Hi All,

The company I work for is attempting to move from JRun 3/4 to Tomcat
5.0.19. So far it has been smooth sailing, and the migration is going
better than expected. 

However, before the migration we were about to deploy a JAAS framework
on JRun 4. This framework doesn't seem to work at all well in Tomcat 5. 

I've implemented a tailored JAAS framework with various types of
Principals that grant certain (custom) Permissions in my own Policy. To
enforce this onto the webapp, I used a Filter to establish a
LoginContext and then "wrap" the servlet in a Subject.doAsPrivileged
call. To clarify: I'm not looking for authentication through JAAS (I've
implemented this in a minimal way), but I'm looking to JAAS for some more
elaborate authorization tricks.

In my doFilter (simplified):

  LoginContext lc = new LoginContext("MyJaas", new MyHttpAuthCallbackHandler(request));
  lc.login();
  Subject.doAsPrivileged(lc.getSubject(), new FilteredAction(request, response, chain), null);

where FilteredAction is an inner class:

-----------------------------------------------------------
        // Runs the rest of the filter chain (and so the servlet) as the Subject.
        class FilteredAction implements PrivilegedAction {
                ServletRequest faRequest;
                ServletResponse faResponse;
                FilterChain faChain;

                public FilteredAction(ServletRequest request, ServletResponse response, FilterChain chain) {
                        this.faRequest = request;
                        this.faResponse = response;
                        this.faChain = chain;
                }

                public Object run() {
                        try {
                                faChain.doFilter(faRequest, faResponse);
                        } catch (Exception e) {
                                // Exceptions are only printed here, not propagated to the container.
                                e.printStackTrace();
                        }
                        return null;
                }
        }
-----------------------------------------------------------

I replace the default Policy with my own policy that adds permissions
based on principals assigned in the LoginContext. This is done in the
Filter's init:

-----------------------------------------------------------
        public void init(FilterConfig config) throws ServletException {
                Policy orgPolicy = Policy.getPolicy();

                if (orgPolicy instanceof MyPolicy) {
                        // we already did this once upon a time..
                } else {
                        Policy.setPolicy(new MyPolicy(orgPolicy));
                }
        }
-----------------------------------------------------------

This works like a charm on JRun (it's a "textbook" example on the web).
However, it fails miserably on Tomcat 5. It looks like the Filter is
being evaluated in a different security context by Tomcat than the
Servlet itself (based on evaluation of stacktraces generated in my
custom Policy class). Therefore, none of the Principals assigned to the
Subject in the Filter are available in the Servlet (when
MyPolicy.getPermissions() is called). 

Does anyone have an idea how I should go about getting (something like)
this to work on Tomcat?

Any help would be very much appreciated.

Cheers,

Michiel Toneman
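
Added example, not part of the original post and not the poster's MyPolicy: a minimal delegating Policy that grants a permission based on the Principals on the ProtectionDomain, plus a helper that reports which Subject is associated with the current access-control context, so the value seen inside the Filter's action can be compared with the value seen in the servlet. The class name, the "admin" principal name and the "myapp.admin" permission are hypothetical, and the code assumes a JDK that still supports Policy and the Security Manager.

```java
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

// Hypothetical stand-in for a principal-aware policy (not the poster's MyPolicy).
public class PrincipalAwarePolicy extends Policy {
    private final Policy delegate; // the policy that was installed before this one

    public PrincipalAwarePolicy(Policy delegate) {
        this.delegate = delegate;
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        // Copy the delegate's grants: the collection it returns may be read-only.
        Permissions result = new Permissions();
        PermissionCollection base = delegate.getPermissions(domain);
        if (base != null) {
            for (Permission p : Collections.list(base.elements())) {
                result.add(p);
            }
        }
        // A domain carries Principals only when the check runs under a Subject;
        // otherwise the array is empty and nothing extra is granted.
        if (domain != null) {
            for (Principal principal : domain.getPrincipals()) {
                if ("admin".equals(principal.getName())) {       // hypothetical name
                    result.add(new RuntimePermission("myapp.admin")); // hypothetical permission
                }
            }
        }
        return result;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return getPermissions(domain).implies(permission);
    }

    // Diagnostic: which Subject, if any, is tied to the calling thread's context.
    // The caller needs AuthPermission "getSubject" when a SecurityManager is active.
    public static String currentSubject() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s == null ? "no Subject" : s.getPrincipals().toString();
    }
}
```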

