Posted to users@tomcat.apache.org by Oliver Block <li...@oliver-block.eu> on 2009/06/20 23:27:57 UTC

Form-based authentication

Hello everybody,

If this is not the appropriate mailing list, please tell me which mailing list 
I should use.

I have written a first JAAS login module and it does authenticate users by 
logging into an imap server. If the credentials establish a connection and 
the inbox can be opened, the login is considered successful. 

This works so far.

But now I do not see how to connect the authentication module to a security 
constraint. I mean, do I have to add every user that has an imap account to 
web.xml? Not really!? (You will find my web.xml and context.xml at the end of 
this message)


Best Regards,

Oliver Block

<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/JavaMailLoginServlet">

    <Realm className="org.apache.catalina.realm.JAASRealm"
        appName="WebLogin"
        userClassNames="com.oliverblock.principal.JavaMailPrincipal"
        roleClassNames=""
        debug="99" />

    <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"
            mail.smtp.host="localhost" mail.imap.host="localhost"
            factory="org.apache.naming.factory.MailSessionFactory"
            />
</Context>


<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>UserConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>User</web-resource-name>
            <description/>
            <url-pattern>/</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name/>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/loginError.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
</web-app>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Form-based authentication

Posted by Oliver Block <li...@oliver-block.eu>.
On Sunday, 21 June 2009 01:34:29, Caldarale, Charles R wrote:

> [...] you hard-code the single role name in the LoginModule, using whatever
> value you have in web.xml (currently "User").  You must have a role class
> that implements Principal and Serializable (in addition to the Principal
> class for the user name); this role class must be specified in your <Realm>
> element via the roleClassName attribute.  Create an instance of the role
> class with the predefined name and add it to the Subject object's
> principals set in your commit() method after you have added the user name
> Principal object.

Adding a roleClassName to the Realm descriptor (context.xml) and adding 
a RolePrincipal to the subject solved my problem of authentication failures.

Thank you.




RE: Form-based authentication

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Oliver Block [mailto:lists@oliver-block.eu]
> Subject: Re: Form-based authentication
> 
> Are the roles passed to the LoginModule?

No, you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently "User").  You must have a role class that implements Principal and Serializable (in addition to the Principal class for the user name); this role class must be specified in your <Realm> element via the roleClassName attribute.  Create an instance of the role class with the predefined name and add it to the Subject object's principals set in your commit() method after you have added the user name Principal object.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




Re: Form-based authentication

Posted by Oliver Block <li...@oliver-block.eu>.
On Saturday, 20 June 2009 23:41:11, Caldarale, Charles R wrote:
> > From: Oliver Block [mailto:lists@oliver-block.eu]
> > Subject: Form-based authentication
> >
> > But now I do not see how to connect the authentication module
> > to a security constraint. I mean, do I have to add every user
> > that has an imap account to web.xml?
>
> No, each user would normally have a set of roles with which they are
> associated, and it's the roles that are configured in web.xml.  

> your login module can simply utilize any role name it likes for
> all users once authentication has occurred.

Are the roles passed to the LoginModule? How?

Best Regards,

Oliver Block






RE: Form-based authentication

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Oliver Block [mailto:lists@oliver-block.eu]
> Subject: Form-based authentication
> 
> But now I do not see how to connect the authentication module 
> to a security constraint. I mean, do I have to add every user 
> that has an imap account to web.xml?

No, each user would normally have a set of roles with which they are associated, and it's the roles that are configured in web.xml.  Often, group membership is used as a substitute for roles.  Since the imap accounts likely do not have any means of specifying role or group attributes, your login module can simply utilize any role name it likes for all users once authentication has occurred.  Only that single role name ("User", in your current setup) needs to be configured in web.xml, assuming that every user that authenticates successfully is allowed access.

 - Chuck

P.S. Remove the path attribute from your <Context> element - it's not allowed.


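Putting Chuck's two answers together, here is an added example, not code from the thread: a LoginModule whose commit() adds the user Principal and then a hard-coded "User" role Principal, together with the role class that the Realm's roleClassNames attribute (left empty in the posted context.xml) must name. The IMAP check, the JavaMailPrincipal(String) constructor and the "localhost" host are assumptions based on the poster's description and context.xml.

```java
package com.oliverblock.principal;
import java.io.Serializable;
import java.security.Principal;
import java.util.*;
import javax.mail.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// RolePrincipal.java: Principal + Serializable; this is the class roleClassNames must name.
public final class RolePrincipal implements Principal, Serializable {
    private final String name;
    public RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
// JavaMailLoginModule.java: the module the JAAS config entry "WebLogin" points at.
public class JavaMailLoginModule implements LoginModule {
    private static final String ROLE = "User";  // the single <role-name> in web.xml
    private Subject subject; private CallbackHandler handler;
    private String user; private boolean ok; private Principal userP, roleP;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }
    // Assumed IMAP check matching the poster's description: connect, open INBOX.
    private static boolean imapLoginSucceeds(String u, char[] pw) {
        try {
            Store store = Session.getInstance(System.getProperties()).getStore("imap");
            store.connect("localhost", u, new String(pw));  // assumption: IMAP on localhost
            store.getFolder("INBOX").open(Folder.READ_ONLY);
            store.close(); return true;
        } catch (MessagingException e) { return false; }
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException(e.getMessage()); }
        char[] pw = pc.getPassword(); pc.clearPassword(); user = nc.getName(); ok = imapLoginSucceeds(user, pw);
        Arrays.fill(pw, '\0');  // wipe the cleartext password once it has been checked
        if (!ok) throw new FailedLoginException("IMAP login failed");
        return true;
    }
    // Chuck's point: commit() adds the user Principal, then the hard-coded role Principal.
    public boolean commit() {
        if (!ok) return false;
        userP = new JavaMailPrincipal(user);  // the poster's existing user Principal class (assumed String ctor)
        roleP = new RolePrincipal(ROLE);
        subject.getPrincipals().add(userP); subject.getPrincipals().add(roleP);
        return true;
    }
    public boolean abort() { ok = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(userP); subject.getPrincipals().remove(roleP); return true; }
}
```

The posted context.xml then needs roleClassNames="com.oliverblock.principal.RolePrincipal" beside the existing userClassNames, and the JAAS configuration file selected by appName must contain an entry of the form WebLogin { com.oliverblock.principal.JavaMailLoginModule required; };.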


