OK, here is a working Authenticator EJB for use by fat clients. You should
modify AuthenticatorBean to do the appropriate query against your
accounts/logins schema. Note that it uses the standard
JonasSecurityReceiver/Sender, SSHandler, and TomcatSender classes used in
the Tomcat security example.
Instructions for use:
a) Set up Jonas as per the security example. Note that
jonas-users.properties still needs to be present, but it doesn't need to
contain any users.
b) Place tomcat-jonathan.prop in a location that is in your *client's*
classpath, and rename it to jonathan.prop (as per the instructions for
Tomcat in the security example).
Now use this code in your client to achieve authentication:
    AuthenticatorHome home = getItSomehow();   // e.g. via a JNDI lookup
    try
    {
        Authenticator auth = home.create();
        SecurityContext ctx =
            auth.authenticate("joe.bloggs", "secretpassword");
        if (ctx == null)
            System.out.println("Authentication failed!");
        else
        {
            // Set the security context in SecurityCurrent.
            // TomcatSender will pick the security context up from this
            // when sending.
            SecurityCurrent current = SecurityCurrent.getCurrent();
            current.setSecurityContext(ctx);
        }
    }
    catch (CreateException e)
    {
        System.out.println("Could not create Authenticator: " + e);
    }
    catch (RemoteException e)
    {
        System.out.println("Remote call failed: " + e);
    }
I hear you asking: what's stopping the client constructing its own
SecurityContext with the right principal name? The answer is,
AuthenticatorBean.authenticate() suffixes the username with a *big* random
number on successful authentication, and uses that as the name of the
principal. If the client were to do, say,
SecurityContext ctx = new SecurityContext("joe.bloggs")
and try to use that, it wouldn't match the name of the principal stored in
RoleMechanism, which will be something like
"joe.bloggs1434369784828597603028593060". One problem with this approach is
that currently there is no way to remove a principal from RoleMechanism, so
this principal will stick around for the lifetime of the server.
(Subsequent authentications by the same user will of course generate
different principal names). Could we have a removeMapping() in
RoleMechanism please?
Please do critique/flame/pick holes in this approach. I'd like to know if I
have made a howler! One problem I can see is that it's conceivable a
hostile client could bombard the server with fake SecurityContexts,
incrementing the number suffixed to the principal name each time. But it
would take a long time...
Finally, I found this document very useful for understanding how security
context propagation works in Jonas:
http://www.enhydra.org/project/workingGroups/securityGroup/doc/seccontext.pdf
It's by Jeff Mesnil who wrote the Jonas-Tomcat-Enhydra security coupling.
Joe
=====================================================================
Joe Gittings, Royal Botanic Gardens, Kew
Hanover House, Kew, Richmond, Surrey TW9 3AB
[EMAIL PROTECTED]
+44 20 8332 5712
fax: +44 20 8332 5736
[Attachments: AuthenticatorBean.java, Authenticator.java, AuthenticatorHome.java (uuencoded, omitted)]
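As an added illustration, not code from the post or from JOnAS: a stand-in registry for the suffixed-principal scheme described above. It shows the suffix minted with SecureRandom, so that the guess-the-suffix bombardment the post worries about is infeasible, together with the expiry and remove() that the post asks RoleMechanism for. The class, its map and its method names are all assumptions; RoleMechanism's real API is not used.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the mapping RoleMechanism keeps; not JOnAS code.
public class SuffixedPrincipalRegistry {
    // SecureRandom, not java.util.Random: the suffix is effectively a bearer token,
    // so it must be unpredictable as well as long.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SUFFIX_BITS = 128;   // ~2^128 names for a client to try

    private final long ttlMillis;
    private final Map<String, Long> live = new ConcurrentHashMap<>();  // principal -> expiry

    public SuffixedPrincipalRegistry(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** Called only after the password check has succeeded: mint the suffixed name. */
    public String register(String username, long now) {
        expire(now);
        String principal = username + new BigInteger(SUFFIX_BITS, RNG).toString();
        live.put(principal, now + ttlMillis);
        return principal;
    }

    /** True only for a name this server minted that has not yet expired. */
    public boolean isValid(String principal, long now) {
        Long expiry = live.get(principal);
        return expiry != null && expiry > now;
    }

    /** The removeMapping() the post asks for: drop a principal on logout. */
    public void remove(String principal) { live.remove(principal); }

    private void expire(long now) { live.entrySet().removeIf(e -> e.getValue() <= now); }

    public static void main(String[] args) {
        SuffixedPrincipalRegistry reg = new SuffixedPrincipalRegistry(30 * 60 * 1000L);
        long t0 = System.currentTimeMillis();
        String minted = reg.register("joe.bloggs", t0);
        System.out.println("minted:      " + minted);
        System.out.println("valid now:   " + reg.isValid(minted, t0));
        // A name the client built itself, with no server-minted suffix.
        System.out.println("client-made: " + reg.isValid("joe.bloggs", t0));
        System.out.println("after ttl:   " + reg.isValid(minted, t0 + 31 * 60 * 1000L));
    }
}
```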