[JBoss-user] [Security JAAS/JBoss] - Re: Is SSL encryption available for JAAS?
Thank you for your reply.

My client configuration:

    other {
        org.jboss.security.ClientLoginModule required;
    };

The CallbackHandler I use sets only the username. As a password it sends an empty char array.

Server configuration:

    <application-policy name="example1">
        <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                <module-option name="keyTab">C:/jboss-3.2.3/server/jaas_howto/conf/keytab.dat</module-option>
                <module-option name="useKeyTab">true</module-option>
                <module-option name="debug">true</module-option>
            </login-module>
            <login-module code="org.jboss.docs.jaas.howto.CustomLoginModule" flag="required"/>
            <!-- Setting up roles -->
        </authentication>
    </application-policy>

The keytab was exported from the Active Directory. The keytab contains the user's password in an encrypted way. JBoss is started with the java.security.krb5.kdc and java.security.krb5.realm parameters to know where to find the Active Directory.

That's what I did. The problem I'm facing now is how to send some proof from the client side to the server login modules that the user who is assigned in the ClientLoginModule really logged in to Windows before. I tried JNI to determine the logged-in user name and domain in Windows.

Another problem is how to provide transport layer security for JAAS communication.

Tibor

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security JAAS/JBoss] - Is SSL encryption available for JAAS?
Hi Everybody,

I use JAAS on both the client and the server side. In the client configuration there is a ClientLoginModule. The server side uses a Krb5LoginModule that authenticates against Active Directory. The Kerberos login module on the server uses a keytab for authentication and the client side doesn't send a password. The ClientLoginModule simply binds the currently logged-in Windows user name as the principal.

My question is how to encrypt the user name? Is my only chance the SRP, or is it possible to use SSL somehow?

I use the 3.2.3 version.

Thanks in advance.

Tibor
[JBoss-user] [Persistence CMP/JBoss] - Re: Foreign key referencing not the primary key
Thank you for your reply.
[JBoss-user] [HTTPD, Servlets JSP] - Filtering JSP page failed
Hi all!

I use JBoss 3.2.3. I'd like to write a filter that removes the new lines from the result of a JSP page. Found an excellent article concerning this topic (http://www-106.ibm.com/developerworks/java/library/j-tomcat/?openl=101,t=grj,p=TomcatTricks). The filter code is really simple:

    package com.ibm.devworks.filters;

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    // Buffers the response bytes and replaces the search text when flushed or closed.
    class ReplaceTextStream extends ServletOutputStream {
        private OutputStream intStream;
        private ByteArrayOutputStream baStream;
        private boolean closed = false;

        private String origText;
        private String newText;

        public ReplaceTextStream(OutputStream outStream, String searchText, String replaceText) {
            intStream = outStream;
            baStream = new ByteArrayOutputStream();
            origText = searchText;
            newText = replaceText;
        }

        public void write(int i) throws java.io.IOException {
            baStream.write(i);
        }

        public void close() throws java.io.IOException {
            if (!closed) {
                processStream();
                intStream.close();
                closed = true;
            }
        }

        public void flush() throws java.io.IOException {
            if (baStream.size() != 0) {
                if (!closed) {
                    processStream(); // need to synchronize the flush!
                    baStream = new ByteArrayOutputStream();
                }
            }
        }

        public void processStream() throws java.io.IOException {
            intStream.write(replaceContent(baStream.toByteArray()));
            intStream.flush();
        }

        // Replaces the first occurrence of origText (matched against the lower-cased content).
        public byte[] replaceContent(byte[] inBytes) {
            String retVal = "";
            String firstPart = "";

            String tpString = new String(inBytes);
            String srchString = (new String(inBytes)).toLowerCase();

            int endBody = srchString.indexOf(origText);

            if (endBody != -1) {
                firstPart = tpString.substring(0, endBody);
                retVal = firstPart + newText +
                    tpString.substring(endBody + origText.length());
            } else {
                retVal = tpString;
            }

            return retVal.getBytes();
        }
    }

    // Response wrapper that hands out the replacing stream and a writer on top of it.
    class ReplaceTextWrapper extends HttpServletResponseWrapper {
        private PrintWriter tpWriter;
        private ReplaceTextStream tpStream;

        public ReplaceTextWrapper(ServletResponse inResp, String searchText,
                String replaceText) throws java.io.IOException {
            super((HttpServletResponse) inResp);
            tpStream = new ReplaceTextStream(inResp.getOutputStream(), searchText, replaceText);
            tpWriter = new PrintWriter(tpStream);
        }

        public ServletOutputStream getOutputStream() throws java.io.IOException {
            return tpStream;
        }

        public PrintWriter getWriter() throws java.io.IOException {
            return tpWriter;
        }
    }

    public final class ReplaceTextFilter implements Filter {
        private FilterConfig filterConfig = null;
        private String searchText = ".";
        private String replaceText = ".";

        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain)
                throws IOException, ServletException {

            ReplaceTextWrapper myWrappedResp = new ReplaceTextWrapper(response, searchText, replaceText);
            chain.doFilter(request, myWrappedResp);
            myWrappedResp.getOutputStream().close();
        }

        public void destroy() {
        }

        // Reads the optional "search" and "replace" init parameters.
        public void init(FilterConfig filterConfig) {
            String tpString;
            if ((tpString = filterConfig.getInitParameter("search")) != null)
                searchText = tpString;
            if ((tpString = filterConfig.getInitParameter("replace")) != null)
                replaceText = tpString;

            this.filterConfig = filterConfig;
        }
    }

The filter works only when the requested page is an html file. If it is renamed to the jsp extension, the filter fails. I get a

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></HEAD>
    <BODY></BODY></HTML>

content. I suppose that filters work so that the jsp page is performed first and its result content is filtered. What's wrong?

Tibor
[JBoss-user] [Security JAAS/JBoss] - isUserInRole and non secured pages
Hi all,

I use the 3.2.3 release. In my web application there are some secured and non-secured pages. I experienced that the request.isUserInRole() function doesn't work if there is a forwarding from a secured jsp page to a public one. I made a little example based on the jaas howto tutorial:

WEB.XML:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC
        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">

    <web-app>

        <!-- ### Security -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Restricted</web-resource-name>
                <url-pattern>/secured.jsp</url-pattern>
                <url-pattern>/securedTest.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>Echo</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
        </security-constraint>

        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>JAAS Tutorial Servlets</realm-name>
        </login-config>

        <security-role>
            <description>A user allowed to invoke echo methods</description>
            <role-name>Echo</role-name>
        </security-role>
        <security-role>
            <description>A user with no permissions</description>
            <role-name>nobody</role-name>
        </security-role>

    </web-app>

secured.jsp:

    <%if (request.isUserInRole("Echo")) {%>
    <h1>member of a role</h1>
    <%} else {%>
    <h1>NOT member of a role</h1>
    <%}%>

    <a href="/SecurityWeb/securedTest.jsp">Link to a secured page</a><br/>
    <a href="/SecurityWeb/test.jsp">Link to a public page</a>

securedTest.jsp:

    <html>
    <body>
    <%if (request.isUserInRole("Echo")) {%>
    <h1>member of a role</h1>
    <%} else {%>
    <h1>NOT member of a role</h1>
    <%}%>
    </body>
    </html>

test.jsp:

    <html>
    <body>
    <%if (request.isUserInRole("Echo")) {%>
    <h1>member of a role</h1>
    <%} else {%>
    <h1>NOT member of a role</h1>
    <%}%>
    </body>
    </html>

The securedTest.jsp and test.jsp are the same; the only difference is that the securedTest.jsp is listed under the security-constraint.

Having tried the http://.../secure.jsp and logging in successfully, I can see the "member of a role" text, and clicking on the "Link to a secured page" link the text remains the same. BUT clicking on the "Link to a public page" link, the "NOT member of a role" text appears in the browser.

How could I preserve the roles during my navigation between secured and non-secured pages? Is there a standard method or is this a bug?

Thanks for your reply in advance.

Tibor
[JBoss-user] [HTTPD, Servlets JSP] - Re: error-page and Internet Explorer
Thank you very much for your reply. It works now. My error page contained only the three digit HTTP status code before.

Paszti
[JBoss-user] [HTTPD, Servlets JSP] - error-page and Internet Explorer
Hi All,

I've got problems using the custom error-page feature with Internet Explorer 6.0. My WEB.XML contains the following lines:

    <error-page>
        <error-code>404</error-code>
        <location>/p404.jsp</location>
    </error-page>

The custom error page doesn't appear when the "Show Friendly HTTP error messages" setting is checked. This is very unpleasant because this setting is checked by default after the setup. Is there a way to make the Explorer show the error page regardless of this browser setting?

Thanks in advance

Paszti
[JBoss-user] [Persistence CMP/JBoss] - Why MIN/MAX functions work only on numbers?
Hi all!

I use PostgreSQL and JBoss 3.2.3. I'd like to perform a JBoss ql select that searches for the maximum value of a timestamp typed column. This fails because I get a find exception reporting that the current timestamp value is a "Bad double". Do the newly introduced aggregate functions work only on number parameters?

Another solution would be if I could create for each timestamp cmp field a pair containing the same value in long type. I don't want these long fields to become persistent fields, but I'd like these fields to be usable in a jboss ql select. Can I create this kind of field? I saw that XDoclet has a @jboss.not-persisted-field tag, but there's no documentation concerning the purpose of this tag.

Does anyone know the solution?

Tibor
[JBoss-user] [Persistence CMP/JBoss] - UCASE and accented characters
Hi all,

Has any of you tried the UCASE function with accented characters? Recently I had to use the 'UCASE' function in my jboss queries and I was surprised to find that the

    UCASE('') = ''

expression used in the WHERE condition resulted in FALSE, whereas

    UCASE('e') = 'E'

resulted in TRUE.

Why doesn't UCASE work with accented characters? The toUpperCase() method of the java.lang.String object has no problem performing such a simple conversion.

I use JBoss 3.2.3.

All advice is appreciated except that I should introduce another field to my database table that stores the upper-case-converted version of the same string :-).

Thanks in advance.

Pszti