Return-Path: Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: (qmail 63857 invoked from network); 18 Oct 2005 17:14:05 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 18 Oct 2005 17:14:05 -0000 Received: (qmail 58832 invoked by uid 500); 18 Oct 2005 17:13:49 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 58620 invoked by uid 500); 18 Oct 2005 17:13:48 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 58609 invoked by uid 99); 18 Oct 2005 17:13:48 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 18 Oct 2005 10:13:48 -0700 X-ASF-Spam-Status: No, hits=1.9 required=10.0 tests=DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,MSGID_FROM_MTA_HEADER,SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: domain of mark_benussi@hotmail.com designates 65.54.162.78 as permitted sender) Received: from [65.54.162.78] (HELO hotmail.com) (65.54.162.78) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 18 Oct 2005 10:13:48 -0700 Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 18 Oct 2005 10:13:26 -0700 Message-ID: Received: from 86.131.73.197 by BAY108-DAV6.phx.gbl with DAV; Tue, 18 Oct 2005 17:13:26 +0000 X-Originating-IP: [86.131.73.197] X-Originating-Email: [mark_benussi@hotmail.com] X-Sender: mark_benussi@hotmail.com From: "Mark Benussi" To: "'Tomcat Users List'" Subject: RE: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal) Date: Tue, 18 Oct 2005 18:13:21 +0100 Message-ID: <000e01c5d407$3dbad080$0101a8c0@episys.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <8330DFF1-4B57-4234-B1C5-723BE3D74DFA@neurofire.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Thread-Index: AcXT8KhZ7MfwIh4+Q/WyFx4jQddnsgAFb67g X-OriginalArrivalTime: 18 Oct 2005 17:13:26.0900 (UTC) FILETIME=[40EC1340:01C5D407] X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Brad, >From my understanding of j_security_check (Which I used to use) it integrated seamlessly with JAAS. However: 1) You will not be able to get at the Principal to place in the session if you let Tomcat do the work. It will still fail in the way it is doing at the moment i.e. JAAS works but the request.getUserPrincipal() is not your class and its associated Roles. 2) The j_security_check is a very basic validation. It doesn't really help if you want to let them know that the user name was ok but the password was wrong or that the user_name doesn't exists, which is why I write a custom call to JAAS via the LoginContext. See > if (le instanceof UnknownUserNameException) { > throw (UnknownUserNameException) le; > } else if (le instanceof UserPasswordException) { > throw (UserPasswordException) le; > } else { > throw new SystemException(le); > } I get a bit scared of making these sweeping statements as there are people on this list that know infinitely more than me but myself and people like Wendy Smoak went through this a while back and when I published my thoughts I didn't get any grumbles. Hell maybe Apache have reworked this. -----Original Message----- From: Brad O'Hearne [mailto:brado@neurofire.com] Sent: 18 October 2005 15:31 To: Tomcat Users List Subject: Re: Is it even possible to retrieve a custom user principal? (Was: Tomcat user principal) Mark, Thanks for the response. In the code below, are you manually calling JAAS, rather than via the j_security_check mechanism? The proper way to access the authentication mechanism in Tomcat is to post to j_security_check from a login form -- I wasn't sure from your post below whether you were referring to this or to executing the below code within a servlet. In my case, I'm JAAS is being invoked as a result of posting to j_security_check. This is why I'm confused as to the "place the JAAS subject in the session" part of it. I could just be missing the boat, but I do not see that I have access to the session in my JAAS login module. If you know of a way to access the session from within a JAAS login module, that is the code I need to see. I should have been more clear about this before. Thanks for your help Mark. Brad On Oct 18, 2005, at 1:30 AM, Mark Benussi wrote: > Hate publishing my code. > > I have a struts form that takes the user name and password. > > // Create a new CallbackHandler > JAASCallbackHandler callbackHandler = new JAASCallbackHandler > ("username", > "password"); > > Subject jaasSubject = null; > LoginContext context = null; > try { > context = new LoginContext("IBTJAAS", callbackHandler); > context.login(); > // Retrieve the authenticated subject > jaasSubject = context.getSubject(); > } catch (LoginException le) { > if (le instanceof UnknownUserNameException) { > throw (UnknownUserNameException) le; > } else if (le instanceof UserPasswordException) { > throw (UserPasswordException) le; > } else { > throw new SystemException(le); > } > } > // Now place the JAAS subject in the session. > > -----Original Message----- > From: Brad O'Hearne [mailto:brado@neurofire.com] > Sent: 17 October 2005 23:06 > To: Tomcat Users List > Subject: Re: Is it even possible to retrieve a custom user > principal? (Was: > Tomcat user principal) > > Mark, > > Thanks a ton for the reply. I almost want to reply with "you're > kidding, > right?", as I am kind of speechless that using JAAS (which I am), the > Java platform's standard authentication/authorization API, doesn't > allow > one to use a custom principal. It seems like a major hole in Tomcat > security flexibility. I suppose I'll float on over the developer > list to > find out more about whether this is a planned change or not, and how > much trouble it would be to add it. > > As for your workaround, where can I set the session? My JAAS login > module doesn't have access to the session, I don't believe, which is > where my user principal is created. If I had my principal in the > session, then the default isUserInRole() should work as is, I'll just > retrieve my custom user principal out of the session for other > custom data. > > Mark, where can I add my user principal to the session? > > Brad > > Mark Benussi wrote: > > >> If you're implementing JAAS... no. No idea about the rest. Its not >> > supported > >> in Tomcat (But should be). Stick it in the session, and then you >> have to >> override the Tomcat HttpRequestProcessor (isUserInRole()) to get your >> Principal out of the session and call the validation. >> >> -----Original Message----- >> From: Brad O'Hearne [mailto:brado@neurofire.com] >> Sent: 17 October 2005 22:25 >> To: Brad O'Hearne >> Cc: Tomcat Users List >> Subject: Is it even possible to retrieve a custom user principal? >> (Was: >> Tomcat user principal) >> >> Hello, >> >> As this has become a bit of a roadblock in implementing security, I'd >> like to ask anyone out there two things: >> >> 1) Is it even possible to use a custom user princpal within a >> realm that >> is retrievable within a servlet (via presumably the request or >> otherwise) in Tomcat? >> >> 2) If the answer to #1 is yes, how is this done? Does anyone have a >> working code snippet that demonstrates this? >> >> Thanks, I'm about to head to the developer list to ask this >> question, as >> its pretty crucial for our security implementation. >> >> Brad >> >> Brad O'Hearne wrote: >> >> >> >> >>> Response below: >>> >>> Wendy Smoak wrote: >>> >>> >>> >>> >>>> From: "Brad O'Hearne" >>>> >>>> >>>> >>>> >>>>> I would have expected that designation of the user class name >>>>> would >>>>> have resulted in my being returned the class I specified for the >>>>> user class name from the requestion.getUserPrincpal() method, >>>>> but it >>>>> doesn't. >>>>> >>>>> >>>>> >>>> >>>> What version of Tomcat are you using? As far as I know, it >>>> works the >>>> way you want on 5.0.28. I remember trying it with and without the >>>> class name, and writing that comment to remind myself. >>>> >>>> Could this be it? >>>> http://issues.apache.org/bugzilla/show_bug.cgi?id=37044 >>>> >>>> >>>> >>>> >>> I am using 5.0.28, and I'm not seeing the expected behavior. >>> Hmmm.....was there anything else that has to be done to be able to >>> access your own custom user principal? >>> >>> Brad >>> >>> >>> >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org >> For additional commands, e-mail: users-help@tomcat.apache.org >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org >> For additional commands, e-mail: users-help@tomcat.apache.org >> >> >> >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org > For additional commands, e-mail: users-help@tomcat.apache.org > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org > For additional commands, e-mail: users-help@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org