[JBoss-user] [Security JAAS/JBoss] - Share session
Is there any way I can share my principal/session across different war files within the same ear? Or even in different ear files? I want to break up my huge web application into different war modules. I think WebSphere already has something like that. I wouldn't be surprised if JBoss has it and I don't know about it.

http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/tips0215.html?Open

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3873098#3873098

---
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Re: Share session
I just looked up the servlet spec. It looks like this isn't working with Tomcat...? Anyone know how I can share the user's principal between different web applications in the same security domain without re-authenticating again?

SRV.12.6 Server Tracking of Authentication Information

As the underlying security identities (such as users and groups) to which roles are mapped in a runtime environment are environment specific rather than application specific, it is desirable to:

1. Make login mechanisms and policies a property of the environment the web application is deployed in.
2. Be able to use the same authentication information to represent a principal to all applications deployed in the same container, and
3. Require re-authentication of users only when a security policy domain boundary has been crossed.

Therefore, a servlet container is required to track authentication information at the container level (rather than at the web application level). This allows users authenticated for one web application to access other resources managed by the container permitted to the same security identity.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3873108#3873108
[JBoss-user] [Security JAAS/JBoss] - CachingLoginCredentials
From my understanding of the document, all the user principals can be cached and obtained from here.

| MBeanServer server = ...;
| String jaasMgrName = "jboss.security:service=JaasSecurityManager";
| ObjectName jaasMgr = new ObjectName(jaasMgrName);
| Object[] params = {domainName};
| String[] signature = {"java.lang.String"};
| List users = (List) server.invoke(jaasMgr, "getAuthenticationCachePrincipals",
|                                   params, signature);

However, I still don't understand how I can remove just one of the users by username and principal. I noticed there is a flushAuthenticationCache option, but it will flush all the users away. I am new to JAAS and don't know what the best way of retrieving the cached principals would be.

Thanks,
Michael

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872243#3872243

---
This SF.net email is sponsored by Demarc:
A global provider of Threat Management Solutions.
Download our HomeAdmin security software for free today!
http://www.demarc.com/info/Sentarus/hamr30
[JBoss-user] [Security JAAS/JBoss] - Re: CachingLoginCredentials
| public Principal getPrincipal(String securityDomain, Principal principal);

Maybe I should just use this to get the principal and logout()?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872244#3872244
[JBoss-user] [Security JAAS/JBoss] - Re: CachingLoginCredentials
Never mind, I found it.

| String domain = "jmx-console";
| Principal user = new SimplePrincipal("javaduke");
| ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
| Object[] params = {domain, user};
| // the JMX signature is a String[] of class names, so "java.security.Principal", not Principal.class
| String[] signature = {"java.lang.String", "java.security.Principal"};
| MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
| server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872258#3872258
[JBoss-user] [Security JAAS/JBoss] - Re: CachingLoginCredentials
This code works fine. I just wonder if flushing the user cache is equal to logging out? How can I log out the user?

| private void logout(Principal user) {
|     try {
|         String domainName = domain;
|         MBeanServer server = (MBeanServer) MBeanServerFactory
|                 .findMBeanServer(null).get(0);
|         String jaasMgrName = "jboss.security:service=JaasSecurityManager";
|         ObjectName jaasMgr = new ObjectName(jaasMgrName);
|         Object[] params = { domainName };
|         String[] signature = { "java.lang.String" };
|         List users = (List) server.invoke(jaasMgr,
|                 "getAuthenticationCachePrincipals", params, signature);
|
|         for (int i = 0; i < users.size(); i++) {
|             SimplePrincipal principal = (SimplePrincipal) users.get(i);
|             log.info("user = " + principal);
|             if (user.equals(principal)) {
|                 log.info("Logging out");
|                 Object[] pParams = { domainName, user };
|                 String[] pSignature = { "java.lang.String", "java.security.Principal" };
|                 server.invoke(jaasMgr, "flushAuthenticationCache", pParams,
|                         pSignature);
|             }
|         }
|     } catch (MalformedObjectNameException e) {
|         log.error("Malformed Object", e);
|     } catch (NullPointerException e) {
|         log.error("Null Pointer", e);
|     } catch (InstanceNotFoundException e) {
|         log.error("Instance not found", e);
|     } catch (MBeanException e) {
|         log.error("MBean Exception", e);
|     } catch (ReflectionException e) {
|         log.error("Reflection Exception", e);
|     }
| }

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872260#3872260
[JBoss-user] [Security JAAS/JBoss] - Re: CachingLoginCredentials
I am so stupid...

| HttpSession session = request.getSession();
| session.invalidate();

That is all you need to log out the session. I thought I needed to clear the cache or something. So how come, even when I clear the cache, I am still in the session?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3872276#3872276
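The two mechanisms discussed in this thread are independent: the web container keeps the authenticated principal in the HttpSession (that is what request.getUserPrincipal() reads), while the JaasSecurityManager keeps validated credentials and roles in its per-domain authentication cache until the entry times out. Invalidating only the session leaves the cached credentials valid; flushing only the cache leaves the session, and therefore the login, intact. The servlet below is an added example, not code from the thread or from JBoss, that does both on logout. The security domain name "example-domain", the servlet name and the redirect target are assumptions; the MBean name and the flushAuthenticationCache(String, Principal) operation are the ones used in the posts above.

```java
import java.io.IOException;
import java.security.Principal;

import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jboss.security.SimplePrincipal;

/**
 * Logout servlet for a JBoss 4.x / Tomcat web application (added example).
 *
 * A complete logout has to undo two separate things:
 *  1. the container's HttpSession, which carries the authenticated principal;
 *  2. the JaasSecurityManager authentication cache entry for that principal,
 *     which would otherwise let the old credentials be reused until the cache
 *     entry expires, even after a password change or account revocation.
 */
public class LogoutServlet extends HttpServlet {

    // Assumed: the security-domain declared in the application's jboss-web.xml.
    private static final String SECURITY_DOMAIN = "example-domain";

    // JMX name of the JaasSecurityManager service, as used in the thread.
    private static final String JAAS_MGR_NAME = "jboss.security:service=JaasSecurityManager";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal user = request.getUserPrincipal();

        // 1. End the container-level login: drop the session and everything in it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Drop the cached credentials for exactly this principal, so the next
        //    login for this user goes through the login modules again.
        if (user != null) {
            try {
                flushCachedPrincipal(SECURITY_DOMAIN, user);
            } catch (Exception e) {
                // The session is already gone; record the failure rather than
                // surfacing it to the user.
                log("Could not flush authentication cache for " + user.getName(), e);
            }
        }

        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/login.jsp"));
    }

    /**
     * Removes a single principal from the authentication cache of the given
     * security domain through the MBean operation
     * flushAuthenticationCache(String securityDomain, Principal user).
     */
    static void flushCachedPrincipal(String securityDomain, Principal user) throws Exception {
        // The cache is keyed by the principal; re-wrapping by name as a SimplePrincipal
        // matches how the thread flushed "javaduke", whatever wrapper type the
        // container handed back from getUserPrincipal().
        Principal key = new SimplePrincipal(user.getName());
        MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
        ObjectName jaasMgr = new ObjectName(JAAS_MGR_NAME);
        Object[] params = { securityDomain, key };
        String[] signature = { "java.lang.String", "java.security.Principal" };
        server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
    }
}
```

Map the servlet to a URL such as /logout in web.xml and link to it from the application; the redirect target and the domain name have to match the deployment. The cache flush is worth keeping even though session.invalidate() alone ends the browser login, because it is the only way to make a credential change take effect before the cache timeout.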
[JBoss-user] [Security JAAS/JBoss] - j_security_check
Hey,

Where can we find out more information about the j_security_check servlet? Is there any way to wrap this so that it won't be exposed to the users when I am doing JAAS login in a JSP? I know that response.sendRedirect("/j_security_check") will not work; what is the alternative solution?

Thanks,
Michael

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3871088#3871088
[JBoss-user] [Security JAAS/JBoss] - Prinicpal = null
Can anyone point out what the problem is here? I followed the jaashowto, but I still can't get the principal to work. After I do the loginContext.login(), my user and role are set. If I do a forward(), I can get to the restricted resources. But if I do a request.sendRedirect, I lose the principal. So I tested it by getting it out from request.getUserPrincipal(), and it didn't surprise me that it returned null. I tested it on JBoss 4.0.1 RC1 and RC2, and neither of them works.

Thanks,

--- LoginServlet ---

| String username = request.getParameter("username");
| String password = request.getParameter("password");
| try {
|     if (username != null && password != null) {
|         SecurityAssociationHandler handler = new SecurityAssociationHandler();
|         SimplePrincipal user = new SimplePrincipal(username);
|         handler.setSecurityInfo(user, password.toCharArray());
|         LoginContext loginContext = new LoginContext("equilar-login", (CallbackHandler) handler);
|         loginContext.login();
|         Subject subject = loginContext.getSubject();
|         Set principals = subject.getPrincipals();
|         principals.add(user);
|         Principal p = request.getUserPrincipal();
|         if (p != null)
|             log.info("Principal = " + p.getName());
|         else
|             log.info("Principal is null");
|         try {
|             response.sendRedirect("/index.jsp");
|             return;
|         } catch (IOException e) {
|             log.error("sendRedirect failed", e);
|         }
|     } else {
|         try {
|             response.sendRedirect("/login.jsp");
|             return;
|         } catch (IOException e) {
|             log.error("Failed redirecting", e);
|         }
|     }
| } catch (LoginException e) {
|     log.info("Login failed for " + username + ". Reason: " + e.getMessage());
|     try {
|         response.sendRedirect("/login.jsp?login=failed");
|         return;
|     } catch (IOException ee) {
|         log.error("Failed redirecting", ee);
|     }
| }

--- Auth.conf in jboss/server/default/conf ---

| client-login {
|     org.jboss.security.ClientLoginModule required;
| };
|
| equilar-login {
|     org.jboss.security.ClientLoginModule required;
|     org.jboss.security.auth.spi.UsersRolesLoginModule required
|         usersProperties="users.properties"
|         rolesProperties="roles.properties"
|         unauthenticatedIdentity="nobody";
| };

--- Auth.conf in jboss/client ---

| client-login {
|     org.jboss.security.ClientLoginModule required;
| };
|
| equilar-login {
|     org.jboss.security.ClientLoginModule required;
|     org.jboss.security.auth.spi.UsersRolesLoginModule required
|         unauthenticatedIdentity="nobody";
| };

--- login-config.xml ---

| <application-policy name="equilar-login">
|     <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
|     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
|         <module-option name="usersProperties">users.properties</module-option>
|         <module-option name="rolesProperties">roles.properties</module-option>
|         <module-option name="unauthenticatedIdentity">nobody</module-option>
|     </login-module>
| </application-policy>

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3869788#3869788
[JBoss-user] [Security JAAS/JBoss] - Re: Prinicpal = null
I got it to work. Instead of using my servlet to log in, I use

| <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
|     Username:
|     Password:

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3869793#3869793
[JBoss-user] [Security JAAS/JBoss] - Re: Prinicpal = null
| <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
|     <table>
|         <tr>
|             <th>Username:</th>
|             <td><input type="text" name="j_username" size="15"/></td>
|         </tr>
|         <tr>
|             <th>Password:</th>
|             <td><input type="password" name="j_password" size="15"/></td>
|         </tr>
|         <tr/>
|         <tr>
|             <td colspan="2" align="right">
|                 <input type="submit" value="Submit"/>
|             </td>
|         </tr>
|     </table>
| </form>

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3869797#3869797
[JBoss-user] [Security JAAS/JBoss] - Re: Prinicpal = null
What would be the best practice for using the JAAS model in a web application? If I don't want to use j_security_check in the JSP form for the user to log in, and I wouldn't want to save the username and password in the session to do the authentication every time, can anyone point me in the right direction?

| // a class with an abstract method must itself be abstract
| public abstract class MasterServlet extends HttpServlet {
|
|     public abstract void onService(HttpServletRequest request, HttpServletResponse response)
|             throws ServletException, IOException;
|
|     public void service(HttpServletRequest request, HttpServletResponse response)
|             throws ServletException, IOException {
|         doSecurityCheck(request, response); // this is where I do authentication (not shown)
|         onService(request, response);
|     }
|
| }

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3869844#3869844
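The replies in this thread settle on container-managed FORM login (the j_security_check form) rather than calling LoginContext.login() from a servlet. The reason the servlet approach left request.getUserPrincipal() null is that ClientLoginModule only records the identity on the calling thread, for outbound calls to EJBs, while the web container tracks its authenticated principal in the HttpSession and only populates it through its own authenticator; after a redirect the new request has neither. The filter below is an added example, not code from the thread or from JBoss, of the pattern that avoids keeping a password in the session: the application delegates authentication to the container's FORM login and only reads the result. The class name and the init-params requiredRole and loginPage are assumptions; it presupposes a web.xml with a FORM login-config and a security-constraint for the protected URLs.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Access-check filter built on container-managed authentication (added example).
 *
 * The container's FORM authenticator (j_security_check) validates the user
 * against the security domain and stores the principal in the session; this
 * filter never sees a password and never calls JAAS itself. It only reads
 * request.getUserPrincipal() and request.isUserInRole(), the two results the
 * container exposes. That covers the "master servlet" security check from the
 * question above without re-authenticating on every request.
 */
public class AuthorizationFilter implements Filter {

    private String requiredRole;   // assumed init-param: role needed for the mapped URLs
    private String loginPage;      // assumed init-param: where to send anonymous callers

    public void init(FilterConfig config) {
        requiredRole = config.getInitParameter("requiredRole");
        loginPage = config.getInitParameter("loginPage");
        if (loginPage == null) {
            loginPage = "/login.jsp";
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Null means the container has not authenticated this session. URLs under a
        // <security-constraint> never reach this point unauthenticated; for URLs
        // outside one, send the caller to the login page instead of serving them.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + loginPage));
            return;
        }

        // Role check beyond what a URL-pattern constraint expresses. isUserInRole()
        // is answered from the roles the login modules assigned at authentication,
        // so no second lookup of the user's credentials is needed here.
        if (requiredRole != null && !request.isUserInRole(requiredRole)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml with a filter-mapping for the servlets it should guard and the two init-params above. Because the container owns the login, a logout is session.invalidate() (plus the cache flush discussed in the CachingLoginCredentials thread), and role changes take effect at the user's next login without any application code touching credentials.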