Posted to dev@tomcat.apache.org by Antony Bowesman <ad...@teamware.com> on 2001/10/24 13:50:04 UTC

Getting HttpRequest inside Realm/Tomcat 4

Hi,

I have a realm implementation that needs to access the HttpSession when
a new successful authentication request is made.  (I need to hand off
the session to a third party)

How can I do this from within the realm.authenticate() method?  I've
looked through the Container interface and can't find anything.

Rgds
-- 
Antony Bowesman
Teamware Group 
adb@teamware.com
phone: +358 9 5128 2562
fax  : +358 9 5128 2705

intra / extra / Internet solutions at www.teamware.com

Re: Getting HttpRequest inside Realm/Tomcat 4

Posted by Antony Bowesman <ad...@teamware.com>.
Craig,

> One of the outgrowths of that realization is another JSR that you
> might want to keep track of (via <http://www.jcp.org>:
> 
>   JSR #115 -- Java(tm) Authorization Service Provider
>               Contract for Containers
> 
> Once this is fleshed out, Tomcat can be modified to support the new
> SPI contracts, and your Realm-equivalent implementation will itself
> be portable to different containers if it conforms.  Until then,
> though, I'm a little gunshy about mucking around with the Realm 
> interface.

Yes, I had seen this; essentially, it looks to standardise what we are
already using, i.e. a JAAS subject wrapped inside the authenticated
container principal and each of the JAAS principals represents a role
(or something else) with associated permissions.  J2EE roles and
application roles are both supported.  This allows us to use principal
based access control.  Also with the configurable rolemapper class we
can effectively delegate as many access control decisions as we like.

> That seems like a reasonable strategy.

Well, it's done now :).  Is there any likelihood of these
interfaces/classes changing?  I've changed Realm, RealmBase and made my
own FormAuthenticator.  Are there any changes planned to these realm
parts?

> > JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
> > Tomcat 4?
> >
> 
> The current supported minimum is JDK 1.2.2.  And, I thought JAAS
> required 1.4 -- am I mis-remembering?

JAAS 1.0 was introduced as an extension to JDK1.3 but incorporated into
1.4 with some minor changes.

I'm glad to see that JAAS is now adopted as a requirement in J2EE 1.3
spec, although it only mandates version 1.0 of JAAS.

What is the roadmap for Tomcat to conform to J2EE 1.3? Presumably that
means some kind of JAAS support is required (why not start now!!)

> I assume you mean my BOF on container-managed security, right? 
> Forwarded under separate cover.

Received. Many thanks.
Antony

Re: Getting HttpRequest inside Realm/Tomcat 4

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 25 Oct 2001, Antony Bowesman wrote:

> Date: Thu, 25 Oct 2001 14:12:36 +0300
> From: Antony Bowesman <ad...@teamware.com>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Getting HttpRequest inside Realm/Tomcat 4
>
> Hi Craig,
>
> Thanks for your comments again.
>
> > You're right ... there is nothing there to do this.  The original
> > design was based on the idea that Realm simply encapsulates a
> > service that authenticates a user, given a username and some
> > credentials.  In addition, it needs to work even when HTTP sessions
> > are not in use (for example, for BASIC authentication).
> >
> > One strategy for dealing with this might be to register a session
> > event listener and register your session in the sessionCreated()
> > event handler.
>
> I like the realm and general design in TC4, it's much better and cleaner
> than 3.2.  However, I think there is something missing in the realm
> interface authenticate methods, particularly for form login:-
>
> If you modify a login form to include a field other than j_username and
> j_password so the user can select some kind of 'post login preferences'
> it is not possible to get this extra field to the realm.
>

The mechanics of form-based login was the subject of no little amount of
discussion in the JSR-053 expert group during the development of Servlet
2.3.  The idea of supporting additional fields was discussed somewhat, but
in the end we decided to punt on making any big-time changes, because it
became obvious that this problem has a larger scope than just logging
users in to a web application.

One of the outgrowths of that realization is another JSR that you might
want to keep track of (via <http://www.jcp.org>:

  JSR #115 -- Java(tm) Authorization Service Provider
              Contract for Containers

Once this is fleshed out, Tomcat can be modified to support the new
SPI contracts, and your Realm-equivalent implementation will itself be
portable to different containers if it conforms.  Until then, though, I'm
a little gunshy about mucking around with the Realm interface.

> We use JAAS for authentication.  JAAS allows  and one of the login
> modules authenticates against our EJB user repository and loads user
> preferences (groups/roles etc) and one feature the user can select is
> their preferred role set for the session.
>
> I don't think the event listener will work for our use, following login,
> so it seems the following is how I can achieve what I want.
>
> Replace the org.apache.catalina.authenticator.FormAuthenticator with my
> own FormAuthenticator class by modifying the Authenticators.properties
> and extend the realm interface to pass either a map of http request
> parameters, or in fact the http request itself.  My realm can do what it
> wants.
>

That seems like a reasonable strategy.

> What about passing the Request object as a parameter to the Realm
> interface authenticate() methods for the 4.1 release?
>
> And how about having only a JAAS realm in standard tomcat and just
> provide different login modules for jdbc/jndi/other access.
>
> JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
> Tomcat 4?
>

The current supported minimum is JDK 1.2.2.  And, I thought JAAS required
1.4 -- am I mis-remembering?

> BTW, I saw you offered your BOF slides to someone, are they available?
>

I assume you mean my BOF on container-managed security, right?  Forwarded
under separate cover.

> Rgds
> Antony
>

Craig



Re: Getting HttpRequest inside Realm/Tomcat 4

Posted by Antony Bowesman <ad...@teamware.com>.
Hi Craig,

Thanks for your comments again.

> You're right ... there is nothing there to do this.  The original
> design was based on the idea that Realm simply encapsulates a
> service that authenticates a user, given a username and some
> credentials.  In addition, it needs to work even when HTTP sessions
> are not in use (for example, for BASIC authentication).
> 
> One strategy for dealing with this might be to register a session
> event listener and register your session in the sessionCreated()
> event handler.

I like the realm and general design in TC4, it's much better and cleaner
than 3.2.  However, I think there is something missing in the realm
interface authenticate methods, particularly for form login:-

If you modify a login form to include a field other than j_username and
j_password so the user can select some kind of 'post login preferences'
it is not possible to get this extra field to the realm.

We use JAAS for authentication.  JAAS allows  and one of the login
modules authenticates against our EJB user repository and loads user
preferences (groups/roles etc) and one feature the user can select is
their preferred role set for the session.

I don't think the event listener will work for our use, following login,
so it seems the following is how I can achieve what I want.

Replace the org.apache.catalina.authenticator.FormAuthenticator with my
own FormAuthenticator class by modifying the Authenticators.properties
and extend the realm interface to pass either a map of http request
parameters, or in fact the http request itself.  My realm can do what it
wants.

What about passing the Request object as a parameter to the Realm
interface authenticate() methods for the 4.1 release?

And how about having only a JAAS realm in standard tomcat and just
provide different login modules for jdbc/jndi/other access.

JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
Tomcat 4?

BTW, I saw you offered your BOF slides to someone, are they available?

Rgds
Antony
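The "preferred role set" login module sketched in the post above, written out as an added example (it is not code from this thread or from Tomcat, and it targets a current JDK rather than the JDK 1.2/1.3 range discussed here). The extra form field reaches the module through a standard JAAS TextInputCallback, which is what a custom FormAuthenticator would have to supply alongside the name and password callbacks; the UserRepository interface and the "repository" option key are assumed stand-ins for the EJB user repository mentioned in the post. The point worth seeing in code is that the preference is user input: the module lets the user narrow the roles for the session but never widen them beyond what the repository says they hold.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Illustrative JAAS login module, not Tomcat's code. The extra "preferred
// roles" form field arrives through a TextInputCallback; the module grants
// only the intersection of that request with the roles the repository says
// the user holds, so a tampered field can narrow but never widen access.
public class PreferredRoleLoginModule implements LoginModule {

    // Hypothetical stand-in for the EJB user repository mentioned in the thread.
    public interface UserRepository {
        boolean checkPassword(String user, char[] password);
        Set<String> entitledRoles(String user);
    }

    // One principal per role granted for this session.
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private UserRepository repository;
    private boolean authenticated;
    private final Set<Principal> granted = new LinkedHashSet<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Assumed option key; a real deployment would look the repository up via JNDI.
        this.repository = (UserRepository) options.get("repository");
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username");
        PasswordCallback password = new PasswordCallback("password", false);
        // The field beyond j_username/j_password: a comma-separated list of roles.
        TextInputCallback preferred = new TextInputCallback("preferred_roles");
        try {
            handler.handle(new Callback[] { name, password, preferred });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        String user = name.getName();
        char[] secret = password.getPassword();
        try {
            if (user == null || secret == null || !repository.checkPassword(user, secret)) {
                throw new LoginException("bad username or password");
            }
        } finally {
            password.clearPassword();          // do not leave the secret in the callback
            if (secret != null) Arrays.fill(secret, '\0');
        }
        for (String role : selectRoles(repository.entitledRoles(user), preferred.getText())) {
            granted.add(new RolePrincipal(role));
        }
        authenticated = true;
        return true;
    }

    // A missing or empty preference means "all entitled roles". Otherwise keep only
    // the requested roles the user actually holds; a request made up solely of
    // unheld roles yields an empty set rather than silently falling back to everything.
    static Set<String> selectRoles(Set<String> entitled, String preferredCsv) {
        Set<String> effective = new LinkedHashSet<>();
        if (preferredCsv == null || preferredCsv.trim().isEmpty()) {
            effective.addAll(entitled);
            return effective;
        }
        for (String r : preferredCsv.split(",")) {
            String role = r.trim();
            if (entitled.contains(role)) effective.add(role);
        }
        return effective;
    }

    public boolean commit() {
        if (!authenticated) return false;
        subject.getPrincipals().addAll(granted);
        return true;
    }

    public boolean abort() { granted.clear(); authenticated = false; return true; }

    public boolean logout() {
        subject.getPrincipals().removeAll(granted);
        granted.clear();
        authenticated = false;
        return true;
    }
}
```

The CallbackHandler is the piece that ties this to the form: the replacement FormAuthenticator described in the post would build one from the request parameters and answer the three callbacks from j_username, j_password and the extra field. Whatever then wraps the Subject's RolePrincipals as the container principal should read the role set only from those principals, never from the raw request parameter again, so the narrowing done in selectRoles is the single place the preference is honoured.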

Re: Getting HttpRequest inside Realm/Tomcat 4

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 24 Oct 2001, Antony Bowesman wrote:

> Date: Wed, 24 Oct 2001 14:50:04 +0300
> From: Antony Bowesman <ad...@teamware.com>
> Reply-To: tomcat-dev@jakarta.apache.org
> To: TomcatDev <to...@jakarta.apache.org>
> Subject: Getting HttpRequest inside Realm/Tomcat 4
>
> Hi,
>
> I have a realm implementation that needs to access the HttpSession when
> a new successful authentication request is made.  (I need to hand off
> the session to a third party)
>
> How can I do this from within the realm.authenticate() method?  I've
> looked through the Container interface and can't find anything.
>

You're right ... there is nothing there to do this.  The original design
was based on the idea that Realm simply encapsulates a service that
authenticates a user, given a username and some credentials.  In addition,
it needs to work even when HTTP sessions are not in use (for example, for
BASIC authentication).

One strategy for dealing with this might be to register a session event
listener and register your session in the sessionCreated() event handler.

> Rgds
> --
> Antony Bowesman
> Teamware Group
> adb@teamware.com
> phone: +358 9 5128 2562
> fax  : +358 9 5128 2705
>
> intra / extra / Internet solutions at www.teamware.com
>

Craig