[JBoss-user] RE: [Security & JAAS/JBoss] - Using isUserInRole() on unsecured page
> always check the reference implementation -- Tomcat 4.1.29 standalone
> returns the same values for these functions regardless of whether
> invoked in the context of a secured or

That's funny. I remember a long time back, I complained to the Tomcat team about the same issue. Their reply at the time was that the behavior we wanted wasn't defined in the Servlet spec and I told them it didn't make sense to do it the way they did because you can't hide parts of menus that are only available to Administrators. Guess they changed their minds :-)

BTW, when I did my Domino/JBoss/Tomcat SSO plugin, that's the first thing I fixed ;-)

ken

___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] RE: A taste of things to come (Pete Beck)
Thanks for the informative post on your experience w/ Hibernate :-) Is there any part of your web site that you can see it in action? Looks like you actually have to log in to see anything.

Also, it looks like you're using Java Server Faces pages already? Any comments on how you like it so far?

You might want to look at this page: https://i3t.org/members/contact.jsf
It puts up an error msg for me: "Error serving page"

ken
RE: [JBoss-user] admins, could you please fix the mailing list?
"James Higginbotham" <[EMAIL PROTECTED]> writes:
> and it took me all of 2 min to create an email rule to chunk these
> emails from the various lists I've been seeing them on, until the list
> hosts can get around these wonderful worm issues. Worth a shot for a

At least you're not in Digest mode. Lots of digests are unreadable because people continue to post MIME/HTML encoded crap into the list instead of using Plain Text as they should for all mailing lists. And the SF mail list server isn't smart enough to automatically strip out MIME like some of the commercial list servers can :-P

For folks who have MIME turned on, set yourself to Digest mode for a day and see how many digests are actually readable :-( And you can't filter out the SoBig.F and MSBlaster junk in digest mode either :-O

ken
[JBoss-user] any ETA on Tomcat5 package w/ JBoss 4?
> We hired Remy Maucherat the lead developer of Tomcat 5 on Monday

Sounds like this will be an eventuality. I'm also curious how Tomcat5 compares w/ Jetty in terms of speed/robustness. I've heard a lot about how Jetty is much faster than Tomcat4, but have used Tomcat4 because it seems to be meeting new standards faster (a.k.a., the Tomcat5 effort).

ken
Re: [JBoss-user] JBoss 4.0
snpe <[EMAIL PROTECTED]> writes:
> Complete output is in attach (11k in bz2 format)

1) don't *ever* send attachments into a mailing list (sorry...I admin a few lists and this is one of my pet peeves and I banned it at the list server level). All listers will see is a bunch of garbage ASCII text
2) please just cut/paste a few of the WARN errors you think are problems and we can look at them
3) no clue what .bz2 format is (which makes the attachment an even worse thing to send into the list)-:

ken
Re: [JBoss-user] JBoss 4.0
snpe <[EMAIL PROTECTED]> wrote:
> can see file (return from list) on linux with kmail

Try switching your list subscription to digest mode. Attachments and any rich text formatting (this includes most Outlook users or anything that sends MIME/HTML) look like garbage text :-P

> WARN [ServiceController] Problem stopping service

I get lots of errors stopping JBoss too, but I thought it wouldn't matter since the server was shutting down anyways ;-)

Are you having problems with the remoting service on JBoss startup or on shutdown? I'm not sure what port the remoting service uses, but you might want to make sure you don't have something running on it.

ken
[JBoss-user] interesting articles from The Inquirer
In case any of you missed it :-)

http://www.theinquirer.net/?article=9813
http://www.theinquirer.net/?article=9850

ken
RE: [JBoss-user] JBoss 4.0
snpe <[EMAIL PROTECTED]> wrote:
> I try JBoss 4.0 (cvs 04.06.2003) and build with tomcat 4.1.24.
> When JBoss start it have a lot errors in log output

You should only get an exception the first time you run it (something is dropping database tables that don't exist).

I only get a few warnings that look possibly harmful:

2003-06-04 19:57:18,078 WARN [org.jboss.web.catalina.EmbeddedCatalinaService41] Unable to invoke setDelegate on class loader:[EMAIL PROTECTED] url=file:/J:/Win32Dev/JBoss4/server/default/deploy/jboss-net.sar/ ,addedOrder=5}
2003-06-04 19:57:24,281 WARN [org.jboss.web.catalina.EmbeddedCatalinaService41] Unable to invoke setDelegate on class loader:[EMAIL PROTECTED] url=file:/J:/Win32Dev/JBoss4/server/default/deploy/jmx-console.war/ ,addedOrder=30}
2003-06-04 19:57:24,687 WARN [org.jboss.web.catalina.EmbeddedCatalinaService41] Unable to invoke setDelegate on class loader:[EMAIL PROTECTED] url=file:/J:/Win32Dev/JBoss4/server/default/tmp/deploy/server/default/deploy/ssodemo.war/37.ssodemo.war/ ,addedOrder=31}
2003-06-04 19:57:25,546 WARN [org.jboss.web.catalina.EmbeddedCatalinaService41] Unable to invoke setDelegate on class loader:[EMAIL PROTECTED] url=file:/J:/Win32Dev/JBoss4/server/default/tmp/deploy/server/default/deploy/web-console.war/38.web-console.war/ ,addedOrder=32}

Remember to uncomment these lines in log4j.xml or you'll get insane log files of 6MB additions per server startup:

After you add the lines, the log file addition is less than 100KB for each run of the server. Most of the log is from dumps of XML config files from org.apache parsers...

ken
RE: [JBoss-user] FYI: JBoss 4 default server uses 50MB more memory than JBoss 3 default
"Sacha Labourey" wrote:
> JMS was part of "default" in 3.x

Thanks. I thought it was part of "all". Any idea why JBoss 4.0 DR1 uses more memory? Is it from the AOP stuff? I can't say JBoss is a lot less piggy than WAS now :-)

ken
[JBoss-user] FYI: JBoss 4 default server uses 50MB more memory than JBoss 3 default
Still exploring DR1, but just wanted to let you folks that are still on 3.x know that it uses more memory. Seems like JMS is now a standard part of the default server in 4.0 DR1 whereas it was part of the "all" config in 3.x.

ken

p.s., my custom authenticator is broken in 4.0 DR1...looks like you can't get the security context by doing a lookup of comp/env/security any more (claims "env" is not bound). Anyone know of a workaround for this? :-(
RE: [JBoss-user] Where to download JBoss 4.0 DR1?
"Jason Stortz" wrote:
> You can get it from the jboss project at http://www.sourceforge.net

Thanks, Jason. Didn't think to look there because I thought you'd have to build the code from CVS :-) Even the PDF news blurb on jboss.org mentions that you can download 4.0 from jboss.org...

ken
[JBoss-user] Where to download JBoss 4.0 DR1?
Anyone know when the download for a JBoss/Tomcat 4.0 package will be available on JBoss' site? There is a link to download it in the news section, but clicking it brings you to the JBoss 4.0 Vision page. Nothing on the Downloads page either...only 3.0 and 3.2.

BTW, someone should run the JBoss web site through a spellchecker: "Professinal" Open Source in the page title? ;-)

ken
[JBoss-user] AOP vs. J2EE performance?
After I found out JBoss 4.0 is getting released on Monday, I read up on AOP a bit since that seemed like one of the biggest features. The AOP logging example on the JBoss site looked like a perfect way to add logging if you wanted to debug call traces.

Has anyone tried benchmarking AOP vs. J2EE (CMP) performance? The 2nd AOP example seems to show you can use it to replace CMP beans.

ken
RE: Re[3]: [JBoss-user] JBoss separate Tomcat and JAAS
--- On Tue 05/27, Miroslav Nachev < [EMAIL PROTECTED] > wrote:
> If the application is developed to serve more than one organization

You have a custom login page with a bit more info: the org. Because of this, your user's login validation info is actually composed of 3 pieces of info: username/password/org. Roles depend on these three bits of information. If you really want to use container managed security and don't want to write your own custom JAAS login module, the easiest way to handle this is probably to use the database login module and have your custom login page pass through the username as "_".

> 'Jonh' has Administrative role for "apps/application1" and
> User role for "apps/application2"?

Separate .war files for application1 and application2. Each .war file has separate login/role information in separate databases. There is a way to configure JBoss to share credentials so the user doesn't have to log in multiple times if you synchronize password changes.

How in the world are you doing this in Weblogic or Websphere? I can't imagine either of these cases is anything that would be handled by their normal authentication support...

ken
Re: [JBoss-user] Re: update on automatic login
"Simone Milani" <[EMAIL PROTECTED]> writes:
> I think what Tomcat does after a post to j_security_check is look
> inside the user session (private to the container -
> org.apache.catalina.Session) for an attribute containing the
> original page that the user was trying to access.
> If it cannot find it throws an error 400. What you can do is have
> a custom 400 error page that redirects to somewhere.

Thanks. After reviewing the code in FormAuthenticator.java, I can safely say authentication does take place before it checks this info. Since I'm simulating the call to the login page inside my autologin servlet, this is ok and I can safely ignore the error. I just have to add a querystring parameter to my autologin servlet to jump to the proper page after it finishes authenticating.

I also have to come up w/ a pseudo-standard username/roles session variable names since these values aren't filled in when you access an unprotected part of your web site. Please let me know if you folks know of any standard naming convention besides just putting in variables named "UserName" and "Roles" in the session :-)

ken
Re: [JBoss-user] Re: update on automatic login
Neal Sanche <[EMAIL PROTECTED]> writes:
> Well, I've not actually tried using a servlet to do a POST to the
> login page. In my old company, an applet was doing the POST, and the

I've done posts from applets to upload files before too...just didn't think this would work for automatic login because I thought it'd do something weird under the hood.

FYI, it does work in testing of a restricted URL to a servlet. The user and roles get loaded properly from JBoss. The only oddity is that I get a 400 error response from Tomcat when doing this. I think it sets some session variable to tag the login so it knows where to send the user after the login completes because there is no such value stored as a query or form variable.

Time to test a restricted EJB method to see if it really logged into JBoss (the servlet test only tests login to Tomcat)...

ken
[JBoss-user] Re: update on automatic login
FYI, if you access your form based login page (mine is called login.jsp) directly from a browser, you can submit it and Tomcat/JBoss complains that "Invalid direct reference to form login page" but the user is still logged in (I can access a restricted URL w/o a login prompt), so it looks like that "post to login page from automatic login" servlet workaround will work, but it may be depending on a bug in Tomcat/JBoss...

ken
Re: [JBoss-user] update on automatic login
Hmm...now that's an interesting workaround. Better than my hack of mucking w/ the REMOTE_USER header and no ties to a specific web container Valve/Interceptor/Filter implementation.

Only possible caveat is that you need to be able to look up the username/password from the "automatic login" cookie. In my case, I can only get the username, but perhaps I can pass in something else for the password so my custom login module will accept it.

The other caveat is that the "automatic login" URL has to be to an unrestricted page/servlet. If a user who wants to use automatic login wants to jump to a protected URL directly, they'll get prompted for a username/password because the container will think they're not logged in yet...

thanks,
ken

Message: 3
From: Neal Sanche
Organization: No Such Device
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] update on automatic login
Date: Wed, 5 Mar 2003 11:03:02 -0500
Reply-To: [EMAIL PROTECTED]

Wouldn't it be possible for you to perform a POST from within a servlet using the same JSESSIONID cookie that the user's browser sent, then forward their browser back to the page? The POST would simulate a FORM login, and if the cookie is the same the web application would think it was the user's browser doing the authentication.

If it doesn't work, the redirect of the user's browser will also fail, bringing them back to the login page anyway.

I don't know if this will help, but I hope so.

-Neal
[JBoss-user] update on automatic login
FYI, this technique doesn't work:

- copy code out of JBossSecurityMgrRealm for login and stick in servlet that is not restricted w/ declarative security
- log in using this code, set REMOTE_USER header and set j_subject to be the Subject in the session

in case anyone else heads down this path. I didn't think it'd work, but I was hoping it would because it would have made it much easier to do :-)

Looks like the right/only way to do it is to write a custom Tomcat Valve that is inserted before Tomcat's security valve. This custom valve will take the cookie and do the validation w/ the code in JBossSecurityMgrRealm and also call appropriate Tomcat routines to indicate that the user is authenticated.

I also found an Apache FAQ that says REMOTE_USER is only set if you go to a restricted URL...it's not sent down if you hit an unrestricted URL. So, anyone trying to do that "show admin links if you have the Admin role" technique is out of luck because Apache doesn't support it. iPlanet has a configuration parameter that sends REMOTE_USER to unrestricted URLs.

One quick question: where does JBossSecurityMgrRealm get inserted into the Tomcat valve list? It's not in the tomcat4.1\conf\server.xml file as I thought it would be.

Off I go to stare at Tomcat source code for a while. I'll update w/ results...

ken
Re: [JBoss-user] code for "is user authenticated" in JBoss?
Found JBossSecurityMgrRealm in the contrib module:
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/contrib/tomcat41/src/main/org/jboss/web/catalina/security/
Re: [JBoss-user] code for "is user authenticated" in JBoss?
Hi Scott,

I didn't realize you were on this list. I only see two solutions to the goal of adding automatic logons (a.k.a. "remember me" functionality) to a website w/ declarative security:

1) Use a servlet that is unrestricted and create a LoginContext to try to log into JBoss from the servlet. Issues include getting Tomcat 4.1 to see that you are logged on so that servlets/JSP/JSP Tags can see who you are as a user and what roles you have. I also couldn't get Tomcat to believe I was logged in by logging in a LoginContext.

2) Try to hook into JBossSecurityMgrRealm (not sure if this is even possible) so you can grab/insert cookies to implement the automatic login. This currently seems the only viable way to do it. The only negative I've seen is that if you log in to a restricted URL, then go to a non-restricted URL, Tomcat thinks you're no longer logged in and don't have any roles. This breaks any possibility of implementing a context-sensitive UI (e.g., show some admin features if you have the Admin role if you're on the home page). I found a posting that said the servlet spec is vague about whether logins/roles should persist between restricted and unrestricted URLs so this technically isn't a bug, but I think it's being done wrong right now because of the admin example above.

3) Punt and give up on container managed security because it's in its buggy infancy and use app managed security, which means no declarative security for servlets/JSPs/EJBs. :-P

Sorry for being long winded. Any suggestions on the proper approach or whether (2) is viable?

thanks,
ken

Original msg from HTML/MIME garbled digest:

Message: 3
From: "Scott M Stark"
To:
Subject: Re: [JBoss-user] code for "is user authenticated" in JBoss?
Date: Tue, 4 Mar 2003 10:21:25 -0800
Organization: JBoss Group, LLC
Reply-To: [EMAIL PROTECTED]

It's the web container that makes this determination and integration is specific to the web container. A valve in tomcat and an interceptor in jetty. The web container calls out to its security manager plugin which is where the JBoss security is integrated. See: org.jboss.web.catalina.security.JBossSecurityMgrRealm in the tomcat41 module and org.jboss.jetty.security.JBossUserRealm in the jetty module.

Scott Stark
Chief Technology Officer
JBoss Group, LLC

- Original Message -
From: "Ken Yee"
To:
Sent: Tuesday, March 04, 2003 6:17 AM
Subject: [JBoss-user] code for "is user authenticated" in JBoss?

> > I'm still trying to figure out
Re: [JBoss-user] code for "is user authenticated" in JBoss?
Thanks, Chris. Points me in a new direction. I was rummaging through the SecurityInterceptor portion of the JBoss source tree :-P

The Tomcat 4.1 stuff seems to be yanked out of the tree according to the comments I found where I expected to see it browsing the JBoss src tree on SourceForge: "Drop the jboss-all/tomcat41 files as jboss-all is not a real module"

Any idea where the JBossSecurityMgrRealm.java file is in the source tree?

ken

p.s., in case you folks who have HTML/MIME mail turned on don't know, this is what the digest version of this list looks like if you send an HTML/MIME reply into it (all the msgs mash together):

Jain
--__--__--
Message: 10
Date: Tue, 4 Mar 2003 12:38:35 -0500
From: Chris Bonham
To: [EMAIL PROTECTED]
Subject: Re:
Reply-To: [EMAIL PROTECTED]

It depends on what web container you're using:

Tomcat 4.0/Catalina: catalina/src/main/org/jboss/web/catalina/security/JBossSecurityMgrRealm.java
Tomcat 4.1: tomcat41/src/main/org/jboss/web/catalina/security/JBossSecurityMgrRealm.java
Jetty: jetty/src/main/org/jboss/jetty/security/JBossUserRealm.java

Good luck!

--
Chris Bonham
President/CEO
Third Eye Consulting, Inc.
[EMAIL PROTECTED]
http://www.thirdeyeconsulting.com
317.823.3686
317.823.0353 (FAX)

Quoting Ken Yee ([EMAIL PROTECTED]):
> > I'm still trying to figure out how to do autologin into JBoss
>
[JBoss-user] code for "is user authenticated" in JBoss?
I'm still trying to figure out how to do autologin into JBoss declarative security using a persistent cookie :-)

Would anyone happen to know where the source code for the decision of whether or not a user is logged in is? I'm looking for the code point just before it puts up the username/password dialog/form on the web; at this point, JBoss is deciding whether a user has access to a restricted servlet or EJB method...i.e., whether a user is logged in already. I'm wondering if I can hook into this decision process...

I've been through most of the JBossSX source tree on sourceforge w/ no luck, but I think I might be in the wrong JBoss module :-(

thanks,
ken
[JBoss-user] Please turn off HTML/MIME mail
Could folks who post to the list please turn off HTML/MIME mail? It totally garbles mail for those of us who are in digest mode :-(

thanks,
ken
[JBoss-user] RE: automatic login and iTracker
Well...after a bit of digging, I found that iTracker does *NOT* use container-based security. You can tell by looking at ejb-jar.xml where you won't find any security tags. What it does is let any EJB methods be called by anyone. Ditto with all servlets.

It uses a classic Guard pattern by having all the JSP pages check for a user session object to indicate if someone is logged in. Because of this, doing automatic login via a cookie is trivial (though they could at least encrypt the cookie, but the cookie looks like a simple user id). This technique is used in ASP, CF, PHP, etc. designs. It also explains how iTracker can be cross-platform and work on JBoss, Weblogic, etc.

For those curious, you can look at check-login.jsp which is included in all the JSP pages of this app.

Anyone know of a JBoss custom login module god I can talk to? :-P

ken
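
A cookie that holds only a user id, as described in the post above, can be forged by any client, and the earlier suggestion in this thread of passing "something else for the password" to a custom login module needs a value the server can check. As an added example (not part of the original posts, and not code from iTracker, JBoss or Tomcat), here is a signed, expiring remember-me value in Java; the class name, token layout and sample users are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example; class name, token layout and sample users are hypothetical.
public class RememberMeToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();
    private final byte[] key; // server-side secret, never sent to the browser

    public RememberMeToken(byte[] key) {
        this.key = key.clone();
    }

    private byte[] hmac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Cookie value layout: base64url(username) "." expiryEpochSeconds "." base64url(HMAC)
    public String issue(String username, long expiresAtEpochSec) throws GeneralSecurityException {
        String payload = B64.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtEpochSec;
        return payload + "." + B64.encodeToString(hmac(payload));
    }

    // Returns the username for a valid, unexpired token; null for anything else.
    public String verify(String cookieValue, long nowEpochSec) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 3) return null;
        try {
            byte[] expected = hmac(parts[0] + "." + parts[1]);
            // Check the MAC first, in constant time, before trusting any field.
            if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) return null;
            if (nowEpochSec >= Long.parseLong(parts[1])) return null;
            return new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null; // malformed base64, bad number, or MAC setup failure
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        RememberMeToken tokens = new RememberMeToken(key);

        long now = System.currentTimeMillis() / 1000;
        String good = tokens.issue("alice", now + 14 * 24 * 3600); // constructed sample user

        // Same signature, different username: what an edited cookie would look like.
        String[] p = good.split("\\.");
        String edited = B64.encodeToString("admin".getBytes(StandardCharsets.UTF_8))
                + "." + p[1] + "." + p[2];

        System.out.println("valid token  -> " + tokens.verify(good, now));
        System.out.println("bare user id -> " + tokens.verify("alice", now));
        System.out.println("edited user  -> " + tokens.verify(edited, now));
        System.out.println("after expiry -> " + tokens.verify(good, now + 15 * 24 * 3600));
    }
}
```

Only the first call in `main` returns a username; the other three return null. A copied token still works until it expires, so the cookie should also be sent with the Secure and HttpOnly flags and be revocable on the server.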
Re: [JBoss-user] automatic login in JBoss app?
Rod Macpherson <[EMAIL PROTECTED]> wrote:
> The cookies will be in the request header so if you have access to the
> request in the custom login then a call to getCookies otta work fine.

That's just it, I don't have access to the cookies in the custom login module. Ideally, the HTTP request object should be tucked away in one of the Subject properties so it can be accessed from within the custom login module, but it's not.

I'll dig into ITracker and post what I find. Since it looks like it is cross-platform (not just JBoss), I suspect they use some sort of "stick username into session" hack instead of using container based authentication...

ken
[JBoss-user] automatic login in JBoss app?
No luck digging in the archives for this list or on the security forum on jboss.org.

Has anyone done the feature you find in a lot of web sites where you can click a checkbox next to your login info and a cookie is stored to automatically log you in the next time you visit the site? Somehow, it would have to hook into the authentication process but I can't figure out how to read a browser cookie in a custom login module...

thanks,
ken