From Robin Coe <Robin....@kaleidescape.com>
Subject RE: JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 17:53:33 GMT
Thanks for the response.  I tried to keep the original post simple, to see if there was a known
problem with declaring realms in Tomcat.  I've attached the most relevant parts of my web-app
below.  I included the part of web.xml that defines the security constraints; the context.xml
contents, which sets up the JAASRealm; my LoginModule's commit() method, and the output from
Tomcat for the full authentication handshake.

I tested the implementation of isUserInRole() by wild-carding the role, to force Tomcat to
authenticate but not authorize:

    <security-constraint>
        <web-resource-collection>
                <web-resource-name>Velocity templates</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

Then I used a filter to intercept my request and check for my roles.  After authentication, the
request gets to my authorization check, whereby I tested my Subject for its Principals:

        boolean test = request.isUserInRole( "landscape" );

After my login module authenticates me, test == true.  However, as you can see from the Tomcat
debug messages, attached below, Tomcat fails to see that my Subject holds the "landscape"
Principal, even though a previous message shows that this Principal was added to my Subject.

Again, I appreciate any help and will try to add whatever info is asked for.  As a side note,
I wrote my own implementation of the login process, using a servlet to hook into my login
module, thus avoiding the declarative security.  However, while this works, I am left with
the fact that the user's credentials are easily discovered by a misplaced logging message,
whereas it's much trickier to get the credentials when using Tomcat's implementation.  The
real pain, though, is that I would have to manage my own mappings between resources and roles.

Thanks again for any and all help.


Here's the relevant part of the web.xml (this section is actually much longer, but I removed
all the other url-patterns, as they obfuscated the part that I am testing):
    <!-- Define Security Constraints -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Velocity pages</web-resource-name>
            <url-pattern>/home.vm</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>landscape</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>Role required to see reports</description>
        <role-name>landscape</role-name>
    </security-role>

My context.xml:
    <?xml version="1.0"?>

    <Context>
        <Realm className="org.apache.catalina.realm.JAASRealm"
               appName="landscape"
               userClassNames="com.kaleidescape.logdb.webapp.security.auth.UserPrincipal"
               roleClassNames="com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal"
               useContextClassLoader="false" />
    </Context>

The JAAS module is not based on a security policy file; I wrote it to work from a database.
The login() method calls my LDAP service provider and successfully authenticates me, returning
my DN from the Active Directory server.  The commit() method of my login module looks like:

    public boolean commit() throws LoginException
    {
        if( m_authenticated ) {
            // add the user principal to the subject
            UserCredential usercred = new UserCredential( m_uid );
            m_subject.getPublicCredentials().add( usercred );

            UserPrincipal user = new UserPrincipal( m_username );
            m_subject.getPrincipals().add( user );

            // add the entitlements (i.e., roles) that the user belongs to
            try {
                Set entitlements = AuthUtil.getUserEntitlements( m_username );
                Iterator it = entitlements.iterator();
                while( it.hasNext() ) {
                    Entitlement entitlement = (Entitlement)it.next();
                    UserGroupPrincipal group = new UserGroupPrincipal( entitlement.getName() );
                    m_subject.getPrincipals().add( group );
                }
            } catch( KException e ) {
                throw new LoginException( "Error while attempting to retrieve group "
                                          + "names from the database." );
            }
        }

        // we can get the username from the Subject, so clean up the reference
        m_username = null;

        return true;
    }

The full debug trace during the login phase looks like:

2008-05-05 13:08:49,534 7641062 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - JAASRealm login requested for username "robin.coe" using LoginContext for application "landscape"
2008-05-05 13:08:50,343 7641871 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - Login context created robin.coe
2008-05-05 13:08:52,997 7644525 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - JAAS LoginContext created for username "robin.coe"
2008-05-05 13:08:52,999 7644527 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - Checking Principal "CN=Robin Coe,OU=Active,OU=Users,OU=Kaleidescape,DC=nextnewgig,DC=com" [com.kaleidescape.logdb.webapp.security.auth.UserPrincipal]
2008-05-05 13:08:53,000 7644528 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - Principal "CN=Robin Coe,OU=Active,OU=Users,OU=Kaleidescape,DC=nextnewgig,DC=com" is a valid user class. We will use this as the user Principal.
2008-05-05 13:08:53,002 7644530 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - Checking Principal "landscape" [com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal]
2008-05-05 13:08:53,003 7644531 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - Adding role Principal "landscape" to this user Principal's roles
2008-05-05 13:08:53,004 7644532 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm - Username "robin.coe" successfully authenticated as Principal "{1}" -- Subject was created too
2008-05-05 13:08:53,035 7644563 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Velocity templates]' against GET /index.html --> true
2008-05-05 13:08:53,036 7644564 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Login Page]' against GET /index.html --> false
2008-05-05 13:08:53,037 7644565 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[home]' against GET /index.html --> false
2008-05-05 13:08:53,039 7644567 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /index.html --> false
2008-05-05 13:08:53,040 7644568 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Velocity templates]' against GET /index.html --> true
2008-05-05 13:08:53,041 7644569 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Login Page]' against GET /index.html --> false
2008-05-05 13:08:53,042 7644570 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[home]' against GET /index.html --> false
2008-05-05 13:08:53,043 7644571 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /index.html --> false
2008-05-05 13:08:53,044 7644572 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   User data constraint has no restrictions
2008-05-05 13:08:53,123 7644651 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Velocity templates]' against GET /home.vm --> true
2008-05-05 13:08:53,124 7644652 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Login Page]' against GET /home.vm --> false
2008-05-05 13:08:53,125 7644653 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[home]' against GET /home.vm --> true
2008-05-05 13:08:53,126 7644654 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /home.vm --> false
2008-05-05 13:08:53,127 7644655 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   User data constraint has no restrictions
2008-05-05 13:08:53,128 7644656 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase -   Checking roles CN=Robin Coe,OU=Active,OU=Users,OU=Kaleidescape,DC=nextnewgig,DC=com
2008-05-05 13:08:53,129 7644657 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase - No role found:  landscape

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
Sent: Monday, May 05, 2008 1:24 PM
To: Tomcat Users List
Subject: RE: JAAS authenticated user fails authorization check

> From: Robin Coe [mailto:Robin.Coe@kaleidescape.com]
> Subject: JAAS authenticated user fails authorization check
>
> However, when I declare a protected resource declaratively,
> and specify that the resource is protected with "rolename",
> Tomcat fails to authorize the user for that resource.

Post your web.xml for the webapp, since this works fine for everyone
else and we need to see what you really have configured.  Also post the
relevant parts of server.xml so we can see how the realm is set up.
Finally, what file does the system property
java.security.auth.login.config point to and what are the contents of
that file?

 - Chuck



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


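To make the user/role split the thread is debugging concrete, here is an added, self-contained Java model (it is not Tomcat's code and not from either poster) of how a JAAS-backed realm picks the user Principal and the role Principals out of a Subject purely by class name, using a Subject built the way the commit() above builds it. UserPrincipal, UserGroupPrincipal and RealmModel are hypothetical stand-ins; because they live in the default package, the class names the model matches are the simple names rather than the fully qualified ones a real Realm element would carry.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
// Hypothetical stand-ins for the poster's UserPrincipal / UserGroupPrincipal classes.
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
final class UserGroupPrincipal implements Principal {
    private final String name;
    UserGroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
// Simplified model (not Tomcat's code) of a JAAS-backed realm: the first principal
// whose class is listed in userClassNames becomes the user; getName() of every
// principal whose class is listed in roleClassNames becomes a role; principals of
// any other class are ignored, which is the silent failure mode to check for.
final class RealmModel {
    private final Set<String> userClasses;
    private final Set<String> roleClasses;
    RealmModel(String userClassNames, String roleClassNames) {
        userClasses = new HashSet<>(Arrays.asList(userClassNames.split(",")));
        roleClasses = new HashSet<>(Arrays.asList(roleClassNames.split(",")));
    }
    /** Roles granted to the Subject, or null when no user principal matched. */
    Set<String> rolesFor(Subject subject) {
        String user = null;
        Set<String> roles = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            String cls = p.getClass().getName();
            if (user == null && userClasses.contains(cls)) user = p.getName();
            else if (roleClasses.contains(cls)) roles.add(p.getName());
        }
        return user == null ? null : roles;
    }
}
public class JaasRealmDemo {
    public static void main(String[] args) {
        // Build the Subject the way the poster's commit() does: one user, one group.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("robin.coe"));
        subject.getPrincipals().add(new UserGroupPrincipal("landscape"));
        // Class names match the Realm attributes, so "landscape" is granted.
        System.out.println(new RealmModel("UserPrincipal", "UserGroupPrincipal").rolesFor(subject));
        // roleClassNames names another class: the group principal is dropped, so a later hasRole("landscape") fails.
        System.out.println(new RealmModel("UserPrincipal", "com.example.OtherGroup").rolesFor(subject));
    }
}
```

The second configuration is the kind of mismatch worth ruling out first when a role shows up in the LoginModule's Subject but not in the realm's role check: nothing errors, the role is simply never collected.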
