RE: Realm Security Implementation Question [OT]

2002-08-25 Thread Jacob Hookom



| -Original Message-
| From: Will Hartung [mailto:[EMAIL PROTECTED]]
| Sent: Thursday, August 22, 2002 6:14 PM
| To: Tomcat Users List
| Subject: Re: Realm Security Implementation Question [OT]
| 
| From: Jacob Hookom [EMAIL PROTECTED]
| Sent: Thursday, August 22, 2002 11:19 AM
| 
| 
|  Sorry, I only glanced at the first Pstmt.
| 
|  The roles for our application(s) are complex enough that I'm almost
|  thinking of storing a Document (XML) for the user when they login, so
|  role validation actually is an XPath statement by which the Realm
|  queries the Principal's DOM for 1 or more nodes and returns true,
|  otherwise false.  This would lead to additional flexibility for querying
|  out all roles for a specific project, not just validating against them.
|  Also, future applications can attach themselves to the Document without
|  affecting current applications.
| 
| Wow! That sounds complicated. Does it really need to be this complicated?

Everything about container management seems to be URI/Filter based, but
we have issues of okay, everyone can hit /project.do, but we authorize
based on a param.

| 
|  My only concern is memory, I am looking at Dom4j as the Principal's
|  Document, and from IBM's tests, it's the next best thing to XPP and it
|  has a memory footprint that's slightly smaller than Xerces.
| 
| You have the memory of the XML document and all of the classes.
| 
|  Either way, String[] vs. Document, there's going to be about 50+
|  elements and with strings, I would end up duplicating information
|  (project/id, project/id/role1, project/id/role2, project/id/role3).
| 
| Sure, but how many users? 10? 1?
| 
| 50 entries * 25 chars per entry = 1250 chars, or 2500 bytes (as chars are
| 16-bits in Java). Seems pretty cheap to me.
| 
| It just seems expedient is all, the replicated roles are a little
| wasteful, perhaps, but it's simple. It works. It's easy to debug if you
| have problems. Depending on your load, it certainly gets you over the
| hump to move on to more interesting problems.

All the role data is being pulled from SQL, but we are thinking about
proxying the Principal to check XPath role requests against a single
document, so all projects and user roles are actually stored in one big
document, which would also help with read requests like "give me all of
user 54's projects".

-Jacob

| 
| Regards,
| 
| Will Hartung
| ([EMAIL PROTECTED])
| 
| 
| 
| 
| 
| --
| To unsubscribe, e-mail:   mailto:tomcat-user-
| [EMAIL PROTECTED]
| For additional commands, e-mail: mailto:tomcat-user-
| [EMAIL PROTECTED]
| 
| ---
| Incoming mail is certified Virus Free.
| Checked by AVG anti-virus system (http://www.grisoft.com).
| Version: 6.0.381 / Virus Database: 214 - Release Date: 8/2/2002
| 

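The per-user Document idea in Jacob's message above, as an added example that is not code from the thread: a Principal's roles are loaded into a small XML tree and a role check is a path query that succeeds when it matches at least one node. Python's ElementTree only implements an XPath subset, so it stands in here for the XPath engine Dom4j would provide; the element and attribute names (principal, project id, role name) and the sample role rows are assumptions. Because the project id comes straight off the request (project.do?id=443), it is parsed as an integer before it is placed in the expression, which is the check a practitioner would want before building XPath from a parameter.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows for one user, in tbl_project_user shape: (projectuid, role)
SAMPLE_ROLES = [(443, "admin"), (443, "member"), (10, "member")]


def build_principal_doc(uid, rows):
    """Build <principal uid><project id><role name/>...</project>... from role rows.

    Element and attribute names are assumptions, not the thread's schema.
    """
    root = ET.Element("principal", uid=str(int(uid)))
    projects = {}
    for project_id, role in rows:
        node = projects.get(project_id)
        if node is None:
            node = ET.SubElement(root, "project", id=str(int(project_id)))
            projects[project_id] = node
        ET.SubElement(node, "role", name=role)
    return root


def _safe_id(value):
    """The project id arrives from the request (project.do?id=443).

    Parse it as a non-negative integer before it goes into a path expression,
    so a value such as  443'] | //project['  cannot reshape the query.
    """
    pid = int(str(value), 10)
    if pid < 0:
        raise ValueError("negative project id")
    return str(pid)


def _safe_name(value):
    """Role names are restricted to identifier characters for the same reason."""
    if not value or not value.replace("_", "").isalnum():
        raise ValueError("bad role name: %r" % (value,))
    return value


def has_role(doc, project_id, role):
    """Realm check: true iff the query matches at least one node."""
    path = "./project[@id='%s']/role[@name='%s']" % (
        _safe_id(project_id), _safe_name(role))
    return doc.find(path) is not None


def roles_for_project(doc, project_id):
    """All roles the principal holds on one project (the 'query out' case)."""
    path = "./project[@id='%s']/role" % _safe_id(project_id)
    return sorted(r.get("name") for r in doc.findall(path))


def project_ids(doc):
    """Every project the principal is a member of."""
    return sorted(int(p.get("id")) for p in doc.findall("./project"))


if __name__ == "__main__":
    doc = build_principal_doc(54, SAMPLE_ROLES)
    print(has_role(doc, "443", "admin"), roles_for_project(doc, 443), project_ids(doc))
```

The same validation belongs in front of any real XPath engine: an id that reaches the expression unparsed turns a membership check into whatever predicate the caller writes.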




Re: Realm Security Implementation Question [OT]

2002-08-22 Thread Craig R. McClanahan

On Thu, 22 Aug 2002 [EMAIL PROTECTED] wrote:

 Date: Thu, 22 Aug 2002 02:01:55 EDT
 From: [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Realm Security Implementation Question [OT]

 Why in the FUCK am I getting all these Tomcat and Apache Fuckin` e-mails?
 FUCKIN` STOP IT


Funny thing ... when you subscribe to a mailing list, suddenly you start
receiving all of the messages that are posted to that mailing list.
Imagine that :-).

Because your approach to communication appears to be at the pre-teen
juvenile level (I've heard 12 year olds swear more effectively :-), I
won't even bother trying to explain to you how to unsubscribe -- instead I
will just remove you from the list.

If you ever grow up and want to join adult conversations about Tomcat, you
can resubscribe by sending an empty message to
[EMAIL PROTECTED].  In the mean time, please go
away -- otherwise I'll add you to Apache's spam filter list.

(sigh ... I *so* try not to judge people by aol.com email addresses ...)







RE: Realm Security Implementation Question [OT]

2002-08-22 Thread Cox, Charlie

Why can't you just combine the project id and role name to create a complex
role that is returned? That way each time you need to check project '10' for
role 'admin', your combined role would be '10admin' and that's what you
would check for in your code and web.xml. 

So then your view returns all combinations for the user and better yet, you
don't have to write your own realm.

Charlie

 -Original Message-
 From: Jacob Hookom [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, August 22, 2002 12:53 AM
 To: 'Tomcat Users List'
 Subject: RE: Realm Security Implementation Question [OT]
 
 
 Comments below
 
 | -Original Message-
 | From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
 | Sent: Wednesday, August 21, 2002 11:04 PM
 | To: Tomcat Users List
 | Subject: Re: Realm Security Implementation Question [OT]
 | 
 | On most reasonable databases, you can create views that organize the data
 | in the way that JDBCRealm needs, and that's a *lot* easier than writing
 | your own LoginMethod implementation in JAAS.
 |
 
 It's not a problem to create views, but I am hesitant to use
 JDBCRealm. From looking at the source, it requires one row to contain
 all valid roles.  In this case, I would have to setup extensive amounts
 of triggers since role management for the site is extremely volatile and
 set by users of the site as they go.
 
 I had posted about creating Realms before which you graciously responded
 to, but I'm still stuck as to how to handle this schema:
 
 tbl_user
 uid   email   password
 
 tbl_project
 uid   name
 
 tbl_project_user
 useruid   projectuid  role
 
 tbl_resource
 uid   name
 
 tbl_resource_user
 useruid   resourceuid role
 
 So, if a user is accessing a project referenced by its uid
 (project.do?id=443), I must be able to check a role to see if the user
 is even a member of that project, and then get the role(s) he has for
 it.  There isn't any uri/directory based validation required.
 
 We are developing only for ourselves so we do have the flexibility of
 working directly with our own principal.  The other option is again,
 coming up with a String representation that can be tokenized in
 representing a role for a particular project id.
 
 -Jacob
 
 |   Our
 |  applications are deployed under a single war to take advantage of a
 |  pseudo single sign-on.
 | 
 | 
 | Tomcat 4 supports real single sign on if you want it -- see the section
 | entitled Single Sign On:
 | 
 | http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/host.html
 | 
 | http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html
 | 
 | 
 | 
 |  Any suggestions would be appreciated,
 | 
 |  Jacob
 | 
 | 
 | Craig
 | 
 | 




Realm Security Implementation Question [OT]

2002-08-21 Thread Hookom, Jacob John

We are trying to figure out a way to handle realm-based security in a 
multi-application environment where users and their roles are specified in a DB.  
Users are stored in one table with password and there is a table for each application 
defining permissions for the user.
 
I have been looking at the new JAASRealm that Craig put together, but I'm not sure if 
it's exactly what we need or if it's going overboard.  Otherwise we have to represent 
roles in this manner: [applicationName]:[applicationId]:[role] and have a specialized 
realm do string parsing to validate roles within an application.  Our applications are 
deployed under a single war to take advantage of a pseudo single sign-on.
 
Any suggestions would be appreciated,
 
Jacob





RE: Realm Security Implementation Question [OT]

2002-08-21 Thread Andrew Conrad

Your users and roles are in a DB?  It's almost JDBCRealm, except you
have a table of roles for each application.  

Take a look at the JDBCRealm and I bet you could make your own Realm
based loosely on that.

- Andrew

 -Original Message-
 From: Hookom, Jacob John [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, August 21, 2002 4:20 PM
 To: [EMAIL PROTECTED]
 Subject: Realm Security Implementation Question [OT]
 
 
 We are trying to figure out a way to handle realm-based 
 security in a multi-application environment where users and 
 their roles are specified in a DB.  Users are stored in one 
 table with password and there is a table for each application 
 defining permissions for the user.
  
 I have been looking at the new JAASRealm that Craig put 
 together, but I'm not sure if it's exactly what we need or if 
 it's going overboard.  Otherwise we have to represent roles 
 in this manner: [applicationName]:[applicationId]:[role] and 
 have a specialized realm do string parsing to validate roles 
 within an application.  Our applications are deployed under a 
 single war to take advantage of a pseudo single sign-on.
  
 Any suggestions would be appreciated,
  
 Jacob
 




RE: Realm Security Implementation Question [OT]

2002-08-21 Thread Jacob Hookom

Thanks, I'm looking farther down the road since our application could
also require roles to be pulled from an XML, the more I read about JAAS,
the more I think it's the way to go.  Our deployed larger applications
have roles setup in the DB under separate tables, but with each
additional small project, it might be ideal to setup roles in an XML
file, we could possibly look at stacking LoginModules for a single
Subject.

| -Original Message-
| From: Andrew Conrad [mailto:[EMAIL PROTECTED]]
| Sent: Wednesday, August 21, 2002 5:31 PM
| To: 'Tomcat Users List'
| Subject: RE: Realm Security Implementation Question [OT]
| 
| Your users and roles are in a DB?  It's almost JDBCRealm, except you
| have a table of roles for each application.
| 
| Take a look at the JDBCRealm and I bet you could make your own Realm
| based loosely on that.
| 
| - Andrew
| 
|  -Original Message-
|  From: Hookom, Jacob John [mailto:[EMAIL PROTECTED]]
|  Sent: Wednesday, August 21, 2002 4:20 PM
|  To: [EMAIL PROTECTED]
|  Subject: Realm Security Implementation Question [OT]
| 
| 
|  We are trying to figure out a way to handle realm-based
|  security in a multi-application environment where users and
|  their roles are specified in a DB.  Users are stored in one
|  table with password and there is a table for each application
|  defining permissions for the user.
| 
|  I have been looking at the new JAASRealm that Craig put
|  together, but I'm not sure if it's exactly what we need or if
|  it's going overboard.  Otherwise we have to represent roles
|  in this manner: [applicationName]:[applicationId]:[role] and
|  have a specialized realm do string parsing to validate roles
|  within an application.  Our applications are deployed under a
|  single war to take advantage of a pseudo single sign-on.
| 
|  Any suggestions would be appreciated,
| 
|  Jacob
| 




Re: Realm Security Implementation Question [OT]

2002-08-21 Thread Craig R. McClanahan



On Wed, 21 Aug 2002, Hookom, Jacob John wrote:

 Date: Wed, 21 Aug 2002 15:19:56 -0500
 From: Hookom, Jacob John [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Realm Security Implementation Question [OT]

 We are trying to figure out a way to handle realm-based security in a
 multi-application environment where users and their roles are specified
 in a DB.  Users are stored in one table with password and there is a
 table for each application defining permissions for the user.

 I have been looking at the new JAASRealm that Craig put together, but
 I'm not sure if it's exactly what we need or if it's going overboard.
 Otherwise we have to represent roles in this manner:
 [applicationName]:[applicationId]:[role] and have a specialized realm do
 string parsing to validate roles within an application.

On most reasonable databases, you can create views that organize the data
in the way that JDBCRealm needs, and that's a *lot* easier than writing
your own LoginMethod implementation in JAAS.

  Our
 applications are deployed under a single war to take advantage of a
 pseudo single sign-on.


Tomcat 4 supports real single sign on if you want it -- see the section
entitled Single Sign On:

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/host.html

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html



 Any suggestions would be appreciated,

 Jacob


Craig






RE: Realm Security Implementation Question [OT]

2002-08-21 Thread Jacob Hookom

Comments below

| -Original Message-
| From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
| Sent: Wednesday, August 21, 2002 11:04 PM
| To: Tomcat Users List
| Subject: Re: Realm Security Implementation Question [OT]
| 
| On most reasonable databases, you can create views that organize the data
| in the way that JDBCRealm needs, and that's a *lot* easier than writing
| your own LoginMethod implementation in JAAS.
|

It's not a problem to create views, but I am hesitant to use
JDBCRealm. From looking at the source, it requires one row to contain
all valid roles.  In this case, I would have to setup extensive amounts
of triggers since role management for the site is extremely volatile and
set by users of the site as they go.

I had posted about creating Realms before which you graciously responded
to, but I'm still stuck as to how to handle this schema:

tbl_user
uid email   password

tbl_project
uid name

tbl_project_user
useruid projectuid  role

tbl_resource
uid name

tbl_resource_user
useruid resourceuid role

So, if a user is accessing a project referenced by its uid
(project.do?id=443), I must be able to check a role to see if the user
is even a member of that project, and then get the role(s) he has for
it.  There isn't any uri/directory based validation required.

We are developing only for ourselves so we do have the flexibility of
working directly with our own principal.  The other option is again,
coming up with a String representation that can be tokenized in
representing a role for a particular project id.

-Jacob

|   Our
|  applications are deployed under a single war to take advantage of a
|  pseudo single sign-on.
| 
| 
| Tomcat 4 supports real single sign on if you want it -- see the section
| entitled Single Sign On:
| 
| http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/host.html
| 
| http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/host.html
| 
| 
| 
|  Any suggestions would be appreciated,
| 
|  Jacob
| 
| 
| Craig
| 
| 
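Charlie's composite-role suggestion earlier in the thread, applied to the schema Jacob posts in this message, as an added example that is not code from the thread or from Tomcat. The tables are built in an in-memory SQLite database with constructed rows; a view emits one row per (user, composite role), which is the userRoleTable shape JDBCRealm queries after authenticating, so no custom Realm is needed. The view name v_user_role, the project:<id>:<role> format and the sample data are assumptions. One caveat is worth making explicit: plain concatenation of id and role, as in '10admin', is ambiguous (project 1 with role '0admin' produces the same string), so a delimiter is used and roles are barred from containing it.

```python
import sqlite3

# Schema from the thread (tbl_resource omitted), plus the composite-role view.
SCHEMA = """
CREATE TABLE tbl_user (
    uid      INTEGER PRIMARY KEY,
    email    TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL);
CREATE TABLE tbl_project (
    uid  INTEGER PRIMARY KEY,
    name TEXT NOT NULL);
CREATE TABLE tbl_project_user (
    useruid    INTEGER NOT NULL REFERENCES tbl_user(uid),
    projectuid INTEGER NOT NULL REFERENCES tbl_project(uid),
    role       TEXT NOT NULL CHECK (instr(role, ':') = 0),
    PRIMARY KEY (useruid, projectuid, role));
-- One row per (user, composite role): the userRoleTable shape JDBCRealm reads.
-- The ':' delimiter keeps project 1 + role '0admin' apart from project 10 + role 'admin'.
-- The user column keeps the name 'email' because JDBCRealm applies one userNameCol
-- to both the user table and the role table.
CREATE VIEW v_user_role AS
    SELECT u.email AS email,
           'project:' || pu.projectuid || ':' || pu.role AS role_name
    FROM tbl_project_user pu
    JOIN tbl_user u ON u.uid = pu.useruid;
"""

# Constructed sample rows (password values are placeholders only).
SAMPLE_ROWS = {
    "tbl_user": [(54, "jacob@example.com", "x"), (55, "will@example.com", "x")],
    "tbl_project": [(1, "legacy"), (10, "console"), (443, "realm-rewrite")],
    "tbl_project_user": [
        (54, 443, "admin"), (54, 443, "member"), (54, 10, "member"),
        (55, 1, "0admin"),
    ],
}


def open_db():
    """Create the schema and load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), rows)
    conn.commit()
    return conn


def composite_role(project_id, role):
    """The string the application checks for, e.g. isUserInRole('project:443:admin')."""
    if not role or ":" in role:
        raise ValueError("role must be non-empty and must not contain ':'")
    return "project:%d:%s" % (int(project_id), role)


def roles_for_user(conn, email):
    """Same query shape JDBCRealm runs against userRoleTable once a login succeeds."""
    rows = conn.execute("SELECT role_name FROM v_user_role WHERE email = ?", (email,))
    return {r[0] for r in rows}


def has_role(conn, email, project_id, role):
    """Membership-and-role check for one project, driven by the request's id."""
    return composite_role(project_id, role) in roles_for_user(conn, email)


def projects_for_user(conn, email):
    """'Give me all of user N's projects', straight from the base table."""
    rows = conn.execute(
        "SELECT DISTINCT pu.projectuid FROM tbl_project_user pu "
        "JOIN tbl_user u ON u.uid = pu.useruid WHERE u.email = ?", (email,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = open_db()
    print(sorted(roles_for_user(db, "jacob@example.com")))
    print(has_role(db, "jacob@example.com", 443, "admin"), projects_for_user(db, "jacob@example.com"))
```

With the view in place, the matching JDBCRealm attributes would be userTable="tbl_user", userNameCol="email", userCredCol="password", userRoleTable="v_user_role" and roleNameCol="role_name". Two practical notes: web.xml cannot enumerate roles that users create on the fly, so project-level checks stay in code via isUserInRole with the composite name; and Tomcat 4's JDBCRealm reads the role list at authentication and keeps it on the Principal, so a change to tbl_project_user is seen at that user's next login, not on the next request.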




Re: Realm Security Implementation Question [OT]

2002-08-21 Thread gnssykex

Why in the FUCK am I getting all these Tomcat and Apache Fuckin` e-mails? 
FUCKIN` STOP IT