Posted to users@tomcat.apache.org by Stephen More <st...@gmail.com> on 2007/10/12 14:35:55 UTC

application-managed security model and isUserInRole getRemoteUser

If I implement application-managed security (I need to use cookies
for "Remember Me"), is there a way to make it such that
HttpServletRequest.getRemoteUser() and
HttpServletRequest.isUserInRole(java.lang.String role) will respond
with values from the actual logged in user?


I see an old thread from 2001 (
http://mail-archives.apache.org/mod_mbox/struts-dev/200108.mbox/%3CPine.BSF.4.21.0108051915280.38569-100000@localhost%3E
):

    In servlet 2.3, you can legally wrap a request (or response, for that
    matter, but it's request that matters for this purpose) before handing it
    on via RequestDispatcher.  Indeed, you can set up a Filter that gets
    control before the servlet does and plays the same game.  Therefore, you
    can modify what isUserInRole() or getUserPrincipal() will return to the
    called servlet.


Now that it is 2007, is the Filter + RequestDispatcher still the way
to implement this or is there a better way? Is there an example of
this somewhere out there?


Other options I am thinking of:
    - write my own Realm implementation ??
    - stick with container-based security and find a way to make
cookies for "Remember Me" work.

-Thanks
Steve More

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: application-managed security model and isUserInRole getRemoteUser

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stephen,

Stephen More wrote:
> On 10/12/07, Christopher Schultz  wrote:
>> Yes, this is how to do it. If you don't want to do it yourself, you can
>> use securityfilter (http://securityfilter.sourceforge.net), which has
>> already been written.
> 
> Thanks, securityfilter is a great example.

Sure. Actually, this thread motivated me to start talking to the author,
and I'm now a maintainer for the project. Hopefully, I'll be able to
re-vamp the documentation, re-factor some code and start adding
features. (!)

>>> ?? - stick with container-based security and find a way to make
>>> cookies for "Remember Me" work.
>> I think you're out of luck, here, too.
> 
> I think I found a way to make it work, but it is too difficult.

I looked into securityfilter 2.0, and it looks like the "remember me"
capability actually /is/ in there, in contrast to the documentation.
It's possible that it doesn't work properly, or that it is not fully tested.

> You can create your own org.apache.catalina.authenticator to look at
> cookies, but it requires making changes to catalina.jar.
> 
> I prefer to stick with war files so I will go with application based security.

I agree. securityfilter is designed to provide the app-based security
for you... it's supposed to live in your webapp, not in the container.

-chris


Re: application-managed security model and isUserInRole getRemoteUser

Posted by Stephen More <st...@gmail.com>.
On 10/12/07, Christopher Schultz  wrote:
> Yes, this is how to do it. If you don't want to do it yourself, you can
> use securityfilter (http://securityfilter.sourceforge.net), which has
> already been written.

Thanks, securityfilter is a great example.

> > ?? - stick with container-based security and find a way to make
> > cookies for "Remember Me" work.
>
> I think you're out of luck, here, too.

I think I found a way to make it work, but it is too difficult.

You can create your own org.apache.catalina.authenticator to look at
cookies, but it requires making changes to catalina.jar.

I prefer to stick with war files so I will go with application based security.


-Steve More


Re: application-managed security model and isUserInRole getRemoteUser

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Stephen,

Stephen More wrote:
> If I implement application-managed security ( I need to use cookies 
> for "Remember Me" ), is there a way to make it such that 
> HttpServletRequest.getRemoteUser()  and 
> HttpServletRequest.isUserInRole(java.lang.String role) will respond 
> with values from the actual logged in user ?

Yes...

> In servlet 2.3, you can legally wrap a request (or response, for that
>  matter, but it's request that matters for this purpose) before
> handing it on via RequestDispatcher.  Indeed, you can set up a Filter
> that gets control before the servlet does and plays the same game.
> Therefore, you can modify what isUserInRole() or getUserPrincipal()
> will return to the called servlet.

Yes, this is how to do it. If you don't want to do it yourself, you can
use securityfilter (http://securityfilter.sourceforge.net), which has
already been written. You can hack it to meet your needs, but I think it
also has "remember me" capability already built-in. If it doesn't, add
it (and post a patch!). sf does authentication and authorization itself,
so you may be able to replace your existing app-based security entirely
with sf. I use it on my project with great success. Since the Principal
object is accessible via the session, I can even perform "su"-style user
impersonation for administrative users.

> Now that it is 2007, is the Filter + RequestDispatcher still the way 
> to implement this or is there a better way ? Is there an example of 
> this somewhere out there ?

The best example I can think of is securityfilter.

> Other options I am thinking of:
> - write my own Realm implementation

I don't think the Realm has access to the request for authentication. It
does for authorization, but not authentication, so I think you're out of
luck.

> ?? - stick with container-based security and find a way to make 
> cookies for "Remember Me" work.

I think you're out of luck, here, too.

Check out sf. I think you'll be pleasantly surprised. The code is very
straightforward, too, though the documentation is a little thin.

-chris

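An added example of the Filter-plus-wrapper approach the thread settles on (written for this page; it is not securityfilter's code nor anything the posters wrote). The Filter reads the application's own login state, first from a session attribute and otherwise from an HMAC-signed "remember me" cookie, and hands the rest of the chain an HttpServletRequestWrapper whose getRemoteUser(), getUserPrincipal() and isUserInRole() answer from that identity instead of the container's. The attribute, cookie and init-parameter names, the cookie format and the in-memory role table are assumptions of the example.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

/** Example Filter (not securityfilter's code): getRemoteUser(), getUserPrincipal() and
 *  isUserInRole() answer from the application's own login state, taken from the session
 *  or, failing that, from an HMAC-signed "remember me" cookie. */
public class AppSecurityFilter implements Filter {
    // Attribute, cookie and init-parameter names are assumptions made for this example.
    static final String USER_ATTR = "app.user";
    static final String COOKIE = "rememberme";
    // Constructed sample user store; a real application would query its own database.
    static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        ROLES.put("alice", new HashSet<String>(Arrays.asList("admin", "user")));
        ROLES.put("bob", Collections.singleton("user"));
    }
    private byte[] secret;

    public void init(FilterConfig cfg) throws ServletException {
        String s = cfg.getInitParameter("rememberMeSecret");   // <init-param> in web.xml
        if (s == null || s.length() < 32) throw new ServletException("rememberMeSecret missing or too short");
        secret = s.getBytes();
    }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            user = userFromCookie(http);   // null unless a valid, unexpired cookie is present
            if (user != null) http.getSession(true).setAttribute(USER_ATTR, user);
        }
        if (user == null) { chain.doFilter(req, res); return; }   // anonymous: leave request as-is
        Set<String> roles = ROLES.containsKey(user) ? ROLES.get(user) : Collections.<String>emptySet();
        chain.doFilter(new AuthenticatedRequest(http, user, roles), res);
    }

    /** Cookie value is "user:expiryMillis:hexHmac"; the HMAC covers "user:expiryMillis".
     *  Anything that does not parse or verify is treated as no cookie at all. */
    String userFromCookie(HttpServletRequest http) {
        Cookie[] cookies = http.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE.equals(c.getName())) continue;
            String[] parts = c.getValue().split(":", -1);
            if (parts.length != 3) return null;
            long expiry;
            try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
            if (expiry < System.currentTimeMillis()) return null;   // expired
            String expected = bytesToHex(hmac(parts[0] + ":" + parts[1]));
            // constant-time comparison so the MAC cannot be guessed byte by byte
            if (!MessageDigest.isEqual(expected.getBytes(), parts[2].getBytes())) return null;
            return parts[0];
        }
        return null;
    }

    /** The value a login handler stores when the user ticks "remember me". */
    String makeCookieValue(String user, long expiryMillis) {
        if (user.indexOf(':') >= 0) throw new IllegalArgumentException("user name may not contain ':'");
        String payload = user + ":" + expiryMillis;
        return payload + ":" + bytesToHex(hmac(payload));
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            return mac.doFinal(data.getBytes("UTF-8"));
        } catch (Exception e) { throw new IllegalStateException(e); }
    }
    private static String bytesToHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Wrapper that answers the security methods from the application's identity. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String name;
        private final Set<String> roles;
        AuthenticatedRequest(HttpServletRequest r, String name, Set<String> roles) {
            super(r); this.name = name; this.roles = roles;
        }
        @Override public String getRemoteUser() { return name; }
        @Override public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return name; } };
        }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Map the filter to the protected URL space in web.xml (a `<filter>` with the `rememberMeSecret` init-param plus a `<filter-mapping>` on `/*`) so it runs before any servlet or JSP; the login handler sets `app.user` in the session and, when the box is ticked, writes a cookie built with `makeCookieValue`. Because the cookie carries only the user name and an expiry under an HMAC keyed with a server-side secret, it cannot be minted or altered by the browser, and the expiry bounds how long a copied cookie stays usable; the session, not the cookie, remains the source of identity once a request has been seen. Set the cookie's Secure flag (and HttpOnly on Servlet 3.0 or later, where the API offers it), and note that this wrapping only changes what the servlet sees: the container's own web.xml `<security-constraint>` checks still use the container's (empty) identity, which is why the thread treats the two models as mutually exclusive.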


Re: application-managed security model and isUserInRole getRemoteUser

Posted by Johnny Kewl <jo...@kewlstuff.co.za>.
----- Original Message ----- 
From: "Stephen More" <st...@gmail.com>
To: <us...@tomcat.apache.org>
Sent: Friday, October 12, 2007 2:35 PM
Subject: application-managed security model and isUserInRole getRemoteUser


> If I implement application-managed security ( I need to use cookies
> for "Remember Me" ), is there a way to make it such that
> HttpServletRequest.getRemoteUser()  and
> HttpServletRequest.isUserInRole(java.lang.String role) will respond
> with values from the actual logged in user ?

Stephen... don't really understand what you are asking?
The mechanics (if I remember correctly) are all linked to the session
(remember me) anyway?
So as soon as you use TC's (web.xml) protection, TC creates a session and
then associates that with the authentication... so if the browser then comes
into say another servlet, TC will via the session tell you that
getRemoteUser() is TheBrowserUser if they have been authenticated,
and you can query the roles they are in?

There is no way to get the collection of roles... but if you are protecting
access to an application, you will know which roles to check against?

I think I'm missing what it is you are trying to do?

> I see an old thread from 2001 (
> http://mail-archives.apache.org/mod_mbox/struts-dev/200108.mbox/%3CPine.BSF.4.21.0108051915280.38569-100000@localhost%3E
> ) In servlet 2.3, you can legally wrap a request (or response, for
> that
> matter, but it's request that matters for this purpose) before handing it
> on via RequestDispatcher.  Indeed, you can set up a Filter that gets
> control before the servlet does and plays the same game.  Therefore, you
> can modify what isUserInRole() or getUserPrincipal() will return to the
> called servlet.
>
>
> Now that it is 2007, is the Filter + RequestDispatcher still the way
> to implement this or is there a better way ? Is there an example of
> this somewhere out there ?
>
>
> Other options I am thinking of:
>    - write my own Realm implementation ??
>    - stick with container-based security and find a way to make
> cookies for "Remember Me" work.
>
> -Thanks
> Steve More
>

