I was trying to get you to do some research so you understand your situation
better and then you could see what you were doing wrong. In any case...
Your problem is that ClientLoginModule only passes security data to JBoss
invocation within the current thread. However, Tomcat uses thread pools
I have tried to get this to work too, but only been able to get static content
to be made available. Sorry.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964669#3964669
If you don't want my help, I'll be happy to move on. In past versions of
Tomcat, context elements were added to the server.xml config file. Now that is
discouraged in favor of web-app specific context.xml files. However, in your
case, I think you should add your context configuration inside T
fosodquez,
The ClientLoginModule does not have any authentication logic, so if that is
your only login module, then you are not authenticating.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964627#3964627
sdegenaar,
anonymous wrote : We have set up a separate tomcat installation
How does Tomcat's security system interface with JBoss' in your environment?
Also you may want to read security chapter of server guide at
http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html
cgriffith
Vie
I had started to digest the JACC spec and how JBoss implements it a few months
back, but have not looked at it recently. So this is pure speculation on what
I think I know.
The point I was trying to make is that you have been modifying the
PolicyContext specified by contextID "kr.jar". That
check out http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingContextDotXML
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964618#3964618
P,
What does JBoss use as contextID? I am wondering if you need to use
"ear-name/bean-jar-name".
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964067#3964067
matt10,
I would say this is an interesting use case. The problem with making client
unaware of business components is that you then have to come up with ways to
configure your client to do stuff with abstract notions of business objects.
In that case what you have done with annotation inspect
P,
Can you show us how you are attempting...
anonymous wrote :
| I try to change the role based ejb3 method permission on the fly
|
thanks cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3964037#3964037
I am no LDAP expert, but it looks like the LDAPLM is not providing correct
credentials when connecting to AD. Thus authentication of user is not even
attempted because connection to server is not authenticated.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=vi
ppradhan,
One thing that is not completely clear from your description is whether or not
the user has actually authenticated to servlet container. Just because the
login form is returned does not necessarily mean authentication did not
happen. To be more specific...
Consider the case when a
matt10,
Wouldn't it be better if your fat client enabled/disabled menu items based on
the roles the user has rather than the methods they can call. I mean really
this is the same thing, only you do not have to go get method permissions.
cgriffith
View the original post :
http://www.jboss.com
I think this may help.
http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html#d0e20970
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963267#3963267
dheelus,
With Tomcat bundled with JBoss, you deploy to JBoss not Tomcat. Then JBoss
does the deployment into Tomcat container. So if your ant script just copies
your war/ear into $YOUR_SERVER/deploy that's all she wrote.
cgriffith
View the original post :
http://www.jboss.com/index.html?modu
Jason,
From what I can tell this can not be configured. I did find this that backs
up my findings.
http://mail-archives.apache.org/mod_mbox/tomcat-users/200407.mbox/[EMAIL PROTECTED]
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963146#3963
bjornn,
You are making more work for yourself. I already told you that your query is
not correct and pointed you to documentation on the LM. If the info you posted
about your database is correct, and assuming your table names are USERS and
ROLES, your queries should be as so...
| ...
|
javacodemonkey,
Even the Struts folks say this is not a good idea. There are static members
that would cause strange things to happen if shared across apps.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962956#3962956
Baskar,
After a password is changed, the user must be logged out of application (i.e.
JBossSX cache flush). If your UI is web-based, this usually can occur by
invalidating the web session. Is this step happening? You can verify what
principals are in the cache via the jmx-console (mbean:
j
EricYP,
1.) javax.servlet.HttpServletRequest.getUserPrincipal()
2.) AFAIK, as long as your query returns the password in the first column, and
only accepts one parameter (the username), you are good to go.
I am not sure why you posted your login form.
cgriffith
View the original post :
http://
bjornn,
Your problem then is your query. As I already mentioned, the sql configured in
your security-domain must be specific for your database. For more details about
the DatabaseServerLoginModule see
http://wiki.jboss.org/wiki/Wiki.jsp?page=DatabaseServerLoginModule.
cgriffith
View the orig
bjornn,
So far all your config looks good. The only thing that looks odd is your
queries. These must be made specific to your database. Specifically, your
query...
| SELECT LOGIN, 'Roles' FROM ROLES WHERE LOGIN=?
|
just returns the login name. Is this correct? Other than checking th
fhh,
I believe that the login-config.xml file is loaded by the server, but actual
SecurityDomain/SecurityManagers are not instantiated and bound in JNDI until
they are needed. An example of when one would be needed is when an application
specifically says, "I am using security domain x" at dep
Frank,
How many/what type of deployable components does your site/web-app have?
More info about the basic organization of your application/site please.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962432#3962432
sasi2103,
I think this is what you are looking for.
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=80296
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962425#3962425
Dear gang,
This was an interesting hunt for me as I have not used client certs before. I
think you have two options.
1.) Follow JBossSX Subject usage package in your custom login module and add a
java.security.acl.Group with name "CallerPrincipal" to the authenticated
Subject's principal set.
Bogdan,
Please give details about which login modules you are using. If you are using
a custom login module, please show how you set your custom principal.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3961368#3961368
adogg,
I am sure you can not add security role restrictions on a non-EJB3 class.
Since the interface is not either a stateless/stateful session bean or a
message driven bean, it is not a true EJB3 object. As such you can not add
security restrictions.
I would suggest you place the restricti
Victor,
I just want to further point out that the fine folks at jboss labs have a wonderful
EJB3.0 trail. I have not found any other info on the net to be quite so
useful.
You can get to it at http://trailblazer.demo.jboss.com/EJB3Trail/
enjoy, cgriffith
View the original post :
http://www.jbos
Sorry, #3 is poppy-cock. I am still learning EJB3.0 spec and Jboss extensions.
But I think it can be done with multiple interfaces.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959314#3959314
Victor,
There are many options you can try.
1.) combine the "other" and "db_store" domains into one and use for webapp#1,
webapp#2, and ejb. Thus if a user is not authenticated by DBSLM, the URLM will.
2.) Use a run-as role with the servlet
3.) Use EJB3.0. The ability to assign a security do
Victor,
It is doing what you have configured it to do.
Webapp#2 is secured using the "other" security domain. So when a user attempts
to access a secured resource (i.e. your servlet), the container performs BASIC
authentication via the UsersRolesLoginModule. Thus you have set some principal
Victor,
Is the principal used as identity (ie username) in web-app#2 during BASIC
authentication in your database?
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959118#3959118
Hi Jeff,
Yes you can have more than one security-domain in an ear. However, you need to
make sure that the roles that intersect the two security domains are defined in
each. In other words, if EJB A in security domain A needs to communicate with
EJB B in security domain B, then the run-as rol
Markus,
I assume you got things working. Just a note, this forum is useful to keep
track of now and in the future. Had you done some searching you may have found
this http://www.jboss.com/index.html?module=bb&op=viewtopic&t=78329.
let us know if you still have problems, cgriffith
View the or
Adam,
see http://wiki.jboss.org/wiki/Wiki.jsp?page=BaseCertLoginModule ,
http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX
, and http://wiki.jboss.org/wiki/Wiki.jsp?page=Logging.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958959#3958959
Adam,
First off, see my comments at
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=86289.
SSL vs. CLIENT-CERT authentication are two separate issues.
That said, we would need to see some trace logging of JBoss security at the
point when a user attempts to access secured resource to se
Markus,
Since the SecurityDomain is a JBoss specific configuration, it does not go in
the ejb-jar.xml. I figured you would have known how to configure JBoss. In
this case, see the jboss.xml file and its DTD for definitions.
cgriffith
View the original post :
http://www.jboss.com/index.html
Hi Markus,
Yes to all. I think it is important to note that ejb-jar.xml is the descriptor
file for bean configuration (it has always been). The addition of annotations
in EJB3 just makes that descriptor unnecessary. Unless you want to use. If you
use both, the descriptor should override anno
See the EJB3 wiki for documentation on how to use annotations to provide the
same configurations as the ejb-jar.xml.
http://wiki.jboss.org/wiki/Wiki.jsp?page=EJB3
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958770#3958770
http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html#d0e18806
and
http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX
enjoy, cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958769#3958769
kearns,
You need a better understanding of authentication/authorization. There is just
too much stuff that is wrong here. See the resource I mentioned below. As
well as the wikis at wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX
and
wiki.jboss.org/wiki/Wiki.jsp?page=Tomcat.
However in an effort t
Is it http://localhost:8080/MyApp/images/company_logo.gif
or
http://localhost:8080/MyApp/images/company_logo.jpg?
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958754#3958754
Hi Kearns,
So you have a web-enabled client. I am still not clear on what is your
identifying principal and what is your credential. What does the user enter in
the form? My point is to determine how your authentication data can be used as
a String/Principal identity and an Object credential.
See tomcat's jboss-service.xml file that configures Tomcat as a JBoss service.
$YOUR_SERVER/deploy/jbossweb-tomcatxx.ser/META-INF/jboss-service.xml
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958505#3958505
kearns,
There are still a few details I would need to understand your situation.
1.) It was not clear to me what data you need to be passed to your
bank.jaas.CustomServerLoginModule. What is acting as the identity principal
and what is acting as the authentication data? What else do you need
clodeindustrie,
I suspect ojdv14.jar and xdb.jar can work together, but that the problem is
with xdb.jar and JNDI. Did you follow instructions at Oracle's site about how
to use JNDI to access XML DB Resource? They describe how to specify a JNDI
provider to use. If you do not do this, then J
cool_bhanu,
I would start by reading the security chapter in jboss server guide available
at http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958083#3958083
dzhao00,
There was no requirement to not re-use session ID in original question of
sundartri. The problem was how to invalidate the session. The original poster
was under the impression that the session was not being invalidated because the
ID did not change. You mis-read the problem and add
Why bother. There is no harm in re-using the session ID. The real issue is
whether or not the session contents were getting trashed on invalidate. If
that is occurring, then all is good.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957873#39578
Adam,
That is the behavior defined by the servlet spec. If you want a filter on that
resource to be invoked, then you need to use re-direct, not forward.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957793#3957793
thmix10
From the HTTP 1.1 spec...
anonymous wrote :
| 3.4.1 Missing Charset
| ...
|HTTP/1.1 recipients MUST respect the charset label provided by
|the sender; and those user agents that have a provision to "guess"
|a charset MUST use the charset from the content-type field
Paul,
Warrenc6 is leading you in the wrong direction.
Your idea to extend DatabaseServerLoginModule is a good choice. In order for
you to access the HttpSession from your login module you will need to see
http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication
let us
atorres,
Warren6 is just plain silly. There are at least two ways to get the
Authenticated Subject. I think all of them are JBoss dependent; not sure if
this is a problem for you. However...
1.) the way you have done it is a great way using JNDI
2.) tomcat service has an SubjectAttributeNam
B,
Isn't the redirect port set in tomcat's server.xml file...
|
|
|
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957334#3957334
Soheil,
That mechanism has been deprecated. You should consider using
http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthentication
instead.
cgriffith
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957329#3957329
56 matches