Posted to users@tomcat.apache.org by Renato Romano <r....@set-network.com> on 2004/03/04 16:12:38 UTC
JAAS and container managed security
I used container managed security (I mean declaring security issues in
web.xml, and using security standard servlet API isUserInRole,
getUserPrincipal and so on) for several webapps, but I'm now facing the
following need that this approach seems not to satisfy:

I have to authenticate users based on both
1) A usual username, password mechanism;
2) An OTP (One Time Password) mechanism, something like a complex string
parameter on a URL (sent by e-mail), stored in the DB that uniquely
identifies the identity of the user.

Now, I'm doing some little tries with JAAS to achieve this, but I have
the following doubt:

If I understand well I cannot merge the two approaches, that is use
servlet declarative and programmatic security with JAAS. If I use JAAS
LoginModules, I will not have the isUserInRole and other APIs
working... Is that right?

Any help is very appreciated

Renato
____________________________________
Renato Romano
Sistemi e Telematica S.p.A.
Calata Grazie - Vial Al Molo Giano
16127 - GENOVA
e-mail: r.romano@set-network.com
Tel.: 010 2712603
_____________________________________
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: JAAS and container managed security
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 03/04/2004 04:12 PM Renato Romano wrote:
> I used container managed security (I mean declaring security issues in
> web.xml, and using security standard servlet API isUserInRole,
> getUserPrincipal and so on) for several webapps, but I'm now facing the
> following need that this approach seems not to satisfy:
>
> I have to authenticate users based on both
> 1) A usual username, password mechanism;
> 2) An OTP (One Time Password) mechanism, something like a complex string
> parameter on a URL (sent by e-mail), stored in the DB that uniquely
> identifies the identity of the user.
>
> Now, I'm doing some little tries with JAAS to achieve this, but I have
> the following doubt:
>
> If I understand well I cannot merge the two approaches, that is use
> servlet declarative and programmatic security with JAAS. If I use JAAS
> LoginModules, I will not have the isUserInRole and other APIs
> working... Is that right?

JAAS will integrate with container-managed security in tomcat. You can
use your login modules. The principal that you fill out in the login
module must contain the role objects. Those methods will work.
Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
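
Added example, not part of the original thread and not Tomcat's own code: a JAAS LoginModule of the kind described in the reply above, which accepts either a password or a one-time token and then places one user principal plus one principal per role on the Subject, so that isUserInRole and getUserPrincipal have something to work from. The class names, the in-memory sample data and the choice to submit the OTP as the credential (so that it arrives through the PasswordCallback) are assumptions; it needs Java 16 or later for records.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Hypothetical module. Tomcat's JAASRealm tells user from roles by principal class:
// list these two classes in its userClassNames and roleClassNames attributes.
public class ExampleLoginModule implements LoginModule {
    public record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    public record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    // Constructed sample data; a real module would query the DB and compare password hashes.
    static final Map<String, String> PASSWORDS = Map.of("alice", "constructed-password");
    static final Map<String, String> OTPS = new ConcurrentHashMap<>(Map.of("alice", "constructed-otp-7f3a9c"));
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("user", "editor"));
    private Subject subject; private CallbackHandler handler; private String user;
    private final Set<Principal> added = new HashSet<>();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback n = new NameCallback("user");
        PasswordCallback p = new PasswordCallback("password or OTP", false);
        try { handler.handle(new Callback[] { n, p }); }
        catch (Exception e) { throw new LoginException(e.toString()); }
        String name = n.getName();
        String secret = p.getPassword() == null ? "" : new String(p.getPassword());
        // remove(key, value) is atomic, so an OTP can be consumed only once.
        if (name == null || !(matches(PASSWORDS.get(name), secret)
                || (matches(OTPS.get(name), secret) && OTPS.remove(name, secret))))
            throw new FailedLoginException("authentication failed");
        user = name; return true;
    }
    static boolean matches(String expected, String given) { // constant-time comparison
        return expected != null && MessageDigest.isEqual(expected.getBytes(UTF_8), given.getBytes(UTF_8));
    }
    public boolean commit() {
        if (user == null) return false;          // login() did not succeed in this module
        added.add(new UserPrincipal(user));
        for (String r : ROLES.getOrDefault(user, List.of())) added.add(new RolePrincipal(r));
        subject.getPrincipals().addAll(added);   // roles travel with the Subject
        return true;
    }
    public boolean abort() { boolean had = user != null; logout(); return had; }
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); user = null; return true; }
}
```

The realm's appName must match the entry name in the JAAS login configuration file that lists this module.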