[jboss-user] [Security & JAAS/JBoss] - Re: JAAS multi-threaded=true causing SecurityException princ
I was trying to get you to do some research so you understand your situation better and then you could see what you were doing wrong. In any case...

Your problem is that ClientLoginModule only passes security data to JBoss invocation within the current thread. However, Tomcat uses thread pools to handle requests. So one request might work fine, but the other would not. When Tomcat is embedded in JBoss, a valve is added to the pipeline that ensures the security data is present on each request thread. If you want to use Tomcat outside of JBoss, you need to make sure that this valve is used.

Also, since Tomcat is not using JBossSecurityMgrRealm (or its newer relative) the security data does not get flushed in JBoss when HttpSession is invalidated.

Does this help?

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3965248#3965248

___
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user

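The thread-affinity problem described in the post above, as an added example that is not part of the original post and is not JBoss or Tomcat code. It uses only the JDK: the `CALLER` thread-local, `securedCall` and `withIdentity` are hypothetical stand-ins for the thread-bound security data, a secured invocation and the per-request work the valve performs, and the user name is constructed.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundIdentityDemo {

    // Hypothetical stand-in for security data that a client-side login binds
    // to the calling thread only. This is not a JBoss class.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Stand-in for a secured invocation: it trusts whatever identity is bound
    // to the thread that makes the call.
    static String securedCall() {
        String who = CALLER.get();
        if (who == null) {
            throw new SecurityException(
                "no principal bound to " + Thread.currentThread().getName());
        }
        return "invoked as " + who;
    }

    // Runs a task on the request pool and reports the outcome instead of throwing.
    static String attempt(ExecutorService pool, Callable<String> task) throws Exception {
        return pool.submit(() -> {
            try {
                return task.call();
            } catch (SecurityException e) {
                return "denied: " + e.getMessage();
            }
        }).get();
    }

    // The job the post assigns to the valve: bind the authenticated user to the
    // request thread before the call and always clear it afterwards, so a
    // pooled thread never carries one user's identity into the next request.
    static String withIdentity(String sessionUser, Callable<String> work) throws Exception {
        CALLER.set(sessionUser);
        try {
            return work.call();
        } finally {
            CALLER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so every pooled request below reuses the same thread.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            // "Login" happens once, on the main thread (constructed user name).
            CALLER.set("alice");

            // Same thread as the login: the identity is visible.
            System.out.println("login thread : " + securedCall());

            // Pool thread without per-request binding: nothing is bound there.
            System.out.println("pool thread  : "
                + attempt(pool, ThreadBoundIdentityDemo::securedCall));

            // Pool thread with the identity bound for the duration of the request.
            System.out.println("with binding : "
                + attempt(pool, () -> withIdentity("alice", ThreadBoundIdentityDemo::securedCall)));

            // Next request on the same worker: the earlier binding was cleared.
            System.out.println("next request : "
                + attempt(pool, ThreadBoundIdentityDemo::securedCall));
        } finally {
            CALLER.remove();
            pool.shutdown();
        }
    }
}
```

The `finally` block in `withIdentity` is the part to check in any equivalent filter or valve: without it, a pooled thread keeps the previous user's identity for whichever request it serves next.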
[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Explicit document source root using context/docbase
I have tried to get this to work too, but have only been able to get static content to be made available. Sorry.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964669#3964669

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Explicit document source root using context/docbase
If you don't want my help, I'll be happy to move on.

In past versions of Tomcat, context elements were added to the server.xml config file. Now that is discouraged in favor of web-app specific context.xml files. However, in your case, I think you should add your context configuration inside Tomcat's server.xml file.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964637#3964637

[jboss-user] [Security & JAAS/JBoss] - Re: Problems with my security proxy
fosodquez,

The ClientLoginModule does not have any authentication logic, so if that is your only login module, then you are not authenticating.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964627#3964627

[jboss-user] [Security & JAAS/JBoss] - Re: JAAS multi-threaded=true causing SecurityException princ
sdegenaar,

anonymous wrote : We have set up a separate tomcat installation

How does Tomcat's security system interface with JBoss' in your environment?

Also you may want to read the security chapter of the server guide at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964625#3964625

[jboss-user] [Security & JAAS/JBoss] - Re: JACC on the fly method permission changes not reflecting
I had started to digest the JACC spec and how JBoss implements it a few months back, but have not looked at it recently. So this is pure speculation on what I think I know.

The point I was trying to make is that you have been modifying the PolicyContext specified by contextID "kr.jar". That does not mean that it is the same contextID set by the container for your component. To be more specific, JBoss creates and configures the Policy at deployment time under a specific contextID. I am not sure what that is. Then your code comes along and tries to modify that context, but are you actually configuring the same context?

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964621#3964621

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Explicit document source root using context/docbase
Check out http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingContextDotXML

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964618#3964618

[jboss-user] [Security & JAAS/JBoss] - Re: JACC on the fly method permission changes not reflecting
P,

What does JBoss use as contextID? I am wondering if you need to use "ear-name/bean-jar-name".

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964067#3964067

[jboss-user] [Security & JAAS/JBoss] - Re: Check access to bean methods from bean
matt10,

I would say this is an interesting use case. The problem with making the client unaware of business components is that you then have to come up with ways to configure your client to do stuff with abstract notions of business objects. In that case what you have done with annotation inspecting is a solution. Another might be to create a method that all your business beans can implement that returns this data to your client.

If you find another solution, please let us know. I would be interested in hearing how it turns out.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964040#3964040

[jboss-user] [Security & JAAS/JBoss] - Re: JACC on the fly method permission changes not reflecting
P,

Can you show us how you are attempting...

anonymous wrote :
    I try to change the role based ejb3 method permission on the fly

thanks

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964037#3964037

[jboss-user] [Security & JAAS/JBoss] - Re: Not able to authenticate against ActiveDirectory using L
I am no LDAP expert, but it looks like the LDAPLM is not providing correct credentials when connecting to AD. Thus authentication of user is not even attempted because connection to server is not authenticated.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964036#3964036

[jboss-user] [Security & JAAS/JBoss] - Re: retry fails with form based authentication woth custom l
ppradhan,

One thing that is not completely clear from your description is whether or not the user has actually authenticated to the servlet container. Just because the login form is returned does not necessarily mean authentication did not happen.

To be more specific... Consider the case when a request is made to the login form page directly. The user fills out the form and submits. If the user authenticated correctly, then the container will redirect the user back to the originally requested page. Which in this case happens to be the login form.

So I suggest trying one of two things. Either add some temporary code to your login form (jsp) to display something if the user is authenticated (i.e. request.getUserPrincipal()). Or create and secure another page (we'll call it main). Then request main. If the user has not authenticated, they should be forwarded to the login form. Once authenticated, the user should be forwarded back to main.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964032#3964032

[jboss-user] [Security & JAAS/JBoss] - Re: Check access to bean methods from bean
matt10,

Wouldn't it be better if your fat client enabled/disabled menu items based on the roles the user has rather than the methods they can call? I mean really this is the same thing, only you do not have to go get method permissions.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963633#3963633

[jboss-user] [Security & JAAS/JBoss] - Re: SSL With jboss-4.0.3SP1
I think this may help. http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html#d0e20970

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963267#3963267

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Configure bundled Tomcat Manager
dheelus,

With Tomcat bundled with JBoss, you deploy to JBoss not Tomcat. Then JBoss does the deployment into the Tomcat container. So if your ant script just copies your war/ear into $YOUR_SERVER/deploy that's all she wrote.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963148#3963148

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Changing the name of the JSessionID cookie?
Jason,

From what I can tell this can not be configured. I did find this that backs up my findings.

http://mail-archives.apache.org/mod_mbox/tomcat-users/200407.mbox/[EMAIL PROTECTED]

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963146#3963146

[jboss-user] [Security & JAAS/JBoss] - Re: JDBC Realm
bjornn,

You are making more work for yourself. I already told you that your query is not correct and pointed you to documentation on the LM. If the info you posted about your database is correct, and assuming your table names are USERS and ROLES, your queries should be as so...

    ...
    SELECT PASSWORD FROM USERS WHERE LOGIN=?
    SELECT ROLE_NAME, 'Roles' FROM ROLES WHERE LOGIN=?
    ...

The example for jms is just that, an example. You must customize the queries to match your database. Also, since you have gone down the road of changing your datasource, make sure your datasource points to your database.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963010#3963010

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Eliminate multiple copies of Struts libraries?
javacodemonkey,

Even the Struts folks say this is not a good idea. There are static members that would cause strange things to happen if shared across apps.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962956#3962956

[jboss-user] [Security & JAAS/JBoss] - Re: why it is possible to login with old password in JAAS(Da
Baskar,

After a password is changed, the user must be logged out of the application (i.e. JBossSX cache flush). If your UI is web-based, this usually can occur by invalidating the web session. Is this step happening? You can verify what principals are in the cache via the jmx-console (mbean: jboss.security:service=JaasSecurityManager).

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962807#3962807

[jboss-user] [Security & JAAS/JBoss] - Re: Two questions about DatabaseServerLoginModule
EricYP,

1.) javax.servlet.http.HttpServletRequest.getUserPrincipal()
2.) AFAIK, as long as your query returns the password in the first column, and only accepts one parameter (the username), you are good to go.

I am not sure why you posted your login form.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962800#3962800

[jboss-user] [Security & JAAS/JBoss] - Re: JDBC Realm
bjornn,

Your problem then is your query. As I already mentioned, the sql configured in your security-domain must be specific for your database. For more details about the DatabaseServerLoginModule see http://wiki.jboss.org/wiki/Wiki.jsp?page=DatabaseServerLoginModule.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962575#3962575

[jboss-user] [Security & JAAS/JBoss] - Re: JDBC Realm
bjornn,

So far all your config looks good. The only thing that looks odd is your queries. These must be made specific to your database. Specifically, your query...

    SELECT LOGIN, 'Roles' FROM ROLES WHERE LOGIN=?

just returns the login name. Is this correct?

Other than checking these queries, you will want to look at trace logging output of the login event to see what is going on.

good luck,
griffith.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962564#3962564

[jboss-user] [Security & JAAS/JBoss] - Re: Why are some security domains visible in JNDIView and ot
fhh,

I believe that the login-config.xml file is loaded by the server, but actual SecurityDomain/SecurityManagers are not instantiated and bound in JNDI until they are needed. An example of when one would be needed is when an application specifically says, "I am using security domain x" at deploy time.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962436#3962436

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Automatic redirect to primary domain name?
Frank,

How many/what type of deployable components does your site/web-app have? More info about the basic organization of your application/site please.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962432#3962432

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: JBoss 4.0.2 and JDK 5.0
sasi2103,

I think this is what you are looking for. http://www.jboss.com/index.html?module=bb&op=viewtopic&t=80296

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962425#3962425

[jboss-user] [Security & JAAS/JBoss] - Re: Custom principal in Web application
Dear gang,

This was an interesting hunt for me as I have not used client certs before. I think you have two options.

1.) Follow JBossSX Subject usage package in your custom login module and add a java.security.acl.Group with name "CallerPrincipal" to the authenticated Subject's principal set. In that group, add your custom Principal class.
2.) Have your custom principal extend org.jboss.security.CertificatePrincipal and set this as the "certificatePrincipal" attribute in Tomcat's server.xml file for JBossSecurityMgrRealm config.

If you need more details or if you have problems, let us know.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3961544#3961544

[jboss-user] [Security & JAAS/JBoss] - Re: Custom principal in Web application
Bogdan,

Please give details about which login modules you are using. If you are using a custom login module, please show how you set your custom principal.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3961368#3961368

[jboss-user] [Security & JAAS/JBoss] - Re: Security Roles On EJB3 Remote Interface Only
adogg,

I am sure you can not add security role restrictions on a non-EJB3 class. Since the interface is not either a stateless/stateful session bean or a message driven bean, it is not a true EJB3 object. As such you can not add security restrictions.

I would suggest you place the restrictions on methods of the bean class. Provide two implementations of the method (or call one from the other with run-as) then place a restriction on one method. Finally, put the restricted version in the remote interface, and the non-restricted in the local interface.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3960473#3960473

[jboss-user] [Security & JAAS/JBoss] - Re: Problem accessing EJB unchecked method from a servlet (w
Victor,

I just want to further point out that the fine folks at jboss labs have a wonderful EJB3.0 trail. I have not found any other info on the net to be quite so useful. You can get to it at http://trailblazer.demo.jboss.com/EJB3Trail/

enjoy,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959561#3959561

[jboss-user] [Security & JAAS/JBoss] - Re: Problem accessing EJB unchecked method from a servlet (w
Sorry, #3 is poppy-cock. I am still learning EJB3.0 spec and JBoss extensions. But I think it can be done with multiple interfaces.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959314#3959314

[jboss-user] [Security & JAAS/JBoss] - Re: Problem accessing EJB unchecked method from a servlet (w
Victor,

There are many options you can try.

1.) Combine the "other" and "db_store" domains into one and use for webapp#1, webapp#2, and ejb. Thus if a user is not authenticated by DBSLM, the URLM will.
2.) Use a run-as role with the servlet.
3.) Use EJB3.0. The ability to assign a security domain to a method of a bean is very useful. Then you could have two accessors, one for each security domain.
4.) etc, etc, etc...

I learned a long time ago, if I hit a brick wall trying to do something in JBoss, it is usually because it was the wrong way of doing it.

enjoy,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959312#3959312

[jboss-user] [Security & JAAS/JBoss] - Re: Problem accessing EJB unchecked method from a servlet (w
Victor,

It is doing what you have configured it to do. Webapp#2 is secured using the "other" security domain. So when a user attempts to access a secured resource (i.e. your servlet), the container performs BASIC authentication via the UsersRolesLoginModule. Thus you have set some principal username, and string password in the x.properties files that is referenced by the URLM. This is successful, and a principal is established. We'll call this principal "admin".

The servlet then tries to access ModerEJB. This bean is secured via the "db_store" security domain. So the DatabaseServerLoginModule is used to authenticate "admin". However, "admin" is not in the database so a LoginException is being thrown.

The method is marked unchecked, but see Q 1 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959229#3959229

[jboss-user] [Security & JAAS/JBoss] - Re: Problem accessing EJB unchecked method from a servlet (w
Victor,

Is the principal used as identity (ie username) in web-app#2 during BASIC authentication in your database?

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959118#3959118

[jboss-user] [Security & JAAS/JBoss] - Re: Multiple security domains in one EAR
Hi Jeff,

Yes you can have more than one security-domain in an ear. However, you need to make sure that the roles that intersect the two security domains are defined in each. In other words, if EJB A in security domain A needs to communicate with EJB B in security domain B, then the run-as role defined for A must match that required by B. AFAIK!

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959109#3959109

[jboss-user] [Security & JAAS/JBoss] - Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
Markus,

I assume you got things working. Just a note, this forum is useful to keep track of now and in the future. Had you done some searching you may have found this http://www.jboss.com/index.html?module=bb&op=viewtopic&t=78329.

let us know if you still have problems,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959104#3959104

[jboss-user] [Security & JAAS/JBoss] - Re: CLIENT-CERT configuration
Adam,

see http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule , http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX , and http://wiki.jboss.org/wiki/Wiki.jsp?page=Logging.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958959#3958959

[jboss-user] [Security & JAAS/JBoss] - Re: CLIENT-CERT configuration
Adam,

First off, see my comments at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=86289. SSL vs. CLIENT-CERT authentication are two separate issues.

That said, we would need to see some trace logging of JBoss security at the point when a user attempts to access a secured resource to see what is going on.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958950#3958950

[jboss-user] [Security & JAAS/JBoss] - Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
Markus,

Since the SecurityDomain is a JBoss specific configuration, it does not go in the ejb-jar.xml. I figured you would have known how to configure JBoss. In this case, see the jboss.xml file and its DTD for definitions.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958801#3958801

[jboss-user] [Security & JAAS/JBoss] - Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
Hi Markus,

Yes to all. I think it is important to note that ejb-jar.xml is the descriptor file for bean configuration (it has always been). The addition of annotations in EJB3 just makes that descriptor unnecessary. Unless you want to use it. If you use both, the descriptor should override annotations.

enjoy,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958780#3958780

[jboss-user] [Security & JAAS/JBoss] - Re: Security chptr says ejb-jar.xml. But EJB3 has no ejb-jar
See the EJB3 wiki for documentation on how to use annotations to provide the same configurations as the ejb-jar.xml. http://wiki.jboss.org/wiki/Wiki.jsp?page=EJB3

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958770#3958770

[jboss-user] [Security & JAAS/JBoss] - Re: A few questions regarding JBoss 4.0.4_GA and LDAP setup
http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html#d0e18806 and http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX

enjoy,
cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958769#3958769

[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
kearns,

You need a better understanding of authentication/authorization. There is just too much stuff that is wrong here. See the resource I mentioned below. As well as the wikis at wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX and wiki.jboss.org/wiki/Wiki.jsp?page=Tomcat.

However in an effort to point you in the right direction...

1.) You need to set up and configure container managed security for your web application (per j2ee spec.) I suggest using FORM based authentication. I suggest you combine the actions of both your com.jaas.RdbmsLoginModule and your bank.jaas.CustomServerLoginModule into one login module that is configured for the security domain covering the web app.
2.) Then you need to set up and configure container managed security for your EJB's (I think you have already done this). In this case, make the security domain the same as that in step 1.

The result will be that your user authenticates via the new CustomServerLoginModule for both the web application as well as the EJB components. Once authenticated you can just call the bean. Note that you do not need to perform any LoginContext.login()s in your application.

Also, your custom login module should store the customer id and NHS# (so long as these are not restricted data) as custom Principals under the Subject. If the customerID is what you use internally to identify the user (rather than the "user" parameter entered in login form) then follow JBoss' subject usage pattern and make this principal the "Caller Principal".

Finally, you can get the customer id to use in method bankMgrDelegate.getCustomerData(custId).toString() by using EJBContext.getCallerPrincipal() method.

There is just too much to say, hope this provides some direction.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958768#3958768

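A sketch of the "CallerPrincipal" group pattern that this post and the earlier "Custom principal in Web application" reply (option 1) both describe, as an added example that is not part of either post and is not JBoss project code. It assumes the JBoss 4 JBossSX classes are on the classpath and a JDK that still ships `java.security.acl` (13 or earlier); `CustomerLoginModule`, `CustomerPrincipal`, the in-memory `USERS` map and its values are hypothetical and constructed.

```java
import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Hypothetical single login module for the security domain shared by the
// web application and the EJBs.
public class CustomerLoginModule extends UsernamePasswordLoginModule {

    /** Hypothetical custom principal carrying the internal customer id. */
    public static final class CustomerPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String customerId;

        public CustomerPrincipal(String customerId) {
            this.customerId = customerId;
        }

        public String getName() {
            return customerId;
        }

        @Override
        public boolean equals(Object other) {
            return other instanceof CustomerPrincipal
                && customerId.equals(((CustomerPrincipal) other).customerId);
        }

        @Override
        public int hashCode() {
            return customerId.hashCode();
        }

        @Override
        public String toString() {
            return customerId;
        }
    }

    // Constructed sample data standing in for the real user store:
    // login name -> { password, customer id, role }. A real module would
    // query its store here and should not keep clear-text passwords.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("jdoe", new String[] { "example-password", "C-1001", "customer" });
    }

    // Looks up the row for the name entered in the login form.
    private String[] lookup() throws LoginException {
        String[] row = USERS.get(getUsername());
        if (row == null) {
            throw new FailedLoginException("Unknown user");
        }
        return row;
    }

    // The base class compares this value with the password the user submitted.
    @Override
    protected String getUsersPassword() throws LoginException {
        return lookup()[0];
    }

    // Called when the login commits. "Roles" feeds the role checks;
    // "CallerPrincipal" replaces the login name as the caller identity that
    // application code sees.
    @Override
    protected Group[] getRoleSets() throws LoginException {
        String[] row = lookup();

        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal(row[2]));

        Group caller = new SimpleGroup("CallerPrincipal");
        caller.addMember(new CustomerPrincipal(row[1]));

        return new Group[] { roles, caller };
    }
}
```

With this module configured for the shared security domain, the bean reads the customer id through `EJBContext.getCallerPrincipal()`, as the post says, rather than taking it from a client-supplied parameter.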
[jboss-user] [Security & JAAS/JBoss] - Re: JAAS image problem
Is it http://localhost:8080/MyApp/images/company_logo.gif or http://localhost:8080/MyApp/images/company_logo.jpg?

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958754#3958754

[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
Hi Kearns,

So you have a web-enabled client. I am still not clear on what is your identifying principal and what is your credential. What does the user enter in the form? My point is to determine how your authentication data can be used as a String/Principal identity and an Object credential. From there, we can talk about how to get this data to your server login module.

In the meantime, also check out the server guide chapter 8 at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html.

cgriffith

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958535#3958535

[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: JBossCacheService to Tomcat clustering not found
See tomcat's jboss-service.xml file that configures Tomcat as a JBoss service.

$YOUR_SERVER/deploy/jbossweb-tomcatxx.ser/META-INF/jboss-service.xml

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958505#3958505
[jboss-user] [Security & JAAS/JBoss] - Re: Integration of Custom Client and Server Login Modules
kearns,

There are still a few details I would need to understand your situation.

1.) It was not clear to me what data you need to be passed to your bank.jaas.CustomServerLoginModule. What is acting as the identity principal and what is acting as the authentication data? What else do you need here?

2.) Is your client a standalone application or web-enabled?

3.) If your client is standalone, does it restrict the user from performing certain functions based on identity? For example, if user does not have right to modify another user, then a certain screen is not enabled.

4.) If your client is standalone, is it multithreaded?

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958502#3958502
[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Classloading PB with librairies in my servlet
clodeindustrie,

I suspect ojdv14.jar and xdb.jar can work together, but that the problem is with xdb.jar and JNDI. Did you follow instructions at Oracle's site about how to use JNDI to access XML DB Resource? They describe how to specify a JNDI provider to use. If you do not do this, then JBoss' JNDI service is used. This may cause a conflict. The following is a link to one version of the API (not sure which version you are using): http://download-east.oracle.com/docs/cd/B10501_01/appdev.920/a96620/xdb21rja.htm#1656

let us know...,
cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958445#3958445
[jboss-user] [Security & JAAS/JBoss] - Re: Help regarding Role based authorisation
cool_bhanu,

I would start by reading the security chapter in jboss server guide available at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958083#3958083
[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Creating new sessionID in the browser after application
dzhao00,

There was no requirement to not re-use session ID in original question of sundartri. The problem was how to invalidate the session. The original poster was under the impression that the session was not being invalidated because the ID did not change. You mis-read the problem and added a solution that was unnecessary.

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957890#3957890
[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Creating new sessionID in the browser after application
Why bother? There is no harm in re-using the session ID. The real issue is whether or not the session contents were getting trashed on invalidate. If that is occurring, then all is good.

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957873#3957873
[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Filter and servlet mappings
Adam,

That is the behavior defined by the servlet spec. If you want a filter on that resource to be invoked, then you need to use re-direct, not forward.

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957793#3957793
[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: charset=ISO-8895-1 being added to response content type
thmix10,

From the HTTP 1.1 spec...

anonymous wrote :
| 3.4.1 Missing Charset
| ...
| HTTP/1.1 recipients MUST respect the charset label provided by
| the sender; and those user agents that have a provision to "guess"
| a charset MUST use the charset from the content-type field if they
| support that charset, rather than the recipient's preference, when
| initially displaying a document.
| ...

Just FYI, I do not have any solutions.

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957764#3957764
[jboss-user] [Security & JAAS/JBoss] - Re: Adding data to session after login
Paul,

Warrenc6 is leading you in the wrong direction. Your idea to extend DatabaseServerLoginModule is a good choice. In order for you to access the HttpSession from your login module you will need to see http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication

let us know if you need more help,
cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957713#3957713
[jboss-user] [Security & JAAS/JBoss] - Re: auth-method Form and Subject access
atorres,

Warren6 is just plain silly. There are at least two ways to get the Authenticated Subject. I think all of them are JBoss dependent; not sure if this is a problem for you. However...

1.) The way you have done it is a great way using JNDI.

2.) Tomcat service has a SubjectAttributeName option that will store the authenticated subject in request scope.

Enjoy,
cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957709#3957709
[jboss-user] [Security & JAAS/JBoss] - Re: Apache mod_jk / JBoss SSL question
B,

Isn't the redirect port set in tomcat's server.xml file...

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957334#3957334
[jboss-user] [Security & JAAS/JBoss] - Re: Restricting Users Login From IP Adresses
Soheil,

That mechanism has been deprecated. You should consider using http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication instead.

cgriffith
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957329#3957329