Now i can access to the subject (thanks to Jean Francois and Matt)!! In my use case, tomcat uses jaas (and specific login module) first to authenticate users (it runs)... and secondly to authorize the access to resources (EJB) deployed in weblogic server. I use weblogic API to propagate implicitly the subject (or principals) information from tomcat to weblogic, and use j2ee roles to secure access to resources. At this stage, i get the exception : [java.io.NotSerializableException: org.apache.catalina.realm.GenericPrincipal]... caused because the GenericPrincipal in Catalina isn't serializable. Somebody (or Craig R. McClanahan, the author) could explain for which reason this class is not serializable. Thanks.
-----Message d'origine----- De : Jeanfrancois Arcand [mailto:[EMAIL PROTECTED] Envoyé : mercredi 21 juillet 2004 17:58 À : Tomcat Users List Objet : Re: RE : RE : RE : RE : RE : how to access Subject after authentifica tion LERBSCHER Jean-Pierre wrote: >In fact my java options are : > >JAVA_OPTS=-Djava.security.auth.login.config=%CATALINA_HOME%\conf\Sample_jaa s >.config > >-----Message d'origine----- >De : LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED] >Envoyé : mercredi 21 juillet 2004 12:13 >À : 'Tomcat Users List' >Cc : 'Jeanfrancois Arcand' >Objet : RE : RE : RE : RE : how to access Subject after authentification > >The command line is ok ! > >But I have an exception : >Caused by: java.io.IOException: Impossible de trouver une configuration de >connexion > > Hehe :-) Pas mal comme message d'erreur ;-) > at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206) > at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95) > ... 33 more >I set >JAVA_OPTS=-DJAVA_OPTS=-Djava.security.auth.login.config=%CATALINA_HOME%\con f >\Sample_jaas.config > > I never used JAAS this way so I cannot help you. Are you trying to load the file from your webapp? Hav eyou try to put the file inside the war? -- Jeanfrancois >The classe that instantiates the login context is located in common/classes > >The standard Catalina.policy containts this permission > >grant codeBase "file:${catalina.home}/common/-" { > permission java.security.AllPermission; >}; > >Any ideas ? > >Thanks in advance! > >-----Message d'origine----- >De : Jeanfrancois Arcand [mailto:[EMAIL PROTECTED] >Envoyé : mardi 20 juillet 2004 19:52 >À : Tomcat Users List >Objet : Re: RE : RE : RE : how to access Subject after authentification > > > >LERBSCHER Jean-Pierre wrote: > > > >>Could you tell me what is the correct configuration to access the jaas >> >> >login > > >>file with this security manager. >> >> >> >> >You need to start Tomcat using the -security > >./catalina.sh start -security > >-- Jeanfrancois > > > > >>Thanks >> >>-----Message d'origine----- >>De : Jeanfrancois Arcand [mailto:[EMAIL PROTECTED] >>Envoyé : mardi 20 juillet 2004 18:42 >>À : Tomcat Users List >>Objet : Re: RE : RE : how to access Subject after authentification >> >>Are you both running with the security manager on? I think that's the >>problem... >> >>-- Jeanfrancois >> >>LERBSCHER Jean-Pierre wrote: >> >> >> >> >> >>>Matt I am ok with you! I try the two methods and I have the same results >>>(null) ! >>>Perhaps we have to configure properly tomcat (?) so that it can record the >>>subject in the session. Perhaps an authenticator ? >>>Jean François ! any ideas ? >>> >>>The second method is >>>Subject.getSubject(java.security.AccessController.getContext()); >>> >>>-----Message d'origine----- >>>De : Matt Harrison [mailto:[EMAIL PROTECTED] >>>Envoyé : mardi 20 juillet 2004 17:42 >>>À : 'Tomcat Users List' >>>Objet : RE: RE : how to access Subject after authentification >>> >>>I have tried both of these and they both return null! >>> >>> >>> >>> >>> >>> >>> >>>>-----Original Message----- >>>>From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED] >>>>Sent: 20 July 2004 16:30 >>>>To: Tomcat Users List >>>>Subject: Re: RE : how to access Subject after authentification >>>> >>>> >>>>Two ways: >>>> >>>>httpSession.getAttribute("javax.security.auth.subject") >>>> >>>>or >>>> >>>>Subject.getSubject(AccessControl.getContext()) >>>> >>>>-- Jeanfrancois >>>> >>>>Matt Harrison wrote: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>>Sorry for mis-reading your email >>>>> >>>>>If anybody out there knows how to retrieve the Subject, >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>Jean-Pierre and I >>>> >>>> >>>> >>>> >>>> >>>> >>>>>would most appreciate it! >>>>> >>>>>But, if, as I suspect, this is not part of the current >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>servlet spec, and >>>> >>>> >>>> >>>> >>>> >>>> >>>>>thus not part of Tomcat, can I make a request for this to be >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>included next >>>> >>>> >>>> >>>> >>>> >>>> >>>>>time round? >>>>> >>>>>I work around this by concatenating all the information I >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>require from the >>>> >>>> >>>> >>>> >>>> >>>> >>>>>subject into the Principal's name in my JAAS login module, as a >>>>>java.security.Principal object is available from the request >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>object in >>>> >>>> >>>> >>>> >>>> >>>> >>>>>Tomcat. But I guess this isn't an option for this problem. >>>>> >>>>>Matt >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>-----Original Message----- >>>>>>From: LERBSCHER Jean-Pierre >>>>>>[mailto:[EMAIL PROTECTED] >>>>>>Sent: 20 July 2004 15:40 >>>>>>To: 'Tomcat Users List' >>>>>>Subject: RE : how to access Subject after authentification >>>>>> >>>>>> >>>>>>Thanks Matt ! >>>>>>My problem is that have to call EJB deployed in Weblogic >>>>>>application server >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>from servlet components. I use the weblogic api to propagate >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>>the security >>>>>>information from tomcat to WLS. This api uses the subject! >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>Thus it is >>>> >>>> >>>> >>>> >>>> >>>> >>>>>>necessary that I can reach it. >>>>>> >>>>>>-----Message d'origine----- >>>>>>De : Matt Harrison [mailto:[EMAIL PROTECTED] >>>>>>Envoyé : mardi 20 juillet 2004 15:59 >>>>>>À : 'Tomcat Users List' >>>>>>Objet : RE: how to access Subject after authentification >>>>>> >>>>>>Hi >>>>>> >>>>>>I had a similar question a while back and never really got it fully >>>>>>resolved, but I found that Tomcat doesn't save the subject as >>>>>>a session >>>>>>attribute. >>>>>> >>>>>>However in your case you don't need to access the subject. In >>>>>>the web.xml >>>>>>file for your app, you can define what roles have access to >>>>>>each resource >>>>>>(jsp, servlet) and have your JAAS login module assign these >>>>>>roles to the >>>>>>subject - i.e. container managed security. >>>>>> >>>>>>e.g. add to web.xml (gives access to logins with role "user" >>>>>>to all of your >>>>>>application): >>>>>> >>>>>> <security-constraint> >>>>>> <web-resource-collection> >>>>>> >>>>>><web-resource-name>myApplication</web-resource-name> >>>>>> <url-pattern>/*</url-pattern> >>>>>> </web-resource-collection> >>>>>> <auth-constraint> >>>>>> <role-name>user</role-name> >>>>>> </auth-constraint> >>>>>> </security-constraint> >>>>>> <security-role> >>>>>> <role-name>user</role-name> >>>>>> </security-role> >>>>>> >>>>>>see the tomcat docs for more info >>>>>> >>>>>>Matt >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>>-----Original Message----- >>>>>>>From: LERBSCHER Jean-Pierre >>>>>>>[mailto:[EMAIL PROTECTED] >>>>>>>Sent: 20 July 2004 14:42 >>>>>>>To: '[EMAIL PROTECTED]' >>>>>>>Subject: how to access Subject after authentification >>>>>>> >>>>>>> >>>>>>>Hi, >>>>>>> >>>>>>>I am using JAAS authentification module to authenticate user >>>>>>>within tomcat >>>>>>>5.0.27. >>>>>>> >>>>>>>After the authentification, I want to control access to >>>>>>>resources (like ejb >>>>>>>deployed in weblogic application server). >>>>>>> >>>>>>>To control access, I have to use weblogic api with the >>>>>>>Subject instance >>>>>>>delivred by authentification to tomcat. >>>>>>> >>>>>>> >>>>>>> >>>>>>>The problem is : how can I get the subject object.. I try >>>>>>>session.getAttribute( "javax.security.auth.subject" ); but it >>>>>>>seems that I >>>>>>>can't access to this information ! >>>>>>> >>>>>>>Any ideas? >>>>>>> >>>>>>>Thanks, >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>------------------------------------------------------------ >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>--------- >>>> >>>> >>>> >>>> >>>> >>>> >>>>>>To unsubscribe, e-mail: [EMAIL PROTECTED] >>>>>>For additional commands, e-mail: [EMAIL PROTECTED] >>>>>> >>>>>> >>>>>>------------------------------------------------------------ >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>--------- >>>> >>>> >>>> >>>> >>>> >>>> >>>>>>To unsubscribe, e-mail: [EMAIL PROTECTED] >>>>>>For additional commands, e-mail: [EMAIL PROTECTED] >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>--------------------------------------------------------------------- >>>>>To unsubscribe, e-mail: [EMAIL PROTECTED] >>>>>For additional commands, e-mail: [EMAIL PROTECTED] >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>--------------------------------------------------------------------- >>>>To unsubscribe, e-mail: [EMAIL PROTECTED] >>>>For additional commands, e-mail: [EMAIL PROTECTED] >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>--------------------------------------------------------------------- >>>To unsubscribe, e-mail: [EMAIL PROTECTED] >>>For additional commands, e-mail: [EMAIL PROTECTED] >>> >>> >>>--------------------------------------------------------------------- >>>To unsubscribe, e-mail: [EMAIL PROTECTED] >>>For additional commands, e-mail: [EMAIL PROTECTED] >>> >>> >>> >>> >>> >>> >>> >>> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: [EMAIL PROTECTED] >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> >>--------------------------------------------------------------------- >>To unsubscribe, e-mail: [EMAIL PROTECTED] >>For additional commands, e-mail: [EMAIL PROTECTED] >> >> >> >> >> >> > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
