tomcat-users mailing list archives

From Carsten Schiller <...@ikom.de>
Subject Reply: Re: JAASRealm, Tomcat 5.5 getting HTTP error page 403 Access denied
Date Fri, 21 Oct 2005 08:40:57 GMT
Jukka Uusisalo <jukka.uusisalo@dnainternet.net> wrote on 20.10.2005 17:37:31:

> Carsten Schiller wrote:
> > Hello!
> > 
> > We are trying to implement a login/security environment using Tomcat 5.5's
> > JAASRealm and Struts as an MVC framework.
> > After login, which fails with the error "HTTP Status 403 - Access to the
> > requested resource has been denied", we can navigate manually to our
> > output.jsp and use
> > ...
> > <%= request.getUserPrincipal() %> ,
> > ...
> > <%= request.isUserInRole("administrator") %>
> > ...
> > <logic:present role="administrator">
> > Admin present!
> > </logic:present>
> > 
> > These return the correct username, (true) for isUserInRole, and the logic
> > tag also works...
> > BUT
> > Our problem is: we protected *.do in our web.xml to be only accessible by
> > users in role "administrator", which fails as described above.
> > Why does the login fail, but we still get a valid Subject with Principals,
> > and can access the roles on the output.jsp?
> > We have been stuck now for over a week, reading tutorials, asking Google,
> > but with no success... Any ideas would be appreciated!
> > 
> 
> Hi,
> 
> I think resources that do not require authentication, like your
> output.jsp, should return null from request.getUserPrincipal().
> 
> But what kind of JAAS login module do you have? Does that login module
> work correctly?
> 
> - Jukka -

Hi Jukka,

What you mention is the same thing we thought, and so we were wondering how it
could be that our authentication resulted in an "HTTP 403" error while
checking the role on our output.jsp returned the correct role of the user.
The tag <logic:present role="administrator"> as well as
<%= request.getUserPrincipal() %> returned the needed information (username
and role) and not, as expected AFTER a failed login, "null".
Our JAAS login module is self-written and we debugged every line of it.
I append it for inspection...
We tested the authentication with a JNDIRealm, which works fine, and there
we don't get "HTTP 403" errors for correct username/password combinations
(we're using the same LDAP server).

Greetings Carsten

SimpleLoginModule.java
[code]
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * JAAS login module that binds to LDAP as the user (userDN + password) in
 * login() and, in commit(), copies the values of the user's
 * "authorizationRole" attribute into the Subject as GroupPrincipals.
 *
 * UserPrincipal, GroupPrincipal and PasswortTester are the poster's own
 * helper classes; they are not included in this message.
 */
public class SimpleLoginModule implements LoginModule {
    private static final int NOT_AUTHENTICATED = 0;
    private static final int AUTHENTICATED = 1;
    private static final int AUTHENTICATE_COMMITTED = 2;
    private static final String SERVERURL = "vm-kallisto-04";
    private static final String DOMAIN = "dc=ikom,dc=de";

    protected String username = null;
    protected char[] password = null;   // cleared as soon as the bind is done
    protected int state = NOT_AUTHENTICATED;
    protected Principal sp;             // user principal, set by login()
    protected Subject sub;              // owned by the LoginContext, never replaced here
    protected DirContext ctx;           // LDAP context bound as the user
    protected String userDN;
    protected CallbackHandler cbh = null;

    public void initialize(Subject s, CallbackHandler ch,
                           Map<String, ?> shared, Map<String, ?> options) {
        System.out.println("Login.initialize()");
        state = NOT_AUTHENTICATED;
        sub = s;
        cbh = ch;
        System.out.println("Subject: " + sub);
    }

    public boolean login() throws LoginException {
        System.out.println("Login.login()");
        if (cbh == null) {
            throw new LoginException("No CallbackHandler specified");
        }
        Callback[] myCb = new Callback[2];
        myCb[0] = new NameCallback("Name: ");
        myCb[1] = new PasswordCallback("PW: ", false);
        try {
            cbh.handle(myCb);
        } catch (Exception cbex) {
            // Without credentials there is nothing to check: fail here
            // instead of carrying null values into the LDAP lookup.
            throw new LoginException("Callback handling failed: " + cbex);
        }
        username = ((NameCallback) myCb[0]).getName();
        password = ((PasswordCallback) myCb[1]).getPassword();
        ((PasswordCallback) myCb[1]).clearPassword();
        if (username == null || password == null || password.length == 0) {
            throw new FailedLoginException("Username or password missing");
        }

        // PasswortTester takes the password as a String (poster's API).
        String pw = new String(password);
        try {
            userDN = PasswortTester.getDN(username, SERVERURL, DOMAIN);
            ctx = PasswortTester.getContext(SERVERURL, DOMAIN, userDN, pw);
            if (PasswortTester.test(ctx, userDN, pw)) {
                state = AUTHENTICATED;
                sp = new UserPrincipal(username);
                System.out.println("Login.login()::true " + username);
                return true;
            }
        } finally {
            Arrays.fill(password, ' ');   // don't keep the password around
            password = null;
        }
        // A rejected password is a failed login. Per the JAAS contract that
        // is reported by throwing; returning false means "ignore this module".
        state = NOT_AUTHENTICATED;
        sp = null;
        closeContext();
        System.out.println("Login.login()::false");
        throw new FailedLoginException("Bind as " + userDN + " failed");
    }

    public boolean commit() throws LoginException {
        System.out.println("Login.commit()");
        if (state < AUTHENTICATED || sp == null) {
            return false;   // our own login() did not succeed: nothing to add
        }
        try {
            Attributes myAttributes =
                ctx.getAttributes(userDN, new String[] {"cn", "authorizationRole"});
            Attribute user = myAttributes.get("cn");
            Attribute rollen = myAttributes.get("authorizationRole");
            System.out.println("LDAPuser: " + user);

            if (!sub.getPrincipals().contains(sp)) {
                sub.getPrincipals().add(sp);
            }
            // A user without an authorizationRole attribute simply gets no
            // roles; the original code would have thrown a NullPointerException.
            if (rollen != null) {
                NamingEnumeration<?> alleWerte = rollen.getAll();
                while (alleWerte.hasMore()) {
                    String eineRolle = alleWerte.next().toString();
                    sub.getPrincipals().add(new GroupPrincipal(eineRolle));
                    System.out.println("Adding GroupPrincipal: " + eineRolle);
                }
            }
        } catch (NamingException e) {
            // Don't swallow this silently: login succeeded but commit cannot
            // complete, which the JAAS contract reports as a LoginException.
            throw new LoginException("Role lookup for " + userDN + " failed: " + e);
        } finally {
            closeContext();   // the bound context is not needed after this
        }
        state = AUTHENTICATE_COMMITTED;
        System.out.println("Login.commit()::true");
        return true;
    }

    public boolean abort() {
        System.out.println("Login.abort()");
        closeContext();
        sp = null;
        userDN = null;
        state = NOT_AUTHENTICATED;
        return true;
    }

    public boolean logout() {
        System.out.println("Login.logout()");
        // Remove what commit() added; the Subject itself belongs to the
        // LoginContext, so it is not set to null here.
        if (sub != null) {
            if (sp != null) {
                sub.getPrincipals().remove(sp);
            }
            sub.getPrincipals().removeAll(sub.getPrincipals(GroupPrincipal.class));
        }
        closeContext();
        sp = null;
        state = NOT_AUTHENTICATED;
        return true;
    }

    // Close the LDAP context so every login path releases the connection.
    private void closeContext() {
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                // nothing left to do with a context that is being discarded
            }
            ctx = null;
        }
    }
}
[/code]


+++++++++++++++++++++++++++++++++++++++++++
This e-mail may contain confidential and/or privileged information. If you are not the intended
recipient (or have received this e-mail in error) please notify the sender immediately and
destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material
in this e-mail is strictly forbidden.
----------------------------------------------------
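The container-side configuration that has to line up with a login module like the one above, as an added example that is not part of the original message and not the poster's own setup. Tomcat's JAASRealm maps the Principals found in the Subject onto a user and onto roles by class name, so the Realm element must be told which classes the module adds, and the security constraint on *.do must name a declared role. The appName "Tomcat", the unqualified class names, the FORM login method and the page names are assumptions; the role "administrator" and the *.do pattern come from the message.

```xml
<!-- conf/server.xml (or the context descriptor): the Realm must know the
     Principal classes the login module adds to the Subject. appName must
     match the entry name in the JAAS login configuration file. Class names
     are assumed and unqualified because the posted module is in the
     default package. -->
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="Tomcat"
       userClassNames="UserPrincipal"
       roleClassNames="GroupPrincipal"/>

<!-- WEB-INF/web.xml: the constraint on *.do, the login method (FORM is
     assumed here) and the declaration of the role the constraint names. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginerror.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>administrator</role-name>
</security-role>
```

The JAAS side is a login configuration file with one entry whose name matches appName, for example `Tomcat { SimpleLoginModule required; };`, made known to the JVM with `-Djava.security.auth.login.config=<path to that file>` (for instance via CATALINA_OPTS). A Principal class the Realm has not been told about is not turned into a Tomcat role, even though it is present in the Subject, so when a constraint yields 403 for a user whose Subject visibly carries the role, the userClassNames/roleClassNames mapping is the first thing to compare against the classes the module actually adds.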