RE: [JBoss-user] JBossRealm Security Bug

2001-05-15 Thread Mayo, Eric

Is this fix going to be in the next release of JBoss?   (I don't need to
worry about this yet as our project is far from deployment, but eventually
it will become an issue.)

Eric

-----Original Message-----
From: Shotton Mark MMUk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 15, 2001 9:13 AM
To: '[EMAIL PROTECTED]'
Subject: [JBoss-user] JBossRealm Security Bug


Hello there

There is an omission in the version of org.jboss.tomcat.security.JbossRealm
that I checked out of CVS from the contrib/tomcat area. The principal and
credentials propagated from Tomcat are stored in ThreadLocal objects in
org.jboss.security.SecurityAssociation. However, these ThreadLocal variables
are never reset to null. So the threads are returned to the pool and can be
used again with the principal and credentials still set (not very secure!).

The JbossRealm should implement a method to reset the principal and
credentials to null. I have done this as below:

package org.jboss.tomcat.security;

import java.security.Principal;
import java.util.Hashtable;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;

import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;

/**
 * This maps Tomcat credentials to jBoss credentials.  It can probably be
 * placed after many other Tomcat realms to map that realm into jBoss.
 * @author <a href="mailto:[EMAIL PROTECTED]">Kevin Lewis</a>
 * @version $Revision: 1.3 $
 *
 * changed imports to reflect new org.jboss.security structure
 * @author <a href="mailto:[EMAIL PROTECTED]">Dewayne McNair</a>
 * @version $Revision: 1.3 $
 *
 */
public class JbossRealm extends BaseInterceptor {

    // Copy the credentials Tomcat collected into the per-thread
    // SecurityAssociation so that JBoss sees the same caller.
    public int authenticate( Request req, Response response ){
        Hashtable cred=new Hashtable();
        SecurityTools.credentials( req, cred );
        String user=(String)cred.get("username");
        SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
        String pw=(String)cred.get("password");
        if (null != pw)
            SecurityAssociation.setCredential( pw.toCharArray() );
        return 0;
    }

    // Reset the per-thread principal and credential once the response body
    // is done, so a pooled thread does not carry them into the next request.
    public int afterBody( Request req, Response response ){
        SecurityAssociation.setPrincipal(null);
        SecurityAssociation.setCredential(null);
        return 0;
    }

}

Mark


Dr M.W. Shotton
MICROMASS UK LIMITED
Floats Road
Wythenshawe
Manchester M23 9LZ
UK

+44 (0) 161 718 4548



___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
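
The stale-identity problem described in this thread, reproduced in isolation as an added example (not code from the thread or from JBoss). The `PRINCIPAL` ThreadLocal is a hypothetical stand-in for SecurityAssociation, and the handler names and the "alice" request are constructed; a request without a user models one that never passes through authenticate.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {
    // Hypothetical stand-in for the per-thread storage in SecurityAssociation.
    static final ThreadLocal<String> PRINCIPAL = new ThreadLocal<>();

    // Leaky handler: sets the identity only when the request carries one
    // and never clears it before the thread goes back to the pool.
    static String handleLeaky(String user) {
        if (user != null) PRINCIPAL.set(user);
        return PRINCIPAL.get();      // identity a downstream call would run as
    }

    // Hardened handler: per-thread state is always cleared, even on exceptions.
    static String handleClean(String user) {
        try {
            if (user != null) PRINCIPAL.set(user);
            return PRINCIPAL.get();
        } finally {
            PRINCIPAL.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread guarantees that consecutive requests reuse it.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            // Constructed traffic: "alice" authenticates, then an anonymous request.
            pool.submit(() -> handleLeaky("alice")).get();
            String leaked = pool.submit(() -> handleLeaky(null)).get();
            System.out.println("leaky: anonymous request runs as " + leaked);  // alice

            pool.submit(() -> PRINCIPAL.remove()).get();   // reset the worker thread
            pool.submit(() -> handleClean("alice")).get();
            String clean = pool.submit(() -> handleClean(null)).get();
            System.out.println("clean: anonymous request runs as " + clean);   // null
        } finally {
            pool.shutdown();
        }
    }
}
```

Putting the reset in a `finally` block means the identity is cleared even when the handler throws, which a separate post-request hook only achieves if the container still calls it on the error path.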





RE: [JBoss-user] JNDI Lookup of Datasources

2001-05-10 Thread Mayo, Eric

Try preceding the data source name with "java:/", that is, try
javax.sql.DataSource source =
    (javax.sql.DataSource)jndiContext.lookup("java:/defaultDS");

I believe I had that problem in the past and that fixed it.

Cheers,

Eric

-----Original Message-----
From: Nikhil Patil [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 10, 2001 3:26 PM
To: jboss
Subject: [JBoss-user] JNDI Lookup of Datasources


Hi
I have set a datasource called "workflowDS" in JBOSS. I am trying to do a
client lookup from a client and this is how my code looks.

Properties env = new Properties();
env.setProperty("java.naming.factory.initial",
    "org.jnp.interfaces.NamingContextFactory");
env.setProperty("java.naming.provider.url", "localhost:1099");

try
{
    // Get a naming context
    InitialContext jndiContext = new InitialContext(env);
    System.out.println("Got context");
    javax.sql.DataSource source =
        (javax.sql.DataSource)jndiContext.lookup("defaultDS");
}
catch(Exception e)
{
    System.out.println(e.toString());
}

I get a NameNotFoundException. Any reason? I know that workflowDS is getting
bound to the jndi tree for the console says so.

Thanks
Nikhil





[JBoss-user] tomcat-service.jar

2001-05-10 Thread Mayo, Eric

Hi all,

If anyone is authenticating with tomcat and passing the credentials through
to jboss, there is a problem with the latest tomcat/jboss bundle:
JBoss-2.2.1 + Tomcat-3.2.1

(9671204) [APR-19-2001] 

It seems that the tomcat-service.jar in the lib/ext directory is older than
the one on the previous release, which is causing an error when jboss goes
to authenticate (the function that retrieves the user password is getting a
null pointer exception). 
At any rate, copying the newer tomcat-service.jar from the previous release
and restarting jboss seems to fix this problem.

Eric


