tomcat-users mailing list archives

From Brad O'Hearne <br...@neurofire.com>
Subject Re: Antwort: Re: JAASRealm, Tomcat 5.5 getting HTTP error page 403 Access denied
Date Fri, 21 Oct 2005 13:10:38 GMT
Carsten,

This is a confirmed bug -- I've just spent a couple days wrestling with 
it myself. It is a logged bug and fixed on the trunk.

http://issues.apache.org/bugzilla/show_bug.cgi?id=37044

Brad

Carsten Schiller wrote:

>Jukka Uusisalo <jukka.uusisalo@dnainternet.net> wrote on 20.10.2005 17:37:31:
>
>>Carsten Schiller wrote:
>>
>>>Hello!
>>>
>>>We are trying to implement a login/security environment using Tomcat 5.5's
>>>JAASRealm and Struts as a MVC-Framework.
>>>After login, which fails with error "HTTP Status 403 - Access to the
>>>requested resource has been denied", we can navigate manually to our
>>>output.jsp and use
>>>...
>>><%= request.getUserPrincipal() %> ,
>>>...
>>><%= request.isUserInRole("administrator") %>
>>>...
>>><logic:present role="administrator">
>>>Admin present!
>>></logic:present>
>>>
>>>These return the correct username, (true) for isUserInRole, and the logic tag
>>>also works...
>>>BUT
>>>Our problem is: We protected *.do in our web.xml to be only accessible by
>>>users in role "administrator", which fails as described above.
>>>Why does the login fail, but we still get a valid Subject with Principals,
>>>and can access the roles on the output.jsp?
>>>We are stuck now for over a week, reading tutorials, asking Google, but
>>>with no success... Any ideas would be appreciated!
>>>
>>Hi,
>>
>>I think resources that do not require authentication, like your
>>output.jsp, should return null from request.getUserPrincipal().
>>
>>But what kind of JAAS login module do you have? Does that login module
>>work correctly?
>>
>>- Jukka -
>>
>
>Hi Jukka,
>
>what you mention is the same we thought, and so we were wondering how it
>could be that our authentication resulted in an "HTTP 403" error and
>checking the role on our output.jsp returned the correct role of the user.
>The tag <logic:present role="administrator"> as well as <%=
>request.getUserPrincipal()%> returned the needed information (username
>and role) and not, as expected AFTER a failed login, "null".
>Our JAAS login module is self-written and we debugged every little piece of
>code.
>I append it for inspection...
>We tested the authentication with a JNDIRealm, which works fine, and there
>we don't get "HTTP 403" errors for correct username/password combinations
>(we were using the same LDAP server).
>
>Greetings Carsten
>
>SimpleLoginModule.java
>[code]
>import java.util.Map;
>import java.util.Set;
>
>import javax.naming.NamingEnumeration;
>import javax.naming.directory.Attribute;
>import javax.naming.directory.Attributes;
>import javax.naming.directory.DirContext;
>import javax.security.auth.Subject;
>import javax.security.auth.callback.Callback;
>import javax.security.auth.callback.CallbackHandler;
>import javax.security.auth.callback.NameCallback;
>import javax.security.auth.callback.PasswordCallback;
>import javax.security.auth.spi.LoginModule;
>import javax.security.auth.login.*;
>import java.security.Principal;
>
>// Note: the helper classes used below (UserPrincipal, GroupPrincipal, PasswortTester)
>// were not included in the mail.
>public class SimpleLoginModule implements LoginModule
>{
>  private static final int NOT_AUTHENTICATED = 0;
>  private static final int AUTHENTICATED = 1;
>  private static final int AUTHENTICATE_COMMITTED = 2;
>  private static final String SERVERURL = "vm-kallisto-04";
>  private static final String DOMAIN = "dc=ikom,dc=de";
>  protected String username = null;
>  protected String password = null;
>  protected int state;
>  protected Principal sp;          // user principal, created by login()
>  protected Subject sub;           // Subject handed in by initialize()
>  protected DirContext ctx;        // LDAP context bound as the user
>  protected String userDN;
>  protected GroupPrincipal einRollenPrincipal;
>  protected CallbackHandler cbh = null;
>
>  public boolean abort()
>  {
>    System.out.println("Login.abort()");
>    sub = null;
>    sp = null;
>    state = NOT_AUTHENTICATED;
>    return true;
>  }
>
>  // Called by the LoginContext once every required login() has succeeded:
>  // adds the user principal and one GroupPrincipal per value of the
>  // "authorizationRole" LDAP attribute to the Subject.
>  public boolean commit()
>  {
>    System.out.println("Login.commit()");
>    if (state < AUTHENTICATED) {
>      return false;
>    }
>    if (sp == null) {
>      return false;
>    }
>    try
>    {
>      Attributes myAttributes = ctx.getAttributes(userDN, new String[]{"cn", "authorizationRole"});
>      Attribute user = myAttributes.get("cn");
>      Attribute rollen = myAttributes.get("authorizationRole");
>      System.out.println("LDAPuser: " + user);
>      NamingEnumeration alleWerte = rollen.getAll();   // NPE (caught below) if the attribute is absent
>      if (!sub.getPrincipals().contains(sp))
>      {
>        sub.getPrincipals().add(sp);
>      }
>
>      while (alleWerte.hasMore())
>      {
>        String eineRolle = alleWerte.next().toString();
>        sub.getPrincipals().add(new GroupPrincipal(eineRolle));
>        System.out.println("Fuege GROUPPrincipal hinzu: " + eineRolle);
>      }
>    }
>    catch (Exception e)
>    {
>      //System.out.println("Fehler bei Commit: "+e);
>      return false;
>    }
>    state = AUTHENTICATE_COMMITTED;
>    System.out.println("Login.commit()::true");
>    return true;
>  }
>
>  public void initialize(Subject s, CallbackHandler ch, Map shared, Map options)
>  {
>    System.out.println("Login.initialize()");
>    state = NOT_AUTHENTICATED;
>    sub = s;
>    System.out.println("Subject-Name: " + sub.toString());
>    this.cbh = ch;
>  }
>
>  // Collects name and password through the CallbackHandler, then binds to
>  // LDAP as the user's DN to verify the password.
>  public boolean login() throws LoginException {
>    System.out.println("Login.login()");
>
>    if (cbh == null)
>      throw new LoginException("No CallbackHandler specified");
>    Callback[] myCb = new Callback[2];
>    myCb[0] = new NameCallback("Name: ");
>    myCb[1] = new PasswordCallback("PW: ", false);
>    username = null;
>    password = null;
>    try
>    {
>      cbh.handle(myCb);
>      username = ((NameCallback) myCb[0]).getName();
>      password = new String(((PasswordCallback) myCb[1]).getPassword());
>    }
>    catch (Exception cbex)
>    {
>      // a failed callback leaves username/password null; fail the login instead of continuing
>      throw new LoginException("Callback failed: " + cbex);
>    }
>
>    userDN = PasswortTester.getDN(username, SERVERURL, DOMAIN);
>    ctx = PasswortTester.getContext(SERVERURL, DOMAIN, userDN, password);
>    if (PasswortTester.test(ctx, userDN, password))
>    {
>      state = AUTHENTICATED;
>      sp = new UserPrincipal(username); //username
>      System.out.println("Login.login()::true " + username);
>      return true;
>    }
>    else
>    {
>      state = NOT_AUTHENTICATED;
>      sp = null;
>      sub = null;
>      System.out.println("Login.login()::false");
>      return false;
>    }
>  }
>
>  public boolean logout()
>  {
>    System.out.println("Login.logout()");
>    state = NOT_AUTHENTICATED;
>    sp = null;
>    sub = null;
>    return true;
>  }
>}
>
>[/code]
>
>
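A stand-alone harness, added here and not part of this thread or of Tomcat, that drives a LoginModule through LoginContext the way a JAASRealm does and lists the role Principals that actually reached the Subject; it separates "the module commits no roles" from "the container does not map them". It assumes a constructed in-memory credential table in place of the LDAP bind, principal classes named UserPrincipal/GroupPrincipal (the names a JAASRealm's userClassNames/roleClassNames would be set to), and Java 16 or newer.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasSubjectCheck {
    // Two distinct Principal classes: JAASRealm tells the user from its roles by class name
    // (its userClassNames / roleClassNames attributes), so the two types must stay separate.
    static class Named implements Principal { final String n; Named(String n) { this.n = n; } public String getName() { return n; } }
    public static class UserPrincipal extends Named { public UserPrincipal(String n) { super(n); } }
    public static class GroupPrincipal extends Named { public GroupPrincipal(String n) { super(n); } }
    // Constructed in-memory credential and role tables stand in for the LDAP bind and attribute lookup.
    public static class MemoryLoginModule implements LoginModule {
        static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
        static final Map<String, List<String>> ROLES = Map.of("alice", List.of("administrator"));
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("Name: "); PasswordCallback pc = new PasswordCallback("PW: ", false);
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException("callback failed: " + e); }
            String expected = PASSWORDS.get(nc.getName());
            if (expected == null || !Arrays.equals(expected.toCharArray(), pc.getPassword()))
                throw new FailedLoginException("bad credentials"); // fail closed: nothing reaches the Subject
            user = nc.getName(); pc.clearPassword(); return true;
        }
        public boolean commit() { // LoginContext calls this only once every REQUIRED login() has succeeded
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String r : ROLES.getOrDefault(user, List.of())) subject.getPrincipals().add(new GroupPrincipal(r));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }
    // Programmatic JAAS Configuration, so the check runs without a jaas.config file or a Tomcat instance.
    static final Configuration CONFIG = new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
        return new AppConfigurationEntry[] { new AppConfigurationEntry(MemoryLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; } };
    // Role names committed to the Subject for the given credentials; a wrong password makes login() throw.
    public static List<String> rolesFor(String name, char[] pw) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(name);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw);
            else throw new UnsupportedCallbackException(c); } };
        LoginContext lc = new LoginContext("Tomcat", new Subject(), h, CONFIG); lc.login();
        return lc.getSubject().getPrincipals(GroupPrincipal.class).stream().map(Principal::getName).sorted().toList();
    }
    public static void main(String[] args) throws LoginException { System.out.println(rolesFor("alice", "s3cret".toCharArray())); }
}
```

If the harness lists the expected roles for a module but Tomcat still answers 403, the module is not where to look: compare the realm's userClassNames/roleClassNames with the fully qualified principal class names and the role names in the web.xml security constraint.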



