Re: [JBoss-user] Web Application Security Recipe?

2003-12-13 Thread Neal Sanche
Okay, makes sense, will do. Thanks for the clarification of this. I've 
always found that bit confusing.

-Neal

On December 13, 2003 01:10 am, Scott M Stark wrote:
> It's a feature of the spec that an authenticated user is not
> available via getUserPrincipal on unsecured pages. Put the user
> principal in the session and base the logic off of the existence
> of the user in the session.



---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user


Re: [JBoss-user] Web Application Security Recipe?

2003-12-12 Thread Scott M Stark
It's a feature of the spec that an authenticated user is not available
via getUserPrincipal on unsecured pages. Put the user principal in the
session and base the logic off of the existence of the user in the
session.
--

Scott Stark
Chief Technology Officer
JBoss Group, LLC

Neal Sanche wrote:

> Ah, but, if a page is *not* secured, by it being inside a declared
> security-constraint url pattern, even if the user is authenticated,
> getUserPrincipal() will return null. So you cannot have a page that
> does not require authentication yet also have features that depend on
> getUserPrincipal returning something specific (or even any role
> checks). At least that was the behaviour in previous JBoss releases.
> I guess I should test to see if it still does that. Yep, it still
> does. Try making a web app with two pages, one that requires a login
> and one that doesn't and try to getUserPrincipal() in both. Even
> after authentication, the one not protected by a security-constraint
> will return null for getUserPrincipal().
>
> Now, unless I'm missing something, like being able to declare a
> security-constraint around the entire web application that doesn't
> force a login, but allows the authentication context to be available
> from all pages... then I don't think J2EE declarative security can
> really do what I'm asking for. Unless it's something that JBoss just
> doesn't let me do. Am I making any sense? I'm really just trying to
> understand where the limitations lie. In the J2EE spec, or somewhere
> else? I'd love for you to tell me I'm missing something. :)
>
> Cheers.
>
> -Neal




Re: [JBoss-user] Web Application Security Recipe?

2003-12-12 Thread Neal Sanche
Ah, but, if a page is *not* secured, by it being inside a declared 
security-constraint url pattern, even if the user is authenticated, 
getUserPrincipal() will return null. So you cannot have a page that 
does not require authentication yet also have features that depend on 
getUserPrincipal returning something specific (or even any role 
checks). At least that was the behaviour in previous JBoss releases. 
I guess I should test to see if it still does that. Yep, it still 
does. Try making a web app with two pages, one that requires a login 
and one that doesn't and try to getUserPrincipal() in both. Even 
after authentication, the one not protected by a security-constraint 
will return null for getUserPrincipal().

Now, unless I'm missing something, like being able to declare a 
security-constraint around the entire web application that doesn't 
force a login, but allows the authentication context to be available 
from all pages... then I don't think J2EE declarative security can 
really do what I'm asking for. Unless it's something that JBoss just 
doesn't let me do. Am I making any sense? I'm really just trying to 
understand where the limitations lie. In the J2EE spec, or somewhere 
else? I'd love for you to tell me I'm missing something. :)

Cheers.

-Neal

On December 12, 2003 12:45 pm, Scott M Stark wrote:
> That is a trivial check based on whether there is an authenticated user, as
> indicated by the getUserPrincipal() method returning null. If that
> is all you want j2ee declarative security will work fine. This is
> not what I would call reauthentication as the user has not accessed
> any secured pages. When they do, they will at that point be
> authenticated and the getUserPrincipal() will return who they are.
>
> 
> Scott Stark
> Chief Technology Officer
> JBoss Group, LLC
> 
>
> Neal Sanche wrote:
> > Okay, I've seen such applications, including that on JBoss.org.
> > When you initially arrive at the site, you are 'guest' which
> > means you have been given a session, but have not authenticated.
> > Then you can 'login' and then see other features of the
> > application that weren't there when you weren't logged in. I'm
> > guessing that none of this is done with J2EE and JAAS base
> > authentication. This is simple session based stuff instead.
> >
> > I'm just wondering if J2EE security can be used to get the same
> > effect in JBoss, or not.
> >
> > -Neal
>





Re: [JBoss-user] Web Application Security Recipe?

2003-12-12 Thread Scott M Stark
That is a trivial check based on whether there is an authenticated user, as
indicated by the getUserPrincipal() method returning null. If that
is all you want j2ee declarative security will work fine. This is
not what I would call reauthentication as the user has not accessed
any secured pages. When they do, they will at that point be authenticated
and the getUserPrincipal() will return who they are.

Scott Stark
Chief Technology Officer
JBoss Group, LLC

Neal Sanche wrote:

> Okay, I've seen such applications, including that on JBoss.org. When
> you initially arrive at the site, you are 'guest' which means you
> have been given a session, but have not authenticated. Then you can
> 'login' and then see other features of the application that weren't
> there when you weren't logged in. I'm guessing that none of this is
> done with J2EE and JAAS base authentication. This is simple session
> based stuff instead.
>
> I'm just wondering if J2EE security can be used to get the same effect
> in JBoss, or not.
>
> -Neal





Re: [JBoss-user] Web Application Security Recipe?

2003-12-12 Thread Ryan Hoegg
Just use role based security.  Certain URLs can be secured by 
conventional declarative security.  You can use 
HttpServletRequest.isUserInRole("foo") in your view layer to 
conditionally display view elements based on the server roles.  When a 
user has not authenticated, he will have no role.  He will not be able 
to access any secured resources in web.xml and isUserInRole() will 
always return false.

--
Ryan Hoegg
ISIS Networks
http://www.isisnetworks.net
Neal Sanche wrote:

> Okay, I've seen such applications, including that on JBoss.org. When
> you initially arrive at the site, you are 'guest' which means you
> have been given a session, but have not authenticated. Then you can
> 'login' and then see other features of the application that weren't
> there when you weren't logged in. I'm guessing that none of this is
> done with J2EE and JAAS base authentication. This is simple session
> based stuff instead.
>
> I'm just wondering if J2EE security can be used to get the same effect
> in JBoss, or not.
>
> -Neal
>
> On December 11, 2003 11:12 am, Scott M Stark wrote:
> > Its not likely the j2ee declarative security fits here as there
> > is no notion of reauthentication, and frankly, I don't know what
> > it means here either. You would have to describe the use case in
> > more detail.






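The two suggestions in this thread (Scott's "put the user principal in the session and base the logic off its existence" and Ryan's "use isUserInRole() in the view layer") fit together in one servlet filter. The code below is an added example, not code from the thread, from JBoss, or from any of the posters. It assumes the Servlet 2.3 API, a web.xml that maps the filter to `/*` and declares a `<security-constraint>` on `/secure/*` with a FORM or BASIC `<login-config>`, and the hypothetical attribute names and role list defined at the top of the class.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/*
 * Added example (not from the thread or from JBoss). Assumed deployment:
 *   - this filter is mapped to /* in web.xml;
 *   - /secure/* carries a <security-constraint> whose <auth-constraint>
 *     names the roles in KNOWN_ROLES, plus a FORM or BASIC <login-config>;
 *   - everything else is the unconstrained "guest" area.
 */
public class SessionPrincipalFilter implements Filter {

    /** Session attribute names: hypothetical, chosen for this example. */
    static final String USER_ATTR = "example.userName";
    static final String ROLES_ATTR = "example.roleNames";
    static final String GUEST = "guest";

    /** The servlet API cannot enumerate a caller's roles, so the application
     *  must list the ones it cares about (hypothetical role names). */
    static final String[] KNOWN_ROLES = { "member", "admin" };

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal p = request.getUserPrincipal();
        // On a constrained URL the container has already authenticated the
        // caller, so the principal is present: snapshot name and roles into
        // the session. On an unconstrained URL the spec allows
        // getUserPrincipal() to return null even for a logged-in user (the
        // behaviour observed in the thread), so the snapshot is left as is.
        if (p != null) {
            Set roles = new HashSet();
            for (int i = 0; i < KNOWN_ROLES.length; i++) {
                if (request.isUserInRole(KNOWN_ROLES[i])) {
                    roles.add(KNOWN_ROLES[i]);
                }
            }
            HttpSession session = request.getSession(true);
            session.setAttribute(USER_ATTR, p.getName());
            session.setAttribute(ROLES_ATTR, roles);
        }
        chain.doFilter(req, res);
    }

    /** Name to show on any page: container principal, session copy, or guest. */
    public static String currentUser(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p != null) {
            return p.getName();
        }
        HttpSession session = request.getSession(false);
        Object cached = (session == null) ? null : session.getAttribute(USER_ATTR);
        return (cached == null) ? GUEST : (String) cached;
    }

    /** Role check usable from unsecured pages, for view decisions only:
     *  prefer the container's answer, fall back to the session snapshot. */
    public static boolean hasRole(HttpServletRequest request, String role) {
        if (request.getUserPrincipal() != null) {
            return request.isUserInRole(role);
        }
        HttpSession session = request.getSession(false);
        Set roles = (session == null) ? null : (Set) session.getAttribute(ROLES_ATTR);
        return roles != null && roles.contains(role);
    }

    /** Logout: invalidate the whole session so the cached identity dies with it. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

A guest page calls `SessionPrincipalFilter.currentUser(request)` and `hasRole(request, "member")` to decide which menu entries to render; the session copy only drives presentation. Anything that must actually be protected stays under the `/secure/*` constraint, where the container enforces the role itself, so a stale or tampered session attribute can at most show a link the container will then refuse to serve. The snapshot is refreshed every time the user hits a constrained page, and `logout()` drops the session rather than just clearing the two attributes so nothing else tied to the old identity survives.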


Re: [JBoss-user] Web Application Security Recipe?

2003-12-11 Thread Neal Sanche
Okay, I've seen such applications, including that on JBoss.org. When 
you initially arrive at the site, you are 'guest' which means you 
have been given a session, but have not authenticated. Then you can 
'login' and then see other features of the application that weren't 
there when you weren't logged in. I'm guessing that none of this is 
done with J2EE and JAAS base authentication. This is simple session 
based stuff instead.

I'm just wondering if J2EE security can be used to get the same effect 
in JBoss, or not.

-Neal

On December 11, 2003 11:12 am, Scott M Stark wrote:
> Its not likely the j2ee declarative security fits here as there
> is no notion of reauthentication, and frankly, I don't know what
> it means here either. You would have to describe the use case in
> more detail.





Re: [JBoss-user] Web Application Security Recipe?

2003-12-11 Thread Scott M Stark
Its not likely the j2ee declarative security fits here as there
is no notion of reauthentication, and frankly, I don't know what
it means here either. You would have to describe the use case in
more detail.
--

Scott Stark
Chief Technology Officer
JBoss Group, LLC

Neal Sanche wrote:

> Hi All,
>
> One of the many mysteries that I haven't yet come to understand about
> securing web applications is the following:
>
> Is it possible, with default web container security and JAAS domains,
> to allow a user to automatically log into a web application as
> 'Guest' and then at some later time allow them to log into the
> application as a registered user to unlock certain features of the
> web application based on their 'roles'.
>
> So far, I've only been able to set a web security policy on an entire
> web application, or various parts of the web application, which
> forces the user to log in, showing either a FORM login, or a BASIC
> login whenever a user hits one of these 'barriers'.
>
> Is there a way to set up JAAS so that a user's identity is assumed to
> be 'guest' until such time as the user reauthenticates?
>
> Or is the J2EE built-in security model not used for this type of
> scenario? Is a custom security model (with cookies filters) the only
> way to write this type of security?
>
> Thanks for any pointers you can give me.
>
> -Neal

