tomcat-users mailing list archives

From "Tim Lucia" <timlu...@yahoo.com>
Subject RE: CMS and JAAS
Date Thu, 20 Apr 2006 10:25:48 GMT
Why do you wish to do this?  Perhaps elaborating on the "exchange with the
user in a front filter" bit will get you a more satisfactory answer?

Tim

-----Original Message-----
From: Chapoor Chapoor [mailto:chapoor@gmail.com] 
Sent: Thursday, April 20, 2006 4:34 AM
To: Tomcat Users List
Subject: Re: CMS and JAAS

Thanks Rolf, but it is not what I'm looking for.
The major difference in my structure is that I want to do authentication
manually (like from a servlet/filter to call JAAS, I don't want to use basic,
form, cert methods) and in some way notify the container with credentials
(so the authorization can be taken over by the server).

Thank you



On 4/20/06, mailinglist@august.de <mailinglist@august.de> wrote:
>
> The JSPWiki team has done something in the same direction.
> I tested the deployment of Andrew's implementation and collected a
> checklist.
> It's not exactly what you are asking for but it could help to inspire you
> where to look for errors.
>
>
>
> http://wiki.jcrud.org/jcrud/Wiki.jsp?page=ChecklistForContainerManagedAuthentication
>
> (AAA stands for "Authentication And Authorization")
>
> Have fun
>
> Rolf
>
> > It is strange that it is so quiet about this issue.
> > I can't be the only one who gets affected, many projects must have come
> > across this.
> >
> > Thank you
> >
> >
> > On 4/18/06, Chapoor Chapoor <chapoor@gmail.com> wrote:
> >>
> >>  Hi,
> >>
> >> I'm stuck in a security authentication/authorization issue, which I hope
> >> you have some advice for me.
> >>
> >> In simple words, I want to use the Web container security (for
> >> authorization) together with my own JAAS implementation (for
> >> authentication).
> >>
> >> How to achieve this?
> >>
> >> I don't want to use the BASIC, FORM, CLIENT-CERT etc. auth-methods. I want
> >> to bypass these and hit my JAAS login model.
> >> The reason is that we collect user information in a different way, by an
> >> exchange with the user in a front filter.
> >>
> >> I can't get this to work, even though I have configured my
> >> loginmodule, user, role and configured the JAASRealm in Tomcat.
> >>
> >> This is how I want to do it (in theory).
> >> 1. User enters a URL (e.g. /mycontext/cars/),
> >> 2. The SecFilter gets triggered, which ends by exchanging user information,
> >> 3. The MyLoginModule gets called with user information
> >> 4. User is looked up and gets assigned User/Role Principals.
> >> 5. Login is OK
> >> 6. Now the web container security can take place and checks in web.xml if
> >> this user is-in-role to call /cars url.
> >>
> >> I've searched the entire web but could not see any good article about
> >> this. Am I the only one who wants to bypass the auth-methods but still can
> >> provide good authentication and "standard" web-authorization?
> >>
> >> (I've seen some workarounds such as:
> >> http://www.kopz.org/public/documents/tomcat/jaasintomcat.html but this is
> >> a workaround, which I don't like).
> >>
> >>
> >>
> >> Please advise,
> >>
> >>
> >> Thank you for reading, and sorry for the long email.
> >>
> >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

