-----Mensaje original-----
De: Brad O'Hearne [mailto:[EMAIL PROTECTED]
Enviado el: Martes, 18 de Octubre de 2005 09:31 a.m.
Para: Tomcat Users List
Asunto: Re: Is it even possible to retrieve a custom user principal? (Was:
Tomcat user principal)
Mark,
Thanks for the response. In the code below, are you manually calling
JAAS, rather than via the j_security_check mechanism? The proper way
to access the authentication mechanism in Tomcat is to post to
j_security_check from a login form -- I wasn't sure from your post
below whether you were referring to this or to executing the below
code within a servlet.
In my case, I'm JAAS is being invoked as a result of posting to
j_security_check. This is why I'm confused as to the "place the JAAS
subject in the session" part of it. I could just be missing the boat,
but I do not see that I have access to the session in my JAAS login
module. If you know of a way to access the session from within a JAAS
login module, that is the code I need to see. I should have been more
clear about this before.
Thanks for your help Mark.
Brad
On Oct 18, 2005, at 1:30 AM, Mark Benussi wrote:
> Hate publishing my code.
>
> I have a struts form that takes the user name and password.
>
> // Create a new CallbackHandler
> JAASCallbackHandler callbackHandler = new JAASCallbackHandler
> ("username",
> "password");
>
> Subject jaasSubject = null;
> LoginContext context = null;
> try {
> context = new LoginContext("IBTJAAS", callbackHandler);
> context.login();
> // Retrieve the authenticated subject
> jaasSubject = context.getSubject();
> } catch (LoginException le) {
> if (le instanceof UnknownUserNameException) {
> throw (UnknownUserNameException) le;
> } else if (le instanceof UserPasswordException) {
> throw (UserPasswordException) le;
> } else {
> throw new SystemException(le);
> }
> }
> // Now place the JAAS subject in the session.
>
> -----Original Message-----
> From: Brad O'Hearne [mailto:[EMAIL PROTECTED]
> Sent: 17 October 2005 23:06
> To: Tomcat Users List
> Subject: Re: Is it even possible to retrieve a custom user
> principal? (Was:
> Tomcat user principal)
>
> Mark,
>
> Thanks a ton for the reply. I almost want to reply with "you're
> kidding,
> right?", as I am kind of speechless that using JAAS (which I am), the
> Java platform's standard authentication/authorization API, doesn't
> allow
> one to use a custom principal. It seems like a major hole in Tomcat
> security flexibility. I suppose I'll float on over the developer
> list to
> find out more about whether this is a planned change or not, and how
> much trouble it would be to add it.
>
> As for your workaround, where can I set the session? My JAAS login
> module doesn't have access to the session, I don't believe, which is
> where my user principal is created. If I had my principal in the
> session, then the default isUserInRole() should work as is, I'll just
> retrieve my custom user principal out of the session for other
> custom data.
>
> Mark, where can I add my user principal to the session?
>
> Brad
>
> Mark Benussi wrote:
>
>
>> If you're implementing JAAS... no. No idea about the rest. Its not
>>
> supported
>
>> in Tomcat (But should be). Stick it in the session, and then you
>> have to
>> override the Tomcat HttpRequestProcessor (isUserInRole()) to get your
>> Principal out of the session and call the validation.
>>
>> -----Original Message-----
>> From: Brad O'Hearne [mailto:[EMAIL PROTECTED]
>> Sent: 17 October 2005 22:25
>> To: Brad O'Hearne
>> Cc: Tomcat Users List
>> Subject: Is it even possible to retrieve a custom user principal?
>> (Was:
>> Tomcat user principal)
>>
>> Hello,
>>
>> As this has become a bit of a roadblock in implementing security, I'd
>> like to ask anyone out there two things:
>>
>> 1) Is it even possible to use a custom user princpal within a
>> realm that
>> is retrievable within a servlet (via presumably the request or
>> otherwise) in Tomcat?
>>
>> 2) If the answer to #1 is yes, how is this done? Does anyone have a
>> working code snippet that demonstrates this?
>>
>> Thanks, I'm about to head to the developer list to ask this
>> question, as
>> its pretty crucial for our security implementation.
>>
>> Brad
>>
>> Brad O'Hearne wrote:
>>
>>
>>
>>
>>> Response below:
>>>
>>> Wendy Smoak wrote:
>>>
>>>
>>>
>>>
>>>> From: "Brad O'Hearne" <[EMAIL PROTECTED]>
>>>>
>>>>
>>>>
>>>>
>>>>> I would have expected that designation of the user class name
>>>>> would
>>>>> have resulted in my being returned the class I specified for the
>>>>> user class name from the requestion.getUserPrincpal() method,
>>>>> but it
>>>>> doesn't.
>>>>>
>>>>>
>>>>>
>>>>
>>>> What version of Tomcat are you using? As far as I know, it
>>>> works the
>>>> way you want on 5.0.28. I remember trying it with and without the
>>>> class name, and writing that comment to remind myself.
>>>>
>>>> Could this be it?
>>>> http://issues.apache.org/bugzilla/show_bug.cgi?id=37044
>>>>
>>>>
>>>>
>>>>
>>> I am using 5.0.28, and I'm not seeing the expected behavior.
>>> Hmmm.....was there anything else that has to be done to be able to
>>> access your own custom user principal?
>>>
>>> Brad
>>>
>>>
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
