JAASRealm and JDK1.3.1_03

2002-09-09 Thread James Krygowski

Is anyone here able to get JAAS authentication working using the JAASRealm,
Tomcat 4.1.9, and JDK1.3.1_02??

I've been having lots of what look like classpath/classloader issues in
getting the default JAASMemoryLoginModule to work.  I've read that the
jaas.jar located in Tomcat's server/lib must be removed due to some issues
regarding the server classloader.  This class I've relocated to a different
directory and included on the Tomcat classpath via the setclasspath.bat
file.  When I did this I was able to get the LoginModule to load (I can see
this because I'm JPDA stepping through the Tomcat source) but the whole
thing fails when I execute the login on the LoginModule.  This is the point
at which the JAAS infrastructure loads the JAASMemoryLoginModule.  I assume
that this fails because the classes loaded from the classpath can't "see"
the classes loaded by the system classloader (server/lib).  As a fix, I
tried to jar up the relevant classes from the realm package and put them on
the classpath via setclasspath.bat.  However, this caused Tomcat to fail to
start.

Any suggestions would be appreciated.  Thanks!

jk


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




JAASRealm SecurityException unable to instantiate LoginConfiguration

2002-09-04 Thread James Krygowski

Hey All-

I'm trying to get the standard JAASMemoryLoginModule in Tomcat 4.1.9beta to
work and haven't had much success.  After tinkering with JAASRealm and
adding the following exception catch block:

    LoginContext loginContext = null;
    try {
        loginContext = new LoginContext
            (appName, new JAASCallbackHandler(this, username,
                                              credentials));
    } catch (LoginException e) {
        log(sm.getString("jaasRealm.loginException", username), e);
        return (null);
    } catch (Exception e) {
        // Added catch-all: also reports failures that are not LoginExceptions,
        // such as the SecurityException described below.
        log(sm.getString("jaasRealm.loginException", username), e);
        return (null);
    }

I found that the instantiation of LoginContext results in a
java.lang.SecurityException with a detail message of "unable to instantiate
LoginConfiguration"

I'm using the standard 4.1.9beta install (standalone) and I've modified my
catalina.bat file so that the JAAS env variable is getting set
(-Djava.security.auth.login.config=C:/java/apache/jakarta-tomcat-4.1.9/conf/auth.conf).

Can anyone point me toward a solution here?

thanks,

jk
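
Added example (not from the original post and not Tomcat code): a stand-alone check, run outside Tomcat on a current JDK where JAAS is built in, of whether the file named by java.security.auth.login.config can be located and parsed and contains an entry for the realm's application name. This separates a configuration-file problem from a class-loading one. The entry name "Tomcat" and the sample file contents are assumptions constructed for the example.

```java
import java.io.File;
import java.io.FileWriter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasConfigCheck {
    // Describes the entry for appName, or the reason the configuration cannot be used.
    static String check(String configPath, String appName) {
        System.setProperty("java.security.auth.login.config", configPath);
        try {
            Configuration cfg = Configuration.getConfiguration();
            cfg.refresh(); // re-read the property in case a configuration was cached
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(appName);
            if (entries == null || entries.length == 0) {
                return "no entry named '" + appName + "' in " + configPath;
            }
            StringBuilder sb = new StringBuilder();
            for (AppConfigurationEntry e : entries) {
                // Parsing does not load the LoginModule class, only records its name.
                sb.append(e.getLoginModuleName()).append(' ')
                  .append(e.getControlFlag()).append(' ')
                  .append(e.getOptions()).append('\n');
            }
            return sb.toString();
        } catch (SecurityException e) {
            // Thrown when the configuration cannot be instantiated, found or parsed.
            return "configuration could not be loaded: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file; the entry name must match the realm's appName.
        File conf = File.createTempFile("auth", ".conf");
        conf.deleteOnExit();
        try (FileWriter w = new FileWriter(conf)) {
            w.write("Tomcat {\n"
                  + "  org.apache.catalina.realm.JAASMemoryLoginModule required debug=true;\n"
                  + "};\n");
        }
        System.out.println(check(conf.getAbsolutePath(), "Tomcat"));
        System.out.println(check(conf.getAbsolutePath(), "NoSuchApp"));
        System.out.println(check(conf.getAbsolutePath() + ".missing", "Tomcat"));
    }
}
```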






Tomcat 4.1.x JAASRealm Implementation

2002-08-09 Thread James Krygowski

Hey All (Craig particularly)-

Going through the code that exists in 4.1.8, I noticed that in the JAASRealm
comments, Craig makes mention of using classes implementing the Principal
interface to represent Users and Roles.  This sounds like a good approach
given the vagueness surrounding the JAAS implementation once you get into
implementing it.  In the JAASRealm class, there are setters for configuring
the JAASRealm with the names of Principal classes that contain Users and
Roles.  After running a "Find Usages" with IDEA, I wasn't able to find any
code which references these methods.  So, how does the JAASRealm find out
what classes contain users vs. roles?  Is there some kind of magic going on
with the realm config node in server.xml?  I'd like to start using JAAS on
Tomcat since we currently use JAAS for our JRun servers and converting the
existing LoginModules won't be too much of a pain.

jk






RE: forwarding through j_security_check

2002-07-18 Thread James Krygowski

Hi Craig-

I've come up with a solution that seems to work very well for my purposes.
Unfortunately, my project's priority is to build on JRun, but I'll need to
adapt this solution to Tomcat in the near future.  I post the description of
my implemented solution just to get it out there for comment and possibly
(if the solution is worthy) to help out anyone else trying to solve this
problem.

The essence of the problem, again, was to enable a single sign-on through a
corporate portal.  The portal presents links to other corporate web
applications.  Clicking on those links automatically signs the user on
through the web-app's security service.

My solution was to create a servlet (Jrun)SecurityCredentialForward capable
of interacting with the security service (in the current solution JRun's
WebAppSecurityService).  By bypassing the FormAuthentication class (the real
manager of the j_security_check workflow) I could avoid the two-step
process.  Each URL in the portal's application list contains a link to the
security servlet and parameters specifying the application's main URL,
username and password.  The SecurityCredentialForward takes the username and
password, authenticates them with the WebAppSecurityService and, if
everything is kosher, redirects the user to the main web page.  All
"natural" web container security functions are used from there on and as far
as the container is concerned, the j_security_check process ran as normal.

I'm pretty sure this same approach could be used with Tomcat.  It doesn't
seem to incur any negative performance penalties and doesn't (as far as I
can see) violate the login process since it uses resources that are already
available to the servlet.

Any opinions are gladly accepted.

thanks,

Jim

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 16, 2002 12:45 PM
> To: Tomcat Users List
> Subject: RE: forwarding through j_security_check
>
>
>
>
> On Tue, 16 Jul 2002, James Krygowski wrote:
>
> > Date: Tue, 16 Jul 2002 07:09:55 -0400
> > From: James Krygowski <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: RE: forwarding through j_security_check
> >
> > Hi Craig-
> >
> > >> If so, is it possible to set up a servlet that
> > >> could manipulate the Referrer in the header, and redirect a request along to
> > >> an application in another Tomcat server, making it look like a post to
> > >> j_security_check, complete with referrer, j_username and j_password?
> > >>
> > >> Any suggestions or comments are welcome and appreciated.
> > >>
> > > Trying to forward security credentials like this is pretty much guaranteed
> > > not to work.
> > >
> > > One thing you might consider using is Tomcat's standard support for single
> > > sign on across multiple webapps.  Check out the "Single Sign On" section
> >
> > Thanks for the response.  Your suggestion is only applicable for those who
> > have a homogenous Tomcat environment.  In my situation, my portal will have
> > to forward to a mixed environment of Tomcat and JRun servers.  In the future
> > that may expand to include either WebLogic or WebSphere.  I find it hard to
> > believe that there is no way to programmatically manage a login sequence
> > using j_security_check. Is it possible to use a servlet intermediary to
> > handle the login interaction and then redirect the user to a "protected"
> > resource once the login sequence is successfully completed?
>
> Hard to believe or not, the servlet spec is totally silent about
> programmatic interaction with j_security_check.  That means there is
> absolutely no guarantee of behavior consistency in this regard across
> servlet containers -- or even across different versions of the same
> container (Tomcat 3.3 and 4.x do things very differently in this regard,
> for example).
>
> Your use case is something that things like the Liberty Alliance
> <http://www.projectliberty.org> are trying to solve.  Unfortunately,
> you're a bit early on the adoption curve for that to be helpful.
>
> About the only portable thing you can do in the mean time would be a proxy
> app that your users always went through for every request, which knows how
> to do the login interaction with each back end app as needed (i.e.
> whenever they challenge for credentials, answer based on what it knows
> about this user, but pass all other requests through).  But the
> performance impact of such a proxy isn't going to be very attractive.
>
> Craig
>
>
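
Added example (not part of the original thread and not JRun or Tomcat code): the portal link described above carries the username and password as URL parameters, which places them in browser history, server access logs and Referer headers. One alternative is a short-lived ticket signed with a key shared by the portal and the application, with the target page checked against an allowlist. The class name, key, paths and ticket layout are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PortalTicket {
    // Hypothetical demo values: a key shared by portal and application, and the
    // application pages the portal is allowed to send users to.
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("/app/main", "/reports/index.jsp"));
    static final long MAX_AGE_MS = 60_000;

    static String mac(String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Portal side: ticket = user|target|issuedAtMillis|mac, sent instead of a password.
    static String issue(String user, String target, long now) throws Exception {
        if (user.indexOf('|') >= 0 || target.indexOf('|') >= 0)
            throw new IllegalArgumentException("'|' is the field separator");
        String body = user + "|" + target + "|" + now;
        return body + "|" + mac(body);
    }

    // Application side: returns the authenticated user name, or null if rejected.
    static String verify(String ticket, long now) throws Exception {
        String[] p = ticket.split("\\|");
        if (p.length != 4) return null;
        String body = p[0] + "|" + p[1] + "|" + p[2];
        byte[] expected = mac(body).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the recomputed and the presented MAC.
        if (!MessageDigest.isEqual(expected, p[3].getBytes(StandardCharsets.UTF_8))) return null;
        long issued = Long.parseLong(p[2]);
        if (now < issued || now - issued > MAX_AGE_MS) return null; // future-dated or expired
        if (!ALLOWED.contains(p[1])) return null;                   // target not on the allowlist
        return p[0];
    }

    public static void main(String[] args) throws Exception {
        long t0 = System.currentTimeMillis();
        String ticket = issue("jsmith", "/app/main", t0); // constructed sample user
        System.out.println("fresh:    " + verify(ticket, t0 + 1_000));
        System.out.println("expired:  " + verify(ticket, t0 + 120_000));
        System.out.println("tampered: " + verify(ticket.replace("/app/main", "/admin"), t0 + 1_000));
    }
}
```

A ticket can be replayed until it expires; making it single-use requires the application to remember the tickets it has already accepted.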




RE: forwarding through j_security_check

2002-07-16 Thread James Krygowski

Hi Craig-

>> If so, is it possible to set up a servlet that
>> could manipulate the Referrer in the header, and redirect a request along to
>> an application in another Tomcat server, making it look like a post to
>> j_security_check, complete with referrer, j_username and j_password?
>>
>> Any suggestions or comments are welcome and appreciated.
>>
> Trying to forward security credentials like this is pretty much guaranteed
> not to work.
>
> One thing you might consider using is Tomcat's standard support for single
> sign on across multiple webapps.  Check out the "Single Sign On" section

Thanks for the response.  Your suggestion is only applicable for those who
have a homogenous Tomcat environment.  In my situation, my portal will have
to forward to a mixed environment of Tomcat and JRun servers.  In the future
that may expand to include either WebLogic or WebSphere.  I find it hard to
believe that there is no way to programmatically manage a login sequence
using j_security_check. Is it possible to use a servlet intermediary to
handle the login interaction and then redirect the user to a "protected"
resource once the login sequence is successfully completed?




forwarding through j_security_check

2002-07-15 Thread James Krygowski

Hi All-

I'm working on a web-app launcher.  The essential idea is to provide users
with a centralized, secure web portal from which they can launch other web
applications.  The other applications will reside in Tomcat servers
different from the portal Tomcat server.

Each application will be protected by standard J2EE security implemented
with j_security_check.  I'd like to be able to forward to applications and
automatically negotiate the j_security_check so that users don't have to
log on once they've already presented their credentials to the portal
application (i.e. single sign-on).

Is it possible to formulate an href url that simultaneously specifies the
target resource and the credentials being passed to j_security_check?  I
note that in the packet sent in the j_security_check post, all the
information needed is present.  If I read the packet right, the Referrer
in the http header contains the information about the desired "protected"
resource.  Is this Referrer used by j_security_check to forward a request on
to the desired destination?  If so, is it possible to set up a servlet that
could manipulate the Referrer in the header, and redirect a request along to
an application in another Tomcat server, making it look like a post to
j_security_check, complete with referrer, j_username and j_password?

Any suggestions or comments are welcome and appreciated.

Thanks,

Jim


