Because realmClass needs to be an implementation of org.apache.catalina.Realm, and so I will always need to add a compile-time dep on Tomcat in my app. I would like not to have any compile-time dep on either Tomcat or OpenEJB/TomEE, if possible

On 23/08/2012 08:48, Romain Manni-Bucau wrote:
Why is there a dep? That's just xml
On 23 August 2012 07:55, "Enrico Olivelli" <[email protected]> wrote:

Thank you
Your impl is great!

But with this LazyRealm the app needs to depend at compile time on the
tomcat-catalina "realm" interface (even if it can be created with CDI, so I
think that in this way devs can lookup EJBs)
I think it should be more powerful to provide a Realm that could call
directly one business method inside the app (as the EJB example or the EL
example)
the EL example is very powerful, because devs who use JSF often declare
<commandButton action="#{usermanager.login(......)}" >
but I think that an EJB stub would be enough

maybe it would be useful to let the app provide an implementation of JAAS
LoginModule or some other "standard" way to authenticate the user (without
deploying it in the container, that is sometimes out of the possibilities
of the dev, IT rules!)

another idea
you can add a wrapper to the application "realm" in LazyRealm to adapt it
to the Realm interface, I think the only useful method is the
authenticate(username, password) method as in the example I sent, Tomcat
wants it to return a Tomcat specific Principal impl that contains the roles
list

Thanks
- Enrico


On 22/08/2012 21:39, Romain Manni-Bucau wrote:

PS: the realm should be able to use cdi, simply add cdi="true" to the realm
definition (that's not the default)

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/22 Romain Manni-Bucau <[email protected]>

  already looked it several times and the IDE was opened ;)

2012/8/22 Thiago Veronezi <[email protected]>

  Dude, you are incredibly fast!!! :O)

On Wed, Aug 22, 2012 at 2:21 PM, Romain Manni-Bucau <[email protected]> wrote:

https://issues.apache.org/jira/browse/TOMEE-400

2012/8/22 Enrico Olivelli <[email protected]>

On 22/08/2012 19:29, Romain Manni-Bucau wrote:

hmm, the point is that tomcat creates the realm before the app is started
(== the webapp classloader is not available) so you have to put your realm
in the container

it is exactly the reason why I'm asking you to put this kind of support in
TomEE, because you cannot deploy a "Realm" implementation directly in your
own application
My trick is just to let the developer of the app bundle in its own app the
only "logic" that implements the real authentication, leaving the container
to "manage" security

in order to lookup beans you have to make a JNDI lookup only for every
call to "authenticate", so the realm actually doesn't need to have access to
the application context before initialization



FYI you can use the tomee maven plugin:
             <plugin>
               <groupId>org.apache.openejb.maven</groupId>
               <artifactId>tomee-maven-plugin</artifactId>
               <version>1.0.0-SNAPSHOT</version>
               <configuration>
                 <libs>
                   <lib>examples:EJBRealm:1.0-SNAPSHOT</lib>
                 </libs>
               </configuration>
             </plugin>

I don't know if tomcat already has a kind of lazy realm instantiator but
we could add one in tomee to manage such cases

2012/8/22 Thiago Veronezi <[email protected]>

   Hmmmm... I like your idea!

I will try to implement something like that now.


[]s,
Thiago.


On Wed, Aug 22, 2012 at 1:12 PM, Enrico Olivelli <[email protected]> wrote:

This is not what I meant
I'm attaching an example

EJBRealm.zip is a simple Tomcat Realm that performs a JNDI lookup to get
an application provided EJB and invokes a method to authenticate the user
     <Realm className="ejbrealm.EJBRealm"
       beanname="java:global/localhost/MyAuth/AuthBean"
       realmname="MyRealm" loginMethod="loginUser" />
MyAuth.zip is an example webapp which uses it

- Enrico


On 22/08/2012 18:38, Romain Manni-Bucau wrote:

realm are typically managed by tomcat so tomcat packaging should work
the link between realm and ejbcontext is done through a wrapper realm
called tomeerealm (added automatically on the snapshot) so simply define
the jaasrealm:
http://svn.apache.org/repos/asf/openejb/trunk/openejb/examples/cdi-ejbcontext-jaas/src/main/tomee/conf/server.xml

here is a sample:
http://svn.apache.org/repos/asf/openejb/trunk/openejb/examples/cdi-ejbcontext-jaas/



2012/8/22 Enrico Olivelli <[email protected]>

I'd like to bundle my own "realm" implementation with my app, because I
want to call an EJB method in order to authenticate users
Tomcat comes with JDBCRealm which can be used to lookup username/password
directly in the app DB bypassing application code

and Tomcat does like to "bundle" a Realm implementation inside the app

The only "issue" I see is the security context to use to access this
"realm-EJB"
Did I miss something?

Could you bundle a built-in Tomcat Realm that does the trick?
something like
     <Realm className="xxxx.EJBRealm"
       beanLookup="java:comp/env/MyAuthBean"
       authenticateMethod="authenticateUser" runAs="superuser" />

or CDI-EL based
assuming the presence of a @Named("authbean")
     <Realm className="xxxx.CDIRealm"
       authenticateMethod="#{authbean.authenticateUser}"
       runAs="superuser" />

Thanks
Enrico





