tomcat-users mailing list archives

From juraj Lenharcik <juraj.lenhar...@datainput.de>
Subject AW: protect websites with jaas
Date Thu, 07 Feb 2002 16:01:38 GMT
Hi Mike,

you are right. JAAS with the Authorization part is not constructed for
J2EE applications. Authentication works fine, but the Authorization part you
have to implement yourself. I am doing something like this, because I didn't
find any other solution.

I authenticate with JAAS on a JSP (without an Applet). The Authorization
runs like the policy grants, but on XML. On every request I go to an
ActionServlet (Struts) which sends a request to an Authorization servlet. This
servlet checks the rights for this directory and sends its response back
to the ActionServlet.
Based on this result, the correct forward will be taken.
I hope it will be working, because I am on it now. I hope there will soon be
a non (Struts) ;-) solution or something like that.

Juraj  




-----Original Message-----
From: Mike Jackson [mailto:mjackson@cdi-hq.com]
Sent: Thursday, 7 February 2002 16:27
To: Tomcat Users List
Subject: Re: protect websites with jaas


I tried to do something like that.  But I found that with jaas all I got was
the permissions of the user that was running tomcat.  After reading and
playing a bit more I concluded that I'd need an applet running on the web
client in order to get jaas to work for me.  And with the restrictions on
applets I decided that wasn't worth it either.

However, I could have misunderstood something or been doing it wrong, but
that's my experience.
Your mileage may vary, some assembly required, batteries not included.

--mikej
-=-----
mike jackson
mjackson@cdi-hq.com

----- Original Message -----
From: "juraj Lenharcik" <juraj.lenharcik@datainput.de>
To: <tomcat-user@jakarta.apache.org>
Sent: Thursday, February 07, 2002 2:12 AM
Subject: protect websites with jaas


> Hello,
>
> I have built an application with an authentication with an NT Domain. I have
> some authorization aspects, too. That means not every authenticated user
> has the rights to do some actions.
>
> I have ported this application to a webapp. The authentication part works
> fine. The user has to input his name and password and will be authenticated
> or not. But with the authorization part I have some problems.
>
> What is the best way to protect some sites with JAAS? I mean that user1 has
> the right to run some JSPs, but user2 does not have this right.
>
> On the application side I do these grants in the policy like:
>
> grant codebase "file:./MyTest.jar", Principal NTPrincipal "user1"{
> permission java.util.PropertyPermission "user.dir", "read";
> permission java.util.PropertyPermission "user.home", "read";
> permission java.util.PropertyPermission "java.home", "read";
> permission java.io.FilePermission "foo.txt", "read";
> };
>
> But does anyone have an idea, or has anyone implemented it for websites? I am
> not sure what the best concept is. I think the server should take some work
> on this, so that I can grant it like:
>
> server.accessFantasyPermission"htdocs/jsp1", "read";
> permission
>
> Is it possible to do something like this?
>
> Thank you
> Juraj

--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
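
Added example, not code from this thread: the per-request check described in the reply above, with path rules kept in XML and matched against the principals of the JAAS-authenticated Subject. The class name PathAuthorizer, the <grant> rule format and the sample paths and users are assumptions made for illustration.

```java
import java.io.StringReader;
import java.net.URI;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class PathAuthorizer {
    // Constructed sample rules (hypothetical format): path prefix -> principal names allowed.
    static final String RULES =
        "<rules><grant path='/jsp1/' principals='user1'/>"
      + "<grant path='/reports/' principals='user1,user2'/></rules>";
    private final Map<String, Set<String>> grants = new LinkedHashMap<>();

    public PathAuthorizer(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The rules file is security configuration: refuse DTDs so it cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList nodes = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                          .getElementsByTagName("grant");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            grants.put(e.getAttribute("path"),
                       new HashSet<>(Arrays.asList(e.getAttribute("principals").split(","))));
        }
    }

    // Default deny: no matching grant, or no matching principal, means the request is refused.
    public boolean isAllowed(Subject subject, String requestPath) {
        if (subject == null) return false;
        // Normalize first so "/reports/../jsp1/x.jsp" is checked as "/jsp1/x.jsp".
        String path = URI.create(requestPath).normalize().getPath();
        if (path == null || path.contains("/..")) return false; // fail closed on leftover traversal
        for (Map.Entry<String, Set<String>> g : grants.entrySet()) {
            if (!path.startsWith(g.getKey())) continue;
            for (Principal p : subject.getPrincipals())
                if (g.getValue().contains(p.getName())) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Subject user2 = new Subject();
        user2.getPrincipals().add(() -> "user2"); // stand-in for the principal a LoginModule adds
        PathAuthorizer authz = new PathAuthorizer(RULES);
        System.out.println(authz.isAllowed(user2, "/reports/q1.jsp"));
        System.out.println(authz.isAllowed(user2, "/reports/../jsp1/admin.jsp"));
    }
}
```

In a webapp the same isAllowed call would sit in front of the forward, with the Subject taken from the JAAS LoginContext stored for the session.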

