[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB

2004-11-09 Thread tschraepen
You guys should check out this article on using JAAS with Struts: 
http://www.mooreds.com/jaas.html

I think you'll find point 2.3.2 interesting.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3854399#3854399



___
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB

2004-10-25 Thread prilmeie
I can confirm your troubles with JBoss 3.2.5 and Struts 1.2.4 - but I am not sure 
whose fault it is. The problem is very clear: JBoss forgets the user principal after 
the next http request.

I haven't found any way to resolve that issue except reauthentication for each 
action. I have written myself an (AspectJ) aspect for constant reauthentication:

import javax.security.auth.login.LoginContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public aspect WebAuthentificationAspect
{
    // Matches every Struts Action.execute(...) in the action package, except the LoginAction itself
    public pointcut authOperations ( HttpServletRequest request ) :
        within ( de.prilmeier.mysabom.web.action.* ) &&
        ! within ( de.prilmeier.mysabom.web.action.LoginAction ) &&
        args ( *, *, request, * ) &&
        execution ( * execute ( .., HttpServletRequest, .. ) );

    // Runs the JAAS login again before each action, with the credentials kept in the HTTP session
    before ( HttpServletRequest request ) throws Exception : authOperations ( request )
    {
        HttpSession session = request.getSession ( false );
        String password = ( String ) session.getAttribute ( Constants.PASSWORD_KEY );
        String userName = ( String ) session.getAttribute ( Constants.USER_NAME_KEY );

        LoginCallbackHandler lch = new LoginCallbackHandler ( userName, password );
        LoginContext lc = new LoginContext ( "mysabom", lch );
        lc.login ();
    }
}

That's no good programming style, but it works.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3852646#3852646





[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB

2004-09-28 Thread kristiane
Hi,

There are no calls clearing the SecurityAssociation in my code between 
LoginContext.login() and SecurityAssociation.getSubject(). I am not using any 
RMIAdaptor. There might be something in the Struts framework code, but this seems 
unlikely (using Action and RequestProcessor).

Could it be as suggested in the topic 
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=38229:

anonymous wrote : The ClientLoginModule places the principals and credentials which 
are acquired by the previous login module(s) in a magic way to a magic place where bean 
invocation mechanism passes them to the container resp. beans. I suppose the security 
information is associated with the Thread object.

I can confirm that your assumptions are correct. Please note JKuhn that this can 
lead to surprising effects in your web application, because most servlet containers use 
thread-pooling ;-). So the next request might behave as not logged in, whereas 
requests that you are supposing are not logged in, seem to do

Comments anyone?


Anyhows, I found a workaround to the above-mentioned problem. In the RequestProcessor 
subclass that is called before your Action classes get control, add a 
reauthentication. You will need to store the password in the Session object. 

In LoginAction add

    // Need the password for reauthentication in NotatbaseRequestProcessor
    session.setAttribute("password", j_password);

The RequestProcessor subclass looks like this:

import java.io.IOException;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.SecurityAssociationHandler;

public class NotatbaseRequestProcessor extends RequestProcessor {
    private static final Logger logger = Logger.getLogger(NotatbaseRequestProcessor.class);

    /**
     * Overriding RequestProcessor.processRoles to check permission for requested page
     * @param request  The servlet request we are processing
     * @param response The servlet response we are creating
     * @param mapping  The mapping we are using
     * @return Return true to continue normal processing, or false if returning to login page.
     * @throws IOException if an input/output error occurs
     * @throws ServletException if a servlet exception occurs
     */
    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
                                   ActionMapping mapping) throws IOException, ServletException {
        String contextPath = request.getContextPath();
        String requestURI = request.getRequestURI();
        String loginPage = "login.do";
        if (request != null) {
            Subject subject = (Subject) request.getSession().getAttribute("subject");
            if (subject != null) {
                // Get the Principal from Subject
                Set principals = subject.getPrincipals();
                Iterator it = principals.iterator();
                String principal = ((Principal) it.next()).getName();

                // Get the password from Session
                String password = (String) request.getSession().getAttribute("password");

                // Re-authenticate the caller
                try {
                    SecurityAssociationHandler handler = new SecurityAssociationHandler();
                    SimplePrincipal user = new SimplePrincipal(principal);
                    handler.setSecurityInfo(user, password);
                    LoginContext loginContext = new LoginContext("notatbase", (CallbackHandler) handler);
                    loginContext.login();
                    logger.debug("User reauthenticated...");
                } catch (LoginException le) {
                    logger.debug("Could not reauthenticate the user: " + le.getMessage());
                    return false;
                }
                logger.debug("subject OK, returning true, " + subject);
                return true;
            } else if (request.getRequestURI().equals("/notatbase/login.do")) {
                logger.debug("login page, returning true");
                return true;
            } else {
                logger.debug("subject not OK, returning false");
                response.sendRedirect(contextPath + "/" + loginPage + "?requestedPage="
                        + removePrefix(requestURI, contextPath));
                return false;
            }
        }
        // The rest of the posted method (starting with a logger call) was cut off in the archive;
        // returning false here only so that the class compiles.
        return false;
    }

    // Not shown in the post; assumed helper that strips the context path from the request URI
    private static String removePrefix(String uri, String prefix) {
        return uri.startsWith(prefix) ? uri.substring(prefix.length()) : uri;
    }
}
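The per-request re-login from the two posts above (the AspectJ aspect and the RequestProcessor override), written here as a servlet Filter; this is an added illustration, not code from any poster. It uses the standard JAAS NameCallback/PasswordCallback instead of the JBoss SecurityAssociationHandler, and it logs out in a finally block so the identity bound to the worker thread by ClientLoginModule is removed before the thread goes back to the pool, which is the leak the quoted text describes. The login configuration name "notatbase" comes from the post; the class name and the "username"/"password" session attribute names are assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
/** Per-request JAAS re-login that also clears the identity once the request is done. */
public class ReauthenticationFilter implements Filter {
    // "notatbase" is the login configuration name from the post; the attribute names are assumed.
    private static final String LOGIN_CONFIG = "notatbase";
    public void init(FilterConfig config) { }
    public void destroy() { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String user = session == null ? null : (String) session.getAttribute("username");
        String password = session == null ? null : (String) session.getAttribute("password");
        if (user == null || password == null) {
            chain.doFilter(req, res); // no session credentials: let the login page deal with it
            return;
        }
        LoginContext lc;
        try {
            lc = new LoginContext(LOGIN_CONFIG, new CredentialHandler(user, password.toCharArray()));
            lc.login(); // ClientLoginModule binds principal and credential to this worker thread
        } catch (LoginException le) {
            throw new ServletException("re-authentication failed", le);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // Log out before the thread returns to the pool, so the next request on it inherits nothing
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }
    /** Plain JAAS CallbackHandler answering NameCallback and PasswordCallback. */
    static final class CredentialHandler implements CallbackHandler {
        private final String name; private final char[] password;
        CredentialHandler(String name, char[] password) { this.name = name; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
```

Map the filter to the Struts action URLs in web.xml; the login action itself must stay outside its mapping, as the aspect above excludes LoginAction.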

[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB

2004-09-16 Thread mthoma
Hi Scott

Could you please show a little example for this?

Thanks
 Martin

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3848534#3848534





[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB

2004-09-11 Thread [EMAIL PROTECTED]
Then something between the point of the LoginContext.login and the 
SecurityAssociation.getSubject() showing null is clearing the SecurityAssociation. A 
common source of this is trying to use the RMIAdaptor from jndi in the context of the 
invocation. The RMIAdaptor cannot be used like this because it clears the caller 
identity. You need to use the MBeanServer directly if that is what is happening.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3847912#3847912


