Carsten,

This is a confirmed bug -- I've just spent a couple of days wrestling with it myself. It is a logged bug and fixed on the trunk.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37044

Brad

Carsten Schiller wrote:

Jukka Uusisalo <[EMAIL PROTECTED]> wrote on 20.10.2005 17:37:31:

Carsten Schiller wrote:
Hello!

We are trying to implement a login/security environment using Tomcat 5.5's JAASRealm and Struts as an MVC framework.
After login, which fails with the error "HTTP Status 403 - Access to the requested resource has been denied", we can navigate manually to our output.jsp and use ... <%= request.getUserPrincipal %>, ... <%= request.isUserInRole("administrator") %> ...
<logic:present role="administrator">
Admin present!
</logic:present>

These return the correct username, (true) for isUserInRole, and the logic tag also works... BUT our problem is: we protected *.do in our web.xml to be only accessible by users in role "administrator", which fails as described above. Why does the login fail, but we still get a valid Subject with Principals, and can access the roles on the output.jsp?
We are stuck now for over a week, reading tutorials, asking Google, but with no success... Any ideas would be appreciated!

Hi,

I think resources that do not require authentication, like your
output.jsp, should return null from request.getUserPrincipal().

But what kind of JAAS login module do you have? Does that login module
work correctly?

- Jukka -

Hi Jukka,

What you mention is the same we thought, and so we were wondering how it could be that our authentication resulted in an "HTTP 403" error while checking the role on our output.jsp returned the correct role of the user. The tag <logic:present role="administrator"> as well as <%= request.getUserPrincipal() %> returned the needed information (username and role) and not, as expected AFTER a failed login, "null". Our JAAS login module is self-written and we debugged every line of it. I append it for inspection... We tested the authentication with a JNDIRealm, which works fine, and there we don't get "HTTP 403" errors for correct username/password combinations (we were using the same LDAP server).

Greetings Carsten

SimpleLoginModule.java
[code]
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Two-phase JAAS login module: login() binds to the LDAP server as the user,
 * commit() reads the user's "authorizationRole" values and adds one UserPrincipal
 * plus one GroupPrincipal per role to the Subject. The helper classes
 * UserPrincipal, GroupPrincipal and PasswortTester are not part of this mail.
 */
public class SimpleLoginModule implements LoginModule {
  private static final int NOT_AUTHENTICATED = 0;
  private static final int AUTHENTICATED = 1;
  private static final int AUTHENTICATE_COMMITTED = 2;
  private static final String SERVERURL = "vm-kallisto-04";
  private static final String DOMAIN = "dc=ikom,dc=de";

  protected String username = null;
  protected String password = null;
  protected int state = NOT_AUTHENTICATED;
  protected Principal sp;              // user principal created by login()
  protected Subject sub;               // owned by the LoginContext, never replaced here
  protected DirContext ctx;            // LDAP context bound as the user
  protected String userDN;
  protected CallbackHandler cbh = null;
  // principals this module added to the Subject, so abort()/logout() can remove them again
  protected Set addedPrincipals = new HashSet();

  public void initialize(Subject s, CallbackHandler ch, Map shared, Map options) {
    System.out.println("Login.initialize()");
    state = NOT_AUTHENTICATED;
    sub = s;
    cbh = ch;
    System.out.println("Subject-Name: " + sub.toString());
  }

  public boolean login() throws LoginException {
    System.out.println("Login.login()");
    if (cbh == null) {
      throw new LoginException("No CallbackHandler specified");
    }
    Callback[] myCb = new Callback[2];
    myCb[0] = new NameCallback("Name: ");
    myCb[1] = new PasswordCallback("PW: ", false);
    username = null;
    password = null;
    try {
      cbh.handle(myCb);
      username = ((NameCallback) myCb[0]).getName();
      char[] pw = ((PasswordCallback) myCb[1]).getPassword();   // may be null
      password = (pw == null) ? "" : new String(pw);
      ((PasswordCallback) myCb[1]).clearPassword();
    } catch (Exception cbex) {
      // a failing callback is a login failure; do not continue with null values
      throw new LoginException("Fehler: " + cbex);
    }
    if (username == null || username.length() == 0) {
      throw new FailedLoginException("No username supplied");
    }

    // look up the user's DN and bind to the directory with the supplied password
    userDN = PasswortTester.getDN(username, SERVERURL, DOMAIN);
    ctx = PasswortTester.getContext(SERVERURL, DOMAIN, userDN, password);
    if (PasswortTester.test(ctx, userDN, password)) {
      state = AUTHENTICATED;
      sp = new UserPrincipal(username);
      System.out.println("Login.login()::true " + username);
      return true;
    }
    cleanup();
    System.out.println("Login.login()::false");
    // JAAS convention for a wrong password: throw, do not return false
    throw new FailedLoginException("Authentication failed for " + username);
  }

  public boolean commit() throws LoginException {
    System.out.println("Login.commit()");
    if (state < AUTHENTICATED || sp == null) {
      return false;       // login() did not succeed here, nothing to commit
    }
    try {
      Attributes myAttributes = ctx.getAttributes(userDN, new String[] {"cn", "authorizationRole"});
      Attribute user = myAttributes.get("cn");
      Attribute rollen = myAttributes.get("authorizationRole");
      System.out.println("LDAPuser: " + user);
      if (!sub.getPrincipals().contains(sp)) {
        sub.getPrincipals().add(sp);
        addedPrincipals.add(sp);
      }
      // one GroupPrincipal per attribute value; a user without the attribute gets no roles
      if (rollen != null) {
        NamingEnumeration alleWerte = rollen.getAll();
        while (alleWerte.hasMore()) {
          String eineRolle = alleWerte.next().toString();
          Principal gp = new GroupPrincipal(eineRolle);
          sub.getPrincipals().add(gp);
          addedPrincipals.add(gp);
          System.out.println("Fuege GROUPPrincipal hinzu: " + eineRolle);
        }
      }
    } catch (Exception e) {
      System.out.println("Fehler bei Commit: " + e);
      cleanup();
      return false;
    } finally {
      closeContext();     // the bound LDAP connection is no longer needed
    }
    password = null;      // the cleartext password is not needed after commit
    state = AUTHENTICATE_COMMITTED;
    System.out.println("Login.commit()::true");
    return true;
  }

  public boolean abort() {
    System.out.println("Login.abort()");
    cleanup();
    return true;
  }

  public boolean logout() {
    System.out.println("Login.logout()");
    cleanup();
    return true;
  }

  // remove only the principals this module added; the Subject itself belongs to the LoginContext
  private void cleanup() {
    if (sub != null) {
      sub.getPrincipals().removeAll(addedPrincipals);
    }
    addedPrincipals.clear();
    closeContext();
    sp = null;
    password = null;
    state = NOT_AUTHENTICATED;
  }

  private void closeContext() {
    if (ctx != null) {
      try { ctx.close(); } catch (Exception ignored) { }
      ctx = null;
    }
  }
}
[/code]
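The three places that have to agree before a JAASRealm role check on *.do can pass, as an added example that is not from this mail or the Tomcat docs: the Realm's userClassNames/roleClassNames must name the principal classes the module adds in commit() (UserPrincipal and GroupPrincipal above, assumed to be in the default package), appName must equal the entry name in the JAAS config file (the name TomcatLogin is assumed), and the role-name in web.xml must equal the GroupPrincipal name byte for byte. The FORM login pages are assumptions as well.

```xml
<!-- conf/server.xml, inside the <Engine> or <Host> that serves the webapp -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="TomcatLogin"
       userClassNames="UserPrincipal"
       roleClassNames="GroupPrincipal"/>
<!-- class names are compared fully qualified: with a package it is "de.example.GroupPrincipal" -->

<!-- JAAS config file, passed with -Djava.security.auth.login.config=/path/jaas.config;
     the entry name must equal appName:
       TomcatLogin { SimpleLoginModule required; };
-->

<!-- WEB-INF/web.xml: the constraint that currently answers with 403 -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- must match the "authorizationRole" value from LDAP exactly, case included -->
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>administrator</role-name>
</security-role>
```

If any one of the three names disagrees, the Subject still carries its principals but Tomcat builds its own principal without the role, which is the 403 seen on the constrained URL while an unconstrained JSP can still inspect the Subject.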

