Posted to users@tomcat.apache.org by "Emsley, I (Iain)" <I....@rl.ac.uk> on 2007/10/11 13:00:19 UTC

JAAS Realms, cookies and authentication

Hi,
 
I'm trying to implement a solution to log in users via cookies to one of our
web apps which runs on Tomcat, with which I've had several false starts, and
I'd like to ask some advice on the best way of implementing this securely.
 
What I'm trying to achieve is when the user logs in on main site and
clicks the link to the Java calendar, the link will read the cookie
(extracting the user name/password and converting into hex to send back
to the main config files to check if it's valid whilst also checking that
they are a member of our service) and then grant access to the
application on success.

I was looking at the JAAS realm since the user information is kept in
what is essentially a flat file db and trying to write a LoginModule
which replicates the existing Perl scripts' actions for checking
username/password and membership. AFAIUI, I'd need to write a servlet to
process the cookie before hitting the JAAS realm though. Have I
understood this correctly or can I get the LoginModule to do the
processing (which appears to be implied in the Tomcat manual on Realms)?

Ultimately I will need to be able to log users in via http, https and
the Shibboleth Single Sign On (for which I know there is a JAAS realm).
As I understand it, as long as I have a config which lists all the
various login methods, I should be able to stack these onto one Tomcat,
or have I also misunderstood this? 

Many thanks in advance. 

Iain
 
Iain Emsley
 
Support Analyst
JISCmail: www.jiscmail.ac.uk
Mailtalk: www.mailtalk.ac.uk
 

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: JAAS Realms, cookies and authentication

Posted by "Emsley, I (Iain)" <I....@rl.ac.uk>.
Chris, 

Essentially it is a "remember me". Many thanks for the comments - I'm
beginning to see the forest from the trees and all that JAAS ;) 

Thanks,

Iain 

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 11 October 2007 18:25
To: Tomcat Users List
Subject: Re: JAAS Realms, cookies and authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Iain,

Emsley, I (Iain) wrote:
> What I'm trying to achieve is when the user logs in on main site and 
> clicks the link to the Java calendar, the link will read the cookie 
> (extracting the user name/password and converting into hex to send 
> back to the main config files to check if it's valid whilst also 
> checking that they are a member of our service) and then grant access 
> to the application on success.

Shouldn't this happen automatically? When the browser makes an HTTP
connection to your server, as long as the hostname and path match, the
cookie will be sent automatically. Am I misunderstanding your thought?

Are you trying to implement "remember me" functionality?
 

> I was looking at the JAAS realm since the user information is kept in 
> what is essentially a flat file db and trying to write a LoginModule 
> which replicates the existing Perl scripts' actions for checking 
> username/password and membership.

I have no experience with JAASRealm. Would it be easier to write a
simple Realm instead of dealing with JAAS?

> AFAIUI, I'd need to write a servlet to process the cookie before 
> hitting the JAAS realm though.

That's not going to happen: if you're using Tomcat's built-in
authentication and authorization mechanism, then basically none of your
code gets to run before the authentication is performed (unless you
write your own Realm, or JAAS LoginModule).


> Have I understood this correctly or can I get the LoginModule to do the
> processing (which appears to be implied in the Tomcat manual on Realms)?

Hopefully, the request object is available to your LoginModule or Realm
in order to do the authentication. That would allow you to substitute
the authentication information from the cookie instead of attempting to
get it from the request (parameters).

> Ultimately I will need to be able to log users in via http, https and
> the Shibboleth Single Sign On (for which I know there is a JAAS realm).

Aah, a better reason to use JAAS ;)

> As I understand it, as long as I have a config which lists all the 
> various login methods, I should be able to stack these onto one 
> Tomcat, or have I also misunderstood this?

Sorry, I can't answer this, but I think that's what JAAS was made for:
multiple authentication methods glued together, and a simpler, more
stable interface (LoginModule) for implementation.

-chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHDlxR9CaO5/Lv0PARAlr3AJ9LDhSciOxAXJZ94uu5eOkNdoodhQCfZHtG
PPrHJfLQe4qapF3p7xv4Y6k=
=W8zh
-----END PGP SIGNATURE-----



Re: JAAS Realms, cookies and authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Iain,

Emsley, I (Iain) wrote:
> What I'm trying to achieve is when the user logs in on main site and
> clicks the link to the Java calendar, the link will read the cookie
> (extracting the user name/password and converting into hex to send back
> to the main config files to check if it's valid whilst also checking that
> they are a member of our service) and then grant access to the
> application on success.

Shouldn't this happen automatically? When the browser makes an HTTP
connection to your server, as long as the hostname and path match, the
cookie will be sent automatically. Am I misunderstanding your thought?

Are you trying to implement "remember me" functionality?

> I was looking at the JAAS realm since the user information is kept in
> what is essentially a flat file db and trying to write a LoginModule
> which replicates the existing Perl scripts' actions for checking
> username/password and membership.

I have no experience with JAASRealm. Would it be easier to write a
simple Realm instead of dealing with JAAS?

> AFAIUI, I'd need to write a servlet to
> process the cookie before hitting the JAAS realm though.

That's not going to happen: if you're using Tomcat's built-in
authentication and authorization mechanism, then basically none of your
code gets to run before the authentication is performed (unless you
write your own Realm, or JAAS LoginModule).

> Have I
> understood this correctly or can I get the LoginModule to do the
> processing (which appears to be implied in the Tomcat manual on Realms)?

Hopefully, the request object is available to your LoginModule or Realm
in order to do the authentication. That would allow you to substitute
the authentication information from the cookie instead of attempting to
get it from the request (parameters).

> Ultimately I will need to be able to log users in via http, https and
> the Shibboleth Single Sign On (for which I know there is a JAAS realm).

Aah, a better reason to use JAAS ;)

> As I understand it, as long as I have a config which lists all the
> various login methods, I should be able to stack these onto one Tomcat,
> or have I also misunderstood this? 

Sorry, I can't answer this, but I think that's what JAAS was made for:
multiple authentication methods glued together, and a simpler, more
stable interface (LoginModule) for implementation.

-chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHDlxR9CaO5/Lv0PARAlr3AJ9LDhSciOxAXJZ94uu5eOkNdoodhQCfZHtG
PPrHJfLQe4qapF3p7xv4Y6k=
=W8zh
-----END PGP SIGNATURE-----
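
The two points Chris makes above, that with Tomcat's built-in authentication your own code only runs inside a Realm or a JAAS LoginModule, and that JAAS is the place to glue several login methods together under one configuration, are easier to see with a concrete LoginModule. The following is an added example written for this archive page; it is not code from the thread, from Tomcat, or from the Perl scripts the original poster mentions. It authenticates a username/password against a flat file that holds only salted SHA-256 hashes and group lists, and treats "membership of the service" as a required group. The class name, the option names (`file`, `requiredGroup`), the record format, the hashing scheme and the login-configuration entry in the header comment are all assumptions; `org.apache.catalina.realm.JAASRealm` and its `appName`, `userClassNames` and `roleClassNames` attributes are Tomcat's own. Because the module only ever sees what the CallbackHandler delivers (a name and a password), a cookie would have to be interpreted inside the Realm or LoginModule, which is exactly Chris's point about nothing running in front of the authenticator.

```java
import java.io.IOException;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/*
 * Illustrative JAAS LoginModule for a flat-file user database (added example; not code from
 * this thread, from Tomcat, or from the poster's Perl scripts). Assumed record format:
 *   username:salt:base64(sha256(salt + password)):group1,group2
 * Assumed login configuration, stacking a hypothetical second method behind this one:
 *   Calendar { example.FlatFileLoginModule sufficient file="/etc/app/users.db" requiredGroup="members";
 *              example.OtherSsoLoginModule sufficient; };
 * Tomcat's JAASRealm is then given UserPrincipal as userClassNames and RolePrincipal as roleClassNames.
 */
public class FlatFileLoginModule implements LoginModule {
    static abstract class Named implements Principal {
        final String name; Named(String n) { name = n; }
        public String getName() { return name; }
        public String toString() { return getClass().getSimpleName() + ":" + name; }
    }
    public static class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }
    public static class RolePrincipal extends Named { RolePrincipal(String n) { super(n); } }

    private Subject subject; private CallbackHandler handler; private Map<String, ?> options;
    private String user; private List<String> groups;
    private final List<Principal> granted = new ArrayList<>();

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials: " + e); }
        char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword(); pc.clearPassword();
        String file = Objects.requireNonNull((String) options.get("file"), "option 'file' missing");
        try {
            String[] rec = loadUsers(Paths.get(file)).get(nc.getName());
            // Hash even when the user is unknown, so both failures cost the same; compare in constant time.
            byte[] expected = (rec == null ? "" : rec[2]).getBytes(StandardCharsets.UTF_8);
            byte[] actual = hashB64(rec == null ? "" : rec[1], pw).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, actual)) throw new FailedLoginException("bad username or password");
            List<String> g = Arrays.asList(rec[3].split(","));
            String required = (String) options.get("requiredGroup");   // the service-membership check
            if (required != null && !g.contains(required)) throw new FailedLoginException("not a member of " + required);
            user = nc.getName(); groups = g; return true;
        } catch (IOException e) {
            throw new LoginException("user database unreadable: " + e);
        } finally {
            Arrays.fill(pw, '\0');   // do not keep the cleartext password in memory
        }
    }

    public boolean commit() {
        if (user == null) return false;
        granted.add(new UserPrincipal(user)); for (String g : groups) granted.add(new RolePrincipal(g));
        subject.getPrincipals().addAll(granted); return true;
    }
    public boolean abort() { user = null; groups = null; return true; }
    public boolean logout() { subject.getPrincipals().removeAll(granted); granted.clear(); user = null; return true; }

    static Map<String, String[]> loadUsers(Path file) throws IOException {
        Map<String, String[]> m = new HashMap<>();
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String[] f = line.trim().split(":", 4);
            if (f.length == 4 && !f[0].startsWith("#")) m.put(f[0], f);
        }
        return m;
    }

    /** base64(sha256(salt + password)); the password is hashed from its char[] without a String copy. */
    static String hashB64(String salt, char[] pw) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt.getBytes(StandardCharsets.UTF_8));
            md.update(StandardCharsets.UTF_8.encode(CharBuffer.wrap(pw)));
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** What an enrolment script writes: only the salted hash reaches the file, never the password. */
    static String makeRecord(String user, String salt, char[] pw, String groups) {
        return user + ":" + salt + ":" + hashB64(salt, pw) + ":" + groups;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample database: alice is a member of the service, bob is not.
        Path db = Files.createTempFile("users", ".db");
        Files.write(db, Arrays.asList(makeRecord("alice", "s1", "correct horse".toCharArray(), "members,staff"),
                                      makeRecord("bob", "s2", "hunter2".toCharArray(), "guests")));
        Map<String, String> opts = new HashMap<>();
        opts.put("file", db.toString()); opts.put("requiredGroup", "members");
        for (String[] a : new String[][] { { "alice", "correct horse" }, { "alice", "wrong" }, { "bob", "hunter2" } }) {
            FlatFileLoginModule m = new FlatFileLoginModule();
            Subject s = new Subject();
            m.initialize(s, cbs -> {   // stands in for the CallbackHandler that Tomcat's JAASRealm supplies
                for (Callback c : cbs) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName(a[0]);
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(a[1].toCharArray());
                }
            }, new HashMap<>(), opts);
            try { m.login(); m.commit(); System.out.println(a[0] + " -> " + s.getPrincipals()); }
            catch (LoginException e) { m.abort(); System.out.println(a[0] + " -> denied: " + e.getMessage()); }
        }
    }
}
```

Run stand-alone, `main` grants alice a user principal plus `members` and `staff` roles, rejects alice with a wrong password, and rejects bob (valid password, but not in the required group). Under Tomcat the same class is driven by JAASRealm instead of `main`: the realm's `appName` selects the configuration entry, and the `sufficient` flag on each module is what lets a second method (an SSO module, for instance) be tried when this one fails, which is the stacking the last question in the thread asks about.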
