assigned the anonymous principal but when I go to access the protected directory again it prompts for the login.jsp page again.

Any ideas guys?

Thanks
Ron
JAAS LoginModule weird error
I've written a JAAS Login Module for my web application that authenticates against a third party (Documentum) content management server. It works fine but it seems to attempt to login once before the dialog is even presented to the user.

The logs show:

    DfPrincipalException:: THREAD: http-443-Processor13; MSG: [DM_API_E_NOUSERNAME]error: No user name have been provided for a connection.
    ... (more authentication failed messages from LoginModule code) ...

Yet I haven't even tried to login yet. I am able to login successfully after this error but it still bothers me that something is causing it to attempt a login before it even presents the dialog.

Any suggestions, solutions would be appreciated.

-Mark
Re: JAAS LoginModule weird error
Might be related to bug 22617 (which has been fixed in CVS).

Mark

Faine, Mark wrote:

I've written a JAAS Login Module for my web application that authenticates against a third party (Documentum) content management server. It works fine but it seems to attempt to login once before the dialog is even presented to the user.

The logs show:

    DfPrincipalException:: THREAD: http-443-Processor13; MSG: [DM_API_E_NOUSERNAME]error: No user name have been provided for a connection.
    ... (more authentication failed messages from LoginModule code) ...

Yet I haven't even tried to login yet. I am able to login successfully after this error but it still bothers me that something is causing it to attempt a login before it even presents the dialog.

Any suggestions, solutions would be appreciated.

-Mark
Why is Tomcat trying to use JAAS?
I've just done a fresh install of Tomcat 5.5.9 and when I start it up I see the following in catalina.out:

    May 18, 2005 4:14:23 PM org.apache.catalina.realm.JAASRealm setContainer
    INFO: Set JAAS app name Catalina

I haven't configured a JAASRealm anywhere -- doing:

    grep -i jaas $(find .)

in $TOMCAT_HOME returns no relevant config entries.

Why is Tomcat trying to use JAAS?

Cheers,
Brandon
slightly OT - JndiLoginModule, JAAS and user bind
Is it possible to use the JndiLoginModule class with JAAS to connect to LDAP when the LDAP server only supports user binds? The LDAP server that I am trying to connect to does not provide user information when connecting anonymously.

Thank you.
How do I Logout using JAAS
I have JAAS implemented and working properly. Except when I attempt to invalidate the session it keeps me logged in. Is this because of SSO? What do I need to do to Logout the user in question?

Thanks
Scotchy
JAAS: LoginConfig file in webapp
The tomcat documentation about JAASRealm suggests passing the location of the JAAS config file as a parameter to the JVM (with JAVA_OPTS=...). It also mentions that there are alternatives.

Can anyone tell me how to place the config file under /WEB-INF of a specific webapp and how to reference it? I don't want to tweak webapp specific things in Tomcat.

Jeroen
Re: JAAS authentication and global realms
Once more, could you send those mails to the tomcat mailing-list and not directly to me ? It helps me to sort my mails and it can benefit more people ...

On Friday 01 April 2005 18.26, you wrote:

My problem is I am not able to understand how to assign roles to a particular user. For example ..After the user is authenticated in the commit() I try to add principal to the subject with the set for roles as..

    subject.getPrincipals().add((principal));

That should be correct.

Though the role shows up under principals for the subject, he fails to be authenticated. Can you please help me. it's a bit urgent. Hope the problem was clear enough) Ops I am trying to use JAAS in Borland Enterprise Server.

How do you check that the roles shows up in the principal ? Do you have an authentication or an authorization problem ? What implementation of Principal are you using ? Could you send the relevant java code ?

Sorry that I'm not able to help you more right now ...

Guillaume

--
Guillaume Lederrey
Rte des Arsenaux 15
1700 Fribourg
+41 76 / 573 32 40
JAAS authentication and global realms
Hello !

I'm trying to use a host wide JAAS Realm. I've written the LoginModule and tested it by declaring the Realm in the <Context/> of one of my apps. This app is not declared in server.xml, but in its own context.xml in /webapps. Everything is working just fine. My LoginModule logs using just System.out.println(), so I find its logs in logs/catalina.out.

When I move the Realm declaration from the context.xml to server.xml (either in the <host/> node or the <Engine/> node) it stops working ... I don't see any logs of any kind ...

What am I doing wrong ? The doc made me think I could just move this Realm around to change its visibility, and that there would be no need to do anything more ...

Thanks for the help.

Guillaume

--
Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
RE : jaas with wlclient.jar returns no principals
Hi,

You have to:

Configure your realm, for example:

    <Realm className="org.apache.catalina.realm.JAASRealm" appName="Sample" userClassNames="weblogic.security.principal.WLSUserImpl" roleClassNames="weblogic.security.principal.WLSGroupImpl" debug="99"/>

In this case you can't easily access the subject.

Configure your jaas config file:

    app { myLoginModule option debug=true params };

Use the system property to declare the jaas login file:

    -Djava.security.auth.login.config=your path

Deploy your wlclient.jar in common/lib.

Configure your webapp to secure urls.

I think that's all.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday 7 February 2005 16:18
To: tomcat-user@jakarta.apache.org
Subject: jaas with wlclient.jar returns no principals

We are developing a j2ee app using tomcat for the web container and weblogic for the ejb container. We are using jaas for authentication with weblogic. When our war is deployed on tomcat, using the wlclient.jar, the jaas authentication returns no principals with the subject. When we deploy our war on weblogic (or test a jaas client using weblogic.jar), the jaas authentication returns principals. What can we do to make the jaas authentication with a war deployed on tomcat work with weblogic?

Using WLClient.jar:

    Subject is: Subject:
    Private Credential: [EMAIL PROTECTED]
    Private Credential: SubjectProxy[23994289]
    Size of Principals: 0
    Principals:

Using Weblogic.jar:

    Subject is: Subject:
    Principal: mjLDAP
    Private Credential: [EMAIL PROTECTED]
    Private Credential: [EMAIL PROTECTED]
    Size of Principals: 1
    Principals: mjLDAP
jaas with wlclient.jar returns no principals
We are developing a j2ee app using tomcat for the web container and weblogic for the ejb container. We are using jaas for authentication with weblogic. When our war is deployed on tomcat, using the wlclient.jar, the jaas authentication returns no principals with the subject. When we deploy our war on weblogic (or test a jaas client using weblogic.jar), the jaas authentication returns principals. What can we do to make the jaas authentication with a war deployed on tomcat work with weblogic?

Using WLClient.jar:

    Subject is: Subject:
    Private Credential: [EMAIL PROTECTED]
    Private Credential: SubjectProxy[23994289]
    Size of Principals: 0
    Principals:

Using Weblogic.jar:

    Subject is: Subject:
    Principal: mjLDAP
    Private Credential: [EMAIL PROTECTED]
    Private Credential: [EMAIL PROTECTED]
    Size of Principals: 1
    Principals: mjLDAP
Problem with JAAS
I'm evaluating an ISP that uses Tomcat to host webapps, and am running into a security problem.

Any webapp that uses FORM authentication triggers an error from JAAS, saying that it can't find a login configuration. I'm certainly not using JAAS, and have just been adding users to the tomcat-users.xml file. I've been able to confirm that this happens with even the simplest apps.

Can anyone give me any idea of what's going on here? My guess is that somehow Tomcat is configured to use JAAS by default, but since I've not used JAAS before now, I'm not sure where to look...

Thanks,
julian in london
RE : Problem with JAAS
Use tomcat env JAVA_OPTS=-Djava.security.auth.login.config=java config file to declare your login module.

-Original Message-
From: Julian Templeman [mailto:[EMAIL PROTECTED]
Sent: Thursday 2 December 2004 09:56
To: [EMAIL PROTECTED]
Subject: Problem with JAAS

I'm evaluating an ISP that uses Tomcat to host webapps, and am running into a security problem.

Any webapp that uses FORM authentication triggers an error from JAAS, saying that it can't find a login configuration. I'm certainly not using JAAS, and have just been adding users to the tomcat-users.xml file. I've been able to confirm that this happens with even the simplest apps.

Can anyone give me any idea of what's going on here? My guess is that somehow Tomcat is configured to use JAAS by default, but since I've not used JAAS before now, I'm not sure where to look...

Thanks,
julian in london
Re: RE : Problem with JAAS
On Thu, 2 Dec 2004 11:36:48 +0100, LERBSCHER Jean-Pierre [EMAIL PROTECTED] wrote:

Use tomcat env JAVA_OPTS=-Djava.security.auth.login.config=java config file to declare your login module.

Thanks... But what I want to know is *why* it wants to use JAAS at all. *I* certainly don't want to have to, because a simple form authentication will work fine for me...

julian
RE : RE : Problem with JAAS
Perhaps because you configure your jaas realm in engine/host configuration.

-Original Message-
From: Julian Templeman [mailto:[EMAIL PROTECTED]
Sent: Thursday 2 December 2004 11:53
To: Tomcat Users List
Subject: Re: RE : Problem with JAAS

On Thu, 2 Dec 2004 11:36:48 +0100, LERBSCHER Jean-Pierre [EMAIL PROTECTED] wrote:

Use tomcat env JAVA_OPTS=-Djava.security.auth.login.config=java config file to declare your login module.

Thanks... But what I want to know is *why* it wants to use JAAS at all. *I* certainly don't want to have to, because a simple form authentication will work fine for me...

julian
Re: Problem with JAAS
On Thu, Dec 02, 2004 at 08:56:26AM +, Julian Templeman wrote:
: I'm evaluating an ISP that uses Tomcat to host webapps, and am running
: into a security problem.
:
: Any webapp that uses FORM authentication triggers an error from JAAS,
: saying that it can't find a login configuration. I'm certainly not
: using JAAS, and have just been adding users to the tomcat-users.xml
: file. I've been able to confirm that this happens with even the
: simplest apps.

What does the ISP support team say? If they can't answer, it's time to find a new host. =)

: Can anyone give me any idea of what's going on here? My guess is that
: somehow Tomcat is configured to use JAAS by default, but since I've
: not used JAAS before now, I'm not sure where to look...

Are you in your own container? If not, you could be tripped up by an errant global setting.

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
Problem Locating JAAS Config File in Tomcat 5.5.x
Hi,

We are having problems running a servlet providing JAAS to our web application. We are using Tomcat 5.5.x and JVM 1.4.2. We can't seem to make the JAAS servlet run because Tomcat can't find the JAAS config file which we've already specified in the JAVA_OPTS env variable.

We are referring to this document to set up our JAAS servlet: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm

regards,
jOjO

--
My Blogs http://www.jroller.com/page/jojopaderes/blog
Pinoy Tech Scene http://pinoytechscene.mparaz.com
PinoyJUG http://www.pinoyjug.ph
RE: FW: Configuring JAAS realm for a web application (Catalina class loader bug)
Quoting Reingold Genna [EMAIL PROTECTED]: Jake, Thanks for our reply. I have tried common/lib scenario. As a matter of fact I have started with that option. However it produces the same result. Well, not the same result when you remove the jar from WEB-INF/lib as I recommended as you seem to have later stated below. I have tried to move ejb-client jar out of of web app. But then I run into the problem when the application uses a class loaded by common class loader and if the class references another class in the WEB_INF/lib jar (a different jar) I get NoClassDefError. Effectively the only safe way to install my application in that scenario is to copy all application jars into common/lib and that is fundamently wrong. It sounds like you might have to re-think your circular dependencies. You need to make a decision which jars should depend on each other and whether the dependency direction is one way, both ways, or none at all. You can't get away from making this decision no matter the appserver. What I don't understand is why my set up works in 4.1.29 and doesn't work in 5.0.28. I can't explain that. However, I suspect that you tested 4.1.29 on some other machine than what you have 5.0.28 installed upon. I would investigate how the environment might be different. Different classpaths, different ways of starting the server (batch file -vs- a service), etc Make sure you try fresh installs of each version with your app and test both in exactly the same way. Then you will be comparing apples to apples and, therefore, getting rid of extraneous variables that might be clouding the investigation. Jake -Original Message- From: Jacob Kjome [mailto:[EMAIL PROTECTED] Sent: Monday, 8 November 2004 3:52 PM To: Tomcat Users List Subject: Re: FW: Configuring JAAS realm for a web appplication (Catalina class loader bug) Well, the short answer is, move it to common/lib, not server/lib. server/lib is for stuff that *only* Tomcat itself should see. 
common/lib is for stuff that both the server and applications should see (and shared/lib is the converse of server/lib, but different from WEB-INF/lib since it is global to all apps in the server). Even in the common/lib case, you may run into the same problem, though, because if you put the jar in WEB-INF/lib, that will be loaded, preferentially by the application because of child first classloading behavior that Tomcat implements. If JASS looks up this class as well, but loads it in a different classloader you will run into the same issue. In this case, you'll need to remove the jar from WEB-INF/lib and load it from common/lib only. I can't say for sure that it isn't bad behavior by Tomcat, but I doubt it. It is just a classloading issue you'll have to deal with. However, this is one reason why many appservers out there don't use child first classloading behavior by default, although in the server/lib situation you'd get the same result in this case. The common/lib case would have been taken care of in a server implementing normal parent first classloading behavior, but then it would be redundant to have the jar in WEB-INF/lib in that case anyway. Bottom line is that classloaders are tricky and different situations call for different solutions so I doubt there is anything fundamentally wrong with what Tomcat is doing. Jake At 09:31 AM 11/8/2004 +1100, you wrote: Hi, My company isusing Tomcat 4.1.29 and I'm investigating a transition to version 5.0.28. We use JAAS for authentication. The realm is decleared inside the web application context. The authentication code makes an EJB call to jBoss server (we are using stand alone Tomcat not jBoss bundled version). In verion 4.1 we have ejb-client code jar in both server/lib and Web Application lib directories. I have replicated the same structure in version 5 but I get ClassCastException inside my JAAS Authentication module. 
If I remove the copy of ejb-client jar from Web Application it all works fine which suggest to me that the ClassCastException related to the fact that the same class id loaded by different classloaders. Tomcat doco specifies that Catalina classloader is invisible to webapplications ( and that's why we use it in Tomcat 4) but it doesn't seem to be the case. The work-around (removing ejb-client code from web app) is not a solution because it has a lot of web app specific code. If I don't copy authentication code to server/lib directory and only keep it in web app Tomcat doesn't find it. That is the case for both versions - 4 and 5. To me it suggests a different problem - since JAAS realm declared in web app context it should apply to web application only and therefore it should be looking into webapp not server/lib directory. But that is a different discussion topic altogether. Thanks in advance Genna CAUTION - This message may contain privileged and confidential
FW: Configuring JAAS realm for a web application (Catalina class loader bug)
Hi,

My company is using Tomcat 4.1.29 and I'm investigating a transition to version 5.0.28. We use JAAS for authentication. The realm is declared inside the web application context. The authentication code makes an EJB call to jBoss server (we are using stand alone Tomcat not jBoss bundled version). In version 4.1 we have ejb-client code jar in both server/lib and Web Application lib directories.

I have replicated the same structure in version 5 but I get ClassCastException inside my JAAS Authentication module. If I remove the copy of ejb-client jar from Web Application it all works fine, which suggests to me that the ClassCastException is related to the fact that the same class is loaded by different classloaders. Tomcat doco specifies that Catalina classloader is invisible to web applications (and that's why we use it in Tomcat 4) but it doesn't seem to be the case. The work-around (removing ejb-client code from web app) is not a solution because it has a lot of web app specific code.

If I don't copy authentication code to server/lib directory and only keep it in web app Tomcat doesn't find it. That is the case for both versions - 4 and 5. To me it suggests a different problem - since JAAS realm declared in web app context it should apply to web application only and therefore it should be looking into webapp not server/lib directory. But that is a different discussion topic altogether.

Thanks in advance
Genna
Re: FW: Configuring JAAS realm for a web application (Catalina class loader bug)
Well, the short answer is, move it to common/lib, not server/lib. server/lib is for stuff that *only* Tomcat itself should see. common/lib is for stuff that both the server and applications should see (and shared/lib is the converse of server/lib, but different from WEB-INF/lib since it is global to all apps in the server).

Even in the common/lib case, you may run into the same problem, though, because if you put the jar in WEB-INF/lib, that will be loaded, preferentially by the application because of child first classloading behavior that Tomcat implements. If JAAS looks up this class as well, but loads it in a different classloader you will run into the same issue. In this case, you'll need to remove the jar from WEB-INF/lib and load it from common/lib only.

I can't say for sure that it isn't bad behavior by Tomcat, but I doubt it. It is just a classloading issue you'll have to deal with. However, this is one reason why many appservers out there don't use child first classloading behavior by default, although in the server/lib situation you'd get the same result in this case. The common/lib case would have been taken care of in a server implementing normal parent first classloading behavior, but then it would be redundant to have the jar in WEB-INF/lib in that case anyway.

Bottom line is that classloaders are tricky and different situations call for different solutions so I doubt there is anything fundamentally wrong with what Tomcat is doing.

Jake

At 09:31 AM 11/8/2004 +1100, you wrote:

Hi,

My company is using Tomcat 4.1.29 and I'm investigating a transition to version 5.0.28. We use JAAS for authentication. The realm is declared inside the web application context. The authentication code makes an EJB call to jBoss server (we are using stand alone Tomcat not jBoss bundled version). In version 4.1 we have ejb-client code jar in both server/lib and Web Application lib directories.

I have replicated the same structure in version 5 but I get ClassCastException inside my JAAS Authentication module. If I remove the copy of ejb-client jar from Web Application it all works fine, which suggests to me that the ClassCastException is related to the fact that the same class is loaded by different classloaders. Tomcat doco specifies that Catalina classloader is invisible to web applications (and that's why we use it in Tomcat 4) but it doesn't seem to be the case. The work-around (removing ejb-client code from web app) is not a solution because it has a lot of web app specific code.

If I don't copy authentication code to server/lib directory and only keep it in web app Tomcat doesn't find it. That is the case for both versions - 4 and 5. To me it suggests a different problem - since JAAS realm declared in web app context it should apply to web application only and therefore it should be looking into webapp not server/lib directory. But that is a different discussion topic altogether.

Thanks in advance
Genna
RE: FW: Configuring JAAS realm for a web application (Catalina class loader bug)
Jake,

Thanks for your reply. I have tried common/lib scenario. As a matter of fact I have started with that option. However it produces the same result. I have tried to move ejb-client jar out of web app. But then I run into the problem when the application uses a class loaded by common class loader and if the class references another class in the WEB-INF/lib jar (a different jar) I get NoClassDefError. Effectively the only safe way to install my application in that scenario is to copy all application jars into common/lib and that is fundamentally wrong.

What I don't understand is why my set up works in 4.1.29 and doesn't work in 5.0.28.

-Original Message-
From: Jacob Kjome [mailto:[EMAIL PROTECTED]]
Sent: Monday, 8 November 2004 3:52 PM
To: Tomcat Users List
Subject: Re: FW: Configuring JAAS realm for a web application (Catalina class loader bug)

Well, the short answer is, move it to common/lib, not server/lib. server/lib is for stuff that *only* Tomcat itself should see. common/lib is for stuff that both the server and applications should see (and shared/lib is the converse of server/lib, but different from WEB-INF/lib since it is global to all apps in the server).

Even in the common/lib case, you may run into the same problem, though, because if you put the jar in WEB-INF/lib, that will be loaded, preferentially by the application because of child first classloading behavior that Tomcat implements. If JAAS looks up this class as well, but loads it in a different classloader you will run into the same issue. In this case, you'll need to remove the jar from WEB-INF/lib and load it from common/lib only.

I can't say for sure that it isn't bad behavior by Tomcat, but I doubt it. It is just a classloading issue you'll have to deal with. However, this is one reason why many appservers out there don't use child first classloading behavior by default, although in the server/lib situation you'd get the same result in this case. The common/lib case would have been taken care of in a server implementing normal parent first classloading behavior, but then it would be redundant to have the jar in WEB-INF/lib in that case anyway.

Bottom line is that classloaders are tricky and different situations call for different solutions so I doubt there is anything fundamentally wrong with what Tomcat is doing.

Jake

At 09:31 AM 11/8/2004 +1100, you wrote:

Hi,

My company is using Tomcat 4.1.29 and I'm investigating a transition to version 5.0.28. We use JAAS for authentication. The realm is declared inside the web application context. The authentication code makes an EJB call to jBoss server (we are using stand alone Tomcat not jBoss bundled version). In version 4.1 we have ejb-client code jar in both server/lib and Web Application lib directories.

I have replicated the same structure in version 5 but I get ClassCastException inside my JAAS Authentication module. If I remove the copy of ejb-client jar from Web Application it all works fine which suggests to me that the ClassCastException is related to the fact that the same class is loaded by different classloaders. Tomcat doco specifies that Catalina classloader is invisible to web applications (and that's why we use it in Tomcat 4) but it doesn't seem to be the case.

The work-around (removing ejb-client code from web app) is not a solution because it has a lot of web app specific code. If I don't copy authentication code to server/lib directory and only keep it in web app Tomcat doesn't find it. That is the case for both versions - 4 and 5. To me it suggests a different problem - since JAAS realm declared in web app context it should apply to web application only and therefore it should be looking into webapp not server/lib directory. But that is a different discussion topic altogether.

Thanks in advance
Genna
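Added example (not code from the thread or from Tomcat): a minimal Java 9+ reproduction of the failure discussed above, where the same class bytes defined once by a child-first loader and once by its parent give two distinct classes, so the cast fails. `ClientStub` and `ChildFirstLoader` are hypothetical stand-ins for an ejb-client class and a webapp class loader; compile with javac before running.

```java
import java.io.IOException;
import java.io.InputStream;

public class LoaderIdentityDemo {

    /** Hypothetical stand-in for a class shipped in the ejb-client jar. */
    public static class ClientStub { }

    /**
     * Child-first loader (assumption for the demo): defines the target class
     * itself from the same bytes instead of delegating to its parent, the way
     * a webapp loader prefers WEB-INF/lib over common/lib.
     */
    static class ChildFirstLoader extends ClassLoader {
        private final String target;

        ChildFirstLoader(ClassLoader parent, String target) {
            super(parent);
            this.target = target;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) {
                return super.loadClass(name, resolve);   // everything else: parent first
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    String path = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(path)) {
                        if (in == null) throw new ClassNotFoundException(name);
                        byte[] bytes = in.readAllBytes();
                        c = defineClass(name, bytes, 0, bytes.length);
                    } catch (IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    /** True when the object can be cast to the ClientStub this class sees. */
    static boolean castSucceeds(Object candidate) {
        try {
            ClientStub ignored = (ClientStub) candidate;
            return true;
        } catch (ClassCastException e) {
            System.out.println("cast failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader common = LoaderIdentityDemo.class.getClassLoader();
        String name = ClientStub.class.getName();

        // Two copies of the jar: the "webapp" loader defines its own ClientStub.
        Class<?> webappCopy = new ChildFirstLoader(common, name).loadClass(name);
        System.out.println("same name:  " + webappCopy.getName().equals(name));
        System.out.println("same class: " + (webappCopy == ClientStub.class));
        System.out.println("cast works: " + castSucceeds(webappCopy.getDeclaredConstructor().newInstance()));

        // One copy only: a delegating loader hands back the parent's class.
        Class<?> shared = new ClassLoader(common) { }.loadClass(name);
        System.out.println("single copy, cast works: "
                + castSucceeds(shared.getDeclaredConstructor().newInstance()));
    }
}
```

When diagnosing this in a container, logging `getClass().getClassLoader()` on both sides of the failing cast, as done later on this page, shows which copy each side resolved.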
JAAS in combination with WAR
Hi!

I want to develop a webapp which should be easily deployable by using a WAR file. So, as I found out, I can place the context descriptor as context.xml in the META-INF directory. But I have some problems concerning the JAASRealm.

First, the location of the jaas config file has to be set via a system property. How can I handle that by using a WAR?

Second, my implementation of the LoginModule is bundled in a jar file. If the jar is placed in the WEB-INF/lib directory of my webapp, authentication with jaas doesn't succeed. If I put it into tomcat's common/lib directory, it starts working. Are there any possibilities to deploy the login jar within my webapp?

regards thanx,
Ingo
too many JAAS...
hi again,

fiddled around with JAASRealm in tomcat 5.0.28 but still did not succeed. so i`ll ask a few simple questions: (which actually seemed already answered to me while reading tons of faq/documentation - but it still does not work)

is it possible to authenticate users via servlet, when the actual page does not include action-url 'j_security_check'
e.g. form action=myservlet.do method=POST
i need to do so, because 'MyCallbackHandler' needs more specific data

if so, is it furthermore possible to do smthng like:

    LoginContext ctx = new LoginContext(logonDef, new MyCallbackHandler(user,pass,object));
    ctx.login();

if so, why do i have loads of problems when i try to retrieve MyCallbackHandler in my custom LoginModule when simple doin:

    public class MyLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map sharedState;
        private Map options;
        private Logger logger;

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            this.subject = subject;
            this.handler = callbackHandler;
            this.sharedState = sharedState;
            this.options = options;
            this.logger = Logger.getLogger(MyLoginModule.class);
        }

        public boolean login() {
            MyCallbackHandler myhandler = (MyCallbackHandler) this.handler;
            // do something with it..
            // but here the ClassCastException shows up
            ...
        }
        ...
    }

thanks in advance..
insanely rene

--
gpg-key 8FC78254 http://www.so36.net/keys/rene.asc
fingerprint: E883 D359 3F56 51AF 0294 8BEB 16B3 15BD 8FC7 8254
Re: too many JAAS...
Hi Rene,

You can have a look at http://www.kopz.org/public/documents/tomcat/jaasintomcat.html It contains a known-good approach so it may be of some use to you.

Michiel

Rene Paulokat wrote:

hi again,

fiddled around with JAASRealm in tomcat 5.0.28 but still did not succeed. so i`ll ask a few simple questions: (which actually seemed already answered to me while reading tons of faq/documentation - but it still does not work)

is it possible to authenticate users via servlet, when the actual page does not include action-url 'j_security_check'
e.g. form action=myservlet.do method=POST
i need to do so, because 'MyCallbackHandler' needs more specific data

if so, is it furthermore possible to do smthng like:

    LoginContext ctx = new LoginContext(logonDef, new MyCallbackHandler(user,pass,object));
    ctx.login();

if so, why do i have loads of problems when i try to retrieve MyCallbackHandler in my custom LoginModule when simple doin:

    public class MyLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map sharedState;
        private Map options;
        private Logger logger;

        public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
            this.subject = subject;
            this.handler = callbackHandler;
            this.sharedState = sharedState;
            this.options = options;
            this.logger = Logger.getLogger(MyLoginModule.class);
        }

        public boolean login() {
            MyCallbackHandler myhandler = (MyCallbackHandler) this.handler;
            // do something with it..
            // but here the ClassCastException shows up
            ...
        }
        ...
    }

thanks in advance..
insanely rene

--
Michiel Toneman
Software Engineer
Bibit Global Payment Services
Regulierenring 10
3981 LB Bunnik
[EMAIL PROTECTED]
Tel. +31-30-6595168
Fax +31-30-6564464
http://www.bibit.com/
Re: too many JAAS...
On Wed, Sep 22, 2004 at 03:47:08PM +0200, Michiel Toneman wrote:

You can have a look at http://www.kopz.org/public/documents/tomcat/jaasintomcat.html It contains a known-good approach so it may be of some use to you.

hi michiel,

yes, i found that already, but i thought this is not *very* different from my approach: in this example 'SecurityFilter' does the same thing like my Login-servlet: creates new LoginContext - passes over the CallBackhandler - here 'HttpAuthCallBackhandler' and finally calls login-method of loginModule. additionally it puts 'Subject' into user's Session, to be reused when needed. fine thing.

i think i am missing some more basic thing - cause of my beloved ClassCastException, when my loginModule starts to act...

or - is it the only way to accomplish the task with that kind of 'SecurityFilter' - which in the example acts upon every request?

thanks for your hint, i'm gonna implement it test-wise...

greetings
rene
RE : too many JAAS...
Why do you have a ClassCastException exception? Could you give us more detail on your realm configuration? Did you configure a JAAS realm with custom userClassNames and roleClassNames attributes? Or anything else.

-Original Message-
From: Rene Paulokat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 22 September 2004 16:18
To: Tomcat Users List
Subject: Re: too many JAAS...

On Wed, Sep 22, 2004 at 03:47:08PM +0200, Michiel Toneman wrote:

You can have a look at http://www.kopz.org/public/documents/tomcat/jaasintomcat.html It contains a known-good approach so it may be of some use to you.

hi michiel,

yes, i found that already, but i thought this is not *very* different from my approach: in this example 'SecurityFilter' does the same thing like my Login-servlet: creates new LoginContext - passes over the CallBackhandler - here 'HttpAuthCallBackhandler' and finally calls login-method of loginModule. additionally it puts 'Subject' into user's Session, to be reused when needed. fine thing.

i think i am missing some more basic thing - cause of my beloved ClassCastException, when my loginModule starts to act...

or - is it the only way to accomplish the task with that kind of 'SecurityFilter' - which in the example acts upon every request?

thanks for your hint, i'm gonna implement it test-wise...

greetings
rene
Re: RE : too many JAAS...
On Wed, Sep 22, 2004 at 04:26:44PM +0200, LERBSCHER Jean-Pierre wrote:

Why do you have a ClassCastException exception? Could you give us more detail on your realm configuration? Did you configure a JAAS realm with custom userClassNames and roleClassNames attributes? Or anything else.

okay, my context configuration looks like:

    <Realm className="org.apache.catalina.realm.JAASRealm"
           verbosity="99"
           appName="dabRealm"
           debug="99"
           useContextClassLoader="true"
           userClassNames="com.warenform.ima_frontend.auth.DabPrincipal"
           roleClassNames="com.warenform.ima_frontend.auth.DabRole"/>

my login.conf shows:

    dabRealm {
        com.warenform.ima_frontend.interf.DabLoginModule REQUIRED;
    };

loginModule/Role/Principal-classes are visible to $CATALINA_HOME/common/lib and the way i invoke the whole thing is via servlet which is called by url /login.do - creates my DabCallBackHandler, pushes this into new LoginContext module gets invoked - and creates exception like described in the thread-start.

hm - am i lost?

rene
RE: RE : too many JAAS...
Hi,

I just committed a fairly big patch from Andrew Jaquith last night that addresses numerous issues encountered when using the JAASRealm with custom user and role class names. You may wish to build from CVS and see if this patch fixes your exception. The patch was in Bugzilla issue 28631 if you want to look it up.

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 11:00 AM
To: Tomcat Users List
Subject: Re: RE : too many JAAS...

On Wed, Sep 22, 2004 at 04:26:44PM +0200, LERBSCHER Jean-Pierre wrote:

Why do you have a ClassCastException exception? Could you give us more detail on your realm configuration? Did you configure a JAAS realm with custom userClassNames and roleClassNames attributes? Or anything else.

okay, my context configuration looks like:

    <Realm className="org.apache.catalina.realm.JAASRealm"
           verbosity="99"
           appName="dabRealm"
           debug="99"
           useContextClassLoader="true"
           userClassNames="com.warenform.ima_frontend.auth.DabPrincipal"
           roleClassNames="com.warenform.ima_frontend.auth.DabRole"/>

my login.conf shows:

    dabRealm {
        com.warenform.ima_frontend.interf.DabLoginModule REQUIRED;
    };

loginModule/Role/Principal-classes are visible to $CATALINA_HOME/common/lib and the way i invoke the whole thing is via servlet which is called by url /login.do - creates my DabCallBackHandler, pushes this into new LoginContext module gets invoked - and creates exception like described in the thread-start.

hm - am i lost?

rene
Re: RE : too many JAAS...
On Wed, Sep 22, 2004 at 11:01:28AM -0400, Shapira, Yoav wrote:

Hi, I just committed a fairly big patch from Andrew Jaquith last night that addresses numerous issues encountered when using the JAASRealm with custom user and role class names. You may wish to build from CVS and see if this patch fixes your exception. The patch was in Bugzilla issue 28631 if you want to look it up.

thanks for your advice.
the good news: checked out, built, deployed.
the bad news: same ClassCastException:

i`ll give u the relevant parts:

    [DabLoginModule]
    ...
    (52) public boolean login() throws LoginException {
    (54)     logger.debug("loginmodule loaded by: [" + this.getClass().getClassLoader() + "]");
    (55)     logger.debug(this.handler.getClass().getName() + " (initialized handler) loaded: " + this.handler.getClass().getClassLoader());
    (56)     DabCallBackHandler handler = (DabCallBackHandler) this.handler;
    (57)     logger.debug("name: [" + handler.getClass().getName() + " ] loader: [" + handler.getClass().getClassLoader() + "]");
    (58)     logger.debug("test if works:" + handler.getUsername());
    ...

which results in a log of:

    DEBUG [http-8080-Processor25] (DabLoginModule.java:54) - loginmodule loaded by: [WebappClassLoader ...
    DEBUG [http-8080-Processor25] (DabLoginModule.java:55) - javax.security.auth.login.LoginContext$SecureCallbackHandler (initialized handler) loaded: null
    javax.security.auth.login.LoginException: java.lang.ClassCastException
        at com.warenform.ima_frontend.interf.DabLoginModule.login(DabLoginModule.java:56)

any more hints?

greetings
rene
RE: RE : too many JAAS...
Hi,

I didn't follow the rest of your thread. Your callback handler is loaded from common/lib, not WEB-INF/lib, right?

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 2:25 PM
To: Tomcat Users List
Subject: Re: RE : too many JAAS...

On Wed, Sep 22, 2004 at 11:01:28AM -0400, Shapira, Yoav wrote:

Hi, I just committed a fairly big patch from Andrew Jaquith last night that addresses numerous issues encountered when using the JAASRealm with custom user and role class names. You may wish to build from CVS and see if this patch fixes your exception. The patch was in Bugzilla issue 28631 if you want to look it up.

thanks for your advice.
the good news: checked out, built, deployed.
the bad news: same ClassCastException:

i`ll give u the relevant parts:

    [DabLoginModule]
    ...
    (52) public boolean login() throws LoginException {
    (54)     logger.debug("loginmodule loaded by: [" + this.getClass().getClassLoader() + "]");
    (55)     logger.debug(this.handler.getClass().getName() + " (initialized handler) loaded: " + this.handler.getClass().getClassLoader());
    (56)     DabCallBackHandler handler = (DabCallBackHandler) this.handler;
    (57)     logger.debug("name: [" + handler.getClass().getName() + " ] loader: [" + handler.getClass().getClassLoader() + "]");
    (58)     logger.debug("test if works:" + handler.getUsername());
    ...

which results in a log of:

    DEBUG [http-8080-Processor25] (DabLoginModule.java:54) - loginmodule loaded by: [WebappClassLoader ...
    DEBUG [http-8080-Processor25] (DabLoginModule.java:55) - javax.security.auth.login.LoginContext$SecureCallbackHandler (initialized handler) loaded: null
    javax.security.auth.login.LoginException: java.lang.ClassCastException
        at com.warenform.ima_frontend.interf.DabLoginModule.login(DabLoginModule.java:56)

any more hints?

greetings
rene
Re: RE : too many JAAS...
On Wed, Sep 22, 2004 at 02:28:59PM -0400, Shapira, Yoav wrote:

Hi, I didn't follow the rest of your thread. Your callback handler is loaded from common/lib, not WEB-INF/lib, right? Yoav Shapira

if i call the handler on my servlet, the handler is loaded by StandardClassLoader from common/lib but i guess somewhere here is my problem - just that i dont see it.

    --- snip ---
    DEBUG [http-8080-Processor24] (DabLoginAction.java:177) - handler in servlet loaded : [EMAIL PROTECTED] [http-8080-Processor24] (DabLoginModule.java:43) - init: callbackHandler declared by class javax.security.auth.login.LoginContext
    DEBUG [http-8080-Processor24] (DabLoginModule.java:44) - init: callbackHandler is: javax.security.auth.login.LoginContext$SecureCallbackHandler
    DEBUG [http-8080-Processor24] (DabLoginModule.java:45) - init: callbackHandler loaded by: null
    DEBUG [http-8080-Processor24] (DabLoginModule.java:53) - loginmodule loaded by: [WebappClassLoader

greetings
rene
RE: RE : too many JAAS...
Hi,

Can you put the login module in common/lib as well, to see if it being loaded by the common classloader makes a difference?

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 3:15 PM
To: Tomcat Users List
Subject: Re: RE : too many JAAS...

On Wed, Sep 22, 2004 at 02:28:59PM -0400, Shapira, Yoav wrote:

Hi, I didn't follow the rest of your thread. Your callback handler is loaded from common/lib, not WEB-INF/lib, right? Yoav Shapira

if i call the handler on my servlet, the handler is loaded by StandardClassLoader from common/lib but i guess somewhere here is my problem - just that i dont see it.

    --- snip ---
    DEBUG [http-8080-Processor24] (DabLoginAction.java:177) - handler in servlet loaded : [EMAIL PROTECTED] [http-8080-Processor24] (DabLoginModule.java:43) - init: callbackHandler declared by class javax.security.auth.login.LoginContext
    DEBUG [http-8080-Processor24] (DabLoginModule.java:44) - init: callbackHandler is: javax.security.auth.login.LoginContext$SecureCallbackHandler
    DEBUG [http-8080-Processor24] (DabLoginModule.java:45) - init: callbackHandler loaded by: null
    DEBUG [http-8080-Processor24] (DabLoginModule.java:53) - loginmodule loaded by: [WebappClassLoader

greetings
rene
Re: RE : too many JAAS...
On Wed, Sep 22, 2004 at 03:16:17PM -0400, Shapira, Yoav wrote:

Hi, Can you put the login module in common/lib as well, to see if it being loaded by the common classloader makes a difference?

first: thanks a lot for your efforts.

i can, i did change the location for the loginModule, so that it gets loaded by StandardClassLoader:

    DEBUG [http-8080-Processor25] (DabLoginAction.java:177) - handler in servlet loaded : [EMAIL PROTECTED]
    DEBUG [http-8080-Processor25] (DabLoginAction.java:183) - servlet classloader logincontext: null
    DEBUG [http-8080-Processor25] (DabLoginModule.java:44) - init: callbackHandler declared by class javax.security.auth.login.LoginContext
    DEBUG [http-8080-Processor25] (DabLoginModule.java:45) - init: callbackHandler is: javax.security.auth.login.LoginContext$SecureCallbackHandler
    DEBUG [http-8080-Processor25] (DabLoginModule.java:46) - init: callbackHandler loaded by: null
    DEBUG [http-8080-Processor25] (DabLoginModule.java:54) - loginmodule loaded by: [EMAIL PROTECTED]
    DEBUG [http-8080-Processor25] (DabLoginModule.java:55) - javax.security.auth.login.LoginContext$SecureCallbackHandler (initialized handler) loaded: null
    javax.security.auth.login.LoginException: java.lang.ClassCastException

but same cce

rene
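Added example (not code from any poster or from Tomcat): the logs above show the login module receiving `javax.security.auth.login.LoginContext$SecureCallbackHandler`, not the handler class the servlet created, so the cast at line 56 fails wherever the jars are placed. The code below passes the extra data through a custom `Callback` and `handle()` instead of casting; `RemoteAddressCallback`, `RequestCallbackHandler`, `CallbackLoginModule`, the credentials and the address are assumptions made for the example, and only the `dabRealm` name comes from the thread.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CallbackDemo {

    /** Hypothetical custom callback: carries the extra per-request data. */
    public static class RemoteAddressCallback implements Callback {
        private String remoteAddress;
        public void setRemoteAddress(String value) { this.remoteAddress = value; }
        public String getRemoteAddress() { return remoteAddress; }
    }

    /** Handler the servlet builds per request (stand-in for the thread's DabCallBackHandler). */
    public static class RequestCallbackHandler implements CallbackHandler {
        private final String user, remoteAddress;
        private final char[] password;

        public RequestCallbackHandler(String user, char[] password, String remoteAddress) {
            this.user = user;
            this.password = password;
            this.remoteAddress = remoteAddress;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof RemoteAddressCallback) {
                    ((RemoteAddressCallback) cb).setRemoteAddress(remoteAddress);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Login module that never casts the handler; it only calls handle(). */
    public static class CallbackLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = callbackHandler;
        }

        @Override
        public boolean login() throws LoginException {
            // May be a JDK wrapper such as LoginContext$SecureCallbackHandler.
            System.out.println("handler class: " + handler.getClass().getName());
            NameCallback name = new NameCallback("user");
            PasswordCallback pass = new PasswordCallback("password", false);
            RemoteAddressCallback addr = new RemoteAddressCallback();
            try {
                handler.handle(new Callback[] { name, pass, addr });
            } catch (IOException | UnsupportedCallbackException e) {
                throw (LoginException) new LoginException("callback failed: " + e).initCause(e);
            }
            char[] supplied = pass.getPassword();
            pass.clearPassword();
            // Constructed demo credentials; a real module checks a user store.
            succeeded = "demo".equals(name.getName())
                    && Arrays.equals("s3cret-demo".toCharArray(), supplied);
            if (supplied != null) Arrays.fill(supplied, '\0');
            if (!succeeded) throw new FailedLoginException("rejected login from " + addr.getRemoteAddress());
            System.out.println("login ok for " + name.getName() + " from " + addr.getRemoteAddress());
            return true;
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort()  { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; return true; }
    }

    public static void main(String[] args) throws LoginException {
        // In-memory equivalent of a login.conf entry named dabRealm with one REQUIRED module.
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"dabRealm".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        CallbackLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap()) };
            }
        });
        LoginContext ctx = new LoginContext("dabRealm",
                new RequestCallbackHandler("demo", "s3cret-demo".toCharArray(), "192.0.2.10"));
        ctx.login();
    }
}
```

The custom callback class must be visible to both the handler and the login module through the same class loader, otherwise the `instanceof` test in the handler will not match.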
RE: RE : too many JAAS...
Hi,

What's the stack trace for the ClassCastException?

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 22, 2004 3:33 PM
To: Tomcat Users List
Subject: Re: RE : too many JAAS...

On Wed, Sep 22, 2004 at 03:16:17PM -0400, Shapira, Yoav wrote:

Hi, Can you put the login module in common/lib as well, to see if it being loaded by the common classloader makes a difference?

first: thanks a lot for your efforts.

i can, i did change the location for the loginModule, so that it gets loaded by StandardClassLoader:

    DEBUG [http-8080-Processor25] (DabLoginAction.java:177) - handler in servlet loaded : [EMAIL PROTECTED]
    DEBUG [http-8080-Processor25] (DabLoginAction.java:183) - servlet classloader logincontext: null
    DEBUG [http-8080-Processor25] (DabLoginModule.java:44) - init: callbackHandler declared by class javax.security.auth.login.LoginContext
    DEBUG [http-8080-Processor25] (DabLoginModule.java:45) - init: callbackHandler is: javax.security.auth.login.LoginContext$SecureCallbackHandler
    DEBUG [http-8080-Processor25] (DabLoginModule.java:46) - init: callbackHandler loaded by: null
    DEBUG [http-8080-Processor25] (DabLoginModule.java:54) - loginmodule loaded by: [EMAIL PROTECTED]
    DEBUG [http-8080-Processor25] (DabLoginModule.java:55) - javax.security.auth.login.LoginContext$SecureCallbackHandler (initialized handler) loaded: null
    javax.security.auth.login.LoginException: java.lang.ClassCastException

but same cce

rene
beware: stackTrace was: Re: RE : too many JAAS...
On Wed, Sep 22, 2004 at 03:33:27PM -0400, Shapira, Yoav wrote:

Hi, What's the stack trace for the ClassCastException?

here it comes:

rene

--
javax.security.auth.login.LoginException: java.lang.ClassCastException
    at com.warenform.ima_frontend.interf.DabLoginModule.login(DabLoginModule.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.warenform.ima_frontend.action.DabLoginAction.execute(DabLoginAction.java:185)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:106)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:717)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:576)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:730)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.warenform.ima_frontend.action.DabLoginAction.execute(DabLoginAction.java:185)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:106)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
Re: beware: stackTrace was: Re: RE : too many JAAS...
Just checking, but in your original post you described your loginmodule as:

public class MyLoginModule implements LoginModule {

however, your ClassCastException mentions:

com.warenform.ima_frontend.interf.DabLoginModule.login

Can you check if you really are referring to the same classes (also in login.conf)?

Michiel

On Wed, Sep 22, 2004 at 03:33:27PM -0400, Shapira, Yoav wrote:
Hi, What's the stack trace for the ClassCastException?

here it comes:
rene
--
javax.security.auth.login.LoginException: java.lang.ClassCastException
    at com.warenform.ima_frontend.interf.DabLoginModule.login(DabLoginModule.java:56)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.warenform.ima_frontend.action.DabLoginAction.execute(DabLoginAction.java:185)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:106)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:717)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:576)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:534)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:730)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at com.warenform.ima_frontend.action.DabLoginAction.execute(DabLoginAction.java:185)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at
Re: beware: stackTrace was: Re: RE : too many JAAS...
jup - ;) doublechecked. my first post was more like an 'abstract' post. meanwhile it's getting very specific. hope not to bother...

rene
JAAS and Tomcat
Question - I have a webapp that does its own authentication. I use Tomcat as my servlet container. If I want to use JAAS for that application, with it doing authentication (and not Tomcat), I don't need to set Tomcat up for JAAS, do I? -- Lynn Hollerman.
RE: JAAS and Tomcat
Hi,

No, you don't need to set up Tomcat for JAAS in that case. You can roll it yourself. This is also true for database connection pools and any other resources. You can even run your own little JNDI server inside your webapp if you wanted.

The upside for this is that you're more portable more easily: you can just move your WAR around between servers and don't need to worry about container-specific configuration. This also frequently allows for easier unit testing.

The downside is the same as with anything you roll yourself: are you spending time reinventing the wheel? Even if not, are you passing on a well-tested solution in favor of one that's less well-tested?

Yoav Shapira
Millennium Research Informatics
JAAS issue with Tomcat 5
I am trying to set up JAAS with Tomcat 5, using Axis to authenticate. My sample app using Axis works fine in the common\lib directory (where all the jars for the JAAS authentication have been placed) but when I try to run it from Tomcat, I get the following error:

- Factory org.apache.axis.configuration.EngineConfigurationFactoryServlet Ignored: missing required method: public static EngineConfigurationFactory newFactory(Object).
- Factory org.apache.axis.configuration.EngineConfigurationFactoryDefault Ignored: missing required method: public static EngineConfigurationFactory newFactory(Object).
- Unable to locate a valid EngineConfigurationFactory

When I look into the jars, they have the methods in question. When I googled on this error someone seemed to think it was a classloading issue (although that was not Tomcat). Are there any special restrictions when using JAAS? I'm assuming any classes/jars I have should go into the common/classes and common/lib directory. When tracing the LoginModule, I am getting all the expected values, i.e. everything is fine until it tries to use Axis.

TIA
-Clinton
JAASRealm reference to JAAS Subject
Hi! I'm using the Tomcat 5 JAASRealm for authenticating users with my own LoginModule. In my LoginModule I am populating the Subject object delivered by the Realm with Principals, Role Principals and Credentials. The authentication and the mapping of my user defined roles to tomcat roles work fine, but how can I get a reference to the Subject object in my servlets, JSPs etc. I need them to access the credentials added by my LoginModule. please help, thanks Ingo
Re: JAASRealm reference to JAAS Subject
This should do the job:

import java.security.AccessController;
import java.security.AccessControlContext;
import javax.security.auth.Subject;
...
AccessControlContext context = AccessController.getContext();
Subject subject = Subject.getSubject(context);

Regards, Martin

--
Martin Schaefer
NAXOS Software Solutions GmbH i.G.
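An added example (not code from any poster in this archive) showing when the `Subject.getSubject(AccessController.getContext())` lookup from the reply above returns a Subject: only for code running inside `Subject.doAs`/`doAsPrivileged`, otherwise null, with a fallback to the session attribute key quoted in the "another problem with JAAS" thread on this page. Assumptions: a JDK from 8 to 17, where these calls work without a security manager; the class name, the `Map` standing in for `HttpSession` attributes, and all values are constructed for the demo.

```java
import com.sun.security.auth.UserPrincipal;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;

public class SubjectLookupDemo {
    /** Session key used by the filter approach quoted elsewhere in this archive. */
    static final String SESSION_KEY = "javax.security.auth.subject";

    /** The lookup from the reply above: the Subject bound to the current context. */
    static Subject fromAccessControlContext() {
        return Subject.getSubject(AccessController.getContext());
    }

    /**
     * Context first, then the session attribute. The Map stands in for the
     * HttpSession attributes so the demo runs without a servlet container.
     */
    static Subject resolve(Map<String, Object> sessionAttributes) {
        Subject bound = fromAccessControlContext();
        if (bound != null) {
            return bound;
        }
        Object stored = sessionAttributes.get(SESSION_KEY);
        return (stored instanceof Subject) ? (Subject) stored : null;
    }

    /** First private credential of the requested type, or null. */
    static <T> T credential(Subject subject, Class<T> type) {
        if (subject != null) {
            for (T c : subject.getPrivateCredentials(type)) {
                return c;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // What a LoginModule's commit() would have populated (constructed values).
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("ingo"));
        subject.getPrivateCredentials().add("constructed-backend-token");
        // Freeze it before sharing: a session-stored Subject is reachable by
        // every piece of code in the webapp that can read the session.
        subject.setReadOnly();

        Map<String, Object> session = new HashMap<>();

        // 1. Plain call: no doAs, nothing in the session, so no Subject is found.
        System.out.println("plain call:   " + resolve(session));

        // 2. Inside doAsPrivileged the Subject is bound to the access control context.
        String token = Subject.doAsPrivileged(subject,
                (PrivilegedAction<String>) () -> credential(resolve(session), String.class),
                null);
        System.out.println("inside doAs:  " + token);

        // 3. Once a filter has stored it in the session, later requests find it there.
        session.put(SESSION_KEY, subject);
        System.out.println("from session: " + credential(resolve(session), String.class));

        // 4. The read-only Subject refuses later changes to its principals.
        try {
            subject.getPrincipals().add(new UserPrincipal("admin"));
        } catch (IllegalStateException e) {
            System.out.println("modification rejected: " + e.getMessage());
        }
    }
}
```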
RE : TR : [jaas integration between tomcat/weblogic]
Any responses? Does somebody think that it could be a bug or like an improvement? Thanks.

-----Original Message-----
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 27 July 2004 19:07
To: '[EMAIL PROTECTED]'
Subject: [jaas integration between tomcat/weblogic]

Hi,

I would like to make EJB-calls from Tomcat to EJB in Weblogic in secure environment (using j2ee roles). I configure a custom JAAS Realm that uses client side LoginModule connecting to WLS (weblogic.security.auth.login.UsernamePasswordLoginModule). I put weblogic.jar into common/lib directory and my login module classes in common/classes. I configure webapp context like this:

<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="Sample"
       userClassNames="weblogic.security.principal.WLSUserImpl"
       roleClassNames="weblogic.security.principal.WLSGroupImpl"
       debug="99"/>

I grant all permission (for test only) in Catalina.policy. And I run Catalina with -security option. At this stage tomcat uses login module (and weblogic authentication provider) to authenticate the user. Everything works fine. The subject built by weblogic is used to create a GenericPrincipal used internally by Tomcat.

My problem is that I need to use weblogic security api to propagate implicitly the subject when I call the ejb component with the security data provided by weblogic authentication provider (the subject).

First I try to run Tomcat with the security option and the permission, enables me to get the tomcat subject (for example like this

javax.security.auth.Subject mySubject = javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());

) and call the weblogic security api with that subject. However the Tomcat GenericPrincipal is not serializable and I get an exception [java.io.NotSerializableException: org.apache.catalina.realm.GenericPrincipal]...

Secondly I try to rebuild the weblogic subject with the subject generated by javax.security.auth.Subject.getSubject(java.security.AccessController.getContext()); I get an java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[my_username] exception generated by weblogic.

It seems obviously that there are problems of integration! My suggestions are to keep a trace of original subject (for example in session with a specific key) or in a class that is accessible to application classes (and not dependent on tomcat specific api). Do you have any other suggestions?

Environment:
Tomcat 5.0.27 (full install), running on xp, java 1.4.2_02
WLS 8 sp2, running on w2k, java 1.4.2_02
(= both on same machine, same environment)
Re: TR : [jaas integration between tomcat/weblogic]
On 30 Jul, 2004, at 9:59 am, LERBSCHER Jean-Pierre wrote:
(weblogic.security.auth.login.UsernamePasswordLoginModule). ... The subject built by weblogic is used to create a GenericPrincipal used internally by Tomcat.

I got a bit further than this using our own custom-made JAASLoginModule to retrieve Principals from a database. We encountered the fact that Tomcat only returns a generic Principal (not the Principal that we created, despite it being configured that way in server.xml), so we did what you did... extracted the information from the GenericPrincipal (username and password), then made our own UserPrincipal, which we stored in a session.

This was in Tomcat 5.0.19 and everything worked, although we had this nagging feeling that it wasn't quite right. Why weren't we receiving our own UserPrincipal?

Then we tried upgrading to Tomcat 5.0.25 (and later). When we try to log in to a page configured to be protected, we get the following error:

javax.servlet.ServletException: WILDCARD_PRINCIPAL_CLASS
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:244)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
...
root cause
java.lang.ClassCircularityError: WILDCARD_PRINCIPAL_CLASS
    java.lang.Class.forName0(Native Method)
    java.lang.Class.forName(Class.java:219)
    sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1335)
    sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1238)
    sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1201)
    sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1144)
    sun.security.provider.PolicyFile.implies(PolicyFile.java:1099)
    java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
    ...

This is pretty confusing. Has anyone seen this? What does it mean? I can't find any mention of anything that helps in the Tomcat documentation, and so far nothing in various JAAS and Security documentation.

Does anyone have a working JAASRealm module, with example server.xml, catalina.policy, web.xml and other files? I'd give my right arm to have an answer to this. Currently, our only solution is to stick with 5.0.19.
TR : [jaas integration between tomcat/weblogic]
Hi, Does somebody have more suggestions on this topic? Thanks.
JAAS setup
I'm not sure if this is the right place to ask this, so if someone can point me to a JAAS mailing list that would be great.

If I put a jaas.config in my WEB-INF/classes/ directory, I have to have something that does

System.setProperty("java.security.auth.login.config", jaasFile);

That's just fine, except that each webapp has their own jaas.config file. So the last webapp that loads wins and its jaas.config file is the one that the whole system uses.

What we have now is one instance of the jaas.config file in jre/lib/ext/. It is not the easiest thing in the world to get our production servers to change things like the jaas.config file, so it would be nicer if each webapp could carry their own. But alas, it seems like the only way to tell java where to find the jaas.config file is with a system property.

So, does anyone know another way to let java know where it is besides the system property? Does anyone know where would be a good place to look?

Thanks a lot.
Charlie
JAAS problem ???
Hello,

When I startup Tomcat with -Djava.security.auth.login.config=mylogin.config, I can use JAAS in JSP and Servlet. But if I did not use the -D options, and use

System.setProperty("java.security.auth.login.config", "/somepath/mylogin.config");

It failed to locate the login module ?? Can I set the java.security.auth.login.config in run-time ???

Eric
== If you know what you are doing, it is not called RESEARCH! ==
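An added example (not code from the posters) for the two questions above about `java.security.auth.login.config`: since Java 5 a `javax.security.auth.login.Configuration` object can be passed straight to the four-argument `LoginContext` constructor, so each webapp can carry its own login configuration and neither the JVM-wide system property nor a shared jaas.config is consulted. `DemoLoginModule`, the option names, the application names and the credentials are constructed for the demo; `com.sun.security.auth.UserPrincipal` is the principal class shipped with the JDK.

```java
import com.sun.security.auth.UserPrincipal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class PerWebappJaasConfig {
    /** Hypothetical module; a real one checks a credential store, not its options. */
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> options;
        private UserPrincipal pending;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            this.options = options;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] supplied = pc.getPassword();
            pc.clearPassword();
            char[] expected = String.valueOf(options.get("password")).toCharArray();
            if (supplied == null || !String.valueOf(options.get("user")).equals(nc.getName())
                    || !Arrays.equals(supplied, expected)) {
                throw new FailedLoginException("bad credentials");
            }
            // "<webapp>/<user>" makes the issuing webapp visible in the principal name.
            pending = new UserPrincipal(options.get("webapp") + "/" + nc.getName());
            return true;
        }

        @Override public boolean commit() {
            if (pending == null) return false;
            subject.getPrincipals().add(pending);
            return true;
        }
        @Override public boolean abort() { pending = null; return true; }
        @Override public boolean logout() {
            if (pending != null) subject.getPrincipals().remove(pending);
            return abort();
        }
    }

    /** In-memory equivalent of one jaas.config entry, owned by a single webapp. */
    static Configuration configFor(String appName, String user, String password) {
        Map<String, String> options = new HashMap<>();
        options.put("webapp", appName);
        options.put("user", user);
        options.put("password", password);
        AppConfigurationEntry[] entries = {new AppConfigurationEntry(
                DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, options)};
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return appName.equals(name) ? entries : null;
            }
        };
    }

    /** Authenticate against the supplied Configuration; no system property is consulted. */
    static Subject login(Configuration config, String appName, String user, char[] password)
            throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext context = new LoginContext(appName, new Subject(), handler, config);
        context.login();
        return context.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Two webapps in one JVM, each with its own configuration (constructed values).
        Configuration shop = configFor("shop", "alice", "constructed-pw-1");
        Configuration wiki = configFor("wiki", "bob", "constructed-pw-2");
        char[] alicePw = "constructed-pw-1".toCharArray();
        System.out.println(login(shop, "shop", "alice", alicePw).getPrincipals());
        try {
            login(wiki, "wiki", "alice", alicePw); // alice is not a wiki user
        } catch (LoginException e) {
            System.out.println("wiki rejected alice: " + e.getMessage());
        }
    }
}
```

`LoginContext` loads the module class through the thread context class loader, so in a servlet container the module can live in the webapp's own WEB-INF/classes or WEB-INF/lib.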
JAAS question ??
Hello, Is there any example to use JAAS as the login mechanism in Tomcat? In the web.xml, I set some security-constraints or roles to some specific folder or page, if I use the Tomcat's UserDatabaseRealm, with j_security_check, in the JSP form, it works fine. Is it possible to use JAAS (client login module) in this case? Any simple example ??? Eric == If you know what you are doing, it is not called RESEARCH! ==
RE: JAAS question ??
An example is here: http://www.kopz.org/public/documents/tomcat/jaasintomcat.html Albeit using a servlet filter. HTH Ben
RE: Help: Tomcat JAAS Authentication Help (How does j_security_check work?)
If anyone has any insights; could you CC me in the reply. It seems I am having problems receiving the mails from tomcat-user. Cheers, Ben
Help: Tomcat JAAS Authentication Help (How does j_security_check work?)
I'm trying to implement a servlet filter that intercepts requests to a servlet and if the user is not authenticated, run the supplied username and password through a JAAS authentication cycle. I would like to know how this process is done using the j_security_check as I'd like to implement the same functionality. I wish to be able to JAAS authenticate when the filter intercepts the request so that after the authentication I can call request.isUserInRole(), request.getUserPrincipal(), request.getRemoteUser() etc. After looking at the API docs at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/catalina/docs/api/index.html I have found the org.apache.catalina.realm.JAASCallbackHandler and suspected that if I can find the realm, (set up as a JDBC realm in the server.xml), and then pass in the username and password to this callback handler - I can run the .login() method somehow. Any help would be appreciated, if you know of any howtos or docs, that would be great! Cheers, Ben
Using JAAS as for authorisation in Tomcat 5 tutorial
As promised a while back, I've written a small tutorial for getting JAAS working as an authorisation mechanism (rather than an authentication mechanism like in JAASRealm). The initial version can be found here: http://www.kopz.org/public/documents/tomcat/jaasintomcat.html It does assume you can get a full JAAS implementation up and running outside of Tomcat (i.e. not for the faint-of-heart). If you have any comments or suggestions, please let me know! Cheers, Michiel P.S. This could also be interesting in regards to the thread "javax.security.auth.subject disappears"
JAAS, Cookie, Tomcat Managed Security problem
Hi, I am facing this problem while using Tomcat Managed security. I am using the JAASRealm and my own LoginModule ... works smoothly. It authenticates as well as authorizes. BUT, when a user has logged in from one computer, another user cannot login unless the first user logs out first ... Cookies at work! When I disable the cookies however, things stop working. If the Authentication fails at JAASRealm, I am thrown out to the proper error page I declared in Web.xml. But if the Authentication succeeds (which I can ascertain from the logs), I get a 404 error saying... the resource http://myhost/myapp/j_security_check is not available. I can't find out why this happens since I can see the JSESSIONID being appended into the request when cookies are disabled. Plz help or point in the right direction if the same has happened with someone. Thanks in advance, -- Gagan.
Re: another problem with JAAS
Oops, missed the How ;-)

Subject subject = (Subject) session.getAttribute("javax.security.auth.subject");
if (subject == null) {
    subject = new Subject();
} else {
    System.out.println("According to the Filter, the subject is: " + subject);
}

and once we have logged in our subject:

session.setAttribute("javax.security.auth.subject", subject);

I'll write this up over the weekend

Cheers, Michiel

Alan Weissman wrote:
Yes but how? :) What is the key that you use in the session?

-----Original Message-----
From: Michiel Toneman [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 12:51 PM
To: Tomcat Users List
Subject: Re: another problem with JAAS

Hi Alan, That's correct, I overwrite the subject. Michiel

Alan Weissman wrote:
Hey Michiel - How did you overwrite Tomcat's Subject in the Session with your own? Thanks, Alan

-----Original Message-----
From: Michiel Toneman [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 22, 2004 9:51 AM
To: Tomcat Users List
Subject: Re: another problem with JAAS

Hi Beloglazov,

I was running into the same problem. As far as I can tell (anyone on the list, please correct me if I'm wrong), Tomcat primarily uses JAAS for authentication, but it is pretty useless for authorisation. I have no idea why the JAASRealm goes to all the trouble of setting up a Subject etc... when you can't use them in your own policy. All you can do is use isUserInRole() to check for the *name* of your role Principal. This totally defeats the point of using JAAS IMHO.

I am using a JAAS implementation with its custom Policy that assigns Permission(s) based on various types of Principal that I assign to the Subject. My webapps can then do proper java Permission checks (AccessController.checkPermission(perm)).

The way to go in Tomcat is using a filter, setting up (LoginContext) your Subject and use a doAsPrivileged() to wrap the servlet call. (see my earlier post on the list). However, this does not work on Tomcat (works fine on JRun4) because the filter and servlet are evaluated by Tomcat in different security contexts. The solution was to overwrite Tomcat's Subject in the session by my own Subject.

I'm writing a tutorial on this, but it isn't ready yet. If you need an implementation fast, and the above is not enough to go on, I can speed up the writing ;-)

Cheers, Michiel

Beloglazov Maksim wrote:
Hello, I've written a JAAS LoginModule and my web application successfully authorizes with it. But! While the authorization is successful, Tomcat does not recognize user Principals and roles which I assign in login module and returns that I have logged as a *null* user with no roles assigned to it.

server.xml:

<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="merx"
       userClassNames="ru.mb.security.jaas.RdbmsPrincipal"
       roleClassNames="ru.mb.security.jaas.RdbmsRole"
       debug="99"/>

ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole are implementations of java.security.Principal interface. How can I force Tomcat recognize these Principals in a proper way? Can be the problem with moving javax.security.Principal of earlier JDKs to java.security.Principal in modern ones? Any help is greatly appreciated. Beloglazov Maksim.

--
Michiel Toneman
Software Engineer
Bibit Global Payment Services
http://www.bibit.com/
Re: another problem with JAAS
I will appreciate if you post the link to or copy of this tutorial you are writing. By now I'm trying to drill into JAASRealm.java and find out what is really happening there. Maksim.
Re: another problem with JAAS
Michiel, that would be the one that you put there, right? Adam

-- struts 1.2 + tomcat 5.0.19 + java 1.4.2 Linux 2.4.20 Debian
another problem with JAAS
Hello,

I've written a JAAS LoginModule and my web application successfully authorizes with it. But! While the authorization is successful, Tomcat does not recognize the user Principals and roles which I assign in the login module and returns that I have logged in as a *null* user with no roles assigned to it.

server.xml:

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="merx"
           userClassNames="ru.mb.security.jaas.RdbmsPrincipal"
           roleClassNames="ru.mb.security.jaas.RdbmsRole"
           debug="99"/>

ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole are implementations of the java.security.Principal interface.

How can I force Tomcat to recognize these Principals in a proper way? Can the problem be with moving javax.security.Principal of earlier JDKs to java.security.Principal in modern ones?

Any help is greatly appreciated.

Beloglazov Maksim.
Re: another problem with JAAS
Hi Beloglazov,

I was running into the same problem. As far as I can tell (anyone on the list, please correct me if I'm wrong), Tomcat primarily uses JAAS for authentication, but it is pretty useless for authorisation. I have no idea why the JAASRealm goes to all the trouble of setting up a Subject etc... when you can't use them in your own policy. All you can do is use isUserInRole() to check for the *name* of your role Principal. This totally defeats the point of using JAAS IMHO.

I am using a JAAS implementation with its custom Policy that assigns Permission(s) based on various types of Principal that I assign to the Subject. My webapps can then do proper java Permission checks (AccessController.checkPermission(perm)).

The way to go in Tomcat is using a filter, setting up (LoginContext) your Subject and use a doAsPrivileged() to wrap the servlet call. (see my earlier post on the list). However, this does not work on Tomcat (works fine on JRun4) because the filter and servlet are evaluated by Tomcat in different security contexts. The solution was to overwrite Tomcat's Subject in the session by my own Subject.

I'm writing a tutorial on this, but it isn't ready yet. If you need an implementation fast, and the above is not enough to go on, I can speed up the writing ;-)

Cheers,
Michiel

--
Michiel Toneman
Software Engineer
Bibit Global Payment Services
Regulierenring 10
3981 LB Bunnik
[EMAIL PROTECTED]
Tel. +31-30-6595168
Fax +31-30-6564464
http://www.bibit.com/
Re: another problem with JAAS
Hello,

strange error! I have looked inside the JAASRealm code and can't find an error.

Subject result: You must have as your subject one Principal (java.security.Principal) for the real user. Then you can have one or more Group Principals with Name =Roles from class java.security.acl.Group for the real user roles! All member names from these groups are added to the tomcat role names.

An option is you generate your own GenericPrincipal!

regards
Peter
http://tomcat.objektpark.org
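The Realm element quoted in this thread selects principals by class name (userClassNames, roleClassNames). As an added example that is not part of the thread and not Tomcat's code, the following stand-alone program shows a LoginModule whose commit() attaches one user principal and role principals of a separate class, then applies a simplified stand-in for the class-name matching; the class names, the user "alice" and the credential are constructed for illustration.

```java
import java.security.Principal;
import java.util.*;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasPrincipalDemo {
    // A Subject keeps principals in a Set, so equals/hashCode must be defined.
    abstract static class Named implements Principal {
        private final String name;
        Named(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((Named) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // Hypothetical principal types: one class for the user, a different one for roles.
    public static final class DemoUser extends Named { public DemoUser(String n) { super(n); } }
    public static final class DemoRole extends Named { public DemoRole(String n) { super(n); } }

    public static final class DemoLoginModule implements LoginModule {
        private final Set<Principal> added = new HashSet<>();
        private Subject subject;
        private CallbackHandler handler;
        private String user;                 // set only after a successful login()
        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { name, pass }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            char[] pw = pass.getPassword();
            pass.clearPassword();
            // Constructed credential check; a real module verifies against its user store.
            boolean ok = pw != null && "alice".equals(name.getName())
                && Arrays.equals(pw, "constructed-secret".toCharArray());
            if (!ok) throw new FailedLoginException("bad credentials");
            user = name.getName();
            return true;
        }
        // Principals are attached in commit(), once overall authentication has succeeded.
        @Override public boolean commit() {
            if (user == null) return false;
            added.add(new DemoUser(user));
            added.add(new DemoRole("developer"));
            added.add(new DemoRole("authenticateduser"));
            subject.getPrincipals().addAll(added);
            return true;
        }
        @Override public boolean abort() { return logout(); }
        @Override public boolean logout() {
            subject.getPrincipals().removeAll(added);
            added.clear();
            user = null;
            return true;
        }
    }

    // Simplified stand-in for matching principals by class name (not Tomcat's code).
    static String userName(Subject s, Set<String> userClassNames) {
        return s.getPrincipals().stream().filter(p -> userClassNames.contains(p.getClass().getName()))
                .map(Principal::getName).findFirst().orElse(null);
    }
    static Set<String> roleNames(Subject s, Set<String> roleClassNames) {
        return s.getPrincipals().stream().filter(p -> roleClassNames.contains(p.getClass().getName()))
                .map(Principal::getName).collect(Collectors.toCollection(TreeSet::new));
    }

    public static void main(String[] args) throws Exception {
        Configuration config = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>()) };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback)
                    ((PasswordCallback) c).setPassword("constructed-secret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("demo", null, handler, config);
        lc.login();
        Subject s = lc.getSubject();
        Set<String> users = Collections.singleton(DemoUser.class.getName());
        Set<String> roles = Collections.singleton(DemoRole.class.getName());
        System.out.println("user=" + userName(s, users) + " roles=" + roleNames(s, roles));
        // A configured class name that does not match exactly selects no user and no roles.
        Set<String> wrong = Collections.singleton("demo.DemoUser");
        System.out.println("user=" + userName(s, wrong) + " roles=" + roleNames(s, wrong));
    }
}
```

The nested classes here have binary names such as JaasPrincipalDemo$DemoUser, which is the form a class-name list has to use for them.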
RE: another problem with JAAS
Hey Michiel -

How did you overwrite Tomcat's Subject in the Session with your own?

Thanks,
Alan
Re: another problem with JAAS
Hi Alan,

That's correct, I overwrite the subject.

Michiel
RE: another problem with JAAS
Yes but how? :) What is the key that you use in the session?
Re: another problem with JAAS
The servlet container spec from Sun doesn't specify any integration requirements for JAAS. The JAAS support is basically fledgeling authentication, and that's it for servlet spec 2.4 - I would be interested myself in seeing the discussions and motivations behind the progress and changes on the road to 2.5, but I don't know whether it's public.

--
struts 1.2 + tomcat 5.0.19 + java 1.4.2 Linux 2.4.20 Debian
Jaas and Jndi problem
Hello,

I'm stuck with the problem, trying to get a way out for several hours: I have a database resource declared in server.xml in the GlobalNamingResources part. Also I have a JAAS login module which is intended to use this JNDI database resource. And I can't get access to this resource from my JAAS login module.

The error is

    ...
    javax.naming.NameNotFoundException: Name jdbc is not bound in this Context
        at org.apache.naming.NamingContext.lookup(NamingContext.java:815)
        at org.apache.naming.NamingContext.lookup(NamingContext.java:198)
        at ru.mb.security.jaas.RDBMSJAASLoginModule.rdbmsValidate(Unknown Source)
        at ru.mb.security.jaas.RDBMSJAASLoginModule.login(Unknown Source)
    ...

server.xml:

    <GlobalNamingResources>
      <Resource name="jdbc/MerxDB" auth="Container" type="javax.sql.DataSource" scope="Sharable"/>
      <ResourceParams name="jdbc/MerxDB">
        <parameter><name>factory</name><value>org.apache.commons.dbcp.BasicDataSourceFactory</value></parameter>
        <parameter><name>maxActive</name><value>100</value></parameter>
        <parameter><name>maxIdle</name><value>30</value></parameter>
        <parameter><name>maxWait</name><value>1</value></parameter>
        <parameter><name>username</name><value>SYSDBA</value></parameter>
        <parameter><name>password</name><value>masterkey</value></parameter>
        <parameter><name>driverClassName</name><value>org.firebirdsql.jdbc.FBDriver</value></parameter>
        <parameter><name>url</name><value>jdbc:firebirdsql:localhost/3050:/var/db/firebird/merx.gdb</value></parameter>
      </ResourceParams>
      ...
    </GlobalNamingResources>

code from login module:

    ...
    Context ctx = new InitialContext();
    if (null==ctx) throw new Exception("No context");
    Context envCtx = (Context)ctx.lookup("java:comp/env");
    if (null==envCtx) throw new Exception("No context");
    DataSource ds = (DataSource)envCtx.lookup("jdbc/MerxDB");
    ...

Is there any way out? Any help is greatly appreciated.

Maksim Beloglazov
Re: Jaas and Jndi problem
Ok, first I have no clue on JAAS as I have not used it. From the trace you are missing the resource link in the context declaration. With a global you have to provide a link in the context segment.

Doug
www.parsonstechnical.com
Re: Jaas and Jndi problem
Hello,

your Login Module is in the server env and you must access the GlobalNamingContext from the server directly.

    import java.sql.Connection;
    import java.sql.SQLException;
    import javax.naming.Context;
    import javax.sql.DataSource;
    import org.apache.naming.ContextBindings;
    import org.apache.catalina.ServerFactory;
    import org.apache.catalina.core.StandardServer;

    public class xxx {
        public Connection open(String dataSourceName) {
            try {
                Context context = null;
                StandardServer server = (StandardServer) ServerFactory.getServer();
                context = server.getGlobalNamingContext();
                DataSource dataSource = (DataSource)context.lookup(dataSourceName);
                return dataSource.getConnection();
            } catch (Exception e) {
                // ???
            }
            return null;
        }
    }

Only in your web application do you have a comp/env JNDI tree (look at the resource-link server.xml configuration).

regards
peter
http://tomcat.objektpark.org
Re: Jaas and Jndi problem
Thank you very much. It works.
Re: JAAS problems migrating from JRun
Michiel,

you are programming your own login trigger in a filter - I don't think this will work (although I'm happy to be wrong).

I think tomcat is only going to adopt your principals as authenticated if you protect whichever pages necessary via security-constraints in the deployment descriptor.

You must set up a LoginModule that tomcat will find, and in this LoginModule tomcat gives you a call-back-handler which you use to do the authentication. You must then set your Subject, which is also passed to you by tomcat.

Adam

On 04/06/2004 01:39 AM Michiel Toneman wrote:

Hi All,

The company I work for is attempting to move from JRun 3/4 to Tomcat 5.0.19. So far it has been smooth sailing, and the migration is going better than expected. However, before the migration we were about to deploy a JAAS framework on JRun 4. This framework doesn't seem to work at all well in Tomcat 5.

I've implemented a tailored JAAS framework with various types of Principals that grant certain (custom) Permissions in my own Policy. To enforce this onto the webapp, I used a Filter to establish a LoginContext and then wrap the servlet in a Subject.doAsPrivileged call.

To clarify: I'm not looking for authentication through JAAS (I've implemented this in a minimal way), but I'm looking to JAAS for some more elaborate authorization tricks.

In my doFilter (simplified):

    LoginContext lc = new LoginContext("MyJaas", new MyHttpAuthCallbackHandler(request));
    lc.login();
    Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request,response,chain), null);

where FilteredAction is an inner class:

---
    class FilteredAction implements PrivilegedAction {
        ServletRequest faRequest;
        ServletResponse faResponse;
        FilterChain faChain;

        public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
            this.faRequest=request;
            this.faResponse=response;
            this.faChain=chain;
        }

        public Object run() {
            try {
                faChain.doFilter(faRequest, faResponse);
            } catch (Exception e) {
                e.printStackTrace();
            }
            return null;
        }
    }
---

I replace the default Policy with my own policy that adds permissions based on principals assigned in the LoginContext. This is done in the Filter's init:

---
    public void init(FilterConfig config) throws ServletException {
        Policy orgPolicy = Policy.getPolicy();
        if (orgPolicy instanceof MyPolicy) {
            // we already did this once upon a time..
        } else {
            Policy.setPolicy(new MyPolicy(orgPolicy));
        }
    }
---

This works like a charm on JRun (it's a textbook example on the web). However, it fails miserably on Tomcat 5. It looks like the Filter is being evaluated in a different security context by Tomcat than the Servlet itself (based on evaluation of stacktraces generated in my custom Policy class). Therefore, none of the Principals assigned to the Subject in the Filter are available in the Servlet (when MyPolicy.getPermissions() is called).

Does anyone have an idea how I should go about getting (something like) this to work on Tomcat?

Any help would be very much appreciated.

Cheers,
Michiel Toneman

--
struts 1.2 + tomcat 5.0.19 + java 1.4.2 Linux 2.4.20 Debian
Re: JAAS problems migrating from JRun
Adam,

I've been at this all day, and I seem to be banging my head against a really well-constructed wall.

I followed your advice by going the security-constraints/Realm route. I've built a minimal JAAS implementation which, in combination with JAASRealm, works fine for *authentication*. However, when I want to access the Principals I've assigned in my LoginModule within my CustomPolicy for *authorization*, I get nothing.

i.e. in my CustomPolicy:

    getPermissions(ProtectionDomain domain) {
        PermissionCollection pc = deferredPolicy.getPermissions(domain);
        // get principals associated with domain
        Principal[] principals = domain.getPrincipals();
        ...
    }

domain.getPrincipals() returns no policies.

Ok, so I go to the Subject (using a PrivilegedAction):

    Subject.getSubject(AccessController.getContext()).getPrincipals();

and again no Principals. The Subject is empty. I've confirmed this by calling a JSP which includes

    <%= Subject.getSubject(AccessController.getContext()) %>

this just prints: "Subject:", so it seems that the Subject I've worked so hard to create is lost.

How can I get this to work? I need to access the Principals in my CustomPolicy, so that I can assign custom permissions to the PermissionCollection of the domain.

Thanks,
Michiel

P.S. Just to show that the LoginModule / JAASRealm seem to be working:

catalina_log:

    2004-04-06 16:51:02 JAASRealm[Catalina]: Returning username bluppie

catalina.out:

    Assigned principal bluppie of type security.UserPrincipal to user bluppie
    Assigned principal authenticateduser of type security.RolePrincipal to user bluppie
    Assigned principal developer of type security.CustomPrincipal to user bluppie
Re: JAAS problems migrating from JRun
I'm no expert on the internals of tomcat, sorry. You might be looking at a hole in the implementation. I haven't used the JAAS authorization policy mechanism, I rely solely on roles.

Adam

On 04/06/2004 05:18 PM Michiel Toneman wrote:
> Adam,
>
> I've been at this all day, and I seem to be banging my head against a really well-constructed wall.
>
> I followed your advice by going the security-constraints/Realm route. I've built a minimal JAAS implementation which, in combination with JAASRealm, works fine for *authentication*. However, when I want to access the Principals I've assigned in my LoginModule within my CustomPolicy for *authorization*, I get nothing. i.e. in my CustomPolicy:
>
>     getPermissions(ProtectionDomain domain) {
>         PermissionCollection pc = deferredPolicy.getPermissions(domain);
>         // get principals associated with domain
>         Principal[] principals = domain.getPrincipals();
>         .
>     }
>
> domain.getPrincipals() returns no policies. Ok, so I go to the Subject (using a PrivilegedAction):
>
>     Subject.getSubject(AccessController.getContext()).getPrincipals();
>
> and again no Principals. The Subject is empty. I've confirmed this by calling a JSP which includes
>
>     <%= Subject.getSubject(AccessController.getContext()) %>
>
> this just prints: "Subject:", so it seems that the Subject I've worked so hard to create is lost.
>
> How can I get this to work? I need to access the Principals in my CustomPolicy, so that I can assign custom permissions to the PermissionCollection of the domain.
>
> Thanks,
> Michiel
>
> P.S. Just to show that the LoginModule / JAASRealm seem to be working:
>
> catalina_log:
>     2004-04-06 16:51:02 JAASRealm[Catalina]: Returning username bluppie
>
> catalina.out:
>     Assigned principal bluppie of type security.UserPrincipal to user bluppie
>     Assigned principal authenticateduser of type security.RolePrincipal to user bluppie
>     Assigned principal developer of type security.CustomPrincipal to user bluppie
>
> Adam Hardy wrote:
> > Michiel,
> >
> > you are programming your own login trigger in a filter - I don't think this will work (although I'm happy to be wrong). I think tomcat is only going to adopt your principals as authenticated if you protect whichever pages necessary via security-constraints in the deployment descriptor.
> >
> > You must set up a LoginModule that tomcat will find, and in this LoginModule tomcat gives you a call-back-handler which you use to do the authentication. You must then set your Subject, which is also passed to you by tomcat.
> >
> > Adam
> >
> > On 04/06/2004 01:39 AM Michiel Toneman wrote:
> > > Hi All,
> > >
> > > The company I work for is attempting to move from JRun 3/4 to Tomcat 5.0.19. So far it has been smooth sailing, and the migration is going better than expected. However, before the migration we were about to deploy a JAAS framework on JRun 4. This framework doesn't seem to work at all well in Tomcat 5.
> > >
> > > I've implemented a tailored JAAS framework with various types of Principals that grant certain (custom) Permissions in my own Policy. To enforce this onto the webapp, I used a Filter to establish a LoginContext and then wrap the servlet in a Subject.doAsPrivileged call.
> > >
> > > To clarify: I'm not looking for authentication through JAAS (I've implemented this in a minimal way), but I'm looking to JAAS for some more elaborate authorization tricks.
> > >
> > > In my doFilter (simplified):
> > >
> > >     LoginContext lc = new LoginContext("MyJaas", new MyHttpAuthCallbackHandler(request));
> > >     lc.login();
> > >     Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request, response, chain), null);
> > >
> > > where FilteredAction is an inner class:
> > >
> > > ---
> > > class FilteredAction implements PrivilegedAction {
> > >     ServletRequest faRequest;
> > >     ServletResponse faResponse;
> > >     FilterChain faChain;
> > >
> > >     public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
> > >         this.faRequest = request;
> > >         this.faResponse = response;
> > >         this.faChain = chain;
> > >     }
> > >
> > >     public Object run() {
> > >         try {
> > >             faChain.doFilter(faRequest, faResponse);
> > >         } catch (Exception e) {
> > >             e.printStackTrace();
> > >         }
> > >         return null;
> > >     }
> > > }
> > > ---
> > >
> > > I replace the default Policy with my own policy that adds permissions based on principals assigned in the LoginContext. This is done in the Filter's init:
> > >
> > > ---
> > > public void
JAAS problems migrating from JRun
Hi All,

The company I work for is attempting to move from JRun 3/4 to Tomcat 5.0.19. So far it has been smooth sailing, and the migration is going better than expected. However, before the migration we were about to deploy a JAAS framework on JRun 4. This framework doesn't seem to work at all well in Tomcat 5.

I've implemented a tailored JAAS framework with various types of Principals that grant certain (custom) Permissions in my own Policy. To enforce this onto the webapp, I used a Filter to establish a LoginContext and then wrap the servlet in a Subject.doAsPrivileged call.

To clarify: I'm not looking for authentication through JAAS (I've implemented this in a minimal way), but I'm looking to JAAS for some more elaborate authorization tricks.

In my doFilter (simplified):

    LoginContext lc = new LoginContext("MyJaas", new MyHttpAuthCallbackHandler(request));
    lc.login();
    // run the rest of the filter chain with the authenticated Subject bound
    Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request, response, chain), null);

where FilteredAction is an inner class:

---
class FilteredAction implements PrivilegedAction {
    ServletRequest faRequest;
    ServletResponse faResponse;
    FilterChain faChain;

    public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
        this.faRequest = request;
        this.faResponse = response;
        this.faChain = chain;
    }

    public Object run() {
        try {
            // continue the chain (and so the servlet) inside the privileged action
            faChain.doFilter(faRequest, faResponse);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
}
---

I replace the default Policy with my own policy that adds permissions based on principals assigned in the LoginContext. This is done in the Filter's init:

---
public void init(FilterConfig config) throws ServletException {
    Policy orgPolicy = Policy.getPolicy();
    if (orgPolicy instanceof MyPolicy) {
        // we already did this once upon a time..
    } else {
        // wrap the original Policy so it can still be consulted
        Policy.setPolicy(new MyPolicy(orgPolicy));
    }
}
---

This works like a charm on JRun (it's a textbook example on the web). However, it fails miserably on Tomcat 5.

It looks like the Filter is being evaluated in a different security context by Tomcat than the Servlet itself (based on evaluation of stacktraces generated in my custom Policy class). Therefore, none of the Principals assigned to the Subject in the Filter are available in the Servlet (when MyPolicy.getPermissions() is called).

Does anyone have an idea how I should go about getting (something like) this to work on Tomcat?

Any help would be very much appreciated.

Cheers,
Michiel Toneman
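The scoping rule this post depends on, as an added example that is not part of the original thread: a Subject is reachable through the AccessControlContext only below the doAsPrivileged frame, and a plain AccessController.doPrivileged frame in between discards it. SubjectScopeDemo and NamedPrincipal are hypothetical names, a JDK from 8 to 17 is assumed (later releases restrict Subject.getSubject), and the thread does not establish whether Tomcat 5 inserts such a frame.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Added illustration; class and principal names are hypothetical.
// Assumes JDK 8-17, where Subject.getSubject(AccessControlContext) is supported.
public class SubjectScopeDemo {

    // Minimal Principal standing in for the thread's security.UserPrincipal.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    // Describes the Subject bound to the calling thread's AccessControlContext.
    static String currentSubject() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s == null ? "none" : s.getPrincipals().toString();
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal("bluppie"));

        // 1. No doAs frame on the stack: no Subject is bound.
        System.out.println("outside doAs:       " + currentSubject());

        Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
            // 2. Below the doAs frame the SubjectDomainCombiner carries the Subject.
            System.out.println("inside doAs:        " + currentSubject());

            // 3. A plain doPrivileged frame does not preserve the combiner,
            //    so code running below it no longer sees the Subject.
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                System.out.println("after doPrivileged: " + currentSubject());
                return null;
            });
            return null;
        }, null);
    }
}
```

The same combiner is what fills ProtectionDomain.getPrincipals() for a custom Policy, so a Policy consulted from outside the doAs frame sees domains without principals.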
NEWBIE question: JAAS- versus JDBC- versus MemoryRealms
Hi,

I've got a question concerning the different REALM available for Tomcat 5.x. The main (basic) question is that I want to secure my context annex websites / jsp pages.

I have some experience with JAAS (JBOSS) and was investigating the possibility to use / implement JAAS for Tomcat. After some efforts I stopped since I too noticed it would take me too much pain ;-( (I needed to create too much source code hence it would take me too much time). Then I investigated the JDBC Realm and was trying to use this for securing my website.

The question: Tomcat 5 delivers a pre-installed security JSP example (/jsp-examples/security/protected) which (as stated in the documentation) only works with the MemoryRealm. Well, I want this to work with the JDBCRealm (or even my own implementation) as well. Can anyone provide me some configurations of how to achieve this?

Basically, I think I need to change the default JNDI UserBase (MemoryRealm) with my own one (JDBCRealm for example). However, is this the only thing I need to do? If so, please provide me a server.xml configuration.

T.i.a,
Leonard

Leonard Wolters
JTeam B.V.
E: [EMAIL PROTECTED]
T: +31(0)20 486 20 36
M: +31(0)6 24 111 401
F: +31(0)8 48 370 000
W: www.jteam.nl
AW: NEWBIE question: JAAS- versus JDBC- versus MemoryRealms
Hi Leonard,

this works for me:

    <Context path="" docBase="/home/user1/trustedfeed" debug="0">
        <ResourceLink name="jdbc/db" global="jdbc/db" type="javax.sql.DataSource" />
        <Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99"
               dataSourceName="jdbc/db"
               userTable="users" userNameCol="username" userCredCol="password"
               userRoleTable="roles" roleNameCol="rolename"/>
    </Context>

Of course, you have to define the jdbc/db Datasource in the GlobalNamingResources, too.

hth
Marco

---
http://www.optik-preisvergleich.de
http://www.kontaktlinsen-preisvergleich.de

-----Original Message-----
From: Leonard Wolters [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 09:22
To: [EMAIL PROTECTED]
Subject: NEWBIE question: JAAS- versus JDBC- versus MemoryRealms

Hi,

I've got a question concerning the different REALM available for Tomcat 5.x. The main (basic) question is that I want to secure my context annex websites / jsp pages.

I have some experience with JAAS (JBOSS) and was investigating the possibility to use / implement JAAS for Tomcat. After some efforts I stopped since I too noticed it would take me too much pain ;-( (I needed to create too much source code hence it would take me too much time). Then I investigated the JDBC Realm and was trying to use this for securing my website.

The question: Tomcat 5 delivers a pre-installed security JSP example (/jsp-examples/security/protected) which (as stated in the documentation) only works with the MemoryRealm. Well, I want this to work with the JDBCRealm (or even my own implementation) as well. Can anyone provide me some configurations of how to achieve this?

Basically, I think I need to change the default JNDI UserBase (MemoryRealm) with my own one (JDBCRealm for example). However, is this the only thing I need to do? If so, please provide me a server.xml configuration.

T.i.a,
Leonard

Leonard Wolters
JTeam B.V.
E: [EMAIL PROTECTED]
T: +31(0)20 486 20 36
M: +31(0)6 24 111 401
F: +31(0)8 48 370 000
W: www.jteam.nl
RE: NEWBIE question: JAAS- versus JDBC- versus MemoryRealms
Thanks Marco,

However, can I also set this datasource for the Engine element? (I thought I read something about a bug, although I'm not quite sure).

Then, after I specified this new datasource in either the context or engine element, how do I configure the UserDatabase in the JNDI lookup? For example:

    <GlobalNamingResources>
        <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
        <Resource name="UserDatabase" auth="Container"
                  type="org.apache.catalina.UserDatabase"
                  description="User database that can be updated and saved">
        </Resource>
        <ResourceParams name="UserDatabase">
            <parameter>
                <name>factory</name>
                <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
            </parameter>
            <parameter>
                <name>pathname</name>
                <value>conf/tomcat-users.xml</value>
            </parameter>
        </ResourceParams>
    </GlobalNamingResources>

    <!-- Define the Tomcat Stand-Alone Service -->
    <Service name="Catalina">

        <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
        <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" redirectPort="8443" acceptCount="100" debug="0"
                   connectionTimeout="2" disableUploadTimeout="true"/>

        <!-- Define a Coyote/JK2 AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" enableLookups="false" redirectPort="8443" debug="0"
                   protocol="AJP/1.3"/>

        <!-- Define the top level container in our container hierarchy -->
        <Engine name="Catalina" defaultHost="localhost" debug="0">

            <Logger className="org.apache.catalina.logger.FileLogger"
                    prefix="catalina_log." suffix=".txt" timestamp="true"/>

            <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
                   driverName="org.gjt.mm.mysql.Driver"
                   connectionURL="jdbc:mysql://localhost/build_jplanner"
                   connectionName="***" connectionPassword="**"
                   userTable="JT_USER" userNameCol="LOGINNAME" userCredCol="PASSWORD"
                   userRoleTable="JT_GROUP" roleNameCol="NAME"/>

            <Host name="localhost" debug="0" appBase="webapps"
                  unpackWARs="true" autoDeploy="true"
                  xmlValidation="false" xmlNamespaceAware="false">
                <Logger className="org.apache.catalina.logger.FileLogger"
                        directory="logs" prefix="localhost_log." suffix=".txt"
                        timestamp="true"/>
            </Host>
        </Engine>
    </Service>

How does the GlobalNamingResources relate to the REALM specified in the engine element? Can someone tell me if the UserBase as specified in the GlobalNamingResources is being used for the JSP security stuff? (for example the /webapps/jsp-examples/security/protected/login.jsp)

T.i.a,
Leonard

-----Original Message-----
From: Marco Pöhler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 10:45 AM
To: Tomcat Users List
Subject: AW: NEWBIE question: JAAS- versus JDBC- versus MemoryRealms

Hi Leonard,

this works for me:

    <Context path="" docBase="/home/user1/trustedfeed" debug="0">
        <ResourceLink name="jdbc/db" global="jdbc/db" type="javax.sql.DataSource" />
        <Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99"
               dataSourceName="jdbc/db"
               userTable="users" userNameCol="username" userCredCol="password"
               userRoleTable="roles" roleNameCol="rolename"/>
    </Context>

Of course, you have to define the jdbc/db Datasource in the GlobalNamingResources, too.

hth
Marco

---
http://www.optik-preisvergleich.de
http://www.kontaktlinsen-preisvergleich.de

-----Original Message-----
From: Leonard Wolters [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 March 2004 09:22
To: [EMAIL PROTECTED]
Subject: NEWBIE question: JAAS- versus JDBC- versus MemoryRealms

Hi,

I've got a question concerning the different REALM available for Tomcat 5.x. The main (basic) question is that I want to secure my context annex websites / jsp pages.

I have some experience with JAAS (JBOSS) and was investigating the possibility to use / implement JAAS for Tomcat. After some efforts I stopped since I too noticed it would take me too much pain ;-( (I needed to create too much source code hence it would take me too much time). Then I investigated the JDBC Realm and was trying to use this for securing my website.

The question: Tomcat 5 delivers a pre-installed security JSP example (/jsp-examples/security/protected) which (as stated in the documentation) only works with the MemoryRealm. Well, I want this to work with the JDBCRealm (or even my own implementation) as well. Can anyone provide me some configurations of how to achieve this?

Basically, I think I need to change the default JNDI UserBase (MemoryRealm) with my own