Posted to users@tomcat.apache.org by Francis Pallini <pa...@clamart.oilfield.slb.com> on 2001/07/27 11:41:35 UTC

Re: The relationship between Tomcat security mechanism and JAAS?

Hello,

As far as I know (and I am not a specialist):

Tomcat, Resin and iPlanet do not support JAAS natively. But, at least with 
Tomcat and Resin, it is possible to easily implement an authentication 
scheme (a "Realm") that will be used by the container thanks to a simple 
XML configuration file. On the contrary, JBoss offers built-in JAAS support 
and provides the ability to use other vendor-dependent implementations (a 
stub to NTLM for example).

But what exactly is JAAS? Java Authentication and Authorization Service is 
an optional package for JDK 1.3.x and is incorporated as standard in JDK 
1.4. It simply provides an architecture for building an A&A service plus 
ready-to-use services like Kerberos, JNDI (LDAP), NT and Solaris login 
modules (I never managed to use the LDAP module) and extends the Java 
security mechanisms (which were exclusively code-centric). Thanks to JAAS, 
you can check a user login, and once the user is authenticated, check his 
permissions on the code being executed. Permissions are defined in a policy 
file.

How can we take advantage of JAAS in a servlet container? You can write an 
adapter between the container realm and JAAS login modules. Then, you will 
be able to reuse the same code for login modules whatever application is 
using them (web-based or classical application) and provide a uniform 
authentication service. Roles can also be implemented in a more flexible 
and powerful way.

What about the authorization service? Within an EJB container, code can be 
called by unauthorized code, and JAAS can check that the caller (which can 
be Java or any other kind of code) has sufficient credentials. By the way, 
it doesn't seem to be the JBoss implementation. And that case rarely 
happens in a servlet container (a servlet acting as an entry point for a 
kind of HTTP-based RPC?).

I hope I was clear enough and I didn't make too many mistakes ;=)

Regards,

Francis Pallini

At 11:43 PM 7/26/01 -0700, you wrote:
>Hi
>Having heard of "JDBCRealm" and "JAAS" for months, I still
>don't catch the meaning.
>I've noticed that the JSP/Servlet spec doesn't mention
>JAAS, and most containers (such as Tomcat) don't support (or
>implement) it.
>So
>What is the benefit of JAAS? Isn't Tomcat's security
>mechanism already powerful enough?
>If someone would like to "implement" JAAS in his
>application, what should he do?
>
>Thanks.
>
>Pan.
>


Dynamic Class Loading - Reflection failure

Posted by Frank Bourdache <fr...@fr.renault-sport-f1.com>.
Hi,

I am facing problems while loading classes dynamically in my servlet. For my application's purposes, I have to generate Java code and compile it on the fly, then use it.
Using standard reflection mechanisms, I try to instantiate a new testClass object. If it fails, I fork a new process to generate the class, and retry to instantiate this object again.
If testClass.class is not present when I'm starting Tomcat 4.0b6, there is no way I can instantiate a testClass object (exceptions are raised in both blocks).
If I put testClass.class in the CLASSPATH, after starting Tomcat 4.0b6, then I can instantiate a testClass object (no exception raised in the first block, second block not reached).
If I comment out the first block (I always generate the testClass.class file), then everything works fine, but this is unacceptable.
I also tried using a ClassLoader, but failed again.

I don't know if it really is Tomcat related. Any clues?
Thanks for the help !

Regards,
/Frank


import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoadClassSample extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        try {
            // First block: look the class up through the servlet's own class loader.
            Class testObjClass = Class.forName("testClass");
            Object testObject = testObjClass.newInstance();
            out.println("Loaded " + testObject.getClass().getName());
        } catch (ClassNotFoundException CNFException) {
            try {
                // Second block: compile the generated source into the web application's
                // WEB-INF/classes directory, then look the class up again.
                Process _proc = Runtime.getRuntime().exec(
                    "/usr/lib/java/bin/javac /tmp/testClass.java -d /usr/local/jakarta-tomcat-4.0-b6/webapps/examples/WEB-INF/classes/");
                _proc.waitFor();
                Class testObjClass = Class.forName("testClass");
                Object testObject = testObjClass.newInstance();
                out.println("Compiled and loaded " + testObject.getClass().getName());
            } catch (Exception PROCException) {
                out.println("Still cannot load testClass: " + PROCException);
            }
        } catch (InstantiationException | IllegalAccessException e) {
            // newInstance() throws checked exceptions that the original fragment did not handle.
            throw new ServletException(e);
        }
    }
}

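The lookup in the post, Class.forName("testClass"), resolves through the class loader of the calling servlet, and that loader does not pick up a class file that appears after the lookup has already failed, which matches the symptoms Frank lists. The following is an added example, not Frank's code and not part of the thread, of the usual remedy: compile the generated source and then load the class through a URLClassLoader created over the output directory. It assumes a JDK (ToolProvider returns no compiler on a plain JRE) and uses a private temporary directory created by Files.createTempDirectory for both source and class output, rather than a world-writable location or the web application's own WEB-INF/classes; the names GeneratedClassLoader, compile and instantiate are chosen for the example.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

/*
 * Added example (not code from the thread): compile a generated source file, then load the
 * class through a URLClassLoader over the output directory. Class.forName(name) alone consults
 * the calling class's loader, which is the likely reason the servlet never saw the class it
 * had just compiled. Assumes a JDK, since ToolProvider returns null on a plain JRE.
 */
public class GeneratedClassLoader {

    /** Compiles sourceFile into outputDir; true when javac accepted the compilation unit. */
    public static boolean compile(File sourceFile, File outputDir) {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) {
            throw new IllegalStateException("no system compiler: run on a JDK, not a JRE");
        }
        outputDir.mkdirs();
        // null streams mean System.in/out/err; an exit status of 0 means success.
        int status = javac.run(null, null, null, "-d", outputDir.getPath(), sourceFile.getPath());
        return status == 0;
    }

    /** Instantiates className from outputDir with a loader created for this lookup. */
    public static Object instantiate(File outputDir, String className) throws Exception {
        URL[] roots = { outputDir.toURI().toURL() };
        // A fresh loader sees whatever is on disk now. Keep it reachable while the object is
        // in use: the class may still need to resolve neighbours from the same directory.
        ClassLoader loader = new URLClassLoader(roots, GeneratedClassLoader.class.getClassLoader());
        Class<?> cls = Class.forName(className, true, loader);
        return cls.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Private directory (owner-only permissions on POSIX), not a shared /tmp path.
        File work = Files.createTempDirectory("generated-classes").toFile();
        File source = new File(work, "testClass.java");
        // Constructed source for the demonstration; a real generator writes its own.
        Files.write(source.toPath(),
            "public class testClass { public String toString() { return \"generated\"; } }"
                .getBytes("UTF-8"));
        if (!compile(source, work)) {
            throw new IllegalStateException("compilation failed");
        }
        try {
            // The lookup from the original post: the application loader cannot see the new class.
            Class.forName("testClass");
            System.out.println("application class loader found testClass (not expected here)");
        } catch (ClassNotFoundException expected) {
            System.out.println("application class loader: " + expected);
        }
        Object generated = instantiate(work, "testClass");
        System.out.println("URLClassLoader: " + generated);
    }
}
```

Inside a servlet the same two methods apply unchanged; what matters is that the loader passed to Class.forName is one whose search path includes the directory written after start-up, and that the directory is writable only by the account running the container.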
                                                                             

Re: The relationship between Tomcat security mechanism and JAAS?

Posted by Francis Pallini <pa...@clamart.oilfield.slb.com>.
Hello,

I had the same problem, but I never managed to get the LDAP login module to 
work. In theory, you can use this JAAS module to check user authentication 
and get user roles from the LDAP server with very little code. The JNDI 
login module is very poorly documented...

For now, the following code works for what I have to do, even if it is not 
very elegant:

     // Imports needed by the snippet: java.util.Hashtable, javax.naming.Context,
     // javax.naming.NamingException, javax.naming.directory.DirContext,
     // javax.naming.directory.InitialDirContext. Assumes it runs inside a servlet
     // method where "request" and "out" are available.
     String buf = "alias=zorglub,ou=employee,o=XXX,c=AN";
     String password = request.getParameter("password"); // the posted code had the credential commented out
     Hashtable env = new Hashtable();
     out.println("String: "+buf);
     env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
     env.put(Context.PROVIDER_URL, "ldap://ldap.xxx.com:389/o=xxx,c=an");
     env.put(Context.SECURITY_AUTHENTICATION, "simple");
     env.put(Context.SECURITY_PRINCIPAL, buf);
     // A simple bind with a DN but no password is an unauthenticated (anonymous) bind,
     // which most servers accept, so the check must never be run with an empty credential.
     if (password == null || password.length() == 0) {
       out.println("Not Authenticated");
       return;
     }
     env.put(Context.SECURITY_CREDENTIALS, password);

     try{
       DirContext ctx = new InitialDirContext(env); // the bind itself is the credential check
       ctx.close();
       out.println("Authenticated");
     }
     catch (NamingException ae) {
       out.println("Not Authenticated");
     }

Regards,

Francis Pallini

At 03:59 PM 7/31/01 +0530, you wrote:
>hi Francis !
>    I too have a query regarding security, in particular authentication.
>    My intranet has LDAP, whereas one of my applications, i.e. "jetspeed",
>maintains a database for user authentication.
>   So a user has to authenticate himself again if he comes to jetspeed from
>his INTRANET page.
>   Is there a way we can have a common authentication? More
>specifically, how can I enable my LDAP to talk to my jetspeed or vice
>versa? How can JAAS help me in this regard?
>
>Please help.
>
>TIA
>
>sumit ranjan
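As an added example that is not part of the thread, the class below ties together the two points of this exchange: Francis's earlier suggestion of an adapter between the container realm and JAAS login modules, and the LDAP simple bind he uses above to verify a user. It is a JAAS LoginModule that binds to the directory as the user's own DN, so a container realm (later Tomcat releases ship a JAASRealm that calls such modules) or a stand-alone LoginContext can use it through the standard interface. The class name, the UserPrincipal type, the configuration options "url" and "dnPattern" and the "Intranet" entry are assumptions made for the example. Two checks are deliberate: an empty password would turn the simple bind into an anonymous bind that most directories accept, so it is rejected before any connection is made, and the user name is restricted to a safe character set before it is substituted into the DN.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Added example (not code from the thread): JAAS LoginModule that authenticates by LDAP simple bind.
 * Assumed jaas.conf entry (constructed): Intranet { LdapBindLoginModule required
 *   url="ldap://ldap.example.com:389" dnPattern="uid={0},ou=employee,o=example,c=an"; };
 * Caller: LoginContext lc = new LoginContext("Intranet", handler); lc.login(); lc.getSubject()
 */
public class LdapBindLoginModule implements LoginModule {

    /** Principal added to the Subject once commit() runs. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String url;
    private String dnPattern;
    private String user; // set by login() on success, consumed by commit()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.url = (String) options.get("url");
        this.dnPattern = (String) options.get("dnPattern");
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        String name = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        // Empty password = anonymous bind on most directories, so refuse it; the name is
        // limited to characters that cannot change the structure of the DN built below.
        if (name == null || password == null || password.length == 0
                || !name.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new FailedLoginException("invalid user name or empty password");
        }
        String dn = dnPattern.replace("{0}", name);
        if (!bind(url, dn, new String(password))) {
            throw new FailedLoginException("directory rejected the bind for " + dn);
        }
        user = name;
        return true;
    }

    /** Simple bind as dn; true only if the directory accepts the password. */
    static boolean bind(String url, String dn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env); // the bind happens here
            ctx.close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }

    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        return true;
    }

    public boolean abort() { user = null; return true; }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        user = null;
        return true;
    }
}
```

Roles are not handled here; a module that also needs group membership would, after a successful bind, search the directory for the user's entry and add one principal per role in commit(), which is the part Francis describes as poorly documented in the stock JNDI module.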


Re: The relationship between Tomcat security mechanism and JAAS?

Posted by Sumit Ranjan <s_...@rti.daimlerchrysler.com>.
hi Francis !
   I too have a query regarding security, in particular authentication.
   My intranet has LDAP, whereas one of my applications, i.e. "jetspeed",
maintains a database for user authentication.
  So a user has to authenticate himself again if he comes to jetspeed from
his INTRANET page.
  Is there a way we can have a common authentication? More
specifically, how can I enable my LDAP to talk to my jetspeed or vice
versa? How can JAAS help me in this regard?

Please help.

TIA

sumit ranjan

----- Original Message -----
From: "Francis Pallini" <pa...@clamart.oilfield.slb.com>
To: <to...@jakarta.apache.org>
Sent: Friday, July 27, 2001 3:11 PM
Subject: Re: The relationship between Tomcat security mechanism and JAAS?
