From: "LORESERVO.COM"
To: "'Tomcat Users List'"
Subject: RE: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal)
Date: Tue, 18 Oct 2005 09:35:26 -0500

-----Original Message-----
From: Brad O'Hearne [mailto:brado@neurofire.com]
Sent: Tuesday, October 18, 2005 09:31 a.m.
To: Tomcat Users List
Subject: Re: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal)

Mark,

Thanks for the response. In the code below, are you manually calling
JAAS, rather than via the j_security_check mechanism? The proper way to
access the authentication mechanism in Tomcat is to post to
j_security_check from a login form -- I wasn't sure from your post below
whether you were referring to this or to executing the below code within
a servlet. In my case, JAAS is being invoked as a result of posting to
j_security_check. This is why I'm confused as to the "place the JAAS
subject in the session" part of it. I could just be missing the boat,
but I do not see that I have access to the session in my JAAS login
module.
If you know of a way to access the session from within a JAAS login
module, that is the code I need to see. I should have been more clear
about this before.

Thanks for your help, Mark.

Brad

On Oct 18, 2005, at 1:30 AM, Mark Benussi wrote:

> Hate publishing my code.
>
> I have a struts form that takes the user name and password.
>
> // Create a new CallbackHandler
> JAASCallbackHandler callbackHandler =
>         new JAASCallbackHandler("username", "password");
>
> Subject jaasSubject = null;
> LoginContext context = null;
> try {
>     context = new LoginContext("IBTJAAS", callbackHandler);
>     context.login();
>     // Retrieve the authenticated subject
>     jaasSubject = context.getSubject();
> } catch (LoginException le) {
>     if (le instanceof UnknownUserNameException) {
>         throw (UnknownUserNameException) le;
>     } else if (le instanceof UserPasswordException) {
>         throw (UserPasswordException) le;
>     } else {
>         throw new SystemException(le);
>     }
> }
> // Now place the JAAS subject in the session.
>
> -----Original Message-----
> From: Brad O'Hearne [mailto:brado@neurofire.com]
> Sent: 17 October 2005 23:06
> To: Tomcat Users List
> Subject: Re: Is it even possible to retrieve a custom user principal?
> (Was: Tomcat user principal)
>
> Mark,
>
> Thanks a ton for the reply. I almost want to reply with "you're
> kidding, right?", as I am kind of speechless that using JAAS (which I
> am), the Java platform's standard authentication/authorization API,
> doesn't allow one to use a custom principal. It seems like a major hole
> in Tomcat security flexibility. I suppose I'll float on over to the
> developer list to find out more about whether this is a planned change
> or not, and how much trouble it would be to add it.
>
> As for your workaround, where can I set the session? My JAAS login
> module doesn't have access to the session, I don't believe, which is
> where my user principal is created.
> If I had my principal in the session, then the default isUserInRole()
> should work as is, I'll just retrieve my custom user principal out of
> the session for other custom data.
>
> Mark, where can I add my user principal to the session?
>
> Brad
>
> Mark Benussi wrote:
>
>> If you're implementing JAAS... no. No idea about the rest. It's not
>> supported in Tomcat (But should be). Stick it in the session, and then
>> you have to override the Tomcat HttpRequestProcessor (isUserInRole())
>> to get your Principal out of the session and call the validation.
>>
>> -----Original Message-----
>> From: Brad O'Hearne [mailto:brado@neurofire.com]
>> Sent: 17 October 2005 22:25
>> To: Brad O'Hearne
>> Cc: Tomcat Users List
>> Subject: Is it even possible to retrieve a custom user principal?
>> (Was: Tomcat user principal)
>>
>> Hello,
>>
>> As this has become a bit of a roadblock in implementing security, I'd
>> like to ask anyone out there two things:
>>
>> 1) Is it even possible to use a custom user principal within a realm
>> that is retrievable within a servlet (via presumably the request or
>> otherwise) in Tomcat?
>>
>> 2) If the answer to #1 is yes, how is this done? Does anyone have a
>> working code snippet that demonstrates this?
>>
>> Thanks, I'm about to head to the developer list to ask this question,
>> as it's pretty crucial for our security implementation.
>>
>> Brad
>>
>> Brad O'Hearne wrote:
>>
>>> Response below:
>>>
>>> Wendy Smoak wrote:
>>>
>>>> From: "Brad O'Hearne"
>>>>
>>>>> I would have expected that designation of the user class name
>>>>> would have resulted in my being returned the class I specified for
>>>>> the user class name from the request.getUserPrincipal() method,
>>>>> but it doesn't.
>>>>
>>>> What version of Tomcat are you using? As far as I know, it works the
>>>> way you want on 5.0.28.
>>>> I remember trying it with and without the class name, and writing
>>>> that comment to remind myself.
>>>>
>>>> Could this be it?
>>>> http://issues.apache.org/bugzilla/show_bug.cgi?id=37044
>>>
>>> I am using 5.0.28, and I'm not seeing the expected behavior.
>>> Hmmm.....was there anything else that has to be done to be able to
>>> access your own custom user principal?
>>>
>>> Brad
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
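
The session workaround discussed in this thread, written out as an added example; it is not code from any poster or from Tomcat. It assumes the login is driven from application code (a servlet or Struts action) rather than from j_security_check, and the class name SessionSubject and the session attribute name are hypothetical.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class SessionSubject {
    // Hypothetical attribute name; any key private to the application works.
    private static final String ATTR = "example.jaas.subject";

    /** Runs the named JAAS configuration and binds the Subject to a fresh session. */
    public static Subject login(HttpServletRequest req, String jaasConfig,
                                String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        LoginContext context = new LoginContext(jaasConfig, handler);
        context.login();                 // throws LoginException on failure
        Subject subject = context.getSubject();
        subject.setReadOnly();           // principal set can no longer be modified

        // Discard the pre-login session so a session ID fixed before
        // authentication is never associated with the authenticated Subject.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(ATTR, subject);
        return subject;
    }

    /** Returns the first principal of the given type from the session, or null. */
    public static <P extends Principal> P principal(HttpServletRequest req, Class<P> type) {
        HttpSession session = req.getSession(false);
        Object stored = (session == null) ? null : session.getAttribute(ATTR);
        if (!(stored instanceof Subject)) {
            return null;                 // not logged in through login() above
        }
        return ((Subject) stored).getPrincipals(type).stream().findFirst().orElse(null);
    }
}
```

A Subject stored this way is invisible to the container: request.getUserPrincipal(), isUserInRole() and web.xml security constraints do not consult it, so every authorization decision has to go through principal() or an equivalent check in application code.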