[JBoss-user] [Security JAAS/JBoss] - Re: Negotiate Authentication SPNEGO Runtime Settings

2006-06-02 Thread senthilid14
Thanks a lot to Jochen, I am slowly understanding Negotiate Authentication.

I am able to run Negotiate Authentication, I have Win XP workstation which is 
in Win 2000 Domain. My workstation is in India, our Win 2000 Domain Controller 
is in Toronto.  

So I could not see what group names are given to my username. I know every 
username in Active Directory will have a group called Domain Users, so I 
mentioned this as role-name in my web.xml and used the following code to 
display the other group names (allotted for me)

<%
  out.println(request.getRemoteUser());
  Subject userSubject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
  out.println("<br>" + userSubject);
%>

Wiki page says you have to replace attribute...WebCallbackHandler line with 
attribute...AdvancedWebCallbackHandler line. But there is no line as 
attribute...WebCallbackHandler. I just added the attribute... line for 
AdvancedWebCallbackHandler

I am able to run on JBoss 4.0.2 with JDK 1.5.  If I am trying to run on JDK 
1.4.2, I am getting the following exception

14:52:17,665 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing
java.lang.NoClassDefFoundError: jcifs/ntlmssp/Type3Message
    at org.jboss.web.tomcat.security.HttpServletRequestResponseValve.authenticate(HttpServletRequestResponseValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
    at org.jboss.web.tomcat.security.HttpServletRequestResponseValve.invoke(HttpServletRequestResponseValve.java:70)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run(Thread.java:534)
Please let me know if anybody is able to run with JBoss 4.0.2 and JDK 1.4.2.

But our project is on JBoss 3.2.3 (porting to 4.0.2 will happen in 2007). But 
I have to implement Negotiate Authentication within one or two weeks' time. Is 
there any solution which can run on JBoss 3.2.3? And it should be free. I have 
to do this for WebSphere, WebLogic, SAP NetWeaver also.

If anyone is able to run this (Negotiate Authentication) on JBoss 3.2.3, please 
tell me.

Thanks

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3948738#3948738



___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security JAAS/JBoss] - Negotiate Authentication SPNEGO Runtime Settings

2006-05-31 Thread senthilid14
Hi,

I want to use Negotiate Authentication (silent authentication, i.e. my Windows 
login credentials should be automatically and silently taken to JBoss).

I read the wiki page (http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos).

I want to run that sample application. I need the runtime settings information; 
whoever has already run it, please help me.

Can I run it from my home PC? (I have Windows 2000 Server and an Internet connection.)

Or do I really need 2 computers (one with Windows 2000 Server, and one with 
Windows XP)? (I can try in my office.)


JDK 1.4 or JDK 1.5?

What values do I have to give for domainController (IP address of the Windows 2000 
server?)

and for defaultDomain (suppose I created a domain like MYDOMAIN.LOCAL, do I have 
to give MYDOMAIN or MYDOMAIN.LOCAL?)

Give me some links, so that I can understand what SPNEGO is and the workings 
behind it.

thanks



View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3947995#3947995



[JBoss-user] [Security JAAS/JBoss] - security realm per application jboss, weblogic, websphere

2006-05-19 Thread senthilid14
In JBoss, we can configure multiple security realms; we can have multiple 
applications and each application can use a different security realm.

We are able to mention the realm name in the security-domain element in 
jboss-web.xml in our application.

In WebLogic and WebSphere we can also create multiple security realms, but only 
one realm can be the active realm, and all applications will use that same realm. I 
believe that there is no way to use different realms for different applications.

I googled for a long time, and I could not find an equivalent element (for 
security-domain) in WebLogic and WebSphere. And their forums are also poor.

Is it possible in WebLogic, WebSphere? I believe that JBoss server developers 
might know this ([EMAIL PROTECTED], [EMAIL PROTECTED] [EMAIL PROTECTED], and 
many). Please tell me.

If not, what is the use of enterprise products, platforms, JRockit, IBM JDK, 
studio, ...

thanks

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3944979#3944979



[JBoss-user] [Security JAAS/JBoss] - Using ADAM (Active Directory Application Mode) LdapExtLogi

2006-05-16 Thread senthilid14
Hi,

  I am using ADAM (a mini version of Active Directory), and I want to use either 
LdapLoginModule or LdapExtLoginModule. I am unable to log on to my application. It's 
repeatedly asking for username, password.

  I wrote a standalone program to connect to ADAM, and I am able to fetch 
entries. Here are the properties to connect.

import java.util.Hashtable;
import javax.naming.Context;

// JNDI environment for a simple (DN + password) bind to the local ADAM instance
Hashtable hs = new Hashtable();
hs.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
hs.put(Context.PROVIDER_URL, "ldap://localhost:389/OU=security,DC=ties,DC=teradata,DC=ncr,DC=com");
hs.put(Context.SECURITY_AUTHENTICATION, "simple");
hs.put(Context.SECURITY_PRINCIPAL, "CN=admin1,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com");
hs.put(Context.SECURITY_CREDENTIALS, "admin1");

Under the OU=security context, I created groups and users like below

CN=admin,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com
CN=developer,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com
CN=user,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com

CN=admin1,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com
CN=developer1,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com
CN=user1,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com

Here is login module config

<application-policy name="myrealm">

  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
    <module-option name="bindDN">CN=admin1,OU=security,DC=ties,DC=teradata,DC=ncr,DC=com</module-option>
    <module-option name="bindCredential">admin1</module-option>
    <module-option name="baseCtxDN">OU=security,DC=ties,DC=teradata,DC=ncr,DC=com</module-option>
    <module-option name="baseFilter">(cn={0})</module-option>

    <module-option name="rolesCtxDN">OU=security,DC=ties,DC=teradata,DC=ncr,DC=com</module-option>
    <module-option name="roleFilter">(member={0})</module-option>
    <module-option name="roleAttributeID">memberOf</module-option>
    <module-option name="roleAttributeIsDN">true</module-option>
    <module-option name="roleNameAttributeID">name</module-option>

    <module-option name="roleRecursion">-1</module-option>
    <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
  </login-module>

</application-policy>

where did I go wrong, Please help


View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3943720#3943720



[JBoss-user] [Security JAAS/JBoss] - Re: Using ADAM (Active Directory Application Mode) LdapExt

2006-05-16 Thread senthilid14
I found where I made the mistake.

wrong one
<module-option name="roleFilter">(member={0})</module-option>

correct one
<module-option name="roleFilter">(member={1})</module-option>

0 will be substituted by the given user name
1 will be substituted by the given user DN

Each group's member attribute has the user DN as value and not the username,
so I have to give 1 only.

(Sorry, I did not read the wiki knowledge base properly; there it's clearly mentioned.)

The full working login module config is

<application-policy name="myrealm">

  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
    <module-option name="java.naming.provider.url">ldap://localhost</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="bindDN">cn=admin1,ou=security,dc=ties,dc=teradata,dc=ncr,dc=com</module-option>
    <module-option name="bindCredential">admin1</module-option>

    <module-option name="baseCtxDN">ou=security,dc=ties,dc=teradata,dc=ncr,dc=com</module-option>
    <module-option name="baseFilter">(cn={0})</module-option>

    <module-option name="rolesCtxDN">ou=security,dc=ties,dc=teradata,dc=ncr,dc=com</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">cn</module-option>
    <module-option name="roleRecursion">-1</module-option>
  </login-module>

</application-policy>

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3943727#3943727
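
The {0} versus {1} substitution described in the post above, replayed against a small in-memory directory. This is an added example, not code from the post or from JBoss; the class name, the group memberships and the plain string substitution are assumptions made for illustration, and it needs Java 9 or later.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added illustration: why roleFilter (member={0}) finds no roles and (member={1}) does. */
public class RoleFilterDemo {
    static final String BASE = "OU=security,DC=ties,DC=teradata,DC=ncr,DC=com";

    // Constructed sample data: group CN -> values of its "member" attribute.
    // Which user sits in which group is assumed; the post only lists the entries.
    static final Map<String, List<String>> GROUPS = new LinkedHashMap<>();
    static {
        GROUPS.put("admin", List.of("CN=admin1," + BASE));
        GROUPS.put("developer", List.of("CN=developer1," + BASE, "CN=admin1," + BASE));
        GROUPS.put("user", List.of("CN=user1," + BASE));
    }

    /** Step 1, baseFilter (cn={0}): map the login name to the DN of its entry. */
    static String findUserDn(String username) {
        for (String cn : List.of("admin1", "developer1", "user1")) {
            if (cn.equalsIgnoreCase(username)) {
                return "CN=" + cn + "," + BASE;
            }
        }
        return null;
    }

    /** Step 2, roleFilter: {0} is the login name, {1} is the DN found in step 1. */
    static List<String> findRoles(String roleFilter, String username) {
        String userDn = findUserDn(username);
        if (userDn == null) {
            return List.of();
        }
        // Plain replace stands in for the directory search's own substitution.
        String filter = roleFilter.replace("{0}", username).replace("{1}", userDn);
        // Only the simple equality form "(member=VALUE)" from the post is handled.
        if (!filter.startsWith("(member=") || !filter.endsWith(")")) {
            throw new IllegalArgumentException("unsupported filter: " + roleFilter);
        }
        String wanted = filter.substring("(member=".length(), filter.length() - 1);
        List<String> roles = new ArrayList<>();
        for (Map.Entry<String, List<String>> group : GROUPS.entrySet()) {
            for (String member : group.getValue()) {
                // DN matching ignores case, so cn=/CN= and ou=/OU= are equivalent.
                if (member.equalsIgnoreCase(wanted)) {
                    roles.add(group.getKey()); // roleAttributeID = cn
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // The bare login name never equals a member value, so no role is found.
        System.out.println("(member={0}) -> " + findRoles("(member={0})", "admin1"));
        // The user DN matches the member values of the groups that contain it.
        System.out.println("(member={1}) -> " + findRoles("(member={1})", "admin1"));
    }
}
```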



[JBoss-user] [Security JAAS/JBoss] - Re: How to get authenticated user's Subject from EJB

2006-04-04 Thread senthilid14
Hi,

   First of all, thanks NigelWhite and scott stark.

   Yes, we need to specify the security-domain element in jboss.xml. Only then 
will the PolicyContext.getContext method return the Subject; otherwise it will 
return null.

   And it should have the same value as the security-domain element in jboss-web.xml.

   And if you add the security-domain element in jboss.xml, then you must specify 
the method-permission element for your EJBs, otherwise you can't access your EJBs 
from a servlet or JSP.

(At first I understood wrongly: I thought that to get the Subject from an EJB we must use 
a custom login module. Sorry, it's not correct; the key thing is the security-domain 
element in jboss.xml.)



For those who need sample code

The following is my session bean's business method

  public String sayHello() {
    try {
      Subject mySubject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
      return mySubject.toString();
    } catch (Exception e) {
      throw new EJBException("sayHello method failed to get subject", e);
    }
  }


The following is my jboss.xml assembly descriptor part


  <assembly-descriptor>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>HelloEJB</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>

The following is my Hello.jsp code

<%@ page import="javax.naming.InitialContext, javax.rmi.PortableRemoteObject, hello.*" %>
<%
  InitialContext ctxt = new InitialContext();
  HelloHome home = (HelloHome) PortableRemoteObject.narrow(ctxt.lookup("java:comp/env/ejb/HelloEJB"), HelloHome.class);
  Hello hello = home.create();
%>


<html>
<head>
<style type="text/css">
body {
  font-family:'Comic Sans MS';
  font-size:11pt;
}
</style>
</head>
<body>
<%=hello.sayHello()%>
</body>
</html>

and this is the output

Subject: Principal: user2 Principal: Roles(members:employee,manager) 


Thanks again  

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3934815#3934815



[JBoss-user] [Security JAAS/JBoss] - Re: Error when getting Subject

2006-04-03 Thread senthilid14
Hi,

   We can get subject by using the following code in JSP or Servlet.

  Subject userSubject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
  System.out.println("Subject is " + userSubject);

But getting the Subject from an EJB is a little difficult (I feel). Anyway, in 
your code ctxt.lookup("java:comp/env/security/SecurityMgr"), first you are 
getting the SubjectSecurityManager, then you are getting the Subject. But I am getting 
NameNotFoundException for that lookup (meaning I have to tell JBoss something 
regarding that lookup in jboss-web.xml or jboss.xml). How do I say it (or how 
do I configure that lookup)? Where have you seen that code? Can you give working code?

Thanks

Senthil Kumar

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3934341#3934341



[JBoss-user] [Security JAAS/JBoss] - Re: How to get authenticated user's Subject from EJB

2006-04-02 Thread senthilid14
Thanks. So I have to write a custom login module. I am new to JAAS, but I will 
try it.

Thanks again,

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3934192#3934192



[JBoss-user] [Security JAAS/JBoss] - Re: How to get authenticated user's Subject from EJB

2006-03-30 Thread senthilid14
Thanks,  but I am not able to get the Subject from EJB

It is always returning null, but JSP code is perfectly returning Subject

See the following code, and output

the following is session bean's business method  

  public String thanks() {
    try {
      Subject userSubject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
      if (userSubject != null)
        return userSubject.toString();
      else
        return "save me";
    } catch (Exception e) {
      throw new EJBException("thanks method got exception", e);
    }
  }

the following is calling JSP

<%@ page import="javax.naming.InitialContext, javax.rmi.PortableRemoteObject, javax.security.auth.Subject, javax.security.jacc.PolicyContext, prototypebeans.permission.*, prototype.QueryPermission" %>
<%
  InitialContext ctxt = new InitialContext();
  PermissionManagerHome home = (PermissionManagerHome) PortableRemoteObject.narrow(ctxt.lookup("java:comp/env/ejb/PermissionManagerEJB"), PermissionManagerHome.class);
  PermissionManager permissionManager = home.create();
  out.println("From EJB, " + permissionManager.thanks());
  Subject userSubject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
  out.println("<br>From JSP, subject is " + userSubject);
%>


The following is output i got

From EJB, save me
From JSP, subject is Subject: Principal: user1 Principal: Roles(members:admin)



Did any one obtain Subject from EJB code?

Please help me

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3933934#3933934



[JBoss-user] [Security JAAS/JBoss] - How to get authenticated user's Subject from EJB

2006-03-29 Thread senthilid14
Hi,
 In a servlet or JSP, I am able to get the Subject by using the 
PolicyContext.getContext() method.

 But in an EJB (session bean), if I try the same code, it returns 
null. But the getCallerPrincipal() and isUserInRole() methods are working properly.

Is there a way to get the authenticated user's Subject from an EJB? And one more 
thing: PolicyContext.getContext() is JBoss specific; will it work in other app 
servers?

I have been searching for this for more than one week. Please help.

Advance thanks

Regards
Senthil Kumar

View the original post : 
http://www.jboss.com/index.html?module=bbop=viewtopicp=3933362#3933362
