[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB
You guys should check out this article on using JAAS with Struts: http://www.mooreds.com/jaas.html

I think you'll find point 2.3.2 interesting.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3854399#3854399
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3854399

---
This SF.Net email is sponsored by: Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB
I can confirm your troubles with JBoss 3.2.5 and Struts 1.2.4, but I am not sure whose fault it is. The problem is very clear: JBoss forgets the user principal after the next HTTP request. I haven't found any way to resolve that issue except reauthentication for each action. I have written myself an (AspectJ) aspect for constant reauthentication:

    import javax.security.auth.login.LoginContext;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    // LoginCallbackHandler and Constants are the poster's own application classes.

    public aspect WebAuthentificationAspect
    {
        // Every Struts execute(...) in the action package except the login action itself.
        public pointcut authOperations ( HttpServletRequest request ) :
            within ( de.prilmeier.mysabom.web.action.* ) &&
            ! within ( de.prilmeier.mysabom.web.action.LoginAction ) &&
            args ( *, *, request, * ) &&
            execution ( * execute ( .., HttpServletRequest, .. ) );

        // Log in again from the credentials kept in the session before the action runs.
        before ( HttpServletRequest request ) throws Exception : authOperations ( request )
        {
            HttpSession session = request.getSession ( false );
            String password = ( String ) session.getAttribute ( Constants.PASSWORD_KEY );
            String userName = ( String ) session.getAttribute ( Constants.USER_NAME_KEY );

            LoginCallbackHandler lch = new LoginCallbackHandler ( userName, password );
            LoginContext lc = new LoginContext ( "mysabom", lch );
            lc.login ();
        }
    }

That's not good programming style, but it works.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3852646#3852646
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3852646
[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB
Hi,

There are no calls clearing the SecurityAssociation in my code between LoginContext.login() and SecurityAssociation.getSubject(). I am not using any RMIAdaptor. There might be something in the Struts framework code, but this seems unlikely (using Action and RequestProcessor). Could it be as suggested in the topic http://www.jboss.org/index.html?module=bb&op=viewtopic&t=38229:

| anonymous wrote : The ClientLoginModule places the principals and credentials which are acquired by the previous login module(s) in a magic way to a magic place where the bean invocation mechanism passes them to the container resp. beans. I suppose the security information is associated with the Thread object.
|
| I can confirm that your assumptions are correct. Please note JKuhn that this can lead to surprising effects in your web application, because most servlet containers use thread-pooling ;-). So the next request might behave as not logged in, whereas requests that you are supposing are not logged in, seem to do

Comments anyone?

Anyhow, I found a workaround to the above mentioned problem. In the RequestProcessor subclass that is called before your Action classes get control, add a reauthentication. You will need to store the password in the Session object. In LoginAction add:

    // Need the password for reauthentication in NotatbaseRequestProcessor
    session.setAttribute("password", j_password);

The RequestProcessor subclass looks like this:

    import java.io.IOException;
    import java.security.Principal;
    import java.util.Iterator;
    import java.util.Set;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.log4j.Logger;
    import org.apache.struts.action.ActionMapping;
    import org.apache.struts.action.RequestProcessor;
    import org.jboss.security.SimplePrincipal;
    import org.jboss.security.auth.callback.SecurityAssociationHandler;

    public class NotatbaseRequestProcessor extends RequestProcessor {
        private static final Logger logger = Logger.getLogger(NotatbaseRequestProcessor.class);

        /**
         * Overriding RequestProcessor.processRoles to check permission for requested page
         * @param request The servlet request we are processing
         * @param response The servlet response we are creating
         * @param mapping The mapping we are using
         * @return Return true to continue normal processing, or false if returning to login page.
         * @throws IOException if an input/output error occurs
         * @throws ServletException if a servlet exception occurs
         */
        protected boolean processRoles(HttpServletRequest request, HttpServletResponse response, ActionMapping mapping)
                throws IOException, ServletException {
            String contextPath = request.getContextPath();
            String requestURI = request.getRequestURI();
            String loginPage = "login.do";
            if (request != null) {
                Subject subject = (Subject) request.getSession().getAttribute("subject");
                if (subject != null)
                {
                    // Get the Principal from Subject
                    Set principals = subject.getPrincipals();
                    Iterator it = principals.iterator();
                    String principal = ((Principal) it.next()).getName();

                    // Get the password from Session
                    String password = (String) request.getSession().getAttribute("password");

                    // Re authenticate the caller
                    try
                    {
                        SecurityAssociationHandler handler = new SecurityAssociationHandler();
                        SimplePrincipal user = new SimplePrincipal(principal);
                        handler.setSecurityInfo(user, password);
                        LoginContext loginContext = new LoginContext("notatbase", (CallbackHandler) handler);

                        loginContext.login();
                        logger.debug("User reauthenticated...");
                    }
                    catch (LoginException le)
                    {
                        logger.debug("Could not reauthenticate the user: " + le.getMessage());
                        return false;
                    }
                    logger.debug("subject OK, returning true, " + subject);
                    return true;
                } else if (request.getRequestURI().equals("/notatbase/login.do")) {
                    logger.debug("login page, returning true");
                    return true;
                } else {
                    logger.debug("subject not OK, returning false");
                    response.sendRedirect(contextPath + "/" + loginPage + "?requestedPage=" + removePrefix(requestURI, contextPath));
                    return false;
                }
            }
            logger
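The effect the quoted posts describe, and that the AspectJ aspect and the RequestProcessor workaround above both compensate for, can be reproduced without JBoss at all. The following is an added example written for this thread; it is not code from any of the posts or from JBoss. It assumes a ThreadLocal as a stand-in for JBoss's thread-bound SecurityAssociation, a small Session class as a stand-in for HttpSession, and two single-thread executors as two workers of a servlet container's thread pool (all constructed for the demo). The login request runs on worker A, the same session's next request on worker B, and a request for a session that never logged in lands on worker A again: without per-request handling the second request sees no caller while the anonymous request inherits "alice" from the thread; with a filter that rebinds the identity from the session at the start of each request and clears it in finally, both requests see the right thing. The filter rebinds from the principal already stored in the session rather than from a password, so nothing beyond what the login already established needs to be kept server-side.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

/** Constructed demo: a thread-bound caller identity served from a pool of worker threads. */
public class ThreadBoundIdentityDemo {

    /** Stand-in for SecurityAssociation: the caller is bound to the current thread. */
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    /** Stand-in for HttpSession: outlives one request and is shared by all workers. */
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    /** The login action: records the user in the session and binds it to the thread. */
    static void loginAction(Session session, String user) {
        session.attrs.put("user", user);
        CALLER.set(user);
    }

    /** Any later action that asks the thread-bound association who is calling. */
    static String protectedAction() {
        return CALLER.get();
    }

    /**
     * Filter-style fix: rebind the caller from the session before the action runs and
     * clear the thread in finally, so a pooled thread never carries one request's
     * identity into the next request it happens to serve.
     */
    static String withRequestScopedIdentity(Session session, Supplier<String> action) {
        String user = (String) session.attrs.get("user");
        if (user != null) {
            CALLER.set(user);
        }
        try {
            return action.get();
        } finally {
            CALLER.remove();
        }
    }

    /** What the logged-in session's second request and a never-logged-in session's request see. */
    static final class Outcome {
        final String secondRequest;
        final String anonymousRequest;
        Outcome(String secondRequest, String anonymousRequest) {
            this.secondRequest = secondRequest;
            this.anonymousRequest = anonymousRequest;
        }
    }

    /** Two single-thread executors play two workers of the container's pool. */
    static Outcome runScenario(boolean useFilter) throws Exception {
        ExecutorService workerA = Executors.newSingleThreadExecutor();
        ExecutorService workerB = Executors.newSingleThreadExecutor();
        try {
            Session alice = new Session();
            Session anonymous = new Session();
            Callable<String> loginRequest;
            Callable<String> secondRequest;
            Callable<String> anonymousRequest;
            if (useFilter) {
                loginRequest = () -> withRequestScopedIdentity(alice, () -> {
                    loginAction(alice, "alice");
                    return null;
                });
                secondRequest = () -> withRequestScopedIdentity(alice, ThreadBoundIdentityDemo::protectedAction);
                anonymousRequest = () -> withRequestScopedIdentity(anonymous, ThreadBoundIdentityDemo::protectedAction);
            } else {
                loginRequest = () -> { loginAction(alice, "alice"); return null; };
                secondRequest = ThreadBoundIdentityDemo::protectedAction;
                anonymousRequest = ThreadBoundIdentityDemo::protectedAction;
            }
            workerA.submit(loginRequest).get();                 // request 1: login on worker A
            String second = workerB.submit(secondRequest).get(); // request 2: same session, worker B
            String anon = workerA.submit(anonymousRequest).get(); // unrelated session, worker A again
            return new Outcome(second, anon);
        } finally {
            workerA.shutdownNow();
            workerB.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        Outcome naive = runScenario(false);
        System.out.println("no filter:   second=" + naive.secondRequest + " anonymous=" + naive.anonymousRequest);
        Outcome fixed = runScenario(true);
        System.out.println("with filter: second=" + fixed.secondRequest + " anonymous=" + fixed.anonymousRequest);
    }
}
```

Run it with `java ThreadBoundIdentityDemo.java` (Java 11 or later). The remove() in finally is the part the posted workarounds lack: reauthenticating at the start of each request fixes the "next request looks logged out" half of the problem, but only clearing the thread at the end fixes the other half, where a request with no login at all inherits whatever identity the worker thread last carried.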
[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB
Hi Scott,

Could you please show a little example for this?

Thanks
Martin

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3848534#3848534
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3848534
[JBoss-user] [Security & JAAS/JBoss] - Re: Problems with JAAS authentication and Struts/EJB
Then something between the point of the LoginContext.login and the SecurityAssociation.getSubject() showing null is clearing the SecurityAssociation. A common source of this is trying to use the RMIAdaptor from JNDI in the context of the invocation. The RMIAdaptor cannot be used like this because it clears the caller identity. You need to use the MBeanServer directly if that is what is happening.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3847912#3847912
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3847912