Re: JAAS getRemoteUser security custom

2010-05-19 Thread Neville Peter
Hi,

I'm still not satisfied with the options so far and I'm sure I do not fully 
understand it:

Although the valve works in that I can set the principal on the catalina 
request, realm.authenticate("username","credentials") within the valve is not 
actually passing anything to my JAAS login module although the login module is 
being used. Therefore, I can not currently authenticate the user within the 
JAAS module correctly as there appears to be no data passed from the valve. 
Also, if I use the valve then what is the point of the servlet using 
LoginContext.login()?

If I choose not to use a valve then I appear to not have any access to the 
request object within JAAS. 
Even if I use org.apache.catalina.realm.JAASCallbackHandler, I do not get 
access to the request. So how are you able to add the principal to the request 
like you can do with the valve?

SecurityFilter is not an option as it does not support SSO.

Thanks for the comments so far.





> 
> Using a Valve will give you access to the internal
> model of the
> request, so you can set Principals etc.
> 
> I had the impression that a full JAAS implementation gave
> you access to
> the request and enabled the use of a Realm, but maybe it
> isn't what you
> need.
> 
> The SecurityFilter project might be worth a look, before
> you commit to
> rolling your own.
> 
> 
> p
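
Worked example added to this thread (not code from any poster): Tomcat's JAASRealm.authenticate(username, credentials) does not hand the values to the login module directly; it wraps them in a JAASCallbackHandler and the module has to ask for them with a NameCallback and a PasswordCallback. A module that issues no callbacks therefore sees "no data", which matches the symptom above. The login module below asks for both, verifies the credential against a constructed sample token store, and puts a user principal on the Subject. The class name, the token value and the user "alice" are made up for the example.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TokenLoginModule implements LoginModule {
    // Constructed sample token store; a real module consults its own backend.
    private static final Map<String, String> TOKENS =
        Collections.singletonMap("alice", "sample-token-for-alice");
    // JAASRealm picks the user out of the Subject by principal class name, so this
    // class must appear in the Realm's userClassNames (roles use roleClassNames).
    public static class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        public String getName() { return name; }
    }
    private Subject subject; private CallbackHandler handler; private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        // No handler means nothing was passed in: exactly the "no data" symptom.
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("credential", false);
        try {
            handler.handle(new Callback[] { nc, pc });  // realm.authenticate(u, c) lands here
        } catch (Exception e) {  // IOException or UnsupportedCallbackException
            throw new LoginException(e.getMessage());
        }
        String name = nc.getName(), expected = name == null ? null : TOKENS.get(name);
        char[] cred = pc.getPassword();
        // Unknown user or wrong credential both fail; the compare is constant-time.
        if (expected == null || cred == null
                || !MessageDigest.isEqual(expected.getBytes(), new String(cred).getBytes())) {
            throw new FailedLoginException("credential rejected");
        }
        user = name;
        return true;
    }

    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        return true;
    }
    public boolean abort() { user = null; return true; }
    public boolean logout() {
        subject.getPrincipals().removeAll(subject.getPrincipals(UserPrincipal.class));
        user = null; return true;
    }
}
```

Wire it up with a JAASRealm whose appName matches the jaas.config entry and whose userClassNames lists the nested class (your.package.TokenLoginModule$UserPrincipal); the valve's register() call then makes the principal the realm returns visible to getRemoteUser(). Whatever the valve reads the username and token from, the credential must be checked here: a module that accepts the name alone lets any caller choose its identity.
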

Re: JAAS getRemoteUser security custom

2010-05-18 Thread Pid
On 18/05/2010 15:42, Neville Peter wrote:
> The authentication will take place without any user intervention. For 
> example, from a request parameter or cookie value.
> 
> BTW, I have just managed to get it to work by using a custom Valve that 
> extends AuthenticatorBase and uses my JAAS realm. The valve adds the 
> principal to the request and this in turn allows getRemoteUser() to work in 
> the servlet.
> 
> Is this the missing link between using JAAS and still supporting 
> getRemoteUser()? Or is there a standard way of doing this?

Using a Valve will give you access to the internal model of the
request, so you can set Principals etc.

I had the impression that a full JAAS implementation gave you access to
the request and enabled the use of a Realm, but maybe it isn't what you
need.

The SecurityFilter project might be worth a look, before you commit to
rolling your own.


p




>> Why is a callbackhandler not required?
>>
>>
>> p

Re: JAAS getRemoteUser security custom

2010-05-18 Thread Neville Peter
The authentication will take place without any user intervention. For example, 
from a request parameter or cookie value.

BTW, I have just managed to get it to work by using a custom Valve that extends 
AuthenticatorBase and uses my JAAS realm. The valve adds the principal to the 
request and this in turn allows getRemoteUser() to work in the servlet.

Is this the missing link between using JAAS and still supporting 
getRemoteUser()? Or is there a standard way of doing this?

Thanks


> Why is a callbackhandler not required?
> 
> 
> p

Re: JAAS getRemoteUser security custom

2010-05-18 Thread Pid
On 18/05/2010 10:51, Neville Peter wrote:
> I need to login programmatically, but continue to support getRemoteUser().
> 
> I have written a custom JAAS login module (no callbackhandler required) and 
> this can be seen to run when I programmatically logon within my filter 
> servlet using: 
> LoginContext lc = new LoginContext("MyJAASAccess",subject);
> lc.login();
> 
> I've done all the configuration and am happy the login module is in use. 
> 
> For example, 
> 
> jaas.config:
> 
> MyJAASAccess {
>   nhs.cfh.ssd.security.jaas.TomcatLoginModule optional debug=true;
> };
> 
> I also add the role and userid to the subject as principals in the login 
> module. However, calls to HttpServletRequest.getRemoteUser() 
> always return null.
> What do I need to do make JAAS work with getRemoteUser()?

Why is a callbackhandler not required?


p


> Thanks,
> Peter
> 
> 
> Tomcat version 6.0.20
> 