RE: [JBoss-user] JAAS Security question - Getting pricipaldata...
> > This topic is indeed very confusing. Here my 2 cents
> > ( though I use it with tomcat )
>
> lol, glad to hear that, im going nuts here :-)

Happened to me too... :) But 2 weekends of code diving (recompiling the security stuff myself and adding a LOT of debug output to trace calls) helped...

> Did that, seems to work okay. Using a testclient from the
> prompt verifies that access to my ejb's is only allowed
> for the correct user/pass combo...

That's the way it works. It's good so :)

> hmmm perhaps im missing something here?! Do i have to
> specify allowed user/pass for both jetty and jBoss??
> (sure hope not :-)

It depends on what you like to have. I have a brain-dead security schema in my application (big banks are paranoid on security). I have EJBs which manage users: one session bean and a couple of entities. And my login module goes to them to authenticate/authorize. Of course those beans like to have a valid user/pass.

I solved it the following way: I created a login module just for the backend, which treats a null principal/credential as "nobody"/"nobody", and always adds the role "nobody" to every user. (Though JaasSecurityManager.java needed some patching, and I already forwarded this patch to the JBoss team. Hope to see it inside the next release.) This also allows anonymous access to beans for non-authenticated users (they shall be able, e.g., to access stock quotes), and of course login.

Then there is a separate login module (and login context) just for the web, where it authenticates against the beans (and has nobody/nobody permission on them), and after successful authentication it stores not the user name as credential (it is not a primary key in my schema), but the ID of the principal bean, and the password. After it is stored on the session somewhere, every access to beans gets those 2 things (e.g. 2/foobar) attached, and it's authenticated against the backend login module.

Unfortunately, here I had to go to the database directly, because trying to access those beans from the login module caused very deep recursion and a crash. (Maybe I'll find a way to overcome this problem.) This login module performs role mapping, and then it is stored in some kind of cache somewhere, and used on subsequent invocations.

If you have a simple setup, where you can get away with just a login name/password pair, you could use just one login module. But remember, tomcat/jetty uses the assigned roles for web access only. Role mapping/authentication happens again on every bean invocation.

I also used a simpler schema for my JUnit tests: I created a FakeLogin class, which instantiates a login context and logs me in directly with the desired user ID and password. (It goes directly to the backend login module.)

[do you have more insight into the problem now :) ?]

> Doing a session.invalidate has absolutely no effect!
> Doing a simple refresh after the invalidate will just
> bring up the page again, without prompting for user/pass!

Maybe it was cache?

> > You can also throw out any web-context login stuff, and
> > obtain login context yourselves, provide necessary
> > callbacks and call login on context.
> > (just like in java client examples)
>
> Well, that should of course work, but the other thing
> should work... (i think?!?)

it does :)

regards,
=
Konstantin Priblouda ( ko5tik ) Freelance Software developer
< http://www.pribluda.de >
< play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >

__
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/

___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
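The backend login module Konstantin describes (a null principal/credential becomes nobody/nobody, every caller gets the role "nobody", known users get their mapped role on top) together with a FakeLogin-style programmatic LoginContext, written as an added example in plain JAAS. It is not Konstantin's code and not JBoss's DatabaseServerLoginModule; the in-memory user table, the roles "Employee"/"nobody", the principal class and the application name "backend" are constructed for the demo, and a JDK 9 or later is assumed for Map.of. Run it with `java NobodyLoginModule.java`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

// Demo "backend" login module (added example, not JBoss code): a missing principal/credential
// is treated as nobody/nobody, every caller gets role "nobody", known users get their role on top.
public class NobodyLoginModule implements LoginModule {
    // Constructed user table standing in for the database / entity beans.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "nobody", "nobody");
    private static final Map<String, String> ROLES = Map.of("alice", "Employee");

    // Minimal principal; user and role principals share the class, distinguished by the type tag.
    public static final class Named implements Principal {
        private final String type, name;
        Named(String type, String name) { this.type = type; this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return type + ":" + name; }
        @Override public boolean equals(Object o) { return o instanceof Named && toString().equals(o.toString()); }
        @Override public int hashCode() { return toString().hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handler failed: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();              // null when no credential was supplied
        pc.clearPassword();
        if (name == null && pw == null) { name = "nobody"; pw = "nobody".toCharArray(); }  // anonymous caller
        String expected = name == null ? null : PASSWORDS.get(name);
        byte[] got = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
        if (pw != null) Arrays.fill(pw, '\0');
        // Constant-time compare; a real module compares password hashes, not plaintext.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), got)) {
            throw new FailedLoginException("bad user or password");
        }
        user = name;
        return true;
    }

    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new Named("user", user));
        subject.getPrincipals().add(new Named("role", "nobody"));   // everyone gets "nobody"
        String role = ROLES.get(user);
        if (role != null) subject.getPrincipals().add(new Named("role", role));
        return true;
    }

    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }

    // FakeLogin-style programmatic login: builds its own LoginContext, no servlet container involved.
    public static Subject fakeLogin(String name, String password) throws LoginException {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        NobodyLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
        CallbackHandler ch = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback)
                    ((PasswordCallback) c).setPassword(password == null ? null : password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("backend", new Subject(), ch);  // "backend": demo application name
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("alice/s3cret -> " + fakeLogin("alice", "s3cret").getPrincipals());
        System.out.println("null/null    -> " + fakeLogin(null, null).getPrincipals());
        try { fakeLogin("alice", "wrong"); }
        catch (FailedLoginException e) { System.out.println("alice/wrong  -> " + e.getMessage()); }
    }
}
```

The anonymous path is the one to watch: mapping a missing credential to a real user/password pair means the "nobody" account must exist only to carry the anonymous role, and method permissions granted to "nobody" are reachable by every unauthenticated caller, so keep that role off anything beyond public data.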
RE: [JBoss-user] JAAS Security question - Getting pricipaldata...
--- Torsten Terp <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Thanks for replying. Are you saying that the session should
> have attributes j_username and j_password? Doing a
> session.getAttributeNames() reveals none?! I have also tried
> HttpServletRequest.getRemoteUser() and
> HttpServletRequest.getUserPrincipal(); both return null !?
> Also, trying a session.invalidate() or
> response.sendError(401,"") does not seem to have any influence,
> since a refresh will refresh the page, just as if i had passed
> the user and pass? I dont quite get it!
>
> It seems as though the page isn't secured at all, but i cant
> get to it without passing user and pass? hm...

I recommend starting to read the source in the contrib/tomcat directory. Especially JBossSecurityMgrRealm.java (or like it). This will give you more insight. And maybe check your deployment descriptors...

regards,
=
Konstantin Priblouda ( ko5tik ) Freelance Software developer
< http://www.pribluda.de >
< play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >
Re: [JBoss-user] JAAS Security question - Getting pricipaldata...
I am sorry, I was not very clear. OK. I do not know about jetty. I will be tomcat specific.

First you have to force your servlet engine to authenticate your window/browser; that will force you to enter username and password. After that, it will save j_username and j_password and the link you have requested to the session. I have a feeling you are testing all these before forcing authentication from the servlet engine. I could be wrong.

I am 90% on the way to setting up an application with four roles, sixteen ejbs and tons of servlets. Scott Stark's security tutorial helped me a lot. Thanks Scott.

If you try to access the ejbs before authenticating from the servlet engine, it will throw exceptions big time. Basically you have to access your ejbs from the servlets behind your protected area.

Do not use the same name for the principal id and roles; that will confuse you more. (user employer and role employer)

hope this helps

anil
RE: [JBoss-user] JAAS Security question - Getting pricipaldata...
Hi,

Thanks for replying...

> This topic is indeed very confusing. Here my 2 cents
> ( though I use it with tomcat )

lol, glad to hear that, im going nuts here :-)

> To be able to verify user in ejb, you need to set
> security context in bean descriptor ( jboss.xml )

Did that, seems to work okay. Using a testclient from the prompt verifies that access to my ejb's is only allowed for the correct user/pass combo...

> When you do login on web context, username and password are verified
> using login context you specified in web application deployment
> descriptor. When your login module gives OK, returned principal,
> credential and role sets are stored away in tomcat ( or jetty ) and
> used primarily to check access to web URL's.

Did that, specified /xxx/* and access to any page below /xxx/ brings up the user/pass prompt window!

> When your servlet/jsp code tries access to ejb, those credentials are
> propagated to jboss, and are verified again using security settings
> specified for the beans ( and those settings are not necessarily the
> same as for web context )

hmmm perhaps im missing something here?! Do i have to specify allowed user/pass for both jetty and jBoss?? (sure hope not :-)

> To perform logout off web context, you can just invalidate current
> session.

Doing a session.invalidate has absolutely no effect! Doing a simple refresh after the invalidate will just bring up the page again, without prompting for user/pass!

> You can also throw out any web-context login stuff, and obtain login
> context yourselves, provide necessary callbacks and call login on
> context. (just like in java client examples)

Well, that should of course work, but the other thing should work... (i think?!?)

^terp
RE: [JBoss-user] JAAS Security question - Getting pricipaldata...
Hi,

Thanks for replying. Are you saying that the session should have attributes j_username and j_password? Doing a session.getAttributeNames() reveals none?! I have also tried HttpServletRequest.getRemoteUser() and HttpServletRequest.getUserPrincipal(); both return null !? Also, trying a session.invalidate() or response.sendError(401,"") does not seem to have any influence, since a refresh will refresh the page, just as if i had passed the user and pass? I dont quite get it!

It seems as though the page isn't secured at all, but i cant get to it without passing user and pass? hm...

^terp

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of awc
> Sent: Sunday, July 01, 2001 11:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [JBoss-user] JAAS Security question - Getting pricipaldata...
>
> According to servlet spec 2.2, the username is j_username and the password
> is j_password. On tomcat this is saved to the user session with the same
> name. I guess jetty does the same thing, I do not know. I have not used
> jetty. On log out you can do like response.sendError(401,"blabla"). That
> should redirect to the login window which clears the j_username and
> j_password, or you can invalidate the session and sendError(..). That
> depends on what you wanted to do; if you like to keep the session
> variables and elevate the user's login role you cannot invalidate the
> session.
>
> anil
>
> Torsten Terp wrote:
>
> > Hi,
> >
> > Im just starting to use the Jaas SecurityManager in my app.
> > (JBoss-2.2.2_Jetty-3.1.RC5 release).
> >
> > Im using the DatabaseServerLoginModule, and it works quite well.
> > When i go to my app in the browser i get the login screen, and
> > username and password get verified. This principal data is used
> > by jBoss to verify access on my EJBs, great!
> >
> > Now i would like to save the name of the user who has logged
> > on to the app, and also need to log the user out when the logout
> > button is pressed. How do i do this? I.e., how do i get to the
> > LoginContext or Subject in my ejb code, do i go through the
> > JaasSecurityManager mbean?? I have a feeling this is a stupid
> > question, but it has confused me a bit :-(
> >
> > Thanks...
> >
> > ^terp
Re: [JBoss-user] JAAS Security question - Getting pricipaldata...
> Im using the DatabaseServerLoginModule, and it works quite well.
> When i go to my app in the browser i get the login screen, and
> username and password get verified. This principal data is used
> by jBoss to verify access on my EJBs, great!
>
> Now i would like to save the name of the user who has logged
> on to the app, and also need to log the user out when the logout
> button is pressed. How do i do this? I.e., how do i get to the
> LoginContext or Subject in my ejb code, do i go through the
> JaasSecurityManager mbean?? I have a feeling this is a stupid
> question, but it has confused me a bit :-(

This topic is indeed very confusing. Here my 2 cents (though I use it with tomcat).

To be able to verify the user in an ejb, you need to set the security context in the bean descriptor (jboss.xml).

When you do login on the web context, username and password are verified using the login context you specified in the web application deployment descriptor. When your login module gives OK, the returned principal, credential and role sets are stored away in tomcat (or jetty) and used primarily to check access to web URLs.

When your servlet/jsp code tries to access an ejb, those credentials are propagated to jboss, and are verified again using the security settings specified for the beans (and those settings are not necessarily the same as for the web context).

To perform logout off the web context, you can just invalidate the current session.

You can also throw out any web-context login stuff, obtain the login context yourselves, provide the necessary callbacks and call login on the context (just like in the java client examples).

regards,
=
Konstantin Priblouda ( ko5tik ) Freelance Software developer
< http://www.pribluda.de >
< play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >
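The descriptor chain the reply above refers to (web tier constraint and login config, web and EJB tiers bound to one JAAS security domain, EJB method permissions re-checked on every call), as an added example and not configuration from the thread or from the JBoss distribution. The application name "myapp", the bean "Quotes", the roles "Employee" and "nobody" (the anonymous role of the backend scheme described later in the thread), the URL pattern /xxx/* and the SQL in the DatabaseServerLoginModule options are constructed; the jboss-web.xml and jboss.xml element names and the module option names are taken from JBoss 2.x/3.x-era documentation and should be checked against the DTDs of the release in use.

```xml
<!-- web.xml (servlet 2.2): the web tier protects /xxx/* and asks for BASIC auth -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured pages</web-resource-name>
      <url-pattern>/xxx/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Employee</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myapp</realm-name>
  </login-config>
  <security-role><role-name>Employee</role-name></security-role>
</web-app>

<!-- jboss-web.xml: bind the web tier to the JAAS application "myapp" (element name assumed from JBoss 2.x/3.x docs) -->
<jboss-web>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss-web>

<!-- ejb-jar.xml (EJB 1.1): the EJB tier re-checks roles on every invocation; "nobody" is the anonymous role -->
<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>nobody</role-name></security-role>
    <security-role><role-name>Employee</role-name></security-role>
    <method-permission>
      <role-name>nobody</role-name>
      <role-name>Employee</role-name>
      <method><ejb-name>Quotes</ejb-name><method-name>getQuote</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>Employee</role-name>
      <method><ejb-name>Quotes</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml: the same domain for the beans, so one login module answers both tiers.
     That module is named in auth.conf (JAAS login configuration syntax, not XML):
       myapp {
         org.jboss.security.auth.spi.DatabaseServerLoginModule required
           dsJndiName="java:/DefaultDS"
           principalsQuery="select Password from Principals where PrincipalID=?"
           rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?";
       };
-->
<jboss>
  <security-domain>java:/jaas/myapp</security-domain>
</jboss>
```

Because both tiers point at the same domain, the user/password table lives in one place (the login module's queries) and does not have to be duplicated for jetty and JBoss; what can differ is which roles each tier demands. A caveat for the logout question raised in this thread: with BASIC auth the browser keeps the Authorization header and resends it on every request, so invalidating the server-side session does not by itself make the browser prompt again.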
Re: [JBoss-user] JAAS Security question - Getting pricipaldata...
According to servlet spec 2.2, the username is j_username and the password is j_password. On tomcat this is saved to the user session with the same name. I guess jetty does the same thing, I do not know. I have not used jetty.

On log out you can do like response.sendError(401,"blabla"). That should redirect to the login window which clears the j_username and j_password, or you can invalidate the session and sendError(..). That depends on what you wanted to do; if you like to keep the session variables and elevate the user's login role you cannot invalidate the session.

anil

Torsten Terp wrote:
> Hi,
>
> Im just starting to use the Jaas SecurityManager in my app.
> (JBoss-2.2.2_Jetty-3.1.RC5 release).
>
> Im using the DatabaseServerLoginModule, and it works quite well.
> When i go to my app in the browser i get the login screen, and
> username and password get verified. This principal data is used
> by jBoss to verify access on my EJBs, great!
>
> Now i would like to save the name of the user who has logged
> on to the app, and also need to log the user out when the logout
> button is pressed. How do i do this? I.e., how do i get to the
> LoginContext or Subject in my ejb code, do i go through the
> JaasSecurityManager mbean?? I have a feeling this is a stupid
> question, but it has confused me a bit :-(
>
> Thanks...
>
> ^terp