Hello! I ran out of time and have had to go to a client's today, may do some work tonight from the hotel.

The end result with my JAAS implementation was that I successfully got the JAAS code invoked from Tomcat via the LoginContext, however I had to, excuse my language, bastardise my app to place the Subject in the session after authentication, and then override the Struts RequestProcessor to override the processRoles method to look up my Subject from the session and validate against that. Luckily I use a tag in the JSP end <fw:user_in_role name="Role1"> so I was able to change the underlying code to get the Subject I placed in the session out and check the role instead of doing request.isUserInRole.

In summary.... I wrote a heck of a lot of JAAS code to implement a JDBC lookup and put a class in the session, all of which I could have done myself :s. I am going to write to the Tomcat user list and see if I am missing anything obvious.

In relation to the JDBC realm, the sole reason I didn't want to use that was because I have a complex/powerful/over-engineered ;) database model which involves Users, Roles, User Groups and Role Groups, all of which can be associated with each other [User can have direct Role, belong to a User Group and Role Group, User Group can have Roles but also belong to Role Groups, and Role Groups can contain Roles... phew!]. The SQL statement for that will be a task in itself for me. If I get it done and it works better than the JAAS stuff I will write the whole thing up, but please, if anyone has done JDBCRealm stuff and thinks Tomcat will fail in the same way as JAAS (after you have authenticated a subject Tomcat has no awareness), please tell me now to stop me wasting my time, when there is Champions League to watch tonight... Will post again when I have made some more progress.
Thanks to everyone for their input

-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 10 August 2005 11:28
To: Struts Users Mailing List
Subject: Re: Last question on JAAS I promise

My bet is that Mark will get 95% of the way there but not be able to bend container-managed security that last little bit to achieve what he needs. I don't want to be deliberately down on this and I'd love to be wrong about it, but I've been there and done that in Tomcat 5 and JBoss and came up short.

In fact, Craig posted a link to a Sun colleague of his who is looking at the next Servlet spec and [quote]:

# Improved Security - This has been an area where we have wanted to refine for some time. This may include APIs for programmatic login.

Mark, I thought you might want to leave comments when you're done with what you're doing, since it will be fresh in your mind (I added comments just yesterday but the programming was something I did over a year ago)

http://weblogs.java.net/blog/gmurray71/archive/2005/07/got_servlets.html

Adam

[EMAIL PROTECTED] on 09/08/05 22:04, wrote:
> Thanks Craig.
>
> Well Mark, I'd be interested in hearing how it turns out. Good luck.
>
> Erik
>
>
> -----Original Message-----
> From: Craig McClanahan <[EMAIL PROTECTED]>
> Sent: Aug 9, 2005 4:42 PM
> To: Struts Users Mailing List <user@struts.apache.org>, [EMAIL PROTECTED]
> Subject: Re: Last question on JAAS I promise
>
> On 8/9/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> I found my login-config.xml. Suddenly I fear that I had this working in JBoss but not stand-alone Tomcat, but yet I *know* I was calling isUserInRole. At the same time, I remember the propagation problem between Tomcat and JBoss, and this config is definitely for JBoss. But isUserInRole would definitely be a Tomcat thing . . . Damn!
>>
>> <application-policy name="mysqldb">
>>   <authentication>
>>     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
>>       <module-option name="unauthenticatedIdentity">anybody</module-option>
>>       <module-option name="dsJndiName">java:/MySQLDB</module-option>
>>       <module-option name="principalsQuery">SELECT password FROM auth_user WHERE username = ?</module-option>
>>       <module-option name="rolesQuery">SELECT group_name, 'Roles' FROM auth_group, auth_user_group, auth_user WHERE auth_group.group_id = auth_user_group.group_id AND auth_user_group.user_id = auth_user.user_id AND auth_user.username = ?</module-option>
>>     </login-module>
>>   </authentication>
>> </application-policy>
>>
>> Erik
>>
>
> Tomcat has reasonably good documentation about how to configure
> container managed security. For Tomcat 5.0, it's at:
>
> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html
>
> Because it looks like you have your users in a database, you'll want
> to focus on setting up a JDBCRealm configuration. If you need further
> help on it, asking on the Tomcat User list is a good bet (to
> subscribe, send an empty message to
> <[EMAIL PROTECTED]>).
>
> Craig
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
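The "SQL statement that will be a task in itself" for the JDBCRealm route, worked through as an added example that is not from any poster in this thread. Tomcat's JDBCRealm only needs two things it can query: a user table with a username and a credential column, and a "user roles" table with a username and a role-name column. For the Users / Roles / User Groups / Role Groups model described at the top of the thread, the practical approach is to leave the normalised tables as they are and expose a view that flattens all four ways a user can reach a role into (username, role_name) rows, then point the realm's userRoleTable at the view. Every table name, column name and row of sample data below is a constructed assumption, not the poster's real schema; Python's sqlite3 module is used only as a portable harness to run the SQL, which is the actual point.

```python
import sqlite3

# Constructed schema for the model described at the top of this thread:
# users, roles, user groups and role groups, where a user can hold a role
# directly, via a user group, via a role group the user group belongs to,
# or via a role group the user belongs to directly. Names are assumptions.
SCHEMA = """
CREATE TABLE users       (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL);
CREATE TABLE roles       (role_id INTEGER PRIMARY KEY, role_name TEXT UNIQUE NOT NULL);
CREATE TABLE user_groups (group_id INTEGER PRIMARY KEY, group_name TEXT UNIQUE NOT NULL);
CREATE TABLE role_groups (role_group_id INTEGER PRIMARY KEY, role_group_name TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles             (user_id INTEGER, role_id INTEGER, PRIMARY KEY (user_id, role_id));
CREATE TABLE user_group_members     (user_id INTEGER, group_id INTEGER, PRIMARY KEY (user_id, group_id));
CREATE TABLE user_role_groups       (user_id INTEGER, role_group_id INTEGER, PRIMARY KEY (user_id, role_group_id));
CREATE TABLE user_group_roles       (group_id INTEGER, role_id INTEGER, PRIMARY KEY (group_id, role_id));
CREATE TABLE user_group_role_groups (group_id INTEGER, role_group_id INTEGER, PRIMARY KEY (group_id, role_group_id));
CREATE TABLE role_group_roles       (role_group_id INTEGER, role_id INTEGER, PRIMARY KEY (role_group_id, role_id));
"""

# One (username, role_name) row per effective role. UNION (not UNION ALL)
# collapses roles reachable by more than one path. This is the shape
# Tomcat's JDBCRealm expects from its userRoleTable, so the realm can be
# pointed at the view instead of at a physical table.
VIEW = """
CREATE VIEW effective_user_roles AS
  SELECT u.username AS username, r.role_name AS role_name          -- 1. direct role
    FROM users u
    JOIN user_roles ur ON ur.user_id = u.user_id
    JOIN roles r       ON r.role_id = ur.role_id
  UNION
  SELECT u.username, r.role_name                                    -- 2. via user group
    FROM users u
    JOIN user_group_members m ON m.user_id = u.user_id
    JOIN user_group_roles gr  ON gr.group_id = m.group_id
    JOIN roles r              ON r.role_id = gr.role_id
  UNION
  SELECT u.username, r.role_name                                    -- 3. via user group -> role group
    FROM users u
    JOIN user_group_members m       ON m.user_id = u.user_id
    JOIN user_group_role_groups grg ON grg.group_id = m.group_id
    JOIN role_group_roles rgr       ON rgr.role_group_id = grg.role_group_id
    JOIN roles r                    ON r.role_id = rgr.role_id
  UNION
  SELECT u.username, r.role_name                                    -- 4. via role group
    FROM users u
    JOIN user_role_groups urg ON urg.user_id = u.user_id
    JOIN role_group_roles rgr ON rgr.role_group_id = urg.role_group_id
    JOIN roles r              ON r.role_id = rgr.role_id;
"""

# Constructed sample data that exercises every path at least once.
SAMPLE_DATA = """
INSERT INTO users VALUES (1, 'mark', '<digest>'), (2, 'erik', '<digest>'), (3, 'guest', '<digest>');
INSERT INTO roles VALUES (1, 'Role1'), (2, 'Role2'), (3, 'Role3'), (4, 'Role4');
INSERT INTO user_groups VALUES (10, 'Developers');
INSERT INTO role_groups VALUES (20, 'Admins'), (21, 'Auditors');
INSERT INTO user_roles VALUES (1, 1);                    -- mark holds Role1 directly
INSERT INTO user_group_members VALUES (1, 10), (2, 10);  -- mark and erik are Developers
INSERT INTO user_group_roles VALUES (10, 2);             -- Developers grants Role2
INSERT INTO user_group_role_groups VALUES (10, 20);      -- Developers belongs to Admins
INSERT INTO role_group_roles VALUES (20, 1), (20, 3), (21, 4);  -- Admins: Role1, Role3; Auditors: Role4
INSERT INTO user_role_groups VALUES (2, 21);             -- erik is in Auditors directly
"""


def build_db():
    """In-memory SQLite database with the schema, the view and the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + VIEW + SAMPLE_DATA)
    return conn


def roles_for(conn, username):
    """The role query JDBCRealm issues, per Tomcat's realm-howto:
    SELECT roleNameCol FROM userRoleTable WHERE userNameCol = ?
    With userRoleTable="effective_user_roles", roleNameCol="role_name"
    and userNameCol="username" it becomes the statement below."""
    rows = conn.execute(
        "SELECT role_name FROM effective_user_roles WHERE username = ? ORDER BY role_name",
        (username,),
    ).fetchall()
    return [role for (role,) in rows]


def user_in_role(conn, username, role):
    """What request.isUserInRole answers once the container holds the principal."""
    return role in roles_for(conn, username)


if __name__ == "__main__":
    db = build_db()
    for name in ("mark", "erik", "guest"):
        print(name, roles_for(db, name))
```

With the view in place, the Tomcat 5 Realm element is the plain one from the realm-howto: `userTable="users" userNameCol="username" userCredCol="password" userRoleTable="effective_user_roles" roleNameCol="role_name"` plus the driver and connection attributes. Two practical points. First, the realm performs the login itself, so the container does hold the principal afterwards and `request.isUserInRole` works without any Subject-in-the-session workaround; the roles are read when the user authenticates, so the four-way UNION costs one query per login rather than one per role check. Second, the `password` column above is labelled `<digest>` deliberately: JDBCRealm's `digest` attribute (e.g. `digest="SHA"`) lets the realm compare a hashed credential, which is preferable to storing the plaintext password that a query like `SELECT password FROM auth_user` implies.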