RE: How to enable UserManager support for arbitrary user...

As noted in previous posts, you wouldn't need to make a lot of what you write. The User field of HTTPSessions is undocumented BECAUSE it should (as per the spec) be transparent. Orion usually creates a session implicitly, that is, a session exists even if you still haven't authenticated. However, resource constraints require authentication, and that auth is stored for convenience reasons into HTTP sessions.

SOAP is really a good option. Apache's SOAP is based on soap4j, originally made in IBM by the same guy that did XML-RPC; Don Box, the ultimate COM evangelizer, is behind it; it is an IETF-controlled protocol (so there's less vendor lockout liability than with J2EE itself, as it's all the time under Sun's control). Anyway, I'd go for it if the services to be provided are really complicated (number of services and parameters in them), and, SOAP or not, you'd be better off constructing some proof-of-concept samples.

Here's what I'd do:

1. An initiate.jsp with two purposes:
   a. Obtain a session id
   b. Set a user's identity

(a) is accomplished by Orion automatically. In every JSP page there's a 'session' variable which holds a javax.servlet.http.HTTPSession instance (it may be a simple implementation or a clustered one, with all of Orion's HTTP session clustering features built in).

(b) is accomplished by using the RoleManager.login(username, password) method. Sample invocation:

HTTP GET:
GET /[YOURAPPPATHHERE]/initiate.jsp?username=JPLorandi&password=rambalanga

On the response header you'd get a cookie (if you don't disable them):
Set-Cookie: JSESSIONID=JGASDHUIGSAIAIHBH
(or something along these lines)

From here on, every request posted should either
(a) contain on its header a cookie field:
    Cookie: JSESSIONID=JGASDHUIGSAIAIHBH
(b) be URL rewritten (postfix to the URL): ;jsessionid=JGASDHUIGSAIAIHBH
    example: http://[YOURHOST]/[YOURAPPPATHHERE]/[a-given-action-page]?param1=somevalue;jsessionid=JGASDHUIGSAIAIHBH

No need to set form auth, but even if you want to do it, just leave initiate.jsp unprotected (i.e. not in any resource collection); both (browser-based form auth and VB client auth) will work just fine.

I hope this, although it may not solve Alex's at-hand problem, will help someone. I sure would have liked someone to give this explanation to me instead of having to decompile all of Orion to find out how the GHU"$%"@ it works.

Regards,
JP

-Original Message-
From: Alex Paransky [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 16, 2001 4:47 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

I believe we *are* using Orion/J2EE sessions. We are not doing any of our own session management stuff. All our HTTP session is done through standard J2EE interfaces. You mentioned that there is a field in the HTTPSession that we can set to tell Orion what user is using this session? Is this documented anywhere on the Orion site? If not, can you give a little more detail on this field? What type of object should be stored into this attribute?

As I understand it, after an object is stored into this "user" attribute in the session, Orion will use a UserManager to validate and retrieve group/rights information about this user for every HTTP call. So all I would have to do then is write my own custom UserManager and tell Orion to use it.

Thanks for your help, I think I am getting closer, here is what I plan to do:

1. Create a specific login .JSP page which will:
   a. validate the user
   b. create a session
   c. configure the "user" attribute to the user object
   d. return session id to the client
2. Client passes the session id on every call as a part of the URL

Again, the only part of the above which I am not sure about is 1c...

Thanks.
-AP_

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Juan Lorandi (Chile)
Sent: Monday, April 16, 2001 11:26 AM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...
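JP's two-step recipe above (let Orion hand out the session id, then set the session's identity with RoleManager.login and keep the JSESSIONID on every later call) and the plan Alex quotes, written out as servlet code. This is an added example, not code from the thread or from Orion. It assumes Orion's RoleManager is com.evermind.security.RoleManager looked up at java:comp/RoleManager (the lookup Tim posted further down the thread) and that login() returns a boolean, and it gates the protected "command" URLs with the standard servlet-request calls getUserPrincipal()/isUserInRole(), the servlet-side counterparts of the EJB-context methods Jeff mentions, on the assumption that Orion populates them once RoleManager.login has succeeded. The servlet names, the role name and the XML shape are made up for the example. Two choices differ from the GET shown above on purpose: the credentials travel in a POST body so they stay out of access logs and proxy caches, and a rejected login invalidates the session so it cannot keep an identity from an earlier login.

```java
// Added example, not from the thread or from Orion; marked lines are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.evermind.security.RoleManager;   // assumed package of Orion's RoleManager

/** JP's step 1 as an unprotected servlet instead of initiate.jsp. */
public class InitiateServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing credentials");
            return;
        }
        // (a) a session id: the container creates the session and sets JSESSIONID
        HttpSession session = req.getSession(true);
        // (b) the session's identity, through Orion's RoleManager (Tim's lookup)
        boolean ok;
        try {
            RoleManager roleMgr = (RoleManager)
                    new InitialContext().lookup("java:comp/RoleManager");
            ok = roleMgr.login(username, password);   // assumed to return boolean
        } catch (NamingException e) {
            throw new ServletException("java:comp/RoleManager not bound", e);
        }
        resp.setContentType("text/xml");
        PrintWriter out = resp.getWriter();
        if (!ok) {
            session.invalidate();   // a rejected login must not keep an earlier identity
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("<login ok=\"false\"/>");
            return;
        }
        // Hand a cookie-less client the id plus a URL already rewritten by the container
        // (encodeURL appends ;jsessionid=... only when it sees cookies are not in use).
        String next = resp.encodeURL(req.getContextPath() + "/getAccountInformation");
        out.println("<login ok=\"true\" sessionId=\"" + session.getId()
                + "\" next=\"" + xmlEscape(next) + "\"/>");
    }
    // No doGet on purpose: credentials in a query string end up in access logs.

    /** Minimal escaping so request data cannot break the XML reply. */
    static String xmlEscape(String s) {
        StringBuffer b = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '&') b.append("&amp;");
            else if (c == '<') b.append("&lt;");
            else if (c == '>') b.append("&gt;");
            else if (c == '"') b.append("&quot;");
            else b.append(c);
        }
        return b.toString();
    }
}

/** Jeff's "base action class": every protected command inherits the identity check. */
abstract class ProtectedCommandServlet extends HttpServlet {
    /** Role the command needs, or null for any authenticated caller. */
    protected String requiredRole() { return null; }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal caller = req.getUserPrincipal();   // assumed to be set by Orion after login
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login first");
            return;
        }
        String role = requiredRole();
        if (role != null && !req.isUserInRole(role)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "role " + role + " required");
            return;
        }
        resp.setContentType("text/xml");
        execute(req, resp.getWriter(), caller);
    }

    protected abstract void execute(HttpServletRequest req, PrintWriter out, Principal caller)
            throws IOException;
}

/** One of Alex's command URLs; the real lookup would go to the EJB as the caller. */
class GetAccountInformationServlet extends ProtectedCommandServlet {
    protected String requiredRole() { return "account-reader"; }   // made-up role name

    protected void execute(HttpServletRequest req, PrintWriter out, Principal caller) {
        String account = req.getParameter("account");
        out.println("<account id=\"" + InitiateServlet.xmlEscape(account == null ? "" : account)
                + "\" requestedBy=\"" + InitiateServlet.xmlEscape(caller.getName()) + "\"/>");
    }
}
```

Map InitiateServlet to a path that is in no security constraint (JP's point about leaving initiate.jsp out of every resource collection) and the command servlets to their URLs in web.xml; the client then POSTs username/password once and sends the JSESSIONID it receives on every call, by cookie or by URL rewriting.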
RE: How to enable UserManager support for arbitrary user...

And in case you don't want to mix M$ and Java (mainly because M$ is a suspect platform, given C# and the Sun suit), you might try at AlphaWorks (http://www.alphaworks.ibm.com), especially something like Caribbean (http://www.alphaworks.ibm.com/aw.nsf/frame?ReadForm/aw.nsf/techmain/DA6EC6F79B61F68B8825695400664D79).

SOAP is REALLY bloated in most implementations I've seen, slows down the server and seems to be, on the whole, rather kludgy. XML-RPC is MUCH better at this, but takes some study. Not trying to create a flame war, Jeff. Just don't trust the source of the technology, and the implementations, thus far, are not very impressive, especially in an environment like ORION. Plus, mixing VB and Java makes me feel... I dunno... ill-at-ease, to be polite?

Michael Cannon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Monday, April 16, 2001 11:12 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

-Original Message-
From: Hani Suleiman [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 16, 2001 2:07 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

> Thanks for your help, I think I am getting closer, here is what I plan to do:
>
> 1. Create a specific login .JSP page which will:
>    a. validate the user
>    b. create a session
>    c. configure the "user" attribute to the user object
>    d. return session id to the client
> 2. Client passes the session id on every call as a part of the URL

Why go through any of 1? J2EE does all this for you. All you need to do is use form auth. Have your login page return whatever XML is required to show the VB login box. So whenever you request a protected resource, the login box will pop up. Disable cookies in the webapp, and then read in the JSESSIONID from the URL and just make sure it's in every future request, so the servlet container knows where to find your authenticated session.

> Again, the only part of the above which I am not sure about is 1c...
>
> Thanks.
> -AP_
RE: How to enable UserManager support for arbitrary user...

But of course, since he's already USING VB, that point is moot... BOY! I can be an idiot sometimes... Sorry, Jeff, but I still don't like the looks of SOAP yet; the bloat is really bothersome. Oh, and my MTA mucked the URL for Caribbean, for those of you who are interested.

}}Slinking back to my hole, tail between my legs.{{

Michael J. Cannon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Michael J. Cannon
Sent: Tuesday, April 17, 2001 1:22 AM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...
RE: How to enable UserManager support for arbitrary user...

Alex, I have a few questions and comments.

1. Which HTTPSession are you using? Orion's or your own? I recommend Orion's, though one of the developments here uses a home-brewed session management. This forces us to include a few lines of code (with a taglib) in almost every page. Also, this renders Orion's J2EE security useless (Orion's HTTPSession has a User field where it stores either null (not authenticated) or a User reference to know the session identity).

2. How are you authenticating a user? I presume you aren't right now. I would go with this:
   a. A custom UserManager (for DB persistence, kinda like DataSourceUserManager, but yours)
   b. No custom SessionManager. (Orion has this declared as a public interface, but has no means to know which is the desired implementation; pity, session management, URL rewriting, and session + auth integration is not compliant with standards but purely proprietary.)
   c. A custom login action JSP/servlet. It takes username and password parameters and returns a session ID; this might be a cookie or URL rewriting (you can disable cookies in orion-web.xml).
   d. Every new call has either a cookie field set on the HTTP header or a URL rewrite in the form of:
      http://somehost/somepath/somepage.jsp?a_Whole_Lotta_Params;jsessionid=SOMESESSIONID
   That's it.

3. Are the client and the server in a LAN? Why not use JIntegra, J2EE CAS or SOAP4j + SOAP Toolkit to integrate them?

I think basically your problem is that your HTTP session is proprietary and not seamlessly integrated with Orion. All we would need to implement a SessionManager of our own without recompiling Orion is a SessionManager tag much like the UserManager tag in orion-application.xml. Then whenever a custom SessionManager is needed (in our case, to share sessions between Orion and IIS) we would benefit from many neat things Orion does, such as automatic URL rewriting, transparent session management (the session object available in JSP) and declarative security, to name a few.

My 2c,
JP

-Original Message-
From: Alex Paransky [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 15, 2001 1:03 AM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Friday, April 13, 2001 10:09 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...
RE: How to enable UserManager support for arbitrary user...

Given that he has a smart/fat client, I don't think the web form is the way to go. It's a square peg for a round hole.

Alex, when you execute a successful RoleManager.login(), whatever user information Orion keeps is automatically taken care of. All you need to do is make sure you maintain the session id in either a cookie or a rewritten URL (;jsessionid=ASDFGHIJKL) in your requests. You don't need to explicitly create a session in the JSP, either. If you subsequently want to get the user name or programmatically check security, use the getCallerPrincipal() or isCallerInRole() methods on the servlet context or EJB context objects. You'll need to watch out for session timeouts in your client.

You should seriously consider using SOAP. That is designed for exactly what you're trying to do. There is a free Apache implementation that you could probably get running under Orion, and VB will do all the client work for you.

Jeff
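The client side of what Jeff describes (keep the session id from the login response on every request, as a Cookie header or as a rewritten URL, and cope with the session timing out), as an added example in Java that stands in for the VB client; it is not code from the thread. It assumes a login action at /initiate that takes a POSTed username and password and that a protected command URL answers 401 once the session has expired; the base URL is a placeholder. One detail worth checking in any hand-built rewrite: ;jsessionid= is a path parameter, so it has to sit before the ? of the query string for the container to pick it up.

```java
// Added example, not from the thread: a small Java stand-in for the VB client.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;

public class CommandClient {
    private final String base;       // e.g. "http://app.example.invalid/myapp" (placeholder)
    private final boolean useCookie; // true: Cookie header; false: ;jsessionid URL rewriting
    private final String user, pass; // kept only so an expired session can be re-established
    private String sessionId;

    public CommandClient(String base, boolean useCookie, String user, String pass) {
        this.base = base; this.useCookie = useCookie; this.user = user; this.pass = pass;
    }

    /** JSESSIONID out of one Set-Cookie header value, or null if it carries another cookie. */
    static String extractSessionId(String setCookie) {
        if (setCookie == null) return null;
        String first = setCookie.split(";")[0].trim();   // cookie attributes follow the first ';'
        return first.regionMatches(true, 0, "JSESSIONID=", 0, 11) ? first.substring(11) : null;
    }

    /** Insert the path parameter before the query string, where the container looks for it. */
    static String rewrite(String url, String id) {
        int q = url.indexOf('?');
        String suffix = ";jsessionid=" + id;
        return q < 0 ? url + suffix : url.substring(0, q) + suffix + url.substring(q);
    }

    /** POST the credentials; the session id arrives in the Set-Cookie response header. */
    public boolean login() throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(base + "/initiate").openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "username=" + URLEncoder.encode(user, "UTF-8")
                + "&password=" + URLEncoder.encode(pass, "UTF-8");
        OutputStream os = c.getOutputStream();
        os.write(body.getBytes("UTF-8"));
        os.close();
        int status = c.getResponseCode();
        sessionId = null;
        // Header 0 is the status line; several Set-Cookie lines are possible, so scan them all.
        for (int i = 1; c.getHeaderField(i) != null; i++) {
            if ("Set-Cookie".equalsIgnoreCase(c.getHeaderFieldKey(i))) {
                String id = extractSessionId(c.getHeaderField(i));
                if (id != null) sessionId = id;
            }
        }
        return status == HttpURLConnection.HTTP_OK && sessionId != null;
    }

    /** Fetch one command URL (path plus query), logging in again once if the session is gone. */
    public String command(String pathAndQuery) throws IOException {
        for (int attempt = 0; attempt < 2; attempt++) {
            if (sessionId == null && !login()) throw new IOException("login rejected");
            String url = useCookie ? base + pathAndQuery : rewrite(base + pathAndQuery, sessionId);
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            if (useCookie) c.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
            int status = c.getResponseCode();
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {   // session timed out (Jeff's warning)
                sessionId = null;
                continue;
            }
            if (status != HttpURLConnection.HTTP_OK) throw new IOException("HTTP " + status);
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"));
            StringBuffer xml = new StringBuffer();
            String line;
            while ((line = in.readLine()) != null) xml.append(line).append('\n');
            in.close();
            return xml.toString();
        }
        throw new IOException("session expired and a fresh login did not help");
    }

    public static void main(String[] args) throws IOException {
        CommandClient client = new CommandClient("http://app.example.invalid/myapp", true, "alex", "secret");
        System.out.print(client.command("/getAccountInformation?account=2234"));
    }
}
```

With useCookie set to false the client never sends a Cookie header and relies entirely on rewrite(), which is the mode Hani suggests when cookies are disabled in the webapp; either way the credentials are sent once and only the opaque session id travels afterwards.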
RE: How to enable UserManager support for arbitrary user...

Out of curiosity, why aren't you using SOAP? Seems like that is designed to do exactly what you want, and I'm sure there is terrific VB support for it.

You can use J2EE security, but the usual paradigms for J2EE authentication aren't going to do you much good. You probably just want a login.jsp?name=xxx&password=xxx URL and from within that call RoleManager.login(). Since you have a fat client, you don't need to worry about the user trying to access a protected page without logging in; the client can be smart about what users are allowed to do. Make sure you're properly handling the HTTP cookie returned by the server, otherwise your login isn't going to "stick"... security is associated with the session, of course.

IMHO, support for HTTP-based RPC in J2EE is very poor, and MS is way ahead of the game here.

Jeff

-Original Message-
From: Alex Paransky [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 14, 2001 10:03 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Schnitzer
Sent: Friday, April 13, 2001 10:09 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

I suggest using an MVC (aka "Model 2") approach, separating your view from your controller. One of the controller's responsibilities can be to check for authentication and provide to the user either the requested page or the login page. If you use a dispatcher-servlet-action framework for your controller, you typically will only need to put the authentication checking code in a base action class from which all protected action classes derive. If you use JSPs as controllers you'll need some sort of code in every one (you can use @include for this). You will be much happier if you use an MVC approach, trust me. The J2EE automatic form-based authentication is very crude and fails to accommodate simple use cases like automatically logging in new users. You might want to look at WebWork: http://www.sourceforge.net/projects/webwork.

BTW, if you use the Orion UserManager (and RoleManager), you should not do your own database lookup. Calling RoleManager.login() causes methods to be called on the UserManager, which can either be your class or one of the UserManagers that ship with Orion. DataSourceUserManager looks up password and group information in a table.

Jeff

-Original Message-
From: Alex Paransky [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 13, 2001 3:20 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...

Tim, this IS what I am looking for, but does it mean that I need to put this into every .JSP page that I have? Then, somehow (according to the J2EE spec) Orion will forward this information to all EJB calls and properly make use of the deployment descriptor stuff? So every .JSP page will check the session, find the User object which I stored in there, and execute this call with the user.login and user.password?

Thanks.
-AP_

-Original Message-
From: Tim Endres [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 13, 2001 3:04 PM
To: Orion-Interest
Cc: Alex Paransky
Subject: Re: How to enable UserManager support for arbitrary user...
RE: How to enable UserManager support for arbitrary user...

Here is the problem that I am not sure how to really fix. Our EJB application is wrapped with a number of "command" URLs which return XML results. For example:

http://localhost/getAccountInformation.jsp?account=2234

would return an XML representation of an account. And

http://localhost/addUserToAccount?account=2234&userName=test...

would add a user to a particular account. A Visual Basic client then uses these "command" URLs and the resulting XML to present a user interface.

Given the above scenario, what would be your recommendation for authenticating the user, starting right after I accept the user/password from the VB form (I don't much care for VB specifics, just the part which deals with EJB/JSP/J2EE security)? After accepting user authentication information from a VB dialog, what should I do next? How do I get this information "registered" with Orion or any J2EE application server so that the deployment descriptor information works correctly?

Is this the way J2EE security was meant to be used? A non-super-user account cannot execute a setSuperuser(boolean) function on the User bean. Is this how I should be controlling this? Is this the proper method? I was reading the J2EE EJB spec, which states that coding security should be the last resort. I am not clear on how to execute the above scenario.

Thanks to all the people who have already posted in regards to this issue.

-AP_
Re: How to enable UserManager support for arbitrary user...
Is this what you are looking for?

    RoleManager roleMgr = (RoleManager) (new InitialContext()).lookup("java:comp/RoleManager");
    roleMgr.login("user", "pass");

Unfortunately, I think that can only run in the container. To accommodate multiple logins under a servlet, we used to use a new InitialContext on every servlet request and set the appropriate JNDI properties for each InitialContext construction.

tim.
RE: How to enable UserManager support for arbitrary user...
Tim, this IS what I am looking for, but does it mean that I need to put this into every .JSP page that I have? Then, somehow (according to the J2EE spec) Orion will forward this information to all EJB calls and properly make use of the deployment descriptor stuff? So every .JSP page will check the session, find the User object which I stored in there, and execute this call with the user.login and user.password?

Thanks.

-AP_
RE: How to enable UserManager support for arbitrary user...
Alex, I believe that what's important is the deployment descriptor according to J2EE. As long as a role is required by the descriptor, if you navigate to the JSP, servlet, or use a resource such as an EJB or database, as long as the application descriptor notes the proper security role, and the path to the resource is defined for the security role, the login screen will be presented when the user navigates or clicks on a resource that is in a security role. What's happening is the container will check if they are in role; if they aren't, the login form (if you used form-based login) will come up. You don't have to hard code this. These bits are defined in the web.xml, or the web application descriptor. The only hardcoding I have done is when you need to automatically login somebody (for example, after they create an account), or when a resource is outside of the application, but you want to control it with your security anyway. An example of the first case is in the pet store example.

If you don't want to go to the trouble of creating a special path for your JSP pages, you can stick an ifInRole statement on every page, and these will go to the login page if somebody accesses a page by typing a guessed URL... mysecretplace.mycompany.com/allmysecrets.jsp; the JSP can have a statement like:

    <util:ifInRole role="customer" include="true">
        ... content ...
    </util:ifInRole>
    <util:ifInRole role="customer" include="false">
        <jsp:forward page="/control/animaginarypage" />
    </util:ifInRole>

The util tags are from Orion's utility tag package. The /control path is also the J2EE path control in the deployment descriptor. This is also a good idea on JSP content in general, because JSPs change very frequently, and people don't always have time to update the deployment descriptor.

Regards,
the Elephantwalker
RE: How to enable UserManager support for arbitrary user...
oops, I forgot one little thing. If you want to know who is using a resource, and they have already been authenticated, use the session context (in an EJB):

    String userid = sc.getCallerPrincipal().getName();

Obviously, you can expose this as a business method for the session EJB, and access the userid from a servlet or JSP. This is the safest way to get the userid into a web page. Somehow, I think manipulating the UserManager from within a JSP offers a security hole. If anybody ever gained access to a JSP, they could copy the code for access to the UserManager, modify it so that an email would send the password and userid, and then put it back on the website. The same hack on an EJB is much more difficult. I believe the session context in the servlet API was deprecated just for this reason.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of elephantwalker
Sent: Friday, April 13, 2001 4:12 PM
To: Orion-Interest
Subject: RE: How to enable UserManager support for arbitrary user...
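As an added example (not code from the thread), here is how the caller principal and isCallerInRole would be used inside a session bean for the setSuperuser and getAccountInformation commands Alex describes: the role gate stays declarative in ejb-jar.xml, and code is used only for the per-instance rule ("only your own account") that a descriptor cannot express. The class, method and role names ("superuser", "customer") and the in-memory user map are assumptions.

```java
// Added example, not code from the thread. Declarative method-permission in
// ejb-jar.xml restricts setSuperuser to the "superuser" role; the explicit
// isCallerInRole is defence in depth, and the principal is needed for the
// per-instance check in getAccountInformation. Names are assumptions.
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class AccountManagerBean implements SessionBean {
    private SessionContext ctx;

    // Stand-in for the User entity bean (assumption): user name -> superuser flag.
    private final Map<String, Boolean> users = new HashMap<String, Boolean>();

    public void setSessionContext(SessionContext sc) { this.ctx = sc; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    /** The identity the container established at login (form login or RoleManager.login()). */
    public String whoAmI() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? null : p.getName();
    }

    /**
     * setSuperuser from the thread. The descriptor should already limit it to
     * the "superuser" role; the check here still refuses if the descriptor is
     * wrong or out of date. "superuser" must be declared as a security-role-ref
     * for this bean, otherwise isCallerInRole cannot map it to a real role.
     */
    public void setSuperuser(String targetUser, boolean flag) {
        if (!ctx.isCallerInRole("superuser")) {
            throw new SecurityException(whoAmI() + " is not in role superuser");
        }
        users.put(targetUser, Boolean.valueOf(flag));
    }

    /**
     * getAccountInformation from the thread. Any "customer" may call it (role
     * gate in the descriptor), but a customer may only read their own account;
     * that per-instance rule needs the principal and so has to live in code.
     */
    public String getAccountInformation(String accountOwner) {
        String caller = whoAmI();
        if (caller == null) {
            throw new SecurityException("no caller principal; request was not authenticated");
        }
        if (!accountOwner.equals(caller) && !ctx.isCallerInRole("superuser")) {
            throw new SecurityException(caller + " may not read the account of " + accountOwner);
        }
        Boolean su = users.get(accountOwner);
        return "<account owner=\"" + xmlAttr(accountOwner) + "\" superuser=\""
                + (su != null && su.booleanValue()) + "\"/>";
    }

    /** Escape a value for use inside a quoted XML attribute. */
    private static String xmlAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace("\"", "&quot;");
    }
}
```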
RE: How to enable UserManager support for arbitrary user...
Again, I am not sure if your JSP page can even make this call. I have only ever used it in the container in a session bean. I seem to remember not being able to look up the RoleManager from my servlet. I think you would have to have every SB method call this. Which is why I suggested using the InitialContext approach, which is portable across servers, and I think it scales better. Alas, it is pre-empted by a bug in Orion in that servlets don't properly initialize the credentials on the first (or in my case, all) use.

tim.
RE: How to enable UserManager support for arbitrary user...
I suggest using an MVC (aka "Model 2") approach, separating your view from your controller. One of the controller's responsibilities can be to check for authentication and provide to the user either the requested page or the login page. If you use a dispatcher-servlet-action framework for your controller, you typically will only need to put the authentication checking code in a base action class from which all protected action classes derive. If you use JSPs as controllers you'll need some sort of code in every one (you can use @include for this). You will be much happier if you use an MVC approach, trust me. The J2EE automatic form-based authentication is very crude and fails to accommodate simple use cases like automatically logging in new users. You might want to look at WebWork: http://www.sourceforge.net/projects/webwork.

BTW, if you use the Orion UserManager (and RoleManager), you should not do your own database lookup. Calling RoleManager.login() causes methods to be called on the UserManager, which can either be your class or one of the UserManagers that ship with Orion. DataSourceUserManager looks up password and group information in a table.

Jeff
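The base-action idea in Jeff's reply, as an added example that is neither code from the thread nor from WebWork: one dispatcher servlet and an abstract action that does the authentication and role check once, so the individual JSPs and command pages never touch RoleManager. It relies only on the standard Servlet API (getUserPrincipal / isUserInRole), so it is container-portable and works once the container has established the principal (form-based login, or Orion's RoleManager.login() as discussed above); the class names, the /login.jsp path and the "customer" role are assumptions.

```java
// Added example, not code from the thread or from WebWork. The check lives in
// ProtectedAction.execute(); concrete commands only implement perform().
// Class names, /login.jsp and the "customer" role are assumptions.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CommandServlet extends HttpServlet {

    /** Base class: every protected command derives from it and inherits the check. */
    public static abstract class ProtectedAction {
        /** Role the command needs; null means any authenticated user. */
        protected abstract String requiredRole();

        /** Reached only when the caller is authenticated and in role. */
        protected abstract void perform(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException;

        public final void execute(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            if (req.getUserPrincipal() == null) {
                // Not authenticated: show the login page, remembering the target.
                req.getSession(true).setAttribute("returnTo", req.getRequestURI());
                req.getRequestDispatcher("/login.jsp").forward(req, resp);
                return;
            }
            String role = requiredRole();
            if (role != null && !req.isUserInRole(role)) {
                // Authenticated but not authorised: 403, not another login prompt.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            perform(req, resp);
        }
    }

    /** The getAccountInformation command from the thread, as a protected action. */
    static class GetAccountInformation extends ProtectedAction {
        protected String requiredRole() { return "customer"; }

        protected void perform(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String account = req.getParameter("account");
            if (account == null || !account.matches("[0-9]{1,10}")) {
                // Validated before it is echoed into the XML response.
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad account id");
                return;
            }
            resp.setContentType("text/xml");
            resp.getWriter().print("<account id=\"" + account + "\"/>");
        }
    }

    private final Map<String, ProtectedAction> actions = new HashMap<String, ProtectedAction>();

    public void init() {
        // e.g. /command/getAccountInformation?account=2234 -> this action
        actions.put("/getAccountInformation", new GetAccountInformation());
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        ProtectedAction action = actions.get(req.getPathInfo());
        if (action == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        action.execute(req, resp);
    }
}
```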