Posted to users@tomcat.apache.org by Rashid Jilani <ji...@lifebiosystems.com> on 2010/08/13 22:03:46 UTC
JAAS Realm and http error 403
Hi: I am using JAAS authentication to access the protected resource using
the code below, but even though I get past the login module successfully, I get a 403
error.
I tested the code on both Tomcat 6.0.29 and 6.0.18 on Windows XP with Java 6
and see the same behavior.
Here is the code I am using for the login module:
import java.io.IOException;
import java.security.Principal;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class MyLoginModule implements LoginModule {
    protected CallbackHandler callbackHandler = null;
    protected boolean committed = false;
    protected boolean debug = false;
    protected Map options = null;
    protected Principal principal = null;
    protected Map sharedState = null;
    protected Subject subject = null;

    protected void log(String message) {
        System.out.print("MyLoginModule: ");
        System.out.println(message);
    }

    public boolean abort() throws LoginException {
        log("abort");
        return (true);
    }

    public boolean commit() throws LoginException {
        log("commit phase");
        // If authentication was not successful, just return false
        if (principal == null) {
            log("no principal commit fails");
            return (false);
        }
        // User principal: matched by JAASRealm against userClassNames
        if (!subject.getPrincipals().contains(principal))
            subject.getPrincipals().add(principal);
        // Role principal: matched by JAASRealm against roleClassNames
        subject.getPrincipals().add(new MyRolePrincipal("admin"));
        committed = true;
        log("commit successful");
        return (true);
    }

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        // Save configuration values handed over by the LoginContext
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = sharedState;
        this.options = options;
    }

    public boolean login() throws LoginException {
        log("login phase");
        // Set up our CallbackHandler requests
        if (callbackHandler == null)
            throw new LoginException("No CallbackHandler specified");
        Callback callbacks[] = new Callback[2];
        callbacks[0] = new NameCallback("Username: ");
        callbacks[1] = new PasswordCallback("Password: ", false);
        // Interact with the user (Tomcat's JAASCallbackHandler) to retrieve the username and password
        String username = null;
        String password = null;
        try {
            callbackHandler.handle(callbacks);
            username = ((NameCallback) callbacks[0]).getName();
            PasswordCallback pc = (PasswordCallback) callbacks[1];
            char[] pw = pc.getPassword();
            // getPassword() may return null; guard against it instead of throwing a NullPointerException
            if (pw != null) {
                password = new String(pw);
                pc.clearPassword(); // do not leave the secret in the callback's char[]
            }
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        // Returning false tells the LoginContext to ignore this module; with a single
        // required module the overall login still fails and no principal is set
        if (!authenticate(username, password))
            return false;
        principal = new MyPrincipal(username);
        return true;
    }

    public boolean logout() throws LoginException {
        subject.getPrincipals().remove(principal);
        // Also drop the role principal added in commit(), otherwise it survives the logout
        subject.getPrincipals().removeAll(subject.getPrincipals(MyRolePrincipal.class));
        committed = false;
        principal = null;
        return (true);
    }

    // Hard-coded test credentials (jaas/jaas) for this experiment
    boolean authenticate(String s, String p) {
        if (s == null || p == null)
            return false;
        return (s.compareTo("jaas") == 0) && (p.compareTo("jaas") == 0);
    }
}
This is the JAAS configuration I am using inside my context file:
<Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
       appName="Test"
       userClassNames="com.rashid.test.MyPrincipal"
       roleClassNames="com.rashid.test.MyRolePrincipal" />
Regards,
RJ.
RE: JAAS Realm and http error 403
Posted by Rashid Jilani <ji...@lifebiosystems.com>.
Thanks Charles for clarification.
Regards,
RJ.
RE: JAAS Realm and http error 403
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Rashid Jilani [mailto:jilani@lifebiosystems.com]
> Subject: RE: JAAS Realm and http error 403
>
> After going through Tomcat specification I was under the impression
> that "*" will authenticate any role
Exactly where were you looking?
> I wonder is there any JAAS/Tomcat expert who can comments
> on this, and let me know the interpretation of the "*" under
> < role-name > element
Read the servlet spec:
"The special role name '*' is a shorthand for all role names defined in the deployment descriptor."
Note that this is *not* any role, it is any of the *enumerated* roles in web.xml.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
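To make Chuck's point concrete, here is an added web.xml fragment (not from the thread) that keeps the "*" constraint but declares the role, so the shorthand actually expands to something. Without the <security-role> block, "*" expands to the empty set and every authenticated user gets a 403, even though MyLoginModule put MyRolePrincipal("admin") into the Subject; the URL pattern and BASIC auth method are assumptions.

```xml
<!-- Added example for a Tomcat 6 (Servlet 2.5) web.xml; URL pattern and auth method are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" means: every role listed in a <security-role> element of THIS file.
           It does NOT mean "any role the realm reports for the user". -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- This declaration is what makes "*" include "admin". Remove it and the
       constraint above matches no role at all: the user authenticates (no 401)
       but is refused with 403, which is exactly the symptom reported above.
       Naming <role-name>admin</role-name> directly in the auth-constraint, as
       RJ ended up doing, is the other way to get a match. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Servlet 3.1 containers (Tomcat 8 and later) add the separate "**" role name meaning "any authenticated user regardless of role"; Tomcat 6 has no such shorthand, so a role must be declared or named explicitly.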
RE: JAAS Realm and http error 403
Posted by Rashid Jilani <ji...@lifebiosystems.com>.
It looks like when it comes to JAAS and Java security you are on your own, and
nobody knows anything except through trial and error.
Anyway, it looks like I resolved this issue by changing the <role-name> element in my web.xml file
from
    <role-name>*</role-name> // All roles
to
    <role-name>admin</role-name> // subject.getPrincipals().add(new MyRolePrincipal("admin"));
After going through the Tomcat specification I was under the impression that "*"
will authenticate any role, but it looks like that is not true, at least in my
case.
I wonder if there is any JAAS/Tomcat expert who can comment on this and let
me know the interpretation of the "*" under the <role-name> element.
Regards,
RJ.