Re: [JBoss-user] JAAS Tutorial for Jetty??
Hi Julian,

Well, it looks like the main thing I would need is to figure out how to add the equivalent to a tomcat Request Interceptor to Jetty. All of the Tomcat examples seem to use this as a way of binding the Tomcat Realm to a JBoss realm. Below is an excerpt from an earlier message describing how to do this for tomcat. Is there a similar configuration we can do with Jetty?

Thanks,
Joel

## To integrate the security with tomcat as well;

Get the cvs download and copy contrib/tomcat/tomcat-service.jar to jboss2.2/lib/ext (there is a bug in the 2.2 distribution)

Edit the tomcat/conf/server.xml file

    <RequestInterceptor
        className="org.apache.tomcat.request.JDBCRealm"
        debug="99"
        driverName="org.hsql.jdbcDriver"
        connectionURL="jdbc:HypersonicSQL:hsql://localhost:1476"
        connectionName="sa"
        connectionPassword=""
        userTable="principals"
        userNameCol="PrincipalID"
        userCredCol="password"
        userRoleTable="roles"
        roleNameCol="role" />

    <RequestInterceptor className="org.jboss.tomcat.security.JbossRealm" />

--- Julian Gosnell [EMAIL PROTECTED] wrote:

If you let me know exactly what you expect from JBoss-Jetty in this respect, I'll look at getting it into the next release.

Jules

Joel Boehland wrote:

Hi--

I have seen the response to this question, and it seems the path is fairly clear for using JAAS + tomcat + JBoss, but I was wondering if anyone has also done this with JAAS + Jetty + JBoss... anyone??

Thanks,
Joel

--- John P. Coffey [EMAIL PROTECTED] wrote:

I'm very new at using JBoss and my first task is to attempt to secure an existing set of EJB beans via roles and users. I intend using a database to store these in.

___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] JAAS Tutorial
See

JAAS Based Security in JBoss: http://www.jboss.org/documentation/HTML/ch11s78.html
JBossSX Security Extension Framework: http://www.jboss.org/documentation/HTML/ch09.html

- Original Message -
From: John P. Coffey [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 28, 2001 1:25 AM
Subject: [JBoss-user] JAAS Tutorial

I'm very new at using JBoss and my first task is to attempt to secure an existing set of EJB beans via roles and users. I intend using a database to store these in.

I am looking for a good starting point. I spent an inordinate amount of time looking for a step by step guide on how to enable the JBOSS server right out of the zip (so to speak) with the JAAS extensions. I have only been partially successful in identifying the steps required.

Here is why I am confused. It seems like JBossSX is the part of the product, however it looks like this is separate code that one downloads as per the CVS source code (it is specified as a separate JBoss Project from the home page).

I eventually tracked down a HowTo on the Security Walk Through - first cut, however the LoginModules and CD sample that are referenced are nowhere to be found in the vanilla off the shelf install. Where should I find these pieces to the puzzle and how can I build them?

Does anybody out there have some examples on how to do this? An updated version of this howto would be invaluable.

Any help on this matter would be greatly appreciated.

John Coffey
Pingtel Corporation
RE: [JBoss-user] JAAS Tutorial
There are a few things you need to do:

I have not tried this with 2.2.1 but from the jboss-tomcat-2.2 download:

To secure the beans for access from a java client edit $JBOSS/conf/default/auth.conf and add this entry

    other {
        org.jboss.security.plugins.samples.DatabaseServerLoginModule required
        dsJndiName="java:/DefaultDS" principalsQuery="select Password from Principals where PrincipalID=?" rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?";
    };

Note that dsJndiName= is all one line

This is using the default datasource (if you have not changed this it will be using the hypersonic database). You will need to create two tables to supply the users/password and the roles

    create table principals (
        principalid varchar(64) primary key,
        password varchar(64)
    );

    create table roles (
        principalid varchar(64),
        role varchar(64),
        rolegroup varchar(64),
        primary key (principalid, role),
        foreign key (principalid) references principals (principalid)
    );

To add a user admin, password adm with the role administrator:

    insert into principals values ('admin', 'adm');
    insert into roles values ('admin', 'administrator', null);

You will now need to tell the container to use this security setting. In the META-INF directory for your beans add a file called jboss.xml with the following content:

    <?xml version="1.0"?>
    <jboss>
        <!-- All bean containers use this security manager by default -->
        <security-domain>java:/jaas/other</security-domain>
        <container-configurations>
            <container-configuration>
                <container-name>Standard CMP EntityBean</container-name>
                <role-mapping-manager>java:/jaas/other</role-mapping-manager>
                <authentication-module>java:/jaas/other</authentication-module>
            </container-configuration>
            <container-configuration>
                <container-name>Standard Stateless SessionBean</container-name>
                <role-mapping-manager>java:/jaas/other</role-mapping-manager>
                <authentication-module>java:/jaas/other</authentication-module>
            </container-configuration>
            <container-configuration>
                <container-name>Standard Stateful SessionBean</container-name>
                <role-mapping-manager>java:/jaas/other</role-mapping-manager>
                <authentication-module>java:/jaas/other</authentication-module>
            </container-configuration>
        </container-configurations>
    </jboss>

This overrides the default container settings telling the container to use the 'other' config that was set up in the previous step.

In your ejb-jar.xml you need to set up the method descriptions

    <assembly-descriptor>
        <!-- Declare a security role called tomcat -->
        <security-role>
            <role-name>administrator</role-name>
        </security-role>
        <!-- define the method permission for each bean. Below all the methods of
             SimpleSession and SimpleEntity are assigned the security role tomcat -->
        <method-permission>
            <role-name>administrator</role-name>
            <method>
                <ejb-name>SimpleSession</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
        <method-permission>
            <role-name>administrator</role-name>
            <method>
                <ejb-name>SimpleEntity</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
    </assembly-descriptor>

This means that all the methods on SimpleSession and SimpleEntity need the user to have a role administrator.

Your java client needs to be able to supply the username and password. This is done using a callback.
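A simple java client looks like this:

    import java.io.IOException;
    import javax.naming.InitialContext;
    import javax.rmi.PortableRemoteObject;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;

    public class SessionClient {
        // Prompt for the user name on stdin; returns null on I/O error or end of input.
        static String getUserName() {
            System.out.print("Name: ");
            try {
                byte[] buf = new byte[256];
                int read = System.in.read(buf, 0, buf.length);
                System.out.println();
                if (read < 0) {
                    return null;
                }
                return new String(buf, 0, read).trim();
            } catch (IOException ex) {
                return null;
            }
        }

        // Prompt for the password on stdin; returns null on I/O error or end of input.
        static char[] getPassword() {
            System.out.print("Password: ");
            try {
                byte[] buf = new byte[256];
                int read = System.in.read(buf, 0, buf.length);
                System.out.println();
                if (read < 0) {
                    return null;
                }
                return new String(buf, 0, read).trim().toCharArray();
            } catch (IOException ex) {
                return null;
            }
        }

        // The archived message is cut off inside getPassword(); the rest of the client is not available.
    }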
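How the pieces in the message above fit together, as an added example that is not part of the original post and is not JBoss code: a Python sketch that runs the post's principalsQuery and rolesQuery against the post's two tables (sqlite3 standing in for Hypersonic) and checks the returned roles against the method-permission entries. The `guest` user, the function names, the one-bean descriptor and the choice to deny when no role matches are assumptions of this sketch.

```python
import hmac
import sqlite3
import xml.etree.ElementTree as ET

# Queries copied from the auth.conf entry in the post.
PRINCIPALS_QUERY = "select Password from Principals where PrincipalID=?"
ROLES_QUERY = "select Role, RoleGroup from Roles where PrincipalID=?"

# Constructed descriptor: the post's assembly-descriptor, shortened to one bean.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>administrator</role-name></security-role>
  <method-permission>
    <role-name>administrator</role-name>
    <method><ejb-name>SimpleSession</ejb-name><method-name>*</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

def make_db():
    """Build the post's tables and rows in memory, plus one constructed user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table principals (principalid varchar(64) primary key, password varchar(64));
        create table roles (principalid varchar(64), role varchar(64), rolegroup varchar(64),
            primary key (principalid, role),
            foreign key (principalid) references principals (principalid));
        insert into principals values ('admin', 'adm');
        insert into roles values ('admin', 'administrator', null);
        insert into principals values ('guest', 'guest');  -- constructed: user with no role
    """)
    return db

def required_roles(ejb_jar_xml, ejb_name, method_name):
    """Roles that method-permission entries grant for this bean method ('*' = all methods)."""
    roles = set()
    for perm in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        for m in perm.iter("method"):
            if m.findtext("ejb-name") == ejb_name and m.findtext("method-name") in ("*", method_name):
                roles.update(r.text for r in perm.findall("role-name"))
    return roles

def may_call(db, user, password, ejb_name, method_name):
    """Authenticate with principalsQuery, then authorize with rolesQuery and ejb-jar.xml."""
    row = db.execute(PRINCIPALS_QUERY, (user,)).fetchone()
    # The post's table holds the password as inserted, so the stored value is compared directly.
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return False  # unknown user or wrong password
    user_roles = {role for role, _group in db.execute(ROLES_QUERY, (user,))}
    # Assumption of this sketch: deny when the user holds none of the required roles.
    return bool(user_roles & required_roles(EJB_JAR, ejb_name, method_name))
```

The role string in the roles table and the role-name in ejb-jar.xml have to match exactly for a call to be allowed, which is why `guest` authenticates but is still refused.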