Carsten,
This is a confirmed bug -- I've just spent a couple days wrestling with
it myself. It is a logged bug and fixed on the trunk.
http://issues.apache.org/bugzilla/show_bug.cgi?id=37044
Brad
Carsten Schiller wrote:
Jukka Uusisalo <[EMAIL PROTECTED]> wrote on 20.10.2005 17:37:31:
Carsten Schiller wrote:
Hello!
We are trying to implement a login/security environment using Tomcat 5.5's
JAASRealm and Struts as an MVC framework.
After login, which fails with the error "HTTP Status 403 - Access to the
requested resource has been denied", we can navigate manually to our
output.jsp and use
...
<%= request.getUserPrincipal() %> ,
...
<%= request.isUserInRole("administrator") %>
...
<logic:present role="administrator">
Admin present!
</logic:present>
These return the correct username, (true) for isUserInRole, and the logic
tag also works...
BUT
Our problem is: we protected *.do in our web.xml to be accessible only by
users in role "administrator", which fails as described above.
Why does the login fail, but we still get a valid Subject with Principals,
and can access the roles on the output.jsp?
We have been stuck now for over a week, reading tutorials, asking Google,
but with no success... Any ideas would be appreciated!
Hi,
I think resources that do not require authentication, like your
output.jsp, should return null from request.getUserPrincipal().
But what kind of JAAS login module do you have? Does that login module
work correctly?
- Jukka -
Hi Jukka,
What you mention is the same as we thought, and so we were wondering how it
could be that our authentication resulted in an "HTTP 403" error while
checking the role on our output.jsp returned the correct role of the user.
The tag <logic:present role="administrator"> as well as <%=
request.getUserPrincipal() %> returned the needed information (username
and role) and not, as expected (AFTER a failed login), "null".
Our JAAS login module is self-written and we debugged every bit of its
code.
I append it for inspection...
We tested the authentication with a JNDIRealm, which works fine, and there
we don't get "HTTP 403" errors for correct username/password combinations
(we were using the same LDAP server).
Greetings Carsten
SimpleLoginModule.java
[code]
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * JAAS LoginModule that binds to LDAP with the user's own credentials
 * (through the PasswortTester helper class, not shown here) and, on commit,
 * adds a UserPrincipal for the user plus one GroupPrincipal per value of the
 * user's "authorizationRole" attribute to the Subject.
 */
public class SimpleLoginModule implements LoginModule
{
    private static final int NOT_AUTHENTICATED = 0;
    private static final int AUTHENTICATED = 1;
    private static final int AUTHENTICATE_COMMITTED = 2;
    private static final String SERVERURL = "vm-kallisto-04";
    private static final String DOMAIN = "dc=ikom,dc=de";

    protected String username = null;
    protected String password = null;
    protected int state;
    protected Principal sp;          // user principal created in login()
    protected Subject sub;
    protected DirContext ctx;        // LDAP context bound as the user
    protected String userDN;
    protected List<Principal> rollenPrincipals = new ArrayList<Principal>(); // roles added in commit()
    protected CallbackHandler cbh = null;

    public void initialize(Subject s, CallbackHandler ch, Map shared, Map options)
    {
        System.out.println("Login.initialize()");
        state = NOT_AUTHENTICATED;
        sub = s;
        System.out.println("Subject-Name: " + sub.toString());
        this.cbh = ch;
    }

    public boolean login() throws LoginException
    {
        System.out.println("Login.login()");
        if (cbh == null)
            throw new LoginException("No CallbackHandler specified");

        Callback[] myCb = new Callback[2];
        myCb[0] = new NameCallback("Name: ");
        myCb[1] = new PasswordCallback("PW: ", false);
        username = null;
        password = null;
        try
        {
            cbh.handle(myCb);
            username = ((NameCallback) myCb[0]).getName();
            char[] pw = ((PasswordCallback) myCb[1]).getPassword();
            // getPassword() may return null; do not NPE on an empty password
            password = (pw == null) ? "" : new String(pw);
            ((PasswordCallback) myCb[1]).clearPassword();
        }
        catch (Exception cbex)
        {
            // Without credentials there is nothing to authenticate, so fail
            // the login rather than continuing with a null username.
            LoginException le = new LoginException("Fehler: " + cbex);
            le.initCause(cbex);
            throw le;
        }

        // Look up the user's DN and bind to LDAP with the supplied password.
        userDN = PasswortTester.getDN(username, SERVERURL, DOMAIN);
        ctx = PasswortTester.getContext(SERVERURL, DOMAIN, userDN, password);
        if (ctx != null && PasswortTester.test(ctx, userDN, password))
        {
            state = AUTHENTICATED;
            sp = new UserPrincipal(username);
            System.out.println("Login.login()::true " + username);
            return true;
        }
        else
        {
            state = NOT_AUTHENTICATED;
            sp = null;
            System.out.println("Login.login()::false");
            return false;
        }
    }

    public boolean commit() throws LoginException
    {
        System.out.println("Login.commit()");
        if (state < AUTHENTICATED) {
            return false;            // login() failed: nothing to commit
        }
        if (sp == null) {
            return false;
        }
        try
        {
            // Read the user's cn and role attribute(s) from LDAP.
            Attributes myAttributes = ctx.getAttributes(userDN,
                    new String[] {"cn", "authorizationRole"});
            Attribute user = myAttributes.get("cn");
            Attribute rollen = myAttributes.get("authorizationRole");
            System.out.println("LDAPuser: " + user);

            if (!sub.getPrincipals().contains(sp))
            {
                sub.getPrincipals().add(sp);
            }
            // One GroupPrincipal per role value; a user without the
            // attribute simply gets no role principals.
            if (rollen != null)
            {
                NamingEnumeration alleWerte = rollen.getAll();
                while (alleWerte.hasMore())
                {
                    String eineRolle = alleWerte.next().toString();
                    Principal rolle = new GroupPrincipal(eineRolle);
                    sub.getPrincipals().add(rolle);
                    rollenPrincipals.add(rolle);
                    System.out.println("Fuege GROUPPrincipal hinzu: " + eineRolle);
                }
            }
        }
        catch (Exception e)
        {
            // Surface the failure instead of silently ignoring this module.
            LoginException le = new LoginException("Fehler bei Commit: " + e);
            le.initCause(e);
            throw le;
        }
        state = AUTHENTICATE_COMMITTED;
        System.out.println("Login.commit()::true");
        return true;
    }

    public boolean abort()
    {
        System.out.println("Login.abort()");
        if (state == AUTHENTICATE_COMMITTED) {
            logout();                // undo a commit that already added principals
        }
        sub = null;
        sp = null;
        username = null;
        password = null;
        state = NOT_AUTHENTICATED;
        return true;
    }

    public boolean logout()
    {
        System.out.println("Login.logout()");
        // Remove everything commit() added so the Subject is clean again.
        if (sub != null)
        {
            if (sp != null) {
                sub.getPrincipals().remove(sp);
            }
            sub.getPrincipals().removeAll(rollenPrincipals);
        }
        rollenPrincipals.clear();
        state = NOT_AUTHENTICATED;
        sp = null;
        sub = null;
        return true;
    }
}
[/code]
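An added example, not code from this thread or from Tomcat: a stand-alone harness that drives a LoginModule through LoginContext with a scripted CallbackHandler and reports which Principal classes end up in the Subject. Tomcat's JAASRealm only treats a Principal as the user, or as a role, when its class name is listed in the realm's userClassNames or roleClassNames attribute, so this is a quick offline check that a module's commit() produces the principal classes the realm is configured for. JaasHarness, MemoryLoginModule, the UserPrincipal/GroupPrincipal stand-ins and the "admin"/"secret" credentials are all constructed for the example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasHarness {
    // Constructed stand-ins for the thread's UserPrincipal / GroupPrincipal classes.
    public static class UserPrincipal implements Principal {
        final String n; public UserPrincipal(String n) { this.n = n; } public String getName() { return n; } }
    public static class GroupPrincipal implements Principal {
        final String n; public GroupPrincipal(String n) { this.n = n; } public String getName() { return n; } }
    // Constructed in-memory module with the same login()/commit() shape as the LDAP module above.
    public static class MemoryLoginModule implements LoginModule {
        private Subject sub; private CallbackHandler cbh; private String user; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { sub = s; cbh = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("Name: "); PasswordCallback pc = new PasswordCallback("PW: ", false);
            try { cbh.handle(new Callback[] {nc, pc}); } catch (Exception e) { throw new LoginException("callback failed: " + e); }
            user = nc.getName();
            ok = "admin".equals(user) && Arrays.equals("secret".toCharArray(), pc.getPassword());
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials for " + user);
            return true;
        }
        public boolean commit() {
            if (!ok) return false;
            sub.getPrincipals().add(new UserPrincipal(user));
            sub.getPrincipals().add(new GroupPrincipal("administrator")); // the role, as the LDAP module adds it
            return true; }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { sub.getPrincipals().clear(); return true; }
    }
    // Programmatic JAAS configuration: no login.config file or system property needed.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {new AppConfigurationEntry(MemoryLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap())};
        } };
    // Logs in via LoginContext and groups principal names by class: each class name listed here must
    // appear in JAASRealm's userClassNames or roleClassNames for Tomcat to use it as user or role.
    public static Map<String, List<String>> principalsByClass(String user, char[] pw) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw);
            else throw new UnsupportedCallbackException(c); } };
        LoginContext lc = new LoginContext("Tomcat", null, h, CONFIG); lc.login();
        Map<String, List<String>> out = new TreeMap<>();
        for (Principal p : lc.getSubject().getPrincipals()) out.computeIfAbsent(p.getClass().getName(), k -> new ArrayList<>()).add(p.getName());
        return out;
    }
}
```

Calling principalsByClass("admin", "secret".toCharArray()) returns the map of principal class names to principal names; a wrong password makes lc.login() throw FailedLoginException, which is the same path Tomcat's JAASRealm sees when it rejects a user.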