The other route it seems you could go is to use a container-managed login as you suggest, and enjoy using the methods such as request.isUserInRole instead of invoking security methods on a hand-rolled component, but I think you will have to give up the JBoss/Tomcat stack to do this for now (someone please correct me if I am wrong), because I think there is a security integration problem there, as I described earlier. I'm guessing Tomcat as stand alone might be a good way to go though. I have not done this and couldn't say whether it is "common and usual".
I have tried to write my role-checking methods so that in the future if I port an application to JAAS I can just refactor them to invoke the standard methods instead of my own. But like I say, I'm far from an expert in this area.
Hope that helps,
Erik
Leandro Melo wrote:
So Erik, is it a common and usual aproach to do login outside of Struts (ordinary jsps), and then use Struts afterwards???
--- Erik Weber <[EMAIL PROTECTED]> escreveu:
Leandro, search the archives of this List for=== message truncated ===
"JAAS". I participated in a thread about this within the last two months.
I'm not sure if I understand exactly what you want
to do, but if you want to use container-managed security, I don't know
of a way to have your login screen be part of Struts. As far as I
know, you have to let the container process the request that results from
the login screen's form submittal (I tried having an Action intercept
this request and then attempt to login with the JBoss JAAS module manually
but gave up when I realized problem # 2 -- below).
Another problem you are probably going to run into
is that the JBoss security context is not propagated to Tomcat, and
vice versa, as far as I know. So if you authenticate using JBoss JAAS,
Tomcat won't know about it, and the methods such as request.isUserInRole
aren't going to do you any good (although you would presumably be able to
use the similar methods on EJBs, because they are running within the
JBoss security context).
I found JAAS to be a nightmare, though a couple
people gave me possible solutions to the problems I mentioned in the thread
(one would be intercepting the login screen request and then
manually logging in with both JBoss JAAS as well as Tomcat JAAS modules --
but I don't know if this has been done). I presume it's a much easier
endeavor if you are just using Tomcat stand alone, but I'll let Craig
address that if he wants, because I've never tried it.
Erik
Leandro Melo wrote:
Or i just extend the DatabaseServerLoginModuleclass
org.jboss.security.auth.spi.DatabaseServerLoginModuleand leave an empty class????
--- Leandro Melo <[EMAIL PROTECTED]>
escreveu:
Just complementing my question...
Would it be fair if i copy JBoss' DatabaseServerLoginModule code and place it inside an Action???
This way, i'll have an Action (for example, MyLoginAction) that does exactly what DatabaseServerLoginModule does.
--- Leandro Melo <[EMAIL PROTECTED]>
escreveu:
/>Please help me out here! I'm very new with jaas, so i need some help.
I got a simple login that is working fine for me, here it is:
...
<FORM action='<%=
response.encodeURL("j_security_check")%>' method="get">
<!-- esses nomes tem q ser assim ->
j_username
-->
NOME:<INPUT type="text" name="j_username"
<!-- tem q ser j_password -->a
SENHA: <INPUT type="password"
name="j_password"
/>
<INPUT type="submit" value="Login" />
</FORM> ...
I'm using JBoss' default stuff (LoginModule,
CallbackHandler, etc...) to make it works. Here's
piece of my configuration file (for jboss).
... example2 {
whole
submitsrequired dsJndiName="java:/DefaultDS" principalsQuery="Select Password from Principals where PrincipalID =?" rolesQuery="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID =?" ; }; ...
As i said, this works fine for me. I only made
configuration and login.jsp, after the user
data from login.jsp, JBoss takes care of the
Strutsthing and already directs the user to index.jsp(in
case of sucessful login).
NOW, i want to do the exact same thing with
handles(myset
enviroment is all setup, the only thing i didn't
have
was the login module, i already have everything
and working with Tiles).because
The problem is that i don't know what to do,
i'll probably have to write a Servlet that
<web-resource-name>Restricted</web-resource-name>this request won't i???
Here's in my web.xml
<security-constraint>
<web-resource-collection>
<description>Declarative security
tests</description>
<url-pattern>/jaas_tests/*</url-pattern>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Echo</role-name>
<!--<role-name>Java</role-name>-->
</auth-constraint>
<user-data-constraint>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
