Re: Getting HttpRequest inside Realm/Tomcat 4
On Thu, 25 Oct 2001, Antony Bowesman wrote:

> Date: Thu, 25 Oct 2001 14:12:36 +0300
> From: Antony Bowesman [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Getting HttpRequest inside Realm/Tomcat 4
>
> Hi Craig,
>
> Thanks for your comments again.
>
> > You're right ... there is nothing there to do this. The original design was based on the idea that Realm simply encapsulates a service that authenticates a user, given a username and some credentials. In addition, it needs to work even when HTTP sessions are not in use (for example, for BASIC authentication).
> >
> > One strategy for dealing with this might be to register a session event listener and register your session in the sessionCreated() event handler.
>
> I like the realm and general design in TC4, it's much better and cleaner than 3.2. However, I think there is something missing in the realm interface authenticate methods, particularly for form login:-
>
> If you modify a login form to include a field other than j_username and j_password so the user can select some kind of 'post login preferences' it is not possible to get this extra field to the realm.

The mechanics of form-based login were the subject of no little amount of discussion in the JSR-053 expert group during the development of Servlet 2.3. The idea of supporting additional fields was discussed somewhat, but in the end we decided to punt on making any big-time changes, because it became obvious that this problem has a larger scope than just logging users in to a web application.

One of the outgrowths of that realization is another JSR that you might want to keep track of (via http://www.jcp.org):

  JSR #115 -- Java(tm) Authorization Service Provider Contract for Containers

Once this is fleshed out, Tomcat can be modified to support the new SPI contracts, and your Realm-equivalent implementation will itself be portable to different containers if it conforms. Until then, though, I'm a little gunshy about mucking around with the Realm interface.

> We use JAAS for authentication. JAAS allows and one of the login modules authenticates against our EJB user repository and loads user preferences (groups/roles etc) and one feature the user can select is their preferred role set for the session.
>
> I don't think the event listener will work for our use, following login, so it seems the following is how I can achieve what I want. Replace the org.apache.catalina.authenticator.FormAuthenticator with my own FormAuthenticator class by modifying the Authenticators.properties and extend the realm interface to pass either a map of http request parameters, or in fact the http request itself. My realm can do what it wants.

That seems like a reasonable strategy.

> What about passing the Request object as a parameter to the Realm interface authenticate() methods for 4.1 release. And how about having only a JAAS realm in standard tomcat and just provide different login modules for jdbc/jndi/other access. JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for Tomcat 4?

The current supported minimum is JDK 1.2.2. And, I thought JAAS required 1.4 -- am I mis-remembering?

> BTW, I saw you offered your BOF slides to someone, are they available?

I assume you mean my BOF on container-managed security, right? Forwarded under separate cover.

> Rgds
> Antony

Craig
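The message above describes a JAAS login module that authenticates against a user repository, loads the user's groups/roles, and lets the user pick a preferred role set for the session, with the extra form field reaching the module through a map of HTTP request parameters. The following is an added illustration of that arrangement, not code from this thread or from Tomcat: the class names, the `j_roles` field name, the in-memory user table standing in for the EJB repository, and the `NamedPrincipal` type are all assumptions made for the example. It is written against JAAS 1.0 / JDK 1.3 (no generics), matching the versions discussed. The point a practitioner should take from it is in `selectRoles()`: a preference submitted in a login form is untrusted input, so the granted roles are the intersection of what the user asked for and what the repository entitles them to.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule: authenticate, then grant a user-chosen subset of entitled roles. */
public class PreferredRoleLoginModule implements LoginModule {

    /** Principal used for both the user identity and each granted role (type is "user" or "role"). */
    public static class NamedPrincipal implements Principal {
        private final String type, name;
        public NamedPrincipal(String type, String name) { this.type = type; this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof NamedPrincipal && type.equals(((NamedPrincipal) o).type)
                    && name.equals(((NamedPrincipal) o).name);
        }
        public int hashCode() { return type.hashCode() * 31 + name.hashCode(); }
    }

    /** CallbackHandler fed from a String -> String map of form parameters (j_roles is a made-up field). */
    public static class FormParameterCallbackHandler implements CallbackHandler {
        private final Map params;
        public FormParameterCallbackHandler(Map params) { this.params = params; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                Callback cb = callbacks[i];
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName((String) params.get("j_username"));
                } else if (cb instanceof PasswordCallback) {
                    String pw = (String) params.get("j_password");
                    ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
                } else if (cb instanceof TextInputCallback) {
                    ((TextInputCallback) cb).setText((String) params.get("j_roles"));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Constructed stand-in for the EJB user repository: user -> { password, entitled roles }.
    private static final Map USERS = new HashMap();
    static {
        USERS.put("alice", new Object[] { "s3cret".toCharArray(),
                                          new String[] { "user", "admin", "auditor" } });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private Set sessionRoles;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        TextInputCallback rc = new TextInputCallback("preferred roles");
        try {
            handler.handle(new Callback[] { nc, pc, rc });
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        Object[] record = (Object[]) USERS.get(nc.getName());
        char[] supplied = pc.getPassword();
        pc.clearPassword();
        boolean ok = record != null && supplied != null && Arrays.equals((char[]) record[0], supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');   // do not leave the password lying in memory
        if (!ok) throw new FailedLoginException("bad username or password");
        Set entitled = new HashSet(Arrays.asList((String[]) record[1]));
        sessionRoles = selectRoles(entitled, rc.getText());
        user = nc.getName();
        succeeded = true;
        return true;
    }

    /** Honour the preferred roles only where the repository entitles the user to them. */
    static Set selectRoles(Set entitled, String preferred) {
        if (preferred == null || preferred.trim().length() == 0) return entitled;
        Set chosen = new HashSet();
        for (StringTokenizer t = new StringTokenizer(preferred, ","); t.hasMoreTokens();) {
            String r = t.nextToken().trim();
            if (entitled.contains(r)) chosen.add(r);   // a role the user is not entitled to is dropped
        }
        return chosen;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NamedPrincipal("user", user));
        for (Iterator i = sessionRoles.iterator(); i.hasNext();) {
            subject.getPrincipals().add(new NamedPrincipal("role", (String) i.next()));
        }
        return true;
    }

    public boolean abort() { boolean was = succeeded; succeeded = false; user = null; sessionRoles = null; return was; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Driving it follows the usual JAAS pattern: a JAAS configuration entry naming this module, then `new LoginContext(entryName, new Subject(), new FormParameterCallbackHandler(params)).login()`, after which the Subject's principals carry the user and the selected roles. With `j_roles` set to `admin,superuser` for the constructed user `alice`, only `admin` is granted, because `superuser` is not in her entitled set; with `j_roles` empty, all entitled roles are granted.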
Re: Getting HttpRequest inside Realm/Tomcat 4
Craig,

> One of the outgrowths of that realization is another JSR that you might want to keep track of (via http://www.jcp.org):
>
>   JSR #115 -- Java(tm) Authorization Service Provider Contract for Containers
>
> Once this is fleshed out, Tomcat can be modified to support the new SPI contracts, and your Realm-equivalent implementation will itself be portable to different containers if it conforms. Until then, though, I'm a little gunshy about mucking around with the Realm interface.

Yes, I had seen this, essentially, it looks to standardise what we are already using, i.e. a JAAS subject wrapped inside the authenticated container principal and each of the JAAS principals represents a role (or something else) with associated permissions. J2EE roles and application roles are both supported. This allows us to use principal based access control. Also with the configurable rolemapper class we can effectively delegate as many access control decisions as we like.

> That seems like a reasonable strategy.

Well, it's done now :). Is there any likelihood of these interfaces/classes changing? I've changed Realm, RealmBase and made my own FormAuthenticator. Are there any changes planned to these realm parts?

> > JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for Tomcat 4?
>
> The current supported minimum is JDK 1.2.2. And, I thought JAAS required 1.4 -- am I mis-remembering?

JAAS 1.0 was introduced as an extension to JDK1.3 but incorporated into 1.4 with some minor changes. I'm glad to see that JAAS is now adopted as a requirement in the J2EE 1.3 spec, although it only mandates version 1.0 of JAAS. What is the roadmap for Tomcat to conform to J2EE 1.3? Presumably that means some kind of JAAS support is required (why not start now!!)

> I assume you mean my BOF on container-managed security, right? Forwarded under separate cover.

Received. Many thanks.

Antony
Re: Getting HttpRequest inside Realm/Tomcat 4
On Wed, 24 Oct 2001, Antony Bowesman wrote:

> Date: Wed, 24 Oct 2001 14:50:04 +0300
> From: Antony Bowesman [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: TomcatDev [EMAIL PROTECTED]
> Subject: Getting HttpRequest inside Realm/Tomcat 4
>
> Hi,
>
> I have a realm implementation that needs to access the HttpSession when a new successful authentication request is made. (I need to hand off the session to a third party.) How can I do this from within the realm.authenticate() method? I've looked through the Container interface and can't find anything.

You're right ... there is nothing there to do this. The original design was based on the idea that Realm simply encapsulates a service that authenticates a user, given a username and some credentials. In addition, it needs to work even when HTTP sessions are not in use (for example, for BASIC authentication).

One strategy for dealing with this might be to register a session event listener and register your session in the sessionCreated() event handler.

> Rgds
> --
> Antony Bowesman
> Teamware Group
> [EMAIL PROTECTED]
> phone: +358 9 5128 2562
> fax  : +358 9 5128 2705
> intra / extra / Internet solutions at www.teamware.com

Craig
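The session-listener strategy suggested above, written out as an added example (it is not code from this thread or from Tomcat). It uses only the Servlet 2.3 `HttpSessionListener` API that Tomcat 4 implements; the class name, the `AUTH_ATTR` attribute name and the `markAuthenticated()` helper are assumptions. Two caveats drive the design: `sessionCreated()` fires for every session, anonymous ones included, so being in the registry says nothing about whether a login happened, and a registry that never forgets sessions is a memory leak, so `sessionDestroyed()` must remove them.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical HttpSessionListener (Servlet 2.3) keeping a registry of live sessions so
 * that code running after a successful login can find the session to hand off by id.
 * Registered in web.xml as:
 *   <listener>
 *     <listener-class>SessionRegistryListener</listener-class>
 *   </listener>
 */
public class SessionRegistryListener implements HttpSessionListener {

    /** Attribute set on the session once authentication has succeeded (name made up for the example). */
    public static final String AUTH_ATTR = "example.authenticatedUser";

    // Session id -> HttpSession. Synchronized because the container fires events from many threads.
    private static final Map SESSIONS = Collections.synchronizedMap(new HashMap());

    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        SESSIONS.put(s.getId(), s);
    }

    // Without this the registry would pin invalidated sessions (and their attributes) in memory forever.
    public void sessionDestroyed(HttpSessionEvent se) {
        SESSIONS.remove(se.getSession().getId());
    }

    /** Called by whatever code knows the login succeeded, e.g. a custom form authenticator. */
    public static void markAuthenticated(HttpSession s, String user) {
        s.setAttribute(AUTH_ATTR, user);
    }

    /**
     * Hand-off lookup: returns the session only if it is still live and has been marked
     * authenticated. Presence in the registry alone proves nothing about login state.
     */
    public static HttpSession lookupAuthenticated(String id) {
        HttpSession s = (HttpSession) SESSIONS.get(id);
        if (s == null) return null;
        try {
            return s.getAttribute(AUTH_ATTR) != null ? s : null;
        } catch (IllegalStateException e) {   // invalidated between the map lookup and use
            SESSIONS.remove(id);
            return null;
        }
    }

    public static int liveSessionCount() { return SESSIONS.size(); }
}
```

One deployment caveat: the registry is a static map in a web application class. If the Realm is loaded by the container's class loader rather than the web application's, as a Realm configured in server.xml normally is, that static map is not visible to it; the lookup then has to be made from code that runs inside the web application, or from a replacement authenticator of the kind described later in the thread.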
Re: Getting HttpRequest inside Realm/Tomcat 4
Hi Craig,

Thanks for your comments again.

> You're right ... there is nothing there to do this. The original design was based on the idea that Realm simply encapsulates a service that authenticates a user, given a username and some credentials. In addition, it needs to work even when HTTP sessions are not in use (for example, for BASIC authentication).
>
> One strategy for dealing with this might be to register a session event listener and register your session in the sessionCreated() event handler.

I like the realm and general design in TC4, it's much better and cleaner than 3.2. However, I think there is something missing in the realm interface authenticate methods, particularly for form login:-

If you modify a login form to include a field other than j_username and j_password so the user can select some kind of 'post login preferences' it is not possible to get this extra field to the realm.

We use JAAS for authentication. JAAS allows and one of the login modules authenticates against our EJB user repository and loads user preferences (groups/roles etc) and one feature the user can select is their preferred role set for the session.

I don't think the event listener will work for our use, following login, so it seems the following is how I can achieve what I want. Replace the org.apache.catalina.authenticator.FormAuthenticator with my own FormAuthenticator class by modifying the Authenticators.properties and extend the realm interface to pass either a map of http request parameters, or in fact the http request itself. My realm can do what it wants.

What about passing the Request object as a parameter to the Realm interface authenticate() methods for 4.1 release. And how about having only a JAAS realm in standard tomcat and just provide different login modules for jdbc/jndi/other access. JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for Tomcat 4?

BTW, I saw you offered your BOF slides to someone, are they available?

Rgds
Antony
Getting HttpRequest inside Realm/Tomcat 4
Hi,

I have a realm implementation that needs to access the HttpSession when a new successful authentication request is made. (I need to hand off the session to a third party.) How can I do this from within the realm.authenticate() method? I've looked through the Container interface and can't find anything.

Rgds
--
Antony Bowesman
Teamware Group
[EMAIL PROTECTED]
phone: +358 9 5128 2562
fax  : +358 9 5128 2705
intra / extra / Internet solutions at www.teamware.com