On Wed, 2002-08-21 at 21:31, Craig R. McClanahan wrote:
>
>
> On Wed, 21 Aug 2002, Max Cooper wrote:
>
> > Date: Wed, 21 Aug 2002 13:07:47 -0700
> > From: Max Cooper <[EMAIL PROTECTED]>
> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > To: Struts Users Mailing List <[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED]
> > Subject: Re: Container-managed authentication not possible
> >
> > Brandon,
> >
> > SecurityFilter *does* implement isUserInRole(), getUserPrincipal(), and
> > getRemoteUser(). By "mimics" I mean that your app (or Tiles and Struts) will
> > not be able to distinguish between SecurityFilter and Container Managed
> > Security. It behaves the same, and it looks the same to the code running on
> > top of it. One of the major design goals of the project is to allow you to
> > switch between container-managed and filter-based security without changing
> > your application's code. SecurityFilter also shares the same configuration
> > syntax and features, except that you put the info in a
> > securityfilter-config.xml file rather than web.xml.
> >
>
> I haven't had time to check your docs for myself :-), but I hope you do
> point out one critical place where the application *does* have to care
> about whether it is "real" container managed security or not -- EJB
> access. From the point of view of an EJB container, requests protected by
> any sort of mimicking security filter will appear to be coming from an
> unauthenticated web user (which might or might not be ok, depending on
> your security policies and application design).
>
> > -Max
>
> Craig
If the filter used JAAS authentication, what would it need to do in
order to integrate the Subject into the container's environment so that
EJB access wouldn't seem unauthorized? Would it be container specific?
In what ways? It seems like the request would also NOT need to be
wrapped if the Subject was properly established (i.e. had the right
~type~ of principals, and was stored in the container correctly [but
where would that be?]), does that sound right?
Troy
>
>
> >
> > ----- Original Message -----
> > From: "Brandon Goodin" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>;
> > <[EMAIL PROTECTED]>
> > Sent: Wednesday, August 21, 2002 12:52 PM
> > Subject: RE: Container-managed authentication not possible
> >
> >
> > > That is a cool project. But, it only "mimics". It has the same terminology
> > > associated with it. But it is NOT container managed security. Nor does it
> > > integrate (at this point) with many projects that use the container based
> > > security check methods like isUserInRole(). So, for example, if you are using
> > > role checking with tiles it will not be able to locate the role and user
> > > information generated by SecurityFilter because it does not use container
> > > managed security. I wrote a SecurityFilter that interacts with an action to
> > > take advantage of container based security. It allows for auto-login, login
> > > from any page, and url based security. But the code is not very clean and is
> > > Tomcat specific. I am waiting for the ServletSpec to come up to par.
> > > Meanwhile my "SecurityFilter" is working and using container based security
> > > and I would rather stay tied to container managed security with all its
> > > inflexibilities because it allows me to abstract my security from my app.
> > >
> > > Just my rambling thoughts,
> > > Brandon Goodin
> > > Phase Web and Multimedia
> > > P(406)862-2245
> > > F(406)862-0354
> > > http://www.phase.ws
> > >
> > > -----Original Message-----
> > > From: Todd G. Nist [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, August 21, 2002 2:46 PM
> > > To: 'Struts Users Mailing List'
> > > Subject: RE: Container-managed authentication not possible
> > >
> > >
> > > You may want to take a look at the SecurityFilter project on SourceForge.net
> > > by Max Cooper. Summary from site:
> > >
> > > "SecurityFilter is a Java Servlet Filter that mimics the behavior and
> > > configuration format of container managed security, with several
> > > development and deployment advantages."
> > >
> > > See the Home Page http://securityfilter.sourceforge.net for more details.
> > >
> > > Regards,
> > >
> > > Todd G. Nist
> > >
> > >
> > > -----Original Message-----
> > > From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, August 21, 2002 2:48 PM
> > > To: Struts Users Mailing List
> > > Subject: RE: Container-managed authentication not possible
> > >
> > >
> > > You can implement container managed security in web.xml only if it has been
> > > setup within the server.xml under your host settings.
> > >
> > > Brandon Goodin
> > > Phase Web and Multimedia
> > > P(406)862-2245
> > > F(406)862-0354
> > > http://www.phase.ws
> > >
> > > -----Original Message-----
> > > From: Elderclei R Reami [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, August 21, 2002 3:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Container-managed authentication not possible
> > >
> > >
> > > Hi Friends,
> > >
> > > It's been a month developing in struts, and the party's been pretty good.
> > > I'm just finishing my first application (30 jsps, actions, and so on), and
> > > now I'm including some security in it.
> > >
> > > I'm in trouble regarding authentication, because my client's ISP does not
> > > let me change server.xml configs, probably because they use virtual hosting.
> > > My question is: is it possible to configure container-managed
> > > authentication using the web.xml? Or must I implement my own authentication?
> > >
> > > Cheers,
> > > Elderclei R Reami
> > > Vertis Tecnologia
> > > +55 11 3887-0835
> > > www.vertisnet.com.br
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
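As an added illustration of the "mimic" mechanism the thread discusses (example code written here, not SecurityFilter's own): a filter wraps the request so that getRemoteUser(), getUserPrincipal() and isUserInRole() answer from the filter's own idea of who is logged in, which is why Struts and Tiles cannot tell the difference, and why an EJB container, which never sees the wrapper, still can. The class name, the `auth.user` session attribute and the in-memory role table are assumptions; it targets the javax.servlet API and Java 9+.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical minimal filter (added example). Once a user is authenticated,
// it wraps the request so the three container-security methods behave the
// way they would under container-managed security.
public class MimicSecurityFilter implements Filter {

    // Constructed sample data: username -> roles. Real code would consult a realm.
    private static final Map<String, Set<String>> ROLES =
        Map.of("alice", Set.of("manager", "user"), "bob", Set.of("user"));

    static final class SecuredRequest extends HttpServletRequestWrapper {
        private final String user;

        SecuredRequest(HttpServletRequest req, String user) {
            super(req);
            this.user = user;
        }

        @Override public String getRemoteUser() { return user; }

        // java.security.Principal has one abstract method, so a lambda suffices.
        @Override public Principal getUserPrincipal() { return () -> user; }

        @Override public boolean isUserInRole(String role) {
            return ROLES.getOrDefault(user, Set.of()).contains(role);
        }
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        // Assumes a login step elsewhere stored the authenticated name under "auth.user".
        String user = session == null ? null : (String) session.getAttribute("auth.user");
        // Only code downstream in the web tier sees this wrapper. An EJB called from
        // the servlet still runs with the container's own caller identity, i.e. as an
        // unauthenticated web user, which is the caveat Craig raises above.
        chain.doFilter(user == null ? http : new SecuredRequest(http, user), res);
    }
}
```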