[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-21 Thread NigelWhite
Well, thanks a bunch JBoss gurus! (Not you elponderador, the developers who 
should know this, and should have helped!)

After much searching, I randomly stumbled across the correct incantation:

in jboss-web.xml

  <jboss-web>
    <security-domain>java:/jaas/jbossweb-form-auth</security-domain>
  </jboss-web>

So now, I can log out when they click the logout link.

Great.

Next up, how to programmatically determine whether a URL is available to the 
current user.

I'm of course using container-managed authorization, but it's no good 
outputting a link only to have the user click on it, and be tipped into the 
error page by JBoss. I want to have a custom tag for links which does not 
output any HTML if the URL is not accessible to the current user.

Any ideas?

No doubt, I'll find the incantation at some random site given enough 
searching...

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913766#3913766



---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
___
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread NigelWhite
You're saying it should call login() and then immediately logout() on the first 
HTTP request??

That would be bizarre. I want to log out when they hit the logout link.

Anyway, it's not doing that - it's never getting into my LoginModule's logout() 
method.

The login() is being called fine, and I'm connecting to the backend server, 
caching the connection in the session, and the webapp then uses that.

When they hit the logout link though, it does a session.invalidate(), and no 
logout() is called, and the connection to the backend server stays open, and 
consumes a licence seat (It's HORRIBLE legacy stuff, and that's how they're 
clinging to viability - licencing!)

Now I could do the processing myself, but what if there were more login modules 
stacked up (as they may well be with JAAS authentication). It may be that more 
logout() methods in other modules may need to be called.

The container must have some way of doing this! We need access to the 
LoginContext used by the container at authentication time!

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913573#3913573



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread elponderador
"NigelWhite" wrote:
> That doesn't work.
>
> I have debug statements in my LoginModule's logout() method, and they are 
> not being executed.

Well, it will only happen on the first request. The following requests they are 
just semi-authenticated (credential caching compared to provided data) and 
never hit the LoginModule, unless you have modified your caching settings. In 
this way authentication happens really only once per successful authentication.

From there, the real issue is authorization. At least that has been my 
experience with jboss 4.0.3 and my understanding of the related documentation.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913569#3913569



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread NigelWhite
That doesn't work.

I have debug statements in my LoginModule's logout() method, and they are not 
being executed.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913564#3913564



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread elponderador
Nigel,

To logout, just invalidate the session. On every request the user is logged in 
and logged out; that is why they cache the credentials.

request.getSession().invalidate();

If you invalidate your session, the security associations will get disconnected 
from the client and then they will be "logged out".

Hope that makes sense.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913561#3913561



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread NigelWhite
Well, there's still the problem of the web app not having access to the 
LoginContext created by the container's authentication process so that it can 
explicitly log out.

This is another glaring omission for which there must be a solution somewhere.

How does anyone ever log out of JAAS-secured web apps under JBoss?

Also, the questions about why the user principal has to be a 
org.jboss.security.SimplePrincipal. Why?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913543#3913543



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread NigelWhite
Solved!

http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication

How come nobody, not even the JBoss staff knew this unlikely-looking 
incantation?

If this is a standard part of a JACC-conforming container, then this gem of 
information should be made extremely prominent!

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913528#3913528



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread NigelWhite
Also, how does one log out?

After using the container's authentication to call through to my LoginModule, 
my web app's logout processing then doesn't have access to the LoginContext to 
call the logout() method.

I suppose my LoginModule can put it into my user principal during login... 
DOH! Just looked, the LoginModule has no access to the LoginContext that called 
it! How can I possibly log out?

Anyway... My user principal object (an application-specific Object which 
carries a lot of app-specific context) which goes into the "CallerPrincipal" 
Group of the Subject annoyingly has to extend 
org.jboss.security.SimplePrincipal.

Why should this be? Surely, it just needs to implement java.security.Principal? 
Why does JBoss check that it's an instance of 
org.jboss.security.SimplePrincipal?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913520#3913520



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-20 Thread NigelWhite
Adding

public Principal authenticate(Header[] headers, Map data);

To the Realm interface? Sounds good. How (under JBoss) would I instruct the 
embedded Tomcat to use my user-written Realm Object just for one webapp?

Would you then also add new javax.security.auth.callback.Callback 
implementations so that my user-written LoginModule (which extends 
org.jboss.security.auth.spi.AbstractServerLoginModule - is that correct???) can 
ask its CallbackHandler for the Header array and the parameter Map?

Any timeframe on this more useful authentication ability being part of a 
downloadable JBoss?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913516#3913516



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-19 Thread [EMAIL PROTECTED]
Your frustrations are overlapping with the current focus in the Security Arena 
at JBoss. In addition to the link Brian provided, an area that fits your 
needs is:
  http://www.jboss.com/index.html?module=bb&op=viewtopic&t=73024

Unless the AuthenticatorBase is retrofitted, you will not achieve what you 
want. 


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913398#3913398



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-19 Thread NigelWhite
OK, that won't work.

Any other ideas?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3913395#3913395



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-14 Thread NigelWhite
It looks like we should be able to do this by using a custom Tomcat 
authenticator.

I'd probably extend org.jboss.web.tomcat.security.AuthenticatorBase to make use 
of its existing logic, but override 

public boolean authenticate(Request request, Response response, LoginConfig 
config) throws IOException

OK, now how do we specify that that class should be used for FORM based logins?


View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3912658#3912658



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-14 Thread NigelWhite
In fact, it gets worse.

To perform the authentication, I need parameters from the original URL.

The client will go to 
http://foo.com/myapp/index.jsp?cic=IBM&srv=bigblue&port=2332

(or something similar)

And the authentication needs the "cic" as the company code, and the "srv" and 
"port" (as host name and port number) to connect to the back end server to do 
the authentication. It also must register the connection to the server in the 
HttpSession for subsequent use.

username+password is inadequate! We need access to the HttpRequest, and 
HttpSession!

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3912647#3912647
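The requirement above (company code, host and port taken from the request, the backend connection parked in the HttpSession, the seat released at logout), combined with the request lookup that the "Solved!" post's wiki link is named after, as an added example that is none of the posters' code: a JBoss 4 login module that reads the request through the JACC PolicyContext. It assumes the container registers the current HttpServletRequest under the JACC handler key used below; LegacyConnection, connect() and the allowedHosts option are hypothetical.

```java
import java.io.IOException;
import java.security.acl.Group;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.*;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Added example, not a poster's module. LegacyConnection and connect() are hypothetical
// stand-ins for the licence-counted legacy server; a subclass supplies the real protocol.
public abstract class RequestAwareLoginModule extends UsernamePasswordLoginModule {
    // Handler key the JACC spec defines for the current HttpServletRequest.
    private static final String REQ_KEY = "javax.servlet.http.HttpServletRequest";
    public interface LegacyConnection { String[] roles(); void close(); }
    protected abstract LegacyConnection connect(String host, int port, String cic,
                                                String user, String password) throws IOException;
    private Set allowedHosts;          // module option "allowedHosts", comma separated
    private LegacyConnection backend;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        String hosts = (String) options.get("allowedHosts");
        allowedHosts = new HashSet(Arrays.asList(hosts == null ? new String[0] : hosts.split(",")));
    }
    protected String getUsersPassword() { return null; }   // the legacy server checks the password

    protected boolean validatePassword(String inputPassword, String ignored) {
        try {
            HttpServletRequest req = (HttpServletRequest) PolicyContext.getContext(REQ_KEY);
            if (req == null) return false;                // request handler not registered
            String cic = req.getParameter("cic");
            String srv = req.getParameter("srv");
            int port = Integer.parseInt(req.getParameter("port"));
            // The client must not steer the login to a host of its choosing: srv has to be
            // on the operator's allow-list and port has to be a valid TCP port.
            if (cic == null || srv == null || !allowedHosts.contains(srv) || port < 1 || port > 65535)
                return false;
            backend = connect(srv, port, cic, getUsername(), inputPassword);
            req.getSession(true).setAttribute("backend", backend);   // reused by the webapp
            return true;
        } catch (Exception e) {                            // bad port, JACC lookup or backend failure
            log.debug("login rejected", e);               // fail closed
            return false;
        }
    }

    protected Group[] getRoleSets() {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] names = backend.roles();
        for (int i = 0; i < names.length; i++) roles.addMember(new SimplePrincipal(names[i]));
        return new Group[] { roles };
    }

    public boolean logout() throws LoginException {
        if (backend != null) { backend.close(); backend = null; }   // frees the licence seat
        return super.logout();
    }
}
```

Under FORM login the request visible here is the j_security_check POST, so the login form must carry cic, srv and port itself (hidden fields or its action URL) rather than relying on the originally requested page's query string.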



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-14 Thread NigelWhite
Yes, I just started a thread about this.

I'm amazed that there's no standard J2EE way to provide your own 
authentication. 

I would have thought that JBoss might provide a way for you to supply your I 
just found http://jcp.org/en/jsr/detail?id=196 but that's just at the review 
stage.

Do any JBoss people know when this will make it into a downloadable JBoss 
release? If it's available, how do we work it?

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3912590#3912590



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-13 Thread [EMAIL PROTECTED]
I'm not aware of any standard way to do this, although I'm not fully up to 
speed on what all the security guys have been up to in terms of providing 
security hooks in the web tier (I'm in clustering).  So, don't take my response 
as meaning there's no way (but I doubt it).

See http://www.jboss.com/index.html?module=bb&op=viewtopic&t=73020 for a good 
discussion on the security dev list of work on adding flexibility to the Tomcat 
authentication mechanism.  That's for the future though.

Re: cross-browser javascript issues, if your javascript guys can't write 
cross-browser code to pull data out of a couple text fields, concat it and 
insert in a hidden form field, well, maybe you need some new javascript guys 
;-).

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3912486#3912486



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-13 Thread elponderador
Good idea. It is something we had considered, but considering browser problems 
with javascript, it's not a very attractive one. So are you really saying 
there is no other, more standard way to do this?



View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3912459#3912459



[JBoss-user] [Security & JAAS/JBoss] - Re: Multi Credential Authentication

2005-12-13 Thread [EMAIL PROTECTED]
A quick and dirty way I've seen this kind of thing done with web app FORM 
authentication is to have javascript concat the access code and DOB together 
and send them as the j_password.  Then your login module would parse them out.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3912457#3912457
