Posted to dev@tomcat.apache.org by Costin Manolache <cm...@yahoo.com> on 2003/03/12 02:31:18 UTC

JAAS Auth

Hi,

I'm close to getting JAAS realm and the memory LoginModule working - if I
remember correctly we agreed to make JAAS the default for 5.0 ( I don't
remember any objections ).

I never tried it in 4.x - but from the code and code I strongly doubt it
works.

There is one change I would like to make. 

As you know, JAAS login modules return a Subject and a set of Principals.
There is no clear way to decide which Principals are Roles - so we 
currently require the user to configure the realm with the list of classes 
that are role principals.

In addition to that, I would like to support a different pattern - used
in JBoss - which seems much cleaner and logical. 

If a Principal of type "java.security.acl.Group" is found - named "Roles" -
we'll treat all the Principals in that Group as roles. ( the old mechanism
should still be supported, of course )

The other problem: I think we should move the catalina-independent JAAS
code in a separate module, for example j-t-c/jaas. That would include 
SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc
LoginModules if anyone has the time to make the conversion. It's not a big
priority, but it'll clean up the code deps and maybe the code could be
reused.

Opinions ? Votes ? 

Costin


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Re: JAAS Auth

Posted by David Graff <ph...@mindspring.com>.
Costin,

Sorry to mail you directly, but this doesn't seem like a major group
discussion kind of thing.

At work I'm doing a project that has an interesting set of criteria for user
authentication that I haven't really seen a way to do with JAAS readily.

Basically it boils down to this, a user has a userid, a password, and a
potential 'secondary' password.

What I haven't been able to figure out is if there would be a way through
realms to implement this type of
authentication scheme.  This is really just a "wonder how it could be done"
question and if you have no time to possibly give me some thoughts no big
deal.

Thanks for any ideas on how this /might/ be done if you get some time.

--Dave

----- Original Message -----
From: "Costin Manolache" <cm...@yahoo.com>
To: <to...@jakarta.apache.org>
Sent: Tuesday, March 11, 2003 20:31
Subject: JAAS Auth






Re: JAAS Auth

Posted by Costin Manolache <cm...@yahoo.com>.
Jeanfrancois Arcand wrote:


>>Hi,
>>
>>I'm close to getting JAAS realm and the memory LoginModule working - if I
>>remember correctly we agreed to make JAAS the default for 5.0 ( I don't
>>remember any objections ).
>>
> What about authorization :-) Right now, the Realm implementation includes
> the 3 authorization methods:
> 
> - hasRole
> - hasUserDataPermission
> - hasResourcePermission
> 
> Those methods are currently implemented in RealmBase. Are you moving
> them also?

I don't think so. Those are specific to tomcat - not to JAAS.
My thinking was to have generic, common-like stuff that can be used
with any app using JAAS. 

One of the requirements will be to return the Principals associated with
the Subject in a certain way - i.e. in a Group named "Roles". Or some
other pattern we can support. 

hasRole can be implemented on top of this, the other 2 are a different 
story.

 
>>If a Principal of type "java.security.acl.Group" is found - named "Roles"
>>- we'll treat all the Principals in that Group as roles. ( the old
>>mechanism should still be supported, of course )
>>
> +1 We will have to document this new feature. I see a lot of questions on
> tomcat-user.....

Actually - another idea would be to return a Group ( which extends
Principal) from getUserPrincipal().

The name of the group will be the same as the primary identity ( the
username ), so all code will get the same behavior as today ( when we
return the GenericPrincipal - but nobody can call the methods since it
can't cast ).

Since it is a group and it can be cast, users will also be able to get
info about the roles. 


Costin





Re: JAAS Auth

Posted by Jeanfrancois Arcand <jf...@apache.org>.

Costin Manolache wrote:

>Hi,
>
>I'm close to getting JAAS realm and the memory LoginModule working - if I
>remember correctly we agreed to make JAAS the default for 5.0 ( I don't
>remember any objections ).
>
What about authorization :-) Right now, the Realm implementation includes 
the 3 authorization methods:

- hasRole
- hasUserDataPermission
- hasResourcePermission

Those methods are currently implemented in RealmBase. Are you moving 
them also?

If yes, then the authorization stuff I'm working on (based on our 
previous discussion) will have to move there (I'm slowly slowly coming 
up with an implementation ;-) ).

>
>I never tried it in 4.x - but from the code and code I strongly doubt it
>works.
>
>There is one change I would like to make. 
>
>As you know, JAAS login modules return a Subject and a set of Principals.
>There is no clear way to decide which Principals are Roles - so we 
>currently require the user to configure the realm with the list of classes 
>that are role principals.
>
>In addition to that, I would like to support a different pattern - used
>in JBoss - which seems much cleaner and logical. 
>
>If a Principal of type "java.security.acl.Group" is found - named "Roles" -
>we'll treat all the Principals in that Group as roles. ( the old mechanism
>should still be supported, of course )
>
+1 We will have to document this new feature. I see a lot of questions on 
tomcat-user.....

>
>The other problem: I think we should move the catalina-independent JAAS
>code in a separate module, for example j-t-c/jaas. That would include 
>SimplePrincipal, MemoryLoginModule - and eventually JNDI/JDBC/etc
>LoginModules if anyone has the time to make the conversion. It's not a big
>priority, but it'll clean up the code deps and maybe the code could be
>reused.
>
+1

>
>Opinions ? Votes ? 
>
+1

-- Jeanfrancois

>
>Costin
>
>

