Re: [JBoss-user] Tomcat & JBoss Security
I think that this is all explained in the manual. See the JAAS "how to" for an explanation and example:
http://www.jboss.org/documentation/HTML/ch13s70.html

----- Original Message -----
From: "storck" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 11, 2001 7:36 AM
Subject: [JBoss-user] Tomcat & JBoss Security

> I have a problem.
>
> How can I achieve that JBoss uses a database like MySql as
> user/role-management?
> How can I achieve that Tomcat uses a database like MySql as
> user/role-management?
> How do I achieve that both work together?
>
> Thanks!

___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] Tomcat & JBoss Security
Look at the paper by Scott Stark: http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas_p.html

For JBoss, write your own ServerLoginModule or try to use DatabaseServerLoginModule; look at the examples at the end of the paper.

Annegret

> -----Original Message-----
> From: storck [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 11 October 2001 15:36
> To: [EMAIL PROTECTED]
> Subject: [JBoss-user] Tomcat & JBoss Security
>
> I have a problem.
>
> How can I achieve that JBoss uses a database like MySql as
> user/role-management?
> How can I achieve that Tomcat uses a database like MySql as
> user/role-management?
> How do I achieve that both work together?
>
> Thanks!
[JBoss-user] Tomcat & JBoss Security
I have a problem.

How can I achieve that JBoss uses a database like MySql as user/role-management?
How can I achieve that Tomcat uses a database like MySql as user/role-management?
How do I achieve that both work together?

Thanks!
[JBoss-user] Tomcat JBoss security integration - problems resolved
Dain,

Thanks for your clear instructions and the custom security interceptor that you provided. By following your example I now have my Tomcat security successfully drawing off the user.properties and roles.properties I have configured jBoss with, and can log on either at the JSP layer or via a client that goes straight to the beans seamlessly.

Long live open source ;-) (I continue my new crusade to get this message across to my bosses and our customers).

Thanks also to the other responders on the mailing list (there aren't many lists with this level of traffic I'd want to keep receiving, but I guess I'll stick around a while on this one),

Pete

--
Pete Bennett (mailto:[EMAIL PROTECTED])
Principal Architect, Synomics Ltd.
http://www.synomics.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ivan Bolcina
Sent: 03 May 2001 09:17
To: '[EMAIL PROTECTED]'
Subject: RE: [JBoss-user] Tomcat JBoss security integration How-to

Hello.

I have trouble integrating jboss and tomcat. I have set up JAAS on jboss, written a client which uses JAAS to get the initial context, and it works ok. How do I connect from JSP pages? Why can't I use "Context ctx=new InitialContext()"? If you have a working setup of the "conf" directory on "jboss" and the "conf" stuff in tomcat, can you PLEASE post them here (maybe also application.xml and ejb-jar.xml). I think it would be useful to a lot of people.

bye and thanx,
ivan bolcina

-----Original Message-----
From: Dain Sundstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 5:57 AM
To: '[EMAIL PROTECTED]'
Subject: [JBoss-user] Tomcat JBoss security integration How-to

Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the Tomcat and JBoss security systems, or to configure the Tomcat JDBCRealm and the JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to set up this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext
   Here is the ant target I use.

2. Secure your EJBs.
   a. ejb-jar.xml: mark your EJBs as protected.
      user YourBean *
   b. jboss.xml: set the authentication and authorization manager.
      Standard CMP EntityBean java:/jaas/other java:/jaas/other YourBean Standard CMP EntityBean

3. Secure your WAR (web.xml)
   util /protected/* user FORM /login.jsp /login.jsp

4. Set up Tomcat
   a. Add the interceptor to server.xml immediately before the LoadOnStartupInterceptor.
   b. Comment out all other security interceptors (SimpleRealm, JbossRealm, JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancements, please email me.

-Dain Sundstrom

[...]
RE: [JBoss-user] Tomcat JBoss security integration How-to
Hello.

I have trouble integrating jboss and tomcat. I have set up JAAS on jboss, written a client which uses JAAS to get the initial context, and it works ok. How do I connect from JSP pages? Why can't I use "Context ctx=new InitialContext()"? If you have a working setup of the "conf" directory on "jboss" and the "conf" stuff in tomcat, can you PLEASE post them here (maybe also application.xml and ejb-jar.xml). I think it would be useful to a lot of people.

bye and thanx,
ivan bolcina

-----Original Message-----
From: Dain Sundstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 03, 2001 5:57 AM
To: '[EMAIL PROTECTED]'
Subject: [JBoss-user] Tomcat JBoss security integration How-to

Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the Tomcat and JBoss security systems, or to configure the Tomcat JDBCRealm and the JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to set up this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext
   Here is the ant target I use.

2. Secure your EJBs.
   a. ejb-jar.xml: mark your EJBs as protected.
      user YourBean *
   b. jboss.xml: set the authentication and authorization manager.
      Standard CMP EntityBean java:/jaas/other java:/jaas/other YourBean Standard CMP EntityBean

3. Secure your WAR (web.xml)
   util /protected/* user FORM /login.jsp /login.jsp

4. Set up Tomcat
   a. Add the interceptor to server.xml immediately before the LoadOnStartupInterceptor.
   b. Comment out all other security interceptors (SimpleRealm, JbossRealm, JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancements, please email me.

-Dain Sundstrom

[...]
[JBoss-user] Tomcat JBoss security integration How-to
Recently, I have seen several posts asking how to integrate Tomcat and JBoss security. The current JBossRealm requires you to add users to both the Tomcat and JBoss security systems, or to configure the Tomcat JDBCRealm and the JBoss DatabaseServerLoginModule to point to the same database table. This is all a big pain, so I wrote a new Tomcat interceptor which performs authentication and authorization via the JBoss JAAS code. The steps required to set up this interceptor follow.

1. Create the jar
   a. Copy the code (later in message) onto your machine. You can change the package if you like.
   b. Compile (requires servlet.jar webserver.jar jaas.jar jboss-jaas.jar jbosssx.jar)
   c. Jar it
   d. Copy it to jboss/lib/ext
   Here is the ant target I use.

2. Secure your EJBs.
   a. ejb-jar.xml: mark your EJBs as protected.
      user YourBean *
   b. jboss.xml: set the authentication and authorization manager.
      Standard CMP EntityBean java:/jaas/other java:/jaas/other YourBean Standard CMP EntityBean

3. Secure your WAR (web.xml)
   util /protected/* user FORM /login.jsp /login.jsp

4. Set up Tomcat
   a. Add the interceptor to server.xml immediately before the LoadOnStartupInterceptor.
   b. Comment out all other security interceptors (SimpleRealm, JbossRealm, JDBCRealm).

5. Add your users to JBoss

I hope I didn't leave out any steps. If you find any bugs or have any enhancements, please email me.

-Dain Sundstrom

package com.hypothermic.security;

import org.apache.tomcat.core.Request;
import org.apache.tomcat.core.Response;
import org.apache.tomcat.core.Context;
import org.apache.tomcat.util.SecurityTools;
import org.apache.tomcat.core.BaseInterceptor;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.UsernamePasswordHandler;
import javax.servlet.http.HttpSession;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import java.util.HashSet;
import java.util.Hashtable;

/**
 * Integrates Tomcat and JBoss security by redirecting Tomcat authentication and
 * authorization calls to the JBoss JAAS code.
 * @author Dain Sundstrom
 */
public class HypothermicRealm extends BaseInterceptor {
    private String subjectKey = "j_subject";
    private String loginContextName = "other";

    /**
     * The key that is used to store the Subject in the session attributes.
     * @param subjectKey the key
     */
    public void setSubjectKey(String subjectKey) {
        this.subjectKey = subjectKey;
    }

    /**
     * The name used by JAAS during login for determining the SPI (the login configuration entry).
     * @param loginContextName the name
     */
    public void setLoginContextName(String loginContextName) {
        this.loginContextName = loginContextName;
    }

    /**
     * Authenticates the user using the JBoss JAAS code.
     * @param request the request
     * @param response the response
     */
    public int authenticate(Request request, Response response) {
        HttpSession session = request.getSession(true);
        session.removeAttribute(subjectKey);

        // get the username and password
        Hashtable credentials = getCredentials(request);
        String username = (String) credentials.get("username");
        String password = (String) credentials.get("password");

        if (username != null && password != null) {
            try {
                // attempt to login via JAAS
                CallbackHandler handler = new UsernamePasswordHandler(username, password.toCharArray());
                LoginContext loginContext = new LoginContext(loginContextName, handler);
                loginContext.login(
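As an added example (this is not Dain's interceptor and not JBoss's code), the JAAS path the interceptor delegates to, reduced to plain JDK APIs so it compiles and runs on its own: a stand-in UsernamePasswordHandler, a login module whose user and role tables are constructed in the shape of users.properties and roles.properties, a programmatic equivalent of the "other" entry in auth.conf, and the authenticate and authorize steps. Assumes Java 11 or later; the class names PropertiesLoginModule, SimplePrincipal and RolePrincipal, the sample users and the role names are the example's own.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Example stand-in for org.jboss.security.auth.UsernamePasswordHandler: answers the name and password callbacks. */
class UsernamePasswordHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    UsernamePasswordHandler(String username, char[] password) { this.username = username; this.password = password; }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            else throw new UnsupportedCallbackException(cb);
        }
    }
}

/** Named principal for the user; RolePrincipal plays the part of the members of JBoss's "Roles" group. */
class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
    public int hashCode() { return name.hashCode(); }
    public boolean equals(Object o) { return o != null && o.getClass() == getClass() && name.equals(((SimplePrincipal) o).name); }
}
class RolePrincipal extends SimplePrincipal { RolePrincipal(String name) { super(name); } }

/** Login module backed by in-memory tables shaped like users.properties and roles.properties. */
public class PropertiesLoginModule implements LoginModule {
    // Constructed sample store for this example; a deployment would read the properties files or a database.
    static final Map<String, String> USERS = Map.of("dug", "dug", "guest", "guest");
    static final Map<String, Set<String>> ROLES = Map.of("dug", Set.of("user", "tomcat"), "guest", Set.of("guest"));
    /** Programmatic equivalent of the "other" entry in auth.conf, pointing at this module. */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"other".equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(PropertiesLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };
    private Subject subject;
    private CallbackHandler handler;
    private String username;   // set only once login() has verified the password
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("cannot obtain credentials: " + e); }
        String expected = USERS.get(nc.getName());
        char[] given = pc.getPassword();
        pc.clearPassword();
        // Unknown user and wrong password fail identically, so the failure does not reveal which it was.
        if (expected == null || given == null || !expected.equals(new String(given))) throw new FailedLoginException("bad username or password");
        username = nc.getName();
        return true;
    }
    public boolean commit() {
        if (username == null) return false;
        subject.getPrincipals().add(new SimplePrincipal(username));   // what getCallerPrincipal() later reports
        for (String role : ROLES.getOrDefault(username, Set.of())) subject.getPrincipals().add(new RolePrincipal(role));
        return true;
    }
    public boolean abort() { username = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    /** The interceptor's authenticate step: run the "other" login configuration and return the populated Subject. */
    static Subject authenticate(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("other", null, new UsernamePasswordHandler(user, password), CONFIG);
        lc.login();
        return lc.getSubject();
    }
    /** The authorize step: does the Subject hold any role that a web.xml security-constraint names? */
    static boolean authorize(Subject s, String... requiredRoles) {
        Set<RolePrincipal> held = s.getPrincipals(RolePrincipal.class);
        for (String r : requiredRoles) if (held.contains(new RolePrincipal(r))) return true;
        return false;
    }
    public static void main(String[] args) throws LoginException {
        Subject dug = authenticate("dug", "dug".toCharArray());
        System.out.println(dug.getPrincipals() + " -> role user: " + authorize(dug, "user") + ", role admin: " + authorize(dug, "admin"));
        try { authenticate("dug", "wrong".toCharArray()); } catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The Subject that authenticate() returns is what the interceptor keeps in the session under its subjectKey, and authorize() is the check the web.xml role-name drives.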
Re: [JBoss-user] Tomcat jBoss security
It would help a lot if the JbossRealm line occurred AFTER both the simple realm and the commented-out JDBC realm sample. That way, if newbies try to set up the JDBCRealm, we are less likely to hear from them on this list.

Now I will be quiet. :-)

Darrin

"Scott M Stark" <[EMAIL PROTECTED]> writes:

> The bundled config uses the org.apache.tomcat.request.SimpleRealm as
> there is no meaningful default setup for the org.apache.tomcat.request.JDBCRealm
Re: [JBoss-user] Tomcat jBoss security
The bundled config uses the org.apache.tomcat.request.SimpleRealm as there is no meaningful default setup for the org.apache.tomcat.request.JDBCRealm.

----- Original Message -----
From: "root" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 18, 2001 12:16 PM
Subject: Re: [JBoss-user] Tomcat jBoss security

> FWIW, this is not the way it is set up in the preconfigured JBoss
> 2.2/Tomcat 3.2.1 distro. Probably worth sticking in bugzilla.
>
> Darrin
>
> "Scott M Stark" <[EMAIL PROTECTED]> writes:
>
> > The JavaPetStore example uses JDBCRealm and JbossRealm successfully. The order
> > of JDBCRealm and JbossRealm in the server.xml is significant and JbossRealm must
> > follow JDBCRealm.
Re: [JBoss-user] Tomcat jBoss security
FWIW, this is not the way it is set up in the preconfigured JBoss 2.2/Tomcat 3.2.1 distro. Probably worth sticking in bugzilla.

Darrin

"Scott M Stark" <[EMAIL PROTECTED]> writes:

> The JavaPetStore example uses JDBCRealm and JbossRealm successfully. The order
> of JDBCRealm and JbossRealm in the server.xml is significant and JbossRealm must
> follow JDBCRealm.
>
> ----- Original Message -----
> From: "Dug" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 17, 2001 9:34 AM
> Subject: RE: [JBoss-user] Tomcat jBoss security
>
> > Have you actually managed to get the servlet --> bean security working?
> >
> > Dug
RE: [JBoss-user] Tomcat jBoss security
Thanks for the help. Changing the order so that JbossRealm followed JDBCRealm did the trick.

Thanks again

Dug

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
> Sent: 17 April 2001 20:17
> To: [EMAIL PROTECTED]
> Subject: Re: [JBoss-user] Tomcat jBoss security
>
> The JavaPetStore example uses JDBCRealm and JbossRealm successfully. The order
> of JDBCRealm and JbossRealm in the server.xml is significant and JbossRealm must
> follow JDBCRealm.
>
> ----- Original Message -----
> From: "Dug" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 17, 2001 9:34 AM
> Subject: RE: [JBoss-user] Tomcat jBoss security
>
> > Have you actually managed to get the servlet --> bean security working?
> >
> > Dug
Re: [JBoss-user] Tomcat jBoss security
The JavaPetStore example uses JDBCRealm and JbossRealm successfully. The order of JDBCRealm and JbossRealm in the server.xml is significant and JbossRealm must follow JDBCRealm.

----- Original Message -----
From: "Dug" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 17, 2001 9:34 AM
Subject: RE: [JBoss-user] Tomcat jBoss security

> Have you actually managed to get the servlet --> bean security working?
>
> Dug
RE: [JBoss-user] Tomcat jBoss security
Yes, I am also getting much thinner on top with this problem.

I have tried using the JbossRealm AND my version of JDBCRealm (as well as the original) with the same effect (bean gets Principal=null).

I think my web.xml is set up correctly:

http://java.sun.com/j2ee/dtds/web-app_2_2.dtd
Simple Webapp
Protected Area /main/* DELETE GET POST PUT
tomcat role1
FORM Example Form-Based Authentication Area /login/login.html /login/error.html

Can you spot any mistakes/omissions?

When I add the JDBCRealm (my own or the original) to server.xml I get my login form and the authentication works. In my auth.conf I have set 'other' to org.jboss.security.plugins.samples.DatabaseServerLoginModule which uses the same database. This all works when called directly by a client (with a callback).

I have looked at the source for org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(MethodInvocation mi, boolean home). This gets the principal from the MethodInvocation that is passed in, which from the reported error is null. From looking through the source, this appears to be set with the values from the static SecurityAssociation class, which is set in the JbossRealm authentication code. I am wondering if either the principal is getting reset or if Tomcat and the beans are loaded using different classloaders.

Have you actually managed to get the servlet --> bean security working?

Dug

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Darrin Thompson
> Sent: 17 April 2001 17:56
> To: [EMAIL PROTECTED]
> Subject: Re: [JBoss-user] Tomcat jBoss security
>
> I about tore my hair out on this. I think the correct thing to do is have
> the JbossRealm entry activated in server.xml, the jdbcrealm entry also
> active, and the simplerealm entry commented out. I'm working through the
> same problem presently so I might be wrong on this. Also, make sure you
> have web.xml set up properly. You could put the simplerealm back into
> server.xml to make sure that your web.xml is configured right. That works
> reliably from tomcat-users.xml and is easy to dink with. I think you
> should have to do zero security coding in your servlet if you get all the
> configuration right. So no callbacks. That should all be handled before
> your code is ever reached. Someone correct if I am wrong.
>
> Darrin
>
> On 4/17/01, 10:18:49 AM, Dug <[EMAIL PROTECTED]> wrote regarding [JBoss-user] Tomcat jBoss security:
>
> > I am writing an application in which the beans need to use the caller's
> > Principal (from sessionContext.getCallerPrincipal()).
> >
> > I intend to use the beans from Java clients and from servlets. I have had
> > success with the Java clients but not from the servlets.
> >
> > For the Java clients I needed to set up a CallbackHandler to supply the
> > username and password to the beans. Is this necessary for servlets?
> >
> > I have tried various changes in Tomcat's server.xml. Using the JbossRealm by
> > including in server.xml, no login challenge is issued.
> >
> > I tried the JDBCRealm which issued a login challenge which worked, but the
> > caller principal was not passed to jBoss. Looking through the JbossRealm and
> > JDBCRealm source I noticed that JbossRealm included this code
> >
> >     SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
> >     String pw=(String)cred.get("password");
> >     if (null != pw)
> >         SecurityAssociation.setCredential( pw.toCharArray() );
> >
> > which does not exist in the JDBCRealm. I copied the JDBCRealm to my
> > own package and added the above code to the authenticate method. Using
> > debugging information I confirmed that this was being called and the
> > principal being set in the SecurityAssociation correctly. The beans however
> > get a null Principal. The log from jboss reads:
> >
> > [...]
Re: [JBoss-user] Tomcat jBoss security
That is correct. The JbossRealm is simply taking the Tomcat user credentials and propagating them to JBoss. There has to be a Tomcat security realm that acquires the user credentials.

----- Original Message -----
From: "Darrin Thompson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 17, 2001 8:55 AM
Subject: Re: [JBoss-user] Tomcat jBoss security

I about tore my hair out on this. I think the correct thing to do is have the JbossRealm entry activated in server.xml, the jdbcrealm entry also active, and the simplerealm entry commented out. I'm working through the same problem presently so I might be wrong on this. Also, make sure you have web.xml set up properly. You could put the simplerealm back into server.xml to make sure that your web.xml is configured right. That works reliably from tomcat-users.xml and is easy to dink with. I think you should have to do zero security coding in your servlet if you get all the configuration right. So no callbacks. That should all be handled before your code is ever reached. Someone correct if I am wrong.

Darrin
Re: [JBoss-user] Tomcat jBoss security
I about tore my hair out on this. I think the correct thing to do is have the JbossRealm entry activated in server.xml, the jdbcrealm entry also active, and the simplerealm entry commented out. I'm working through the same problem presently so I might be wrong on this. Also, make sure you have web.xml set up properly. You could put the simplerealm back into server.xml to make sure that your web.xml is configured right. That works reliably from tomcat-users.xml and is easy to dink with. I think you should have to do zero security coding in your servlet if you get all the configuration right. So no callbacks. That should all be handled before your code is ever reached. Someone correct if I am wrong.

Darrin

On 4/17/01, 10:18:49 AM, Dug <[EMAIL PROTECTED]> wrote regarding [JBoss-user] Tomcat jBoss security:

> I am writing an application in which the beans need to use the caller's
> Principal (from sessionContext.getCallerPrincipal()).
>
> I intend to use the beans from Java clients and from servlets. I have had
> success with the Java clients but not from the servlets.
>
> For the Java clients I needed to set up a CallbackHandler to supply the
> username and password to the beans. Is this necessary for servlets?
>
> I have tried various changes in Tomcat's server.xml. Using the JbossRealm by
> including in server.xml, no login challenge is issued.
>
> I tried the JDBCRealm which issued a login challenge which worked, but the
> caller principal was not passed to jBoss. Looking through the JbossRealm and
> JDBCRealm source I noticed that JbossRealm included this code
>
>     SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
>     String pw=(String)cred.get("password");
>     if (null != pw)
>         SecurityAssociation.setCredential( pw.toCharArray() );
>
> which does not exist in the JDBCRealm. I copied the JDBCRealm to my
> own package and added the above code to the authenticate method. Using
> debugging information I confirmed that this was being called and the
> principal being set in the SecurityAssociation correctly. The beans however
> get a null Principal. The log from jboss reads:
>
> [EmbeddedTomcat] Authenticating
> [EmbeddedTomcat] user dug passwd dug
> 2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Authentication successful for user dug
> 2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Auth ok, user=dug
> 2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Controled access for dug R( /simple + /main + null) Ct ( )
> 2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: JDBCRealm.roles: SELECT role FROM roles WHERE PrincipalID = ?
> 2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Auth ok, first role=tomcat
> [SimpleSession] Authentication exception, principal=null
> 2001-04-17 05:16:54 - Ctx( /simple ): IOException in: R( /simple + /servlet/com.easyejb.test.SimpleServlet + null) checkSecurityAssociation; nested exception is : java.lang.SecurityException: Authentication exception
>
> I am using jboss with embedded tomcat 2.2 running on NT using the sun 1.3 JDK.
>
> Any help would be most appreciated
>
> Dug
[JBoss-user] Tomcat jBoss security
I am writing an application in which the beans need to use the caller's Principal (from sessionContext.getCallerPrincipal()).

I intend to use the beans from Java clients and from servlets. I have had success with the Java clients but not from the servlets.

For the Java clients I needed to set up a CallbackHandler to supply the username and password to the beans. Is this necessary for servlets?

I have tried various changes in Tomcat's server.xml. Using the JbossRealm by including in server.xml, no login challenge is issued.

I tried the JDBCRealm which issued a login challenge which worked, but the caller principal was not passed to jBoss. Looking through the JbossRealm and JDBCRealm source I noticed that JbossRealm included this code

    SecurityAssociation.setPrincipal( new SimplePrincipal( user ) );
    String pw=(String)cred.get("password");
    if (null != pw)
        SecurityAssociation.setCredential( pw.toCharArray() );

which does not exist in the JDBCRealm. I copied the JDBCRealm to my own package and added the above code to the authenticate method. Using debugging information I confirmed that this was being called and the principal being set in the SecurityAssociation correctly. The beans however get a null Principal. The log from jboss reads:

[EmbeddedTomcat] Authenticating
[EmbeddedTomcat] user dug passwd dug
2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Authentication successful for user dug
2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Auth ok, user=dug
2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Controled access for dug R( /simple + /main + null) Ct ( )
2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: JDBCRealm.roles: SELECT role FROM roles WHERE PrincipalID = ?
2001-04-17 05:16:48 - ContextManager: EasyEJBRealm: Auth ok, first role=tomcat
[SimpleSession] Authentication exception, principal=null
2001-04-17 05:16:54 - Ctx( /simple ): IOException in: R( /simple + /servlet/com.easyejb.test.SimpleServlet + null) checkSecurityAssociation; nested exception is : java.lang.SecurityException: Authentication exception

I am using jboss with embedded tomcat 2.2 running on NT using the sun 1.3 JDK.

Any help would be most appreciated

Dug