I made some tests.
Tomcat's JAASRealm creates a LoginContext in this way:

// JAASRealm.java at line 372 on Tomcat trunk
loginContext = new LoginContext(appName, callbackHandler);

This constructor uses the JVM system-wide JAAS configuration (the default JAAS Configuration), so if you want to use your own LoginModule you have to modify Tomcat's global configuration....




On 23/08/2012 11:40, Romain Manni-Bucau wrote:
I don't get it, you can define your LoginModule in the webapp I think; you
even have the useContextClassLoader parameter


*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/23 Enrico Olivelli <eolive...@gmail.com>

Yes, the problem in the Tomcat JAAS Realm is that you have to bundle your
LoginModule with the container.
It would be very nice to let the app provide a LoginModule.

Do not drop LazyRealm, it fills a gap in Tomcat's standard Realm
implementations (what about giving it, without CDI, to Tomcat directly?)

I can't understand why the Java EE specs do not cover this common case.
I have always developed Software as a Service apps, and I could never use
Container Managed security!


On 23/08/2012 09:58, Romain Manni-Bucau wrote:

Hmm, thinking a bit more, what about JAAS? It already works out of the box
and you are not Tomcat-dependent in the Java files.

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/23 Enrico Olivelli <eolive...@gmail.com>

I love it.
Remember that Tomcat wants a "GenericPrincipal", not a simple Principal,
so application code has to be proxied according to this need.

My goal is that the app only needs to provide an EJB or CDI bean with an
"authenticate" method which takes username/password and answers with the
list of roles of the user.

With your solution I will provide a bean with such a method
Principal authenticate(String username, String password)
that will be mapped to the Tomcat Realm authenticate(username, password)
method.
Some "magic" needs to be done to map the application-provided Principal to
the GenericPrincipal of Tomcat and the roles list.
Any idea?


- Enrico


On 23/08/2012 09:27, Romain Manni-Bucau wrote:

Hmm, that's another need.
Here is how I see things:
1) the LazyRealm manages the classloader stuff
2) another realm (DelegatorRealm?) does the same using a bean matching
(almost) the signatures of Realm using Java types (java == not tomcat) and
uses reflection to invoke the delegate

WDYT?

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/23 Enrico Olivelli <eolive...@gmail.com>

Because realmClass needs to be an implementation of
org.apache.catalina.Realm,
and so in my app I will always need to add a compile-time dep on Tomcat in
my app.
I would like not to have any compile-time dep on either Tomcat or
OpenEJB/TomEE, if possible.


On 23/08/2012 08:48, Romain Manni-Bucau wrote:

Why is there a dep? That's just XML

On 23 August 2012 07:55, "Enrico Olivelli" <eolive...@gmail.com>
wrote:

Thank you

Your impl is great!
But with this LazyRealm the app needs to depend at compile time on the
tomcat-catalina "Realm" interface (even if it can be created with CDI,
so I think that in this way devs can look up EJBs).
I think it would be more powerful to provide a Realm that could call
directly one business method inside the app (as in the EJB example or the
EL example).
The EL example is very powerful, because devs who use JSF often declare
<commandButton action="#{usermanager.login(....)" >

but I think that an EJB stub would be enough.

Maybe it would be useful to let the app provide an implementation of a JAAS
LoginModule or some other "standard" way to authenticate the user
(without deploying it in the container, which is sometimes out of the
possibilities of the dev, IT rules!)

Another idea:
you can add a wrapper to the application "realm" in LazyRealm to adapt it
to the Realm interface; I think the only useful method is the
authenticate(username, password) method as in the example I sent.
Tomcat wants it to return a Tomcat-specific Principal impl that contains the
roles list.

Thanks
- Enrico


On 22/08/2012 21:39, Romain Manni-Bucau wrote:

PS: the realm should be able to use CDI, simply add cdi="true" to the
realm definition (that's not the default)

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/22 Romain Manni-Bucau <rmannibu...@gmail.com>

already looked at it several times and the IDE was open ;)

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/22 Thiago Veronezi <thi...@veronezi.org>

Dude, you are incredibly fast!!! :O)

On Wed, Aug 22, 2012 at 2:21 PM, Romain Manni-Bucau
<rmannibu...@gmail.com> wrote:

https://issues.apache.org/jira/browse/TOMEE-400

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/22 Enrico Olivelli <eolive...@gmail.com>

On 22/08/2012 19:29, Romain Manni-Bucau wrote:

hmm, the point is Tomcat creates the realm before the app is started
(== the webapp classloader is not available) so you have to put your realm
in the container

It is exactly the reason why I'm asking you to put this kind of support
in TomEE, because you cannot deploy a "Realm" implementation directly in
your own application.
My trick is just to let the developer of the app bundle in its own app
only the "logic" that implements the real authentication, leaving the
container to "manage" security.
In order to look up beans you have to make a JNDI lookup only for every
call to "authenticate", so the realm actually doesn't need to have access
to the application context before initialization.


FYI you can use the tomee maven plugin:

                <plugin>
                  <groupId>org.apache.openejb.maven</groupId>
                  <artifactId>tomee-maven-plugin</artifactId>
                  <version>1.0.0-SNAPSHOT</version>
                  <configuration>
                    <libs>
                      <lib>examples:EJBRealm:1.0-SNAPSHOT</lib>
                    </libs>
                  </configuration>
                </plugin>

I don't know if Tomcat already has a kind of lazy realm instantiator but
we could add one in TomEE to manage such cases

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*



2012/8/22 Thiago Veronezi <thi...@veronezi.org>

Hmmmm... I like your idea!
I will try to implement something like that now.

[]s,
Thiago.


On Wed, Aug 22, 2012 at 1:12 PM, Enrico Olivelli <eolive...@gmail.com>
wrote:
This is not what I meant.

I'm attaching an example.
EJBRealm.zip is a simple Tomcat Realm that performs a JNDI lookup to get
an application-provided EJB and invokes a method to authenticate the user

      <Realm className="ejbrealm.EJBRealm"
        beanname="java:global/localhost/MyAuth/AuthBean"
        realmname="MyRealm" loginMethod="loginUser" />

MyAuth.zip is an example webapp which uses it

- Enrico


On 22/08/2012 18:38, Romain Manni-Bucau wrote:

realms are typically managed by Tomcat so Tomcat packaging should work.
The link between the realm and the EJB context is done through a wrapper
realm called TomEERealm (added automatically on the snapshot) so simply
define the JAASRealm:

http://svn.apache.org/repos/asf/openejb/trunk/openejb/examples/cdi-ejbcontext-jaas/src/main/tomee/conf/server.xml

here is a sample:

http://svn.apache.org/repos/asf/openejb/trunk/openejb/examples/cdi-ejbcontext-jaas/

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*

2012/8/22 Enrico Olivelli <eolive...@gmail.com>

I'd like to bundle my own "realm" implementation with my app, because I
want to call an EJB method in order to authenticate users.

Tomcat comes with JDBCRealm which can be used to look up username/password
directly in the app DB bypassing application code,
and Tomcat does like to "bundle" a Realm implementation inside the app.

The only "issue" I see is the security context to use to access this
"realm-EJB".
Did I miss something?

Could you bundle a built-in Tomcat Realm that does the trick?

something like
        <Realm className="xxxx.EJBRealm"
          beanLookup="java:comp/env/MyAuthBean"
          authenticateMethod="authenticateUser"
          runAs="superuser"
        />

or CDI-EL based,
assuming the presence of a @Named("authbean")
        <Realm className="xxxx.CDIRealm"
          authenticateMethod="#{authbean.authenticateUser}"
          runAs="superuser" />

Thanks
Enrico
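Added example for the EJB-delegating realm discussed throughout the thread (the `<Realm className="ejbrealm.EJBRealm" ...>` configuration, the per-call JNDI lookup so the realm needs no webapp classloader at startup, and the mapping of the application's role list onto Tomcat's GenericPrincipal). This is written for this page; it is not the EJBRealm.zip attached in the thread and not TomEE's TomEERealm or LazyRealm. Assumed: the Tomcat 7 RealmBase API, Java 7+, the attribute names beanName/loginMethod, and an application bean exposing `List<String> loginUser(String username, String password)` that returns null when the credentials are rejected. The application bean itself is not part of the example.

```java
// Added example, not the EJBRealm.zip from the thread nor TomEE's TomEERealm/LazyRealm.
// Tomcat 7 API assumed. Configured from server.xml as (attribute names are this example's):
//   <Realm className="ejbrealm.EJBRealm"
//          beanName="java:global/localhost/MyAuth/AuthBean" loginMethod="loginUser"/>
// The jar goes into Tomcat's lib/ (the realm is created before any webapp classloader exists);
// only the bean it calls lives in the application.
package ejbrealm;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public class EJBRealm extends RealmBase {

    private static final Log log = LogFactory.getLog(EJBRealm.class);

    private String beanName;                  // JNDI name of the application's bean
    private String loginMethod = "loginUser"; // assumed contract: List<String> m(String user, String pw)

    public void setBeanName(String beanName) { this.beanName = beanName; }
    public void setLoginMethod(String loginMethod) { this.loginMethod = loginMethod; }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null || beanName == null) {
            return null; // fail closed
        }
        try {
            // Looked up on every call: the webapp (and its JNDI tree) need not exist
            // when Tomcat instantiates this realm at startup.
            Object bean = new InitialContext().lookup(beanName);
            Method m = bean.getClass().getMethod(loginMethod, String.class, String.class);
            List<String> roles = toRoles(m.invoke(bean, username, credentials));
            if (roles == null) {
                return null; // the application rejected the credentials
            }
            // Password deliberately not kept in the principal: BASIC/FORM do not need it later.
            return new GenericPrincipal(username, null, roles);
        } catch (NamingException e) {
            log.error("EJBRealm: cannot look up " + beanName, e);
        } catch (NoSuchMethodException | IllegalAccessException e) {
            log.error("EJBRealm: cannot call " + loginMethod + "(String, String) on " + beanName, e);
        } catch (InvocationTargetException e) {
            // The bean threw (for example an EJBAccessException): treat as a failed login.
            log.warn("EJBRealm: " + loginMethod + " failed for user " + username, e.getCause());
        }
        return null;
    }

    /** null means "denied"; an empty list is an authenticated user without roles. */
    private static List<String> toRoles(Object result) {
        if (!(result instanceof Iterable)) {
            return null;
        }
        List<String> roles = new ArrayList<String>();
        for (Object r : (Iterable<?>) result) {
            if (r != null) {
                roles.add(r.toString());
            }
        }
        return roles;
    }

    // Hash-based hooks used by DIGEST auth: the bean checks the password, so this realm
    // supports only schemes that hand it the cleartext credential (BASIC, FORM).
    @Override
    protected String getName() { return "EJBRealm"; }

    @Override
    protected String getPassword(String username) { return null; }

    @Override
    protected Principal getPrincipal(String username) { return null; }
}
```

The lookup and the invocation happen before any caller principal exists, which is the "security context" question raised in the first message of the thread: the bean's login method has to be callable by an unauthenticated caller (for example annotated @PermitAll), and a runAs identity as in Enrico's proposed configuration would need a container-specific hook that this example does not have. Because the bean does the password check, the realm never holds a stored hash, so getPassword/getPrincipal return null and DIGEST authentication is not supported by this realm.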




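Added example (not Tomcat or TomEE code) for the LoginContext point in the first message and the useContextClassLoader remark: `new LoginContext(appName, callbackHandler)` resolves the LoginModule through the JVM-wide Configuration, i.e. the file named by java.security.auth.login.config, whereas the four-argument constructor takes a Configuration object and therefore lets an application supply its own LoginModule without editing Tomcat's global JAAS configuration. DemoLoginModule, its in-memory user table, the "MyApp" entry name and the two Principal classes (kept as separate classes because a realm tells roles from the user by class name) are all constructed for this demo; Java 8+ is assumed.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Demo (not Tomcat code): wiring a LoginModule through an explicit JAAS Configuration. */
public class ExplicitJaasConfigDemo {

    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    public static class RolePrincipal extends UserPrincipal {
        public RolePrincipal(String name) { super(name); }
    }

    /** Toy LoginModule over a constructed in-memory user table (demo only). */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Collections.singletonMap("alice", "s3cret");
        private static final Map<String, List<String>> ROLES =
                Collections.singletonMap("alice", Arrays.asList("user", "admin"));
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean ok;
        private final List<Principal> added = new ArrayList<>();

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.getMessage());
            }
            user = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String expected = PASSWORDS.get(user);
            // constant-time compare; unknown user and wrong password fail the same way
            ok = expected != null && pw != null
                    && MessageDigest.isEqual(expected.getBytes(), new String(pw).getBytes());
            if (!ok) throw new FailedLoginException("bad credentials");
            return true;
        }
        public boolean commit() {
            if (!ok) return false;
            added.add(new UserPrincipal(user));
            for (String r : ROLES.get(user)) added.add(new RolePrincipal(r));
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { ok = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }

    /** Programmatic Configuration: the module is wired here, not in Tomcat's jaas.config. */
    static final Configuration APP_CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"MyApp".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                    Collections.<String, Object>emptyMap()) };
        }
    };

    static CallbackHandler handler(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // 1) What JAASRealm does: the JVM-wide Configuration has to contain "MyApp".
        try {
            new LoginContext("MyApp", handler("alice", "s3cret")).login();
        } catch (LoginException | SecurityException e) {
            System.out.println("global config: " + e.getMessage());
        }
        // 2) Explicit Configuration: no java.security.auth.login.config needed.
        LoginContext lc = new LoginContext("MyApp", new Subject(), handler("alice", "s3cret"), APP_CONFIG);
        lc.login();
        for (Principal p : lc.getSubject().getPrincipals()) {
            System.out.println(p.getClass().getSimpleName() + ": " + p.getName());
        }
        lc.logout();
    }
}
```

Run without any -Djava.security.auth.login.config: step 1 fails (no login configuration, or no "MyApp" entry if one exists), step 2 succeeds and prints the UserPrincipal and the two RolePrincipals. Tomcat's JAASRealm only ever takes path 1, so for it the equivalent of APP_CONFIG has to be reachable through the global configuration file, and its userClassNames/roleClassNames attributes are what turn the Subject's UserPrincipal/RolePrincipal entries into the GenericPrincipal the thread mentions.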




