Realm programmatic authentication
Hi,

I would like to use the configured realm to authenticate users, but I don't want to use the standard J2EE mechanism (for many reasons). Also, my needs for authorisations are not limited to URLs and are more fine-grained. Since I configured a JNDI realm, I wanted to access the realm in my webapp, but I haven't been able to. I am using Tomcat 5.5.9.

Actually, I had a look at the sources of the manager application and tried to mimic it. I created a Servlet which implemented the ContainerServlet interface. Then, using the setWrapper callback method, I could access the wrapper and realm to authenticate users:

    Principal principal = wrapper.getRealm().authenticate(username, password);

But I haven't managed to make it work; I faced many issues:

- catalina classes could not be loaded: I added the catalina.jar in the common.loader section of the catalina.properties file.
- security exceptions: I had java.lang.SecurityException which I have been unable to solve. I added (at least tried) permissions to the catalina.policy file for the webapp to be able to load catalina classes, but it didn't work:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";

Is there a way, via JMX or other, to access the Realm to authenticate users manually?

Thanks for your help.

Luc

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Programmatic Authentication?
Thank you very much.

-Original Message-
From: Victor R. Cardona [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 11:05 PM
To: Tomcat Users List
Subject: Re: Programmatic Authentication?

> Annie Guo wrote:
> | Mind sharing your code?
>
> Here is my code. I make no guarantees as to its security.
>
> Victor
Re: Programmatic Authentication?
Annie Guo wrote:
| Mind sharing your code?

Here is my code. I make no guarantees as to its security.

Victor

authentication.tgz
Description: application/compressed-tar
Re: Programmatic Authentication?
Hi Annie,

The authentication is completely separate from my example. In my example, I already assume that the user has authenticated itself successfully to Tomcat (either through a frontend webserver like Apache or in Tomcat itself). The code in the example only deals with what you can do after that (i.e. assigning Permissions based on Principals in the Java security framework). The Filter is simply used to establish a security context in which the servlets are run.

In short, you should first get your authentication set up...

Cheers,

Michiel

Annie Guo wrote:
> Thank you Michiel. I did read your tutorial. I am new to JAAS and security stuff. I am still struggling with it. I have followed all your code and setup in web.xml. My problem is even though from my LoginModule debug statements that the login and LoginModule commit is successful (I just check the username equals password), my resources are still protected and I keep getting the 'Enter Network Password' popup. Would you please shed some light on that? Thank you.
>
> -Original Message-
> From: Michiel Toneman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 03, 2004 9:53 AM
> To: Tomcat Users List
> Subject: Re: Programmatic Authentication?
>
> > I've done something similar and written a little tutorial about it at:
> > http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
> >
> > Maybe it helps.
> >
> > Michiel

--
Michiel Toneman
Software Engineer
Bibit Global Payment Services
Regulierenring 10
3981 LB Bunnik
[EMAIL PROTECTED]
Tel. +31-30-6595168
Fax +31-30-6564464
http://www.bibit.com/
RE: Programmatic Authentication?
Thank you Michiel. I did read your tutorial. I am new to JAAS and security stuff. I am still struggling with it. I have followed all your code and setup in web.xml. My problem is even though from my LoginModule debug statements that the login and LoginModule commit is successful (I just check the username equals password), my resources are still protected and I keep getting the 'Enter Network Password' popup. Would you please shed some light on that? Thank you.

-Original Message-
From: Michiel Toneman [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 9:53 AM
To: Tomcat Users List
Subject: Re: Programmatic Authentication?

> I've done something similar and written a little tutorial about it at:
> http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
>
> Maybe it helps.
>
> Michiel
>
> Annie Guo wrote:
> > Victor:
> >
> > I would greatly appreciate it.
> >
> > -Original Message-
> > From: Victor R. Cardona [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 02, 2004 11:56 PM
> > To: Tomcat Users List
> > Subject: Re: Programmatic Authentication?
> >
> > > Annie Guo wrote:
> > > | Mind sharing your code?
> > >
> > > Not at all. I will post it tomorrow.
> > >
> > > Victor
Re: Programmatic Authentication?
I've done something similar and written a little tutorial about it at:
http://www.kopz.org/public/documents/tomcat/jaasintomcat.html

Maybe it helps.

Michiel

Annie Guo wrote:
> Victor:
>
> I would greatly appreciate it.
>
> -Original Message-
> From: Victor R. Cardona [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 02, 2004 11:56 PM
> To: Tomcat Users List
> Subject: Re: Programmatic Authentication?
>
> > Annie Guo wrote:
> > | Mind sharing your code?
> >
> > Not at all. I will post it tomorrow.
> >
> > Victor

--
Michiel Toneman
Software Engineer
Bibit Global Payment Services
Regulierenring 10
3981 LB Bunnik
[EMAIL PROTECTED]
Tel. +31-30-6595168
Fax +31-30-6564464
http://www.bibit.com/
RE: Programmatic Authentication?
Victor:

I would greatly appreciate it.

-Original Message-
From: Victor R. Cardona [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 02, 2004 11:56 PM
To: Tomcat Users List
Subject: Re: Programmatic Authentication?

> Annie Guo wrote:
> | Mind sharing your code?
>
> Not at all. I will post it tomorrow.
>
> Victor
Re: Programmatic Authentication?
Annie Guo wrote:
| Mind sharing your code?

Not at all. I will post it tomorrow.

Victor
RE: Programmatic Authentication?
Mind sharing your code?

-Original Message-
From: Victor R. Cardona [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 01, 2004 9:44 PM
To: Tomcat Users List
Subject: Re: Programmatic Authentication?

> Carl Howells wrote:
> | Is it possible to set the Principal and Roles for a session in a manner
> | which will satisfy a security constraint programmatically?
> | At all? I don't mind ignoring the servlet spec and doing something
> | tomcat-specific. This is something that vitally needs to be done on my
> | project.
> |
> | Thanks for any solutions...
>
> I did it by writing a filter that wrapped the incoming HttpServletRequest with a HttpServletRequestWrapper if the client's session contained a token placed there when they logged in. The token is a subclass of java.security.Principal, and the HttpServletRequestWrapper overrides the getRemoteUser(), isUserInRole() and getUserPrincipal() methods.
>
> HTH,
> Victor
Re: Programmatic Authentication?
Carl Howells wrote:
| Is it possible to set the Principal and Roles for a session in a manner
| which will satisfy a security constraint programmatically?
| At all? I don't mind ignoring the servlet spec and doing something
| tomcat-specific. This is something that vitally needs to be done on my
| project.
|
| Thanks for any solutions...

I did it by writing a filter that wrapped the incoming HttpServletRequest with a HttpServletRequestWrapper if the client's session contained a token placed there when they logged in. The token is a subclass of java.security.Principal, and the HttpServletRequestWrapper overrides the getRemoteUser(), isUserInRole() and getUserPrincipal() methods.

HTH,
Victor
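The filter Victor describes, written out as an added example (this is not Victor's attached code and not part of the thread). The class names, the session attribute name and the `establish()` helper are assumptions chosen for the example; it targets the Servlet 2.4 API that Tomcat 5 ships.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Added example (not the thread's code): a filter that exposes a session-held
 * Principal through the standard request API. Names are assumptions.
 */
public class PrincipalFilter implements Filter {

    /** Session attribute under which the token is stored (assumed name). */
    static final String TOKEN_ATTR = "example.authenticatedPrincipal";

    /** The token: an application-verified identity plus its roles. */
    public static final class SessionPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Set<String> roles;

        public SessionPrincipal(String name, Set<String> roles) {
            this.name = name;
            // Defensive copy: nothing can widen the role set after login.
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        public String getName() { return name; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Request view that answers the three security methods from the token. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final SessionPrincipal principal;

        AuthenticatedRequest(HttpServletRequest req, SessionPrincipal principal) {
            super(req);
            this.principal = principal;
        }
        public String getRemoteUser() { return principal.getName(); }
        public Principal getUserPrincipal() { return principal; }
        public boolean isUserInRole(String role) { return principal.hasRole(role); }
    }

    /**
     * Called by application code once it has verified the user (for example
     * right after self-registration). The pre-login session is discarded
     * before the token is stored, so a session id issued before login cannot
     * be reused to ride on the authenticated user.
     */
    public static void establish(HttpServletRequest req, String user, Set<String> roles) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(TOKEN_ATTR, new SessionPrincipal(user, roles));
    }

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest downstream = request;
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            HttpSession session = http.getSession(false);   // never create one here
            Object token = session == null ? null : session.getAttribute(TOKEN_ATTR);
            if (token instanceof SessionPrincipal) {
                downstream = new AuthenticatedRequest(http, (SessionPrincipal) token);
            }
        }
        chain.doFilter(downstream, response);
    }

    public void destroy() { }
}
```

Map the filter in web.xml with a `<filter>` and a `<filter-mapping>` on `/*`. One point worth keeping in mind with this approach: a filter runs inside the web application, after Tomcat's authenticator valve has already enforced the `<security-constraint>` elements of web.xml, so the wrapped request satisfies the application's own `isUserInRole()` and `getUserPrincipal()` checks but not container-enforced constraints. That is why the Realm and Valve answers elsewhere in the thread are the route for the latter.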
Re: Programmatic Authentication?
Yes, just write your own extension of org.apache.catalina.Realm (or extend o.a.c.realm.RealmBase) and read:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html

then follow the instructions on how to install your own valve (search the list :-) )

--
Jeanfrancois

Carl Howells wrote:
> Is it possible to set the Principal and Roles for a session in a manner which will satisfy a security constraint programmatically? At all? I don't mind ignoring the servlet spec and doing something tomcat-specific. This is something that vitally needs to be done on my project.
>
> Thanks for any solutions...
>
> Carl Howells
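What "extend o.a.c.realm.RealmBase" looks like in practice, as an added example (not code from the thread or from Tomcat). RealmBase implements `authenticate(username, credentials)` itself by calling `getPassword()` and comparing, so a subclass only has to supply the three abstract lookups; the class name, the user table and the digest placeholder below are constructed for the example, and the `GenericPrincipal` constructor used is the Tomcat 5.x one.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Added example, not from the thread: the smallest RealmBase subclass
 * Tomcat 5.x will load. authenticate(username, credentials) is inherited;
 * it returns getPrincipal(username) only when getPassword(username)
 * matches the supplied credentials, otherwise null.
 */
public class ExampleRealm extends RealmBase {

    // Constructed sample data; a real realm reads these from its store.
    // Credentials are kept as SHA-1 hex digests so the plaintext password
    // is never held by the realm; this pairs with digest="SHA" on <Realm>.
    private static final Map<String, String> CREDENTIALS = new HashMap<String, String>();
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        CREDENTIALS.put("alice", "<sha1-hex-of-alice-password>");   // placeholder value
        ROLES.put("alice", Arrays.asList("member", "admin"));
    }

    /** Short name used in log output and MBean registration. */
    protected String getName() {
        return "ExampleRealm";
    }

    /** Stored credential for the user, or null if the user is unknown. */
    protected String getPassword(String username) {
        return CREDENTIALS.get(username);
    }

    /** Principal carrying the user's roles, or null if the user is unknown. */
    protected Principal getPrincipal(String username) {
        List<String> roles = ROLES.get(username);
        if (roles == null) {
            return null;
        }
        // Tomcat 5.x signature: (realm, name, password, roles).
        // Later Tomcat versions dropped the Realm argument.
        return new GenericPrincipal(this, username, CREDENTIALS.get(username),
                                    new ArrayList<String>(roles));
    }
}
```

Registered in server.xml as `<Realm className="ExampleRealm" digest="SHA"/>` (the `digest` attribute is documented on the realm-howto page linked above), the inherited `authenticate()` digests the submitted password before comparing it with the stored value, and it is the same `authenticate()` that Luc's `wrapper.getRealm().authenticate(username, password)` call at the top of the page reaches. Returning null from both lookups for unknown users keeps the failure path uniform, and keeping the credential comparison inside RealmBase means no code path can mint a Principal without presenting a credential.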
Programmatic Authentication?
Is it possible to set the Principal and Roles for a session in a manner which will satisfy a security constraint programmatically? At all? I don't mind ignoring the servlet spec and doing something tomcat-specific. This is something that vitally needs to be done on my project.

Thanks for any solutions...

Carl Howells
Re: Programmatic authentication into the Servlet Container
There is no API available to webapps for this functionality. To get around this gap, you'll probably need to look at writing your own Valve. What and how - I am unsure based on the description below.

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/mbeans-descriptor-howto.html

-Tim

kapil khanna wrote:
> How do I programmatically authenticate to the servlet container using Tomcat? I was unable to find the appropriate API call to do so.
>
> The reason I need this is because the web app that I have has a self registration feature (like most other web apps). Currently, without making the API call, I first take the username/password from the user. Then I make the appropriate entries to the user & user role table (I am using JDBCRealm), after which a client side redirect is sent to access a protected page. The container intercepts the request and forwards to the login screen (I am using form based authentication). The user enters their credentials and gets logged into the app.
>
> As you can see, during registration the user needs to first register, and then login. This is a big inconvenience and a usability issue. To avoid this I would like the user to register, after which I want to programmatically log the user in to the servlet container, thus avoiding the user having to enter redundant info twice.
Programmatic authentication into the Servlet Container
How do I programmatically authenticate to the servlet container using Tomcat? I was unable to find the appropriate API call to do so.

The reason I need this is because the web app that I have has a self registration feature (like most other web apps). Currently, without making the API call, I first take the username/password from the user. Then I make the appropriate entries to the user & user role table (I am using JDBCRealm), after which a client side redirect is sent to access a protected page. The container intercepts the request and forwards to the login screen (I am using form based authentication). The user enters their credentials and gets logged into the app.

As you can see, during registration the user needs to first register, and then login. This is a big inconvenience and a usability issue. To avoid this I would like the user to register, after which I want to programmatically log the user in to the servlet container, thus avoiding the user having to enter redundant info twice.
implementing custom JDBCRealm and programmatic authentication
I am considering implementing a custom JDBCRealm. It should make available a method such as

    boolean authenticate(String username)

perhaps in a custom Principal class. The method should log in (authenticate) the user and return true if the user exists (with correct roles), false otherwise.

Can anyone tell me if this would work? How should I go about implementing such a mechanism?

Best regards
jarla
[EMAIL PROTECTED]