Re: JAAS getRemoteUser security custom
Hi, I'm still not satisfied with the options so far and I'm sure I do not fully understand it: Although the valve works in that I can set the principal on the catalina request, realm.authenticate("username","credentials") within the valve is not actually passing anything to my JAAS login module although the login module is being used. Therefore, I can not currently authenticate the user within the JAAS module correctly as there appears to be no data passed from the valve. Also, if I use the valve then what is the point of the servlet using LoginContext.login()? If I choose not to use a valve then I appear to not have any access to the request object within JAAS. Even if I use org.apache.catalina.realm.JAASCallbackHandler, I do not get access to the request. So how are you able to add the principal to the request like you can do with the valve? SecurityFilter not an option as it does not support SSO. Thanks for the comments so far. > > Using a Valve will give you access to the the internal > model of the > request, so you can set Principals etc. > > I had the impression that a full JAAS implementation gave > you access to > the request and enabled the use of a Realm, but maybe it > isn't what you > need. > > The SecurityFilter project might be worth a look, before > you commit to > rolling your own. > > > p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JAAS getRemoteUser security custom
On 18/05/2010 15:42, Neville Peter wrote: > The authentication will take place without any user intervention. For > example, from a request parameter or cookie value. > > BTW, I have just managed to get it to work by using a custom Valve that > extends AuthenticatorBase and uses my JAAS realm. The valve adds the > principal to the request and this in turn allows getRemoteUser() to work in > the servlet. > > Is this the missing link between using JAAS and still supporting > getRemoteUser()? Or is there a standard way of doing this? Using a Valve will give you access to the the internal model of the request, so you can set Principals etc. I had the impression that a full JAAS implementation gave you access to the request and enabled the use of a Realm, but maybe it isn't what you need. The SecurityFilter project might be worth a look, before you commit to rolling your own. p >> Why is a callbackhandler not required? >> >> >> p > > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > signature.asc Description: OpenPGP digital signature
Re: JAAS getRemoteUser security custom
The authentication will take place without any user intervention. For example, from a request parameter or cookie value. BTW, I have just managed to get it to work by using a custom Valve that extends AuthenticatorBase and uses my JAAS realm. The valve adds the principal to the request and this in turn allows getRemoteUser() to work in the servlet. Is this the missing link between using JAAS and still supporting getRemoteUser()? Or is there a standard way of doing this? Thanks > Why is a callbackhandler not required? > > > p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JAAS getRemoteUser security custom
On 18/05/2010 10:51, Neville Peter wrote: > I need to login programmatically, but continue to support getRemoteUser(). > > I have written a csutom JAAS login module (no callbackhandler required) and > this can be seen to run when I programmatically logon within my filter > servlet using: > LoginContext lc = new LoginContext("MyJAASAccess",subject); > lc.login(); > > I've done all the configuration and am happy the login module is in use. > > For example, > > jaas.config: > > MyJAASAccess { > nhs.cfh.ssd.security.jaas.TomcatLoginModule optional debug=true; > }; > > I also add the role and userid to the subject as principals in the login > module. However, calls to HTTPServletRequest.getRemoteUser() > always return null. > What do I need to do make JAAS work with getRemoteUser()? Why is a callbackhandler not required? p > Thanks, > Peter > > > Tomcat version 6.0.20 > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > signature.asc Description: OpenPGP digital signature