j_security_check, jaas and weblogic 6.1
I have to do security for the company I am at. I have never used j_security_check, jaas or weblogic 6.1 RDBMS (we have a database for authentication/authorization). I read all through the examples on j_security_check, jaas and WLS RDBMS out there I could get my hands on. There seems to be no good real world examples of how to tie all these together. The reason I'm having an issue is struts is the middle man, the controller so he is key to it all. I know i configure j_security_check in my web.xml to point to use form authentication, i know all about deployment descriptor configuration for ejb, war, etc. This is not the problem. I don't see how JAAS fits into j_security_check? I also dont see how struts fits into it either? Do I need to also add a login.do? I need to get the locale for the user from the database and figured I would do this at the login. JAAS wants LoginContext.login(), most j2ee say j_security_check and struts examples have login.do (this is the way I've typically done it). Help! I can't find any real world examples to tie all these together! thanks! Mike Lee -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: j_security_check, jaas and weblogic 6.1
JAAS is not relevant if you're using container-managed security. You'll need to set up users in whatever user database your container (WebLogic in your case) provides. Struts also has nothing to do with this -- although you can use role information with tags like logic:present or the roles attribute on an action if you want to. JAAS would only be relevant if you wanted to do application-managed security instead, or if you were implementing the container itself. Craig On Mon, 26 Aug 2002, Michael Lee wrote: Date: Mon, 26 Aug 2002 12:21:12 -0400 From: Michael Lee [EMAIL PROTECTED] Reply-To: Struts Users Mailing List [EMAIL PROTECTED] To: Struts Users Mailing List [EMAIL PROTECTED] Subject: j_security_check, jaas and weblogic 6.1 I have to do security for the company I am at. I have never used j_security_check, jaas or weblogic 6.1 RDBMS (we have a database for authentication/authorization). I read all through the examples on j_security_check, jaas and WLS RDBMS out there I could get my hands on. There seems to be no good real world examples of how to tie all these together. The reason I'm having an issue is struts is the middle man, the controller so he is key to it all. I know i configure j_security_check in my web.xml to point to use form authentication, i know all about deployment descriptor configuration for ejb, war, etc. This is not the problem. I don't see how JAAS fits into j_security_check? I also dont see how struts fits into it either? Do I need to also add a login.do? I need to get the locale for the user from the database and figured I would do this at the login. JAAS wants LoginContext.login(), most j2ee say j_security_check and struts examples have login.do (this is the way I've typically done it). Help! I can't find any real world examples to tie all these together! thanks! Mike Lee -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: j_security_check, jaas and weblogic 6.1
Thank you! You are the ONLY place I've heard this! Now everything seems to make more sense. I was just going to use j_security_check hooked into Weblogic RDBMS and put the user in the session for authentication from there on in (JNDI security to EJB). So this looks like the right path? No offense, but is this right? BEA recommends you use JAAS all over the place. I'm mainly going to use ACL in the deployment descriptors for my web app and ejbs. I also noticed that almost all JAAS implementations were at the java client layer. Few were servlets, etc. This would make sense with what your saying because no container would exist at a pure java client layer (such as with the JAAS RMI example that comes with weblogic). BTW, EXCELLENT job with struts Craig and team. I have 2 systems IN PRODUCTION! using struts. They wrote one at the job I'm at and I recommended struts to replace it. We are now going full steam ahead with struts! thanks, Mike Lee - Original Message - From: Craig R. McClanahan [EMAIL PROTECTED] To: Struts Users Mailing List [EMAIL PROTECTED] Sent: Monday, August 26, 2002 12:52 PM Subject: Re: j_security_check, jaas and weblogic 6.1 JAAS is not relevant if you're using container-managed security. You'll need to set up users in whatever user database your container (WebLogic in your case) provides. Struts also has nothing to do with this -- although you can use role information with tags like logic:present or the roles attribute on an action if you want to. JAAS would only be relevant if you wanted to do application-managed security instead, or if you were implementing the container itself. Craig On Mon, 26 Aug 2002, Michael Lee wrote: Date: Mon, 26 Aug 2002 12:21:12 -0400 From: Michael Lee [EMAIL PROTECTED] Reply-To: Struts Users Mailing List [EMAIL PROTECTED] To: Struts Users Mailing List [EMAIL PROTECTED] Subject: j_security_check, jaas and weblogic 6.1 I have to do security for the company I am at. I have never used j_security_check, jaas or weblogic 6.1 RDBMS (we have a database for authentication/authorization). I read all through the examples on j_security_check, jaas and WLS RDBMS out there I could get my hands on. There seems to be no good real world examples of how to tie all these together. The reason I'm having an issue is struts is the middle man, the controller so he is key to it all. I know i configure j_security_check in my web.xml to point to use form authentication, i know all about deployment descriptor configuration for ejb, war, etc. This is not the problem. I don't see how JAAS fits into j_security_check? I also dont see how struts fits into it either? Do I need to also add a login.do? I need to get the locale for the user from the database and figured I would do this at the login. JAAS wants LoginContext.login(), most j2ee say j_security_check and struts examples have login.do (this is the way I've typically done it). Help! I can't find any real world examples to tie all these together! thanks! Mike Lee -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: j_security_check, jaas and weblogic 6.1
On Mon, 26 Aug 2002, Michael Lee wrote: Date: Mon, 26 Aug 2002 14:29:44 -0400 From: Michael Lee [EMAIL PROTECTED] Reply-To: Struts Users Mailing List [EMAIL PROTECTED] To: Struts Users Mailing List [EMAIL PROTECTED] Subject: Re: j_security_check, jaas and weblogic 6.1 Thank you! You are the ONLY place I've heard this! Now everything seems to make more sense. I was just going to use j_security_check hooked into Weblogic RDBMS and put the user in the session for authentication from there on in (JNDI security to EJB). So this looks like the right path? If BEA did things correctly, you shouldn't have to do anything special about saving the user in the session for EJB authentication -- the same user identity should be carried over automatically. No offense, but is this right? BEA recommends you use JAAS all over the place. I'm mainly going to use ACL in the deployment descriptors for my web app and ejbs. I also noticed that almost all JAAS implementations were at the java client layer. Few were servlets, etc. This would make sense with what your saying because no container would exist at a pure java client layer (such as with the JAAS RMI example that comes with weblogic). JAAS is what I'd use if I was writing the back end of WebLogic's servlet container. But web applications that run inside the container should not have to know anything about it. As you note, client apps don't have that kind of container support, so a roll your own solution based on JAAS makes more sense there. BTW, EXCELLENT job with struts Craig and team. I have 2 systems IN PRODUCTION! using struts. They wrote one at the job I'm at and I recommended struts to replace it. We are now going full steam ahead with struts! thanks, Mike Lee Craig -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]