Re: [OT] JBoss, Jaas and Struts

[Erik Weber]

Dang I thought I was onto something! I guess I'll stick to my User 
object in each session, and just try to make sure I centralize the auth 
checks as much as I can. Dunno why I ever wanted to change it, anyway.

Thanks Craig for your time.
Erik

Craig McClanahan wrote:
On Sun, 18 Jul 2004 21:50:19 -0400, Erik Weber [EMAIL PROTECTED] wrote:
 

So, I am trying to use the JAAS implementations that JBoss provides,
which are configurable via login-config.xml. Now, if you configure that
file appropriately and create a login page that follows the J2EE specs
for container-managed login (the form action is j_security_check, the
username field is called j_username and the password field is called
j_password), the container does indeed propagate the authenticated
subject to the web-app environment somehow; you can use the methods such
as request.isUserInRole successfully. However, with the form action
having to be set to j_security_check, you lose the link to the Struts
controller, and thus give up Struts stuff like form validation, error
redirecting, etc.
   

That is as it should be.
When you create a form login page (for container managed security),
what you are essentially doing is designing a page that is part of the
*container*, not part of your *application* -- in other words, the
only thing you get to do is make the login page visually look like the
rest of your app.  It is not, in any way shape or form, actually part
of your app.  Therefore, you can't assume things like Struts
validators.
To grasp this more fully, switch your app to use BASIC authentication
instead of FORM, so that the browser pops up its login box.  See how
you don't have any way to specify validators on the input dialog, or
control where the input goes?  That's because form based login is an
exact analog to that procedure.
 

So I toyed with the idea of bridging my Struts login page (action !=
j_security_check) with the container, by somehow processing the form
submittal on my own, but then forwarding the username and password as
j_username and j_passsword to this j_security_check resource, but
I couldn't figure out how to do it. I even went so far as opening an
HttpURLConnection to http://localhost:8080/j_security_check; and
setting the username and password as request parameters, just to see if
it would work. Yeah, it's been a long day. Anyone have an idea on this
approach?
   

Yah, I do ... give up on expecting any portable solution that will
work across servers.  The current specs do not provide for that,
although there are current JSRs under way to address that precise
concern.
 

So I went the route of the typical examples; I wrote a login Action that
instantiates a LoginContext using the domain I have configured in
login-config.xml, provided my own CallbackHandler to submit the username
and password, etc. And the login method does work -- it does
authenticate using the database I specified in login-config.xml, but yet
somehow the Subject is not propagated to the web-app environment the way
it is when you login using the form action j_security_check, and so I
still cannot use the methods such as request.isUserInRole. So obviously
whatever intercepts the call to j_security_check is not only doing
authentication, but it is taking some extra step to let the container
know that the user has been authenticated. I know this is true because
the request.isUserInRole method works when I do it that way. I iterated
all the session attributes and there are no new ones present after
authenticating with j_security_check.
Does anyone know what this missing step is, and how I can do it from my
own code? Or am I wasting my time?
   

If you want to use Struts features in your login page, you'll need to
abandon container managed security.  Perhaps something like
SecurityFilter (a sourceforge project) might be useful to you -- but,
if you're using EJBs and need the propogation of user identity from
the web tier to the EJB tier, this is not likely to work.  The only
possible solution would be something your app server itself provides.
 

Thanks if you even took time to read this!
Erik
   

Craig
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [OT] JBoss, Jaas and Struts

[Rick Reumann]

Erik Weber wrote:
Dang I thought I was onto something! I guess I'll stick to my User 
object in each session, and just try to make sure I centralize the auth 
checks as much as I can. Dunno why I ever wanted to change it, anyway.

Thanks Craig for your time.
I also sent your question on to a co-worker and he had this to say...
Craig if you have any comments regarding below I'd be interested in forwarding 
on to my co-worker here as well. Thanks.

==
This very topic has given me plenty of headaches.  Only by diving into the
Tomcat code did I start to figure out what was going on.
The issue is that the login must happen in two places since both JBoss and
Tomcat security were designed to work standalone.  JBoss accomplished the
integration of the two by hacking Tomcat to use JBossSX as a security realm
while allowing Tomcat to continue collecting its own login credentials.
When you performed your JAAS login within your action, you only authenticated
yourself with JBoss.  Since doing so bypassed the aformentioned hack, Tomcat
never authenticated and the user principal was never applied to the session.
I had a very similar issue not too long ago and when I finally figured out how
JBoss/Tomcat integrated, my brain started spinning trying to figure out how
to do a more intelligent form login through the JBoss/Tomcat stack.
Fortunately form authentication wasn't a requirement for the immediate
problem so I didn't put too many cycles on that problem.
The moral of the story is that you can't bypass j_security_check without
cutting Tomcat out of the authentication loop.  You can't proxy
j_security_check either.  I tried some VERY creative hacks that way and none
of them worked.  Tomcat was designed specifically to not allow it.  Too many
potential exploits there.
There is a possible solution if you're willing to apply a little elbow grease
and bend the JAAS spec a little.  Download the Tomcat source and take a look
at org.apache.catalina.authenticator.BasicAuthenticator.  That's a good
reference for how Tomcat authentication works.
Now take a look at the FormAuthenticator in the same package.  This one is a
bit more complex in that it saves the initial request so that it can replay
it once authentication is complete.
It is conceivable that you can write a StrutsFormAuthenticator that forwards
to the ActionServlet to collect the credentials.  Once you have your new
authenticator, you can register it by adding it to
org/apache/catalina/startup/Authenticators.properties with a key like
STRUTS.  Now go back to your web.xml and replace FORM with STRUTS and
next time Tomcat deploys your war it should load up with your custom
authenticator.
Be aware that JBossWeb has its own shadows of Tomcat authenticators (the
aformentioned hacks).  Instead of extending Tomcat classes directly, you must
extend these and you must patch the
org/jboss/web/tomcat/tc4/Authenticators.properties file in
deploy/jbossweb-tomcat41.sar/tomcat41-service.jar with your STRUTS
reference.
Good luck!

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [OT] JBoss, Jaas and Struts

[Erik Weber]

The helpfulness of people on this list continues to amaze me. Glad to 
know I'm not the only one struggling with this!

I will play with the technique described when I get a chance, and I will 
let everyone know how it goes. But that may be next weekend.

Meanwhile, I will post this general solicitation for advice to the list:
I have a couple different Servlet-based apps that will be deployed on 
JBoss and/or Tomcat. Both will be exposed to the Internet, and both will 
require SSL -- at least server authentication and encryption of 
credentials (for sure), if not encryption of all content (maybe) and 
even SSL client authentication (probably not).

On one, I will get full access to the Server box (we are planning to use 
JBoss 3.2.4). But, unfortunately, they are going to have Windows running 
on the box (ack). Had it been a unix box, my plan would have been to put 
an Apache in front of the JBoss server and to try to configure all the 
SSL stuff via Apache, because I know that is commonly done and I know it 
would be easy to get help doing it. But, if that doesn't work out, is 
IIS-Tomcat or IIS-JBoss/Tomcat a viable option, securitywise? Or how 
about JBoss/Tomcat alone?

For the other, we will probably use a hosting company such as 
webappcabaret. They run Tomcat and promise full SSL support.

The main question I have is, are there best practices I can follow 
within the scope of my Struts/Servlet-related programming that will make 
it easier to upgrade the security of these apps, or does it really 
matter that much exactly how access to resources is controlled (within 
this scope I mean)? Typically I find myself in the same environment -- 
authentication/authorization data is stored via RDBMS, an app-specific 
login is programmed for authentication, and the Servlet-related 
processors check User.Permissions objects stored as HttpSession 
attributes for authorization.

Thanks again,
Erik

Rick Reumann wrote:
Erik Weber wrote:
Dang I thought I was onto something! I guess I'll stick to my User 
object in each session, and just try to make sure I centralize the 
auth checks as much as I can. Dunno why I ever wanted to change it, 
anyway.

Thanks Craig for your time.

I also sent your question on to a co-worker and he had this to say...
Craig if you have any comments regarding below I'd be interested in 
forwarding on to my co-worker here as well. Thanks.

==
This very topic has given me plenty of headaches. Only by diving into the
Tomcat code did I start to figure out what was going on.
The issue is that the login must happen in two places since both JBoss 
and
Tomcat security were designed to work standalone. JBoss accomplished the
integration of the two by hacking Tomcat to use JBossSX as a security 
realm
while allowing Tomcat to continue collecting its own login credentials.

When you performed your JAAS login within your action, you only 
authenticated
yourself with JBoss. Since doing so bypassed the aformentioned hack, 
Tomcat
never authenticated and the user principal was never applied to the 
session.

I had a very similar issue not too long ago and when I finally figured 
out how
JBoss/Tomcat integrated, my brain started spinning trying to figure 
out how
to do a more intelligent form login through the JBoss/Tomcat stack.
Fortunately form authentication wasn't a requirement for the immediate
problem so I didn't put too many cycles on that problem.

The moral of the story is that you can't bypass j_security_check without
cutting Tomcat out of the authentication loop. You can't proxy
j_security_check either. I tried some VERY creative hacks that way and 
none
of them worked. Tomcat was designed specifically to not allow it. Too 
many
potential exploits there.

There is a possible solution if you're willing to apply a little elbow 
grease
and bend the JAAS spec a little. Download the Tomcat source and take a 
look
at org.apache.catalina.authenticator.BasicAuthenticator. That's a good
reference for how Tomcat authentication works.

Now take a look at the FormAuthenticator in the same package. This one 
is a
bit more complex in that it saves the initial request so that it can 
replay
it once authentication is complete.

It is conceivable that you can write a StrutsFormAuthenticator that 
forwards
to the ActionServlet to collect the credentials. Once you have your new
authenticator, you can register it by adding it to
org/apache/catalina/startup/Authenticators.properties with a key like
STRUTS. Now go back to your web.xml and replace FORM with STRUTS 
and
next time Tomcat deploys your war it should load up with your custom
authenticator.

Be aware that JBossWeb has its own shadows of Tomcat authenticators (the
aformentioned hacks). Instead of extending Tomcat classes directly, 
you must
extend these and you must patch the
org/jboss/web/tomcat/tc4/Authenticators.properties file in
deploy/jbossweb-tomcat41.sar/tomcat41-service.jar with your STRUTS
reference.

Good 

RE: [OT] JBoss, Jaas and Struts

[Erez Efrati]

Hi Erik, 

Not too long ago I struggled with this issue too and also played with
the 
SecurityFilter (on sourceforge.net) but it didn't work with JBoss.
And so after digging and digging I came up with my own security filter
that
Does work with JBoss and in fact can be adapted to more Application
server.

Though it is not as fancy in terms of configuration, it is sure working
for me and since then I have no headaches - at least not from that
direction :)

If you are interested in the code, send me an email.

Regards,

Erez


-Original Message-
From: Erik Weber [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 19, 2004 6:43 PM
To: Struts Users Mailing List
Subject: Re: [OT] JBoss, Jaas and Struts

The helpfulness of people on this list continues to amaze me. Glad to 
know I'm not the only one struggling with this!

I will play with the technique described when I get a chance, and I will

let everyone know how it goes. But that may be next weekend.

Meanwhile, I will post this general solicitation for advice to the list:

I have a couple different Servlet-based apps that will be deployed on 
JBoss and/or Tomcat. Both will be exposed to the Internet, and both will

require SSL -- at least server authentication and encryption of 
credentials (for sure), if not encryption of all content (maybe) and 
even SSL client authentication (probably not).

On one, I will get full access to the Server box (we are planning to use

JBoss 3.2.4). But, unfortunately, they are going to have Windows running

on the box (ack). Had it been a unix box, my plan would have been to put

an Apache in front of the JBoss server and to try to configure all the 
SSL stuff via Apache, because I know that is commonly done and I know it

would be easy to get help doing it. But, if that doesn't work out, is 
IIS-Tomcat or IIS-JBoss/Tomcat a viable option, securitywise? Or how 
about JBoss/Tomcat alone?

For the other, we will probably use a hosting company such as 
webappcabaret. They run Tomcat and promise full SSL support.

The main question I have is, are there best practices I can follow 
within the scope of my Struts/Servlet-related programming that will make

it easier to upgrade the security of these apps, or does it really 
matter that much exactly how access to resources is controlled (within 
this scope I mean)? Typically I find myself in the same environment -- 
authentication/authorization data is stored via RDBMS, an app-specific 
login is programmed for authentication, and the Servlet-related 
processors check User.Permissions objects stored as HttpSession 
attributes for authorization.

Thanks again,

Erik




Rick Reumann wrote:

 Erik Weber wrote:

 Dang I thought I was onto something! I guess I'll stick to my User 
 object in each session, and just try to make sure I centralize the 
 auth checks as much as I can. Dunno why I ever wanted to change it, 
 anyway.

 Thanks Craig for your time.


 I also sent your question on to a co-worker and he had this to say...

 Craig if you have any comments regarding below I'd be interested in 
 forwarding on to my co-worker here as well. Thanks.

 ==

 This very topic has given me plenty of headaches. Only by diving into
the
 Tomcat code did I start to figure out what was going on.

 The issue is that the login must happen in two places since both JBoss

 and
 Tomcat security were designed to work standalone. JBoss accomplished
the
 integration of the two by hacking Tomcat to use JBossSX as a security 
 realm
 while allowing Tomcat to continue collecting its own login
credentials.

 When you performed your JAAS login within your action, you only 
 authenticated
 yourself with JBoss. Since doing so bypassed the aformentioned hack, 
 Tomcat
 never authenticated and the user principal was never applied to the 
 session.

 I had a very similar issue not too long ago and when I finally figured

 out how
 JBoss/Tomcat integrated, my brain started spinning trying to figure 
 out how
 to do a more intelligent form login through the JBoss/Tomcat stack.
 Fortunately form authentication wasn't a requirement for the immediate
 problem so I didn't put too many cycles on that problem.

 The moral of the story is that you can't bypass j_security_check
without
 cutting Tomcat out of the authentication loop. You can't proxy
 j_security_check either. I tried some VERY creative hacks that way and

 none
 of them worked. Tomcat was designed specifically to not allow it. Too 
 many
 potential exploits there.

 There is a possible solution if you're willing to apply a little elbow

 grease
 and bend the JAAS spec a little. Download the Tomcat source and take a

 look
 at org.apache.catalina.authenticator.BasicAuthenticator. That's a good
 reference for how Tomcat authentication works.

 Now take a look at the FormAuthenticator in the same package. This one

 is a
 bit more complex in that it saves the initial request so that it can 
 replay
 it once authentication

[OT] JBoss, Jaas and Struts

[Erik Weber]

Kindly let me know if this is too off-topic. I ask here for reasons I 
think probably go without mention: Smart and helpful people participate 
on this list, and I'm sure many are producing Struts apps that run on JBoss.

I am using JBoss 3.2.4. I am trying to integrate my app with JAAS.
I have followed what JAAS literature I could find on the web, including 
the JAAS howto that is available from Scott Stark of the JBoss group. 
This is a complex document and so if the answer is there, please forgive 
me as I have already read it two or three times and am finding this 
subject matter difficult.

All the examples I have seen on the web (such as at JavaWorld) show you 
how to implement your own JAAS classes (I don't need to do this because 
I can reuse one that JBoss provides). The thing I cannot understand is 
why they go through all the trouble of implementing LoginContext, 
LoginModules, etc., only to, in the end, store the Subject instance in 
the session and repeatedly check that for every request before allowing 
commands to be executed. In other words, they go through all this 
trouble to follow the JAAS API and yet you still cannot use the methods 
like HttpServletRequest.isUserInRole that are built into the Servlet 
API. I don't see how this is really any better than rolling your own; 
it's still Java code, it's still portable, and it's still querying 
whatever resource (DB) by which you store your user data. Storing the 
Subject instance in the user's session and checking it for every request 
-- how is that any different from checking your own User object?

So, I am trying to use the JAAS implementations that JBoss provides, 
which are configurable via login-config.xml. Now, if you configure that 
file appropriately and create a login page that follows the J2EE specs 
for container-managed login (the form action is j_security_check, the 
username field is called j_username and the password field is called 
j_password), the container does indeed propagate the authenticated 
subject to the web-app environment somehow; you can use the methods such 
as request.isUserInRole successfully. However, with the form action 
having to be set to j_security_check, you lose the link to the Struts 
controller, and thus give up Struts stuff like form validation, error 
redirecting, etc.

So I toyed with the idea of bridging my Struts login page (action != 
j_security_check) with the container, by somehow processing the form 
submittal on my own, but then forwarding the username and password as 
j_username and j_passsword to this j_security_check resource, but 
I couldn't figure out how to do it. I even went so far as opening an 
HttpURLConnection to http://localhost:8080/j_security_check; and 
setting the username and password as request parameters, just to see if 
it would work. Yeah, it's been a long day. Anyone have an idea on this 
approach?

So I went the route of the typical examples; I wrote a login Action that 
instantiates a LoginContext using the domain I have configured in 
login-config.xml, provided my own CallbackHandler to submit the username 
and password, etc. And the login method does work -- it does 
authenticate using the database I specified in login-config.xml, but yet 
somehow the Subject is not propagated to the web-app environment the way 
it is when you login using the form action j_security_check, and so I 
still cannot use the methods such as request.isUserInRole. So obviously 
whatever intercepts the call to j_security_check is not only doing 
authentication, but it is taking some extra step to let the container 
know that the user has been authenticated. I know this is true because 
the request.isUserInRole method works when I do it that way. I iterated 
all the session attributes and there are no new ones present after 
authenticating with j_security_check.

Does anyone know what this missing step is, and how I can do it from my 
own code? Or am I wasting my time?

Thanks if you even took time to read this!
Erik

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [OT] JBoss, Jaas and Struts

[Craig McClanahan]

On Sun, 18 Jul 2004 21:50:19 -0400, Erik Weber [EMAIL PROTECTED] wrote:
 So, I am trying to use the JAAS implementations that JBoss provides,
 which are configurable via login-config.xml. Now, if you configure that
 file appropriately and create a login page that follows the J2EE specs
 for container-managed login (the form action is j_security_check, the
 username field is called j_username and the password field is called
 j_password), the container does indeed propagate the authenticated
 subject to the web-app environment somehow; you can use the methods such
 as request.isUserInRole successfully. However, with the form action
 having to be set to j_security_check, you lose the link to the Struts
 controller, and thus give up Struts stuff like form validation, error
 redirecting, etc.

That is as it should be.

When you create a form login page (for container managed security),
what you are essentially doing is designing a page that is part of the
*container*, not part of your *application* -- in other words, the
only thing you get to do is make the login page visually look like the
rest of your app.  It is not, in any way shape or form, actually part
of your app.  Therefore, you can't assume things like Struts
validators.

To grasp this more fully, switch your app to use BASIC authentication
instead of FORM, so that the browser pops up its login box.  See how
you don't have any way to specify validators on the input dialog, or
control where the input goes?  That's because form based login is an
exact analog to that procedure.

 
 So I toyed with the idea of bridging my Struts login page (action !=
 j_security_check) with the container, by somehow processing the form
 submittal on my own, but then forwarding the username and password as
 j_username and j_passsword to this j_security_check resource, but
 I couldn't figure out how to do it. I even went so far as opening an
 HttpURLConnection to http://localhost:8080/j_security_check; and
 setting the username and password as request parameters, just to see if
 it would work. Yeah, it's been a long day. Anyone have an idea on this
 approach?
 

Yah, I do ... give up on expecting any portable solution that will
work across servers.  The current specs do not provide for that,
although there are current JSRs under way to address that precise
concern.

 So I went the route of the typical examples; I wrote a login Action that
 instantiates a LoginContext using the domain I have configured in
 login-config.xml, provided my own CallbackHandler to submit the username
 and password, etc. And the login method does work -- it does
 authenticate using the database I specified in login-config.xml, but yet
 somehow the Subject is not propagated to the web-app environment the way
 it is when you login using the form action j_security_check, and so I
 still cannot use the methods such as request.isUserInRole. So obviously
 whatever intercepts the call to j_security_check is not only doing
 authentication, but it is taking some extra step to let the container
 know that the user has been authenticated. I know this is true because
 the request.isUserInRole method works when I do it that way. I iterated
 all the session attributes and there are no new ones present after
 authenticating with j_security_check.
 
 Does anyone know what this missing step is, and how I can do it from my
 own code? Or am I wasting my time?
 

If you want to use Struts features in your login page, you'll need to
abandon container managed security.  Perhaps something like
SecurityFilter (a sourceforge project) might be useful to you -- but,
if you're using EJBs and need the propogation of user identity from
the web tier to the EJB tier, this is not likely to work.  The only
possible solution would be something your app server itself provides.

 Thanks if you even took time to read this!
 
 Erik

Craig

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]