Re: Container-managed authentication not possible
Craig,

True indeed, and I have info about that on the project home page. SecurityFilter does not work with EJBs. I am looking into making it work, but your application code would have to pass the Principal into the call programmatically (and thus would not be the same as it would be for container managed security). The same code should work for container or filter security, but it wouldn't be the same code you would write if you were planning to use container managed security from the outset. I am not really sure if this will work yet or not, but it is on my list of things to try.

-Max

- Original Message -
From: Craig R. McClanahan [EMAIL PROTECTED]

I haven't had time to check your docs for myself :-), but I hope you do point out one critical place where the application *does* have to care about whether it is real container managed security or not -- EJB access. From the point of view of an EJB container, requests protected by any sort of mimicking security filter will appear to be coming from an unauthenticated web user (which might or might not be ok, depending on your security policies and application design).

Craig

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

Re: Container-managed authentication not possible
On Wed, 21 Aug 2002, Max Cooper wrote:

> Date: Wed, 21 Aug 2002 23:49:12 -0700
> From: Max Cooper [EMAIL PROTECTED]
> To: Struts Users Mailing List [EMAIL PROTECTED], [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Container-managed authentication not possible
>
> Craig,
>
> True indeed, and I have info about that on the project home page. SecurityFilter does not work with EJBs. I am looking into making it work, but your application code would have to pass the Principal into the call programmatically (and thus would not be the same as it would be for container managed security). The same code should work for container or filter security, but it wouldn't be the same code you would write if you were planning to use container managed security from the outset. I am not really sure if this will work yet or not, but it is on my list of things to try.
>
> -Max

Max,

I'm very glad to hear that you've covered this issue in the docs already ... it is a very obvious place that people might make mistaken assumptions.

However, I can't hold out much hope that you will be able to find a portable solution to working for EJBs in the short term. The key problem you're facing is that you need to convince the container to trust an application's assertions about security -- and that just isn't going to fly in current generation containers, because it would lead to a raft of security attacks by maliciously coded applications. (If we want that kind of thing, we can just use .NET, thank you :-). I'm personally adamant about Tomcat *never* trusting a user application for this kind of thing, until there is a safe way to do so. I can't imagine that any other app server would be any less stringent about managing something this fundamental either.

The current reality of J2EE security APIs is that there is no portable mechanism to support several commonly-desired features (such as setting up new users and auto-logging-in in a portal type environment). These sorts of problems need to be solved at the container level, so that applications don't need to worry about them. In my day-job role (at Sun) as the Web Layer Architect for the entire J2EE platform, this is one of my priority concerns. Unfortunately, providing the appropriate solution is going to take a while.

In the meantime, things like SecurityFilter serve a very valid need for non-EJB webapps, and I'm happy to see that you've taken on the effort to provide a general purpose solution in this problem space.

Craig

Re: Container-managed authentication not possible
Thanks for the info, Craig. It looks like SecurityFilter won't work with EJB apps, now or in the future, with current server implementations.

My feedback about what I find lacking in current container managed security are these items:

1) The inability to submit unsolicited login requests (when the container didn't force you to the login form)
2) Lack of a standard realm interface (though this is becoming a non-issue with JAAS, LDAP adapters, etc.)

-Max

- Original Message -
From: Craig R. McClanahan [EMAIL PROTECTED]

Max,

I'm very glad to hear that you've covered this issue in the docs already ... it is a very obvious place that people might make mistaken assumptions.

However, I can't hold out much hope that you will be able to find a portable solution to working for EJBs in the short term. The key problem you're facing is that you need to convince the container to trust an application's assertions about security -- and that just isn't going to fly in current generation containers, because it would lead to a raft of security attacks by maliciously coded applications. (If we want that kind of thing, we can just use .NET, thank you :-). I'm personally adamant about Tomcat *never* trusting a user application for this kind of thing, until there is a safe way to do so. I can't imagine that any other app server would be any less stringent about managing something this fundamental either.

The current reality of J2EE security APIs is that there is no portable mechanism to support several commonly-desired features (such as setting up new users and auto-logging-in in a portal type environment). These sorts of problems need to be solved at the container level, so that applications don't need to worry about them. In my day-job role (at Sun) as the Web Layer Architect for the entire J2EE platform, this is one of my priority concerns. Unfortunately, providing the appropriate solution is going to take a while.

In the meantime, things like SecurityFilter serve a very valid need for non-EJB webapps, and I'm happy to see that you've taken on the effort to provide a general purpose solution in this problem space.

Craig

Re: Container-managed authentication not possible
On Wed, 2002-08-21 at 21:31, Craig R. McClanahan wrote:

> On Wed, 21 Aug 2002, Max Cooper wrote:
>
> > Date: Wed, 21 Aug 2002 13:07:47 -0700
> > From: Max Cooper [EMAIL PROTECTED]
> > Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
> > To: Struts Users Mailing List [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: Re: Container-managed authentication not possible
> >
> > Brandon,
> >
> > SecurityFilter *does* implement isUserInRole(), getUserPrincipal(), and getRemoteUser(). By mimics I mean that your app (or Tiles and Struts) will not be able to distinguish between SecurityFilter and Container Managed Security. It behaves the same, and it looks the same to the code running on top of it. One of the major design goals of the project is to allow you to switch between container-managed and filter-based security without changing your application's code. SecurityFilter also shares the same configuration syntax and features, except that you put the info in a securityfilter-config.xml file rather than web.xml.
>
> I haven't had time to check your docs for myself :-), but I hope you do point out one critical place where the application *does* have to care about whether it is real container managed security or not -- EJB access. From the point of view of an EJB container, requests protected by any sort of mimicking security filter will appear to be coming from an unauthenticated web user (which might or might not be ok, depending on your security policies and application design).
>
> > -Max
>
> Craig

If the filter used JAAS authentication, what would it need to do in order to integrate the Subject into the container's environment so that EJB access wouldn't seem unauthorized? Would it be container specific? In what ways? It seems like the request would also NOT need to be wrapped if the Subject was properly established (i.e. had the right ~type~ of principals, and was stored in the container correctly [but where would that be?]), does that sound right?

Troy

RE: Container-managed authentication not possible
You can implement container managed security in web.xml only if it has been set up within the server.xml under your host settings.

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Elderclei R Reami [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it.

I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting.

My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br

RE: Container-managed authentication not possible
You may want to take a look at the SecurityFilter project on SourceForge.net by Max Cooper.

Summary from site: SecurityFilter is a Java Servlet Filter that mimics the behavior and configuration format of container managed security, with several development and deployment advantages.

See the Home Page at http://securityfilter.sourceforge.net for more details.

Regards,
Todd G. Nist

-Original Message-
From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:48 PM
To: Struts Users Mailing List
Subject: RE: Container-managed authentication not possible

You can implement container managed security in web.xml only if it has been set up within the server.xml under your host settings.

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

RE: Container-managed authentication not possible
That is a cool project. But, it only mimics. It has the same terminology associated with it. But it is NOT container managed security. Nor does it integrate (at this point) with many projects that use the container based security check methods like isUserInRole(). So, for example, if you are using role checking with tiles it will not be able to locate the role and user information generated by SecurityFilter because it does not use container managed security.

I wrote a SecurityFilter that interacts with an action to take advantage of container based security. It allows for auto-login, login from any page, and url based security. But the code is not very clean and is Tomcat specific. I am waiting for the ServletSpec to come up to par. Meanwhile my SecurityFilter is working and using container based security and I would rather stay tied to container managed security with all its inflexibilities because it allows me to abstract my security from my app.

Just my rambling thoughts,

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Todd G. Nist [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:46 PM
To: 'Struts Users Mailing List'
Subject: RE: Container-managed authentication not possible

You may want to take a look at the SecurityFilter project on SourceForge.net by Max Cooper.

Summary from site: SecurityFilter is a Java Servlet Filter that mimics the behavior and configuration format of container managed security, with several development and deployment advantages.

See the Home Page at http://securityfilter.sourceforge.net for more details.

Regards,
Todd G. Nist

[CORRECTION]RE: Container-managed authentication not possible
Sorry I am wrong :-) It plays nice with the request based info.

-Original Message-
From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 1:53 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: RE: Container-managed authentication not possible

That is a cool project. But, it only mimics. It has the same terminology associated with it. But it is NOT container managed security. Nor does it integrate (at this point) with many projects that use the container based security check methods like isUserInRole(). So, for example, if you are using role checking with tiles it will not be able to locate the role and user information generated by SecurityFilter because it does not use container managed security.

I wrote a SecurityFilter that interacts with an action to take advantage of container based security. It allows for auto-login, login from any page, and url based security. But the code is not very clean and is Tomcat specific. I am waiting for the ServletSpec to come up to par. Meanwhile my SecurityFilter is working and using container based security and I would rather stay tied to container managed security with all its inflexibilities because it allows me to abstract my security from my app.

Just my rambling thoughts,

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

Re: Container-managed authentication not possible
Brandon,

SecurityFilter *does* implement isUserInRole(), getUserPrincipal(), and getRemoteUser(). By mimics I mean that your app (or Tiles and Struts) will not be able to distinguish between SecurityFilter and Container Managed Security. It behaves the same, and it looks the same to the code running on top of it. One of the major design goals of the project is to allow you to switch between container-managed and filter-based security without changing your application's code. SecurityFilter also shares the same configuration syntax and features, except that you put the info in a securityfilter-config.xml file rather than web.xml.

-Max

- Original Message -
From: Brandon Goodin [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 12:52 PM
Subject: RE: Container-managed authentication not possible

That is a cool project. But, it only mimics. It has the same terminology associated with it. But it is NOT container managed security. Nor does it integrate (at this point) with many projects that use the container based security check methods like isUserInRole(). So, for example, if you are using role checking with tiles it will not be able to locate the role and user information generated by SecurityFilter because it does not use container managed security.

I wrote a SecurityFilter that interacts with an action to take advantage of container based security. It allows for auto-login, login from any page, and url based security. But the code is not very clean and is Tomcat specific. I am waiting for the ServletSpec to come up to par. Meanwhile my SecurityFilter is working and using container based security and I would rather stay tied to container managed security with all its inflexibilities because it allows me to abstract my security from my app.

Just my rambling thoughts,

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

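
The request wrapping Max describes above, together with the limit Craig raises for EJB calls, as an added example that is not part of the thread and is not SecurityFilter's source. It assumes the javax.servlet API (Servlet 2.3 or later) on the classpath; the class names, the session attribute and the AppUser type are hypothetical, and login handling and URL constraints are left out.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added illustration, not SecurityFilter's code: a filter that answers the
 * servlet security calls from an identity held by the application.
 */
public class MimicSecurityFilter implements Filter {

    /** Hypothetical session key. A login action would store an AppUser here
     *  after checking credentials against the application's own user store. */
    public static final String USER_ATTR = "example.mimic.user";

    /** Hypothetical application-side identity: a name plus role names. */
    public static final class AppUser implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Set<String> roles;

        public AppUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = new HashSet<String>(roles); // defensive copy, never mutated
        }

        @Override public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** What Struts actions, Tiles and JSPs receive instead of the raw request. */
    static final class MimicRequest extends HttpServletRequestWrapper {
        private final AppUser user;

        MimicRequest(HttpServletRequest request, AppUser user) {
            super(request);
            this.user = user;
        }

        // The three calls named in the thread, answered from the application's data.
        @Override public Principal getUserPrincipal() { return user; }
        @Override public String getRemoteUser() { return user.getName(); }
        @Override public boolean isUserInRole(String role) { return user.hasRole(role); }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // do not create a session just to look
            Object stored = (session == null) ? null : session.getAttribute(USER_ATTR);
            if (stored instanceof AppUser) {
                // Only code that is handed this wrapper sees the identity. The
                // container's own security context is unchanged, so a call from
                // here into an EJB still arrives as an unauthenticated web user.
                req = new MimicRequest(http, (AppUser) stored);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Application code calling `request.isUserInRole("admin")` behind this filter gets the same answer shape as under container-managed security, which is why the two are interchangeable for web-tier code and not for EJB access.
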
RE: Container-managed authentication not possible
Thanks Max,

But I already corrected myself :-)

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:08 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: Container-managed authentication not possible

Brandon,

SecurityFilter *does* implement isUserInRole(), getUserPrincipal(), and getRemoteUser(). By mimics I mean that your app (or Tiles and Struts) will not be able to distinguish between SecurityFilter and Container Managed Security. It behaves the same, and it looks the same to the code running on top of it. One of the major design goals of the project is to allow you to switch between container-managed and filter-based security without changing your application's code. SecurityFilter also shares the same configuration syntax and features, except that you put the info in a securityfilter-config.xml file rather than web.xml.

-Max

Re: Container-managed authentication not possible
Elderclei,

Todd mentioned my SecurityFilter project as a possible alternative for you, and I encourage you to try it. Not having access to the server configuration is one of the particular situations in which I thought it would be useful.

-Max
http://www.securityfilter.org/

- Original Message -
From: Elderclei R Reami [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 3:43 PM
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it.

I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting.

My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br

RE: Container-managed authentication not possible
Max,

I love what you are doing. I apologize that I jumped to conclusions and provided bad direction. My bad. I am swapping out my code for yours. Thanks for the great job.

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:08 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: Container-managed authentication not possible

Brandon,

SecurityFilter *does* implement isUserInRole(), getUserPrincipal(), and getRemoteUser(). By mimics I mean that your app (or Tiles and Struts) will not be able to distinguish between SecurityFilter and Container Managed Security. It behaves the same, and it looks the same to the code running on top of it. One of the major design goals of the project is to allow you to switch between container-managed and filter-based security without changing your application's code. SecurityFilter also shares the same configuration syntax and features, except that you put the info in a securityfilter-config.xml file rather than web.xml.

-Max

- Original Message -
From: Brandon Goodin [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 12:52 PM
Subject: RE: Container-managed authentication not possible

That is a cool project. But, it only mimics. It has the same terminology associated with it. But it is NOT container managed security. Nor does it integrate (at this point) with many projects that use the container based security check methods like isUserInRole(). So, for example, if you are using role checking with tiles it will not be able to locate the role and user information generated by SecurityFilter because it does not use container managed security.

I wrote a SecurityFilter that interacts with an action to take advantage of container based security. It allows for auto-login, login from any page, and url based security. But the code is not very clean and is Tomcat specific. I am waiting for the ServletSpec to come up to par. Meanwhile my SecurityFilter is working and using container based security and I would rather stay tied to container managed security with all its inflexibilities because it allows me to abstract my security from my app.

Just my rambling thoughts,
Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Todd G. Nist [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:46 PM
To: 'Struts Users Mailing List'
Subject: RE: Container-managed authentication not possible

You may want to take a look at the SecurityFilter project on SourceForge.net by Max Cooper.

Summary from site: SecurityFilter is a Java Servlet Filter that mimics the behavior and configuration format of container managed security, with several development and deployment advantages.

See the Home Page at http://securityfilter.sourceforge.net for more details.

Regards,
Todd G. Nist

-Original Message-
From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:48 PM
To: Struts Users Mailing List
Subject: RE: Container-managed authentication not possible

You can implement container managed security in web.xml only if it has been set up within the server.xml under your host settings.

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Elderclei R Reami [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it. I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting. My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br
Re: [CORRECTION]RE: Container-managed authentication not possible
Thanks for the tips, Brandon and Todd. I will have a look at SecurityFilter, as I have no other option, perhaps I'll need to develop my own security control (not good anyway).

Regards.
Elder

On Wed, 21 Aug 2002 14:02:09 -0600, Brandon Goodin [EMAIL PROTECTED] wrote:
From: Brandon Goodin [EMAIL PROTECTED]
Date: Wed, 21 Aug 2002 14:02:09 -0600
To: Struts Users Mailing List [EMAIL PROTECTED]
Subject: [CORRECTION]RE: Container-managed authentication not possible

Sorry I am wrong :-) It plays nice with the request based info.

-Original Message-
From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 1:53 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: RE: Container-managed authentication not possible

That is a cool project. But, it only mimics. It has the same terminology associated with it. But it is NOT container managed security. Nor does it integrate (at this point) with many projects that use the container based security check methods like isUserInRole(). So, for example, if you are using role checking with tiles it will not be able to locate the role and user information generated by SecurityFilter because it does not use container managed security.

I wrote a SecurityFilter that interacts with an action to take advantage of container based security. It allows for auto-login, login from any page, and url based security. But the code is not very clean and is Tomcat specific. I am waiting for the ServletSpec to come up to par. Meanwhile my SecurityFilter is working and using container based security and I would rather stay tied to container managed security with all its inflexibilities because it allows me to abstract my security from my app.

Just my rambling thoughts,
Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Todd G. Nist [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:46 PM
To: 'Struts Users Mailing List'
Subject: RE: Container-managed authentication not possible

You may want to take a look at the SecurityFilter project on SourceForge.net by Max Cooper.

Summary from site: SecurityFilter is a Java Servlet Filter that mimics the behavior and configuration format of container managed security, with several development and deployment advantages.

See the Home Page at http://securityfilter.sourceforge.net for more details.

Regards,
Todd G. Nist

-Original Message-
From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:48 PM
To: Struts Users Mailing List
Subject: RE: Container-managed authentication not possible

You can implement container managed security in web.xml only if it has been set up within the server.xml under your host settings.

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Elderclei R Reami [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it. I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting. My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br

Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br
Re: Container-managed authentication not possible
Max,

Have you considered using JAAS for authentication? Why or why not?

Thanks,
Troy

On Wed, 2002-08-21 at 14:13, Max Cooper wrote:

Elderclei,

Todd mentioned my SecurityFilter project as a possible alternative for you, and I encourage you to try it. Not having access to the server configuration is one of the particular situations in which I thought it would be useful.

-Max
http://www.securityfilter.org/

- Original Message -
From: Elderclei R Reami [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 3:43 PM
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it. I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting. My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br
Re: Container-managed authentication not possible
Troy,

I need to look into it more, but that seems like something the SecurityFilter should support. I do have a task defined on the project to support JAAS already. However, my current priorities are to get a solid 1.0 release out there with all the current and a few new features (user-data-constraint support, more realm adapters, and smarter default page handling). JAAS support is not likely to be in the 1.0 release, but it should be one of the highest priorities once the 1.0 release is out the door.

I will announce any SecurityFilter updates to this list as long as it seems relevant. If you want to be sure to get all update notifications or discuss SecurityFilter more deeply, I have created some (so far very low-traffic ;-) mailing lists at SourceForge:
http://sourceforge.net/mail/?group_id=59484

Releases are also announced on Freshmeat, and you can subscribe there as well:
http://freshmeat.net/projects/securityfilter/

Thanks everyone for the interest and support!

-Max

- Original Message -
From: Troy Hart [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 2:29 PM
Subject: Re: Container-managed authentication not possible

Max,

Have you considered using JAAS for authentication? Why or why not?

Thanks,
Troy

On Wed, 2002-08-21 at 14:13, Max Cooper wrote:

Elderclei,

Todd mentioned my SecurityFilter project as a possible alternative for you, and I encourage you to try it. Not having access to the server configuration is one of the particular situations in which I thought it would be useful.

-Max
http://www.securityfilter.org/

- Original Message -
From: Elderclei R Reami [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 3:43 PM
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it. I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting. My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br
Re: Container-managed authentication not possible
On Wed, 21 Aug 2002, Max Cooper wrote:

Date: Wed, 21 Aug 2002 13:07:47 -0700
From: Max Cooper [EMAIL PROTECTED]
Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Container-managed authentication not possible

Brandon,

SecurityFilter *does* implement isUserInRole(), getUserPrincipal(), and getRemoteUser(). By mimics I mean that your app (or Tiles and Struts) will not be able to distinguish between SecurityFilter and Container Managed Security. It behaves the same, and it looks the same to the code running on top of it. One of the major design goals of the project is to allow you to switch between container-managed and filter-based security without changing your application's code. SecurityFilter also shares the same configuration syntax and features, except that you put the info in a securityfilter-config.xml file rather than web.xml.

I haven't had time to check your docs for myself :-), but I hope you do point out one critical place where the application *does* have to care about whether it is real container managed security or not -- EJB access. From the point of view of an EJB container, requests protected by any sort of mimicking security filter will appear to be coming from an unauthenticated web user (which might or might not be ok, depending on your security policies and application design).

-Max

Craig

- Original Message -
From: Brandon Goodin [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, August 21, 2002 12:52 PM
Subject: RE: Container-managed authentication not possible

That is a cool project. But, it only mimics. It has the same terminology associated with it. But it is NOT container managed security. Nor does it integrate (at this point) with many projects that use the container based security check methods like isUserInRole(). So, for example, if you are using role checking with tiles it will not be able to locate the role and user information generated by SecurityFilter because it does not use container managed security.

I wrote a SecurityFilter that interacts with an action to take advantage of container based security. It allows for auto-login, login from any page, and url based security. But the code is not very clean and is Tomcat specific. I am waiting for the ServletSpec to come up to par. Meanwhile my SecurityFilter is working and using container based security and I would rather stay tied to container managed security with all its inflexibilities because it allows me to abstract my security from my app.

Just my rambling thoughts,
Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Todd G. Nist [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:46 PM
To: 'Struts Users Mailing List'
Subject: RE: Container-managed authentication not possible

You may want to take a look at the SecurityFilter project on SourceForge.net by Max Cooper.

Summary from site: SecurityFilter is a Java Servlet Filter that mimics the behavior and configuration format of container managed security, with several development and deployment advantages.

See the Home Page at http://securityfilter.sourceforge.net for more details.

Regards,
Todd G. Nist

-Original Message-
From: Brandon Goodin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 2:48 PM
To: Struts Users Mailing List
Subject: RE: Container-managed authentication not possible

You can implement container managed security in web.xml only if it has been set up within the server.xml under your host settings.

Brandon Goodin
Phase Web and Multimedia
P(406)862-2245
F(406)862-0354
http://www.phase.ws

-Original Message-
From: Elderclei R Reami [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Container-managed authentication not possible

Hi Friends,

It's been a month developing in struts, and the party's been pretty good. I'm just finishing my first application (30 jsps, actions, and so on), and now I'm including some security in it. I'm in trouble regarding authentication, because my client's ISP does not let me change server.xml configs, probably because they use virtual hosting. My question is: is it possible to configure container-managed authentication using the web.xml? Or must I implement my own authentication?

Cheers,
Elderclei R Reami
Vertis Tecnologia
+55 11 3887-0835
www.vertisnet.com.br