Posted to user@struts.apache.org by Mark Benussi <ma...@hotmail.com> on 2005/08/09 09:39:03 UTC

Last question on JAAS I promise

OK I got JAAS working with form authentication. That worked a treat (After a
bit of head banging).

I then moved to invoking the login from Struts (Or a Servlet for Tomcat
users who don't use Struts)

The code still gets invoked correctly.

IBTJAASCallbackHandler callbackHandler = new
IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword());
LoginContext context = new LoginContext("IBTJAAS", callbackHandler);
context.login();
			
However the request.remoteUser() is now null (Was populated correctly when I
used form authentication) and the same for request.isUserInRole() (It
returns false, even though the Principal was added to the subject).

Any ideas...?

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Last question on JAAS I promise

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Before going any further with it on your own, perhaps you can integrate 
your JAAS module with sslext.

Mark Benussi on 09/08/05 11:36, wrote:
> Um wow.... so Form authentication works but not my own.
> 
> That's fine then, I can get the Subject that has been authenticated but
> how do I place the Principals returned from the LoginContext Subject and
> make them available to the session so that I can do request.isUserInRole?
> Is there a session variable I have to set?
> 
> ----Original Message Follows----
> From: Adam Hardy <ah...@cyberspaceroad.com>
> Reply-To: "Struts Users Mailing List" <us...@struts.apache.org>
> To: Struts Users Mailing List <us...@struts.apache.org>
> Subject: Re: Last question on JAAS I promise
> Date: Tue, 09 Aug 2005 09:49:59 +0100
> 
> Mark Benussi on 09/08/05 08:39, wrote:
> 
>> OK I got JAAS working with form authentication. That worked a treat 
>> (After a
>> bit of head banging).
>>
>> I then moved to invoking the login from Struts (Or a Servlet for Tomcat
>> users who don't use Struts)
>>
>> The code still gets invoked correctly.
>>
>> IBTJAASCallbackHandler callbackHandler = new
>> IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword());
>> LoginContext context = new LoginContext("IBTJAAS", callbackHandler);
>> context.login();
>>
>> However the request.remoteUser() is now null (Was populated correctly 
>> when I
>> used form authentication) and the same for request.isUserInRole() (It
>> returns false, even though the Principal was added to the subject).
>>
>> Any ideas...?
> 
> 
> I could be totally wrong but I believe that I have read about people 
> trying this before, and that the answer was that you have to do it all 
> yourself.
> 
> I hesitate to say that since I'm not 100% sure but I think it's true 
> because it makes sense that the container (request.isUserInRole etc) 
> would know nothing about what you are doing with LoginContext and 
> CallbackHandler. I don't think there is any code in LoginContext that 
> injects your info into the servlet container, is there?
> 
> In this situation, you would override the HttpServletRequest class, 
> overriding those methods with your own so that they look for your login 
> info and return user objects, roles etc when required.
> 
> You could ask on the tomcat user list but I too have found it difficult 
> to get help there.
> 
> 
> Adam
> 
> 


RE: Last question on JAAS I promise

Posted by "David G. Friedman" <hu...@ix.netcom.com>.
Mark,

A year ago I skimmed through SecurityFilter(.sourceforge.net) to
see how they did things like this.  I recommend you download the
code and see how they went from a session filter based on their
own forms to putting credentials into Tomcat.  I clearly remember
they had a Tomcat (Catalina) connector in one of their modules.

Regards,
David

-----Original Message-----
From: Mark Benussi [mailto:mark_benussi@hotmail.com]
Sent: Tuesday, August 09, 2005 6:37 AM
To: user@struts.apache.org
Subject: Re: Last question on JAAS I promise


Um wow.... so Form authentication works but not my own.

That's fine then, I can get the Subject that has been authenticated but how
do I place the Principals returned from the LoginContext Subject and make
them available to the session so that I can do request.isUserInRole? Is there
a session variable I have to set?

----Original Message Follows----
From: Adam Hardy <ah...@cyberspaceroad.com>
Reply-To: "Struts Users Mailing List" <us...@struts.apache.org>
To: Struts Users Mailing List <us...@struts.apache.org>
Subject: Re: Last question on JAAS I promise
Date: Tue, 09 Aug 2005 09:49:59 +0100

Mark Benussi on 09/08/05 08:39, wrote:
>OK I got JAAS working with form authentication. That worked a treat (After
>a
>bit of head banging).
>
>I then moved to invoking the login from Struts (Or a Servlet for Tomcat
>users who don't use Struts)
>
>The code still gets invoked correctly.
>
>IBTJAASCallbackHandler callbackHandler = new
>IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword());
>LoginContext context = new LoginContext("IBTJAAS", callbackHandler);
>context.login();
>
>However the request.remoteUser() is now null (Was populated correctly when
>I
>used form authentication) and the same for request.isUserInRole() (It
>returns false, even though the Principal was added to the subject).
>
>Any ideas...?

I could be totally wrong but I believe that I have read about people trying
this before, and that the answer was that you have to do it all yourself.

I hesitate to say that since I'm not 100% sure but I think it's true because
it makes sense that the container (request.isUserInRole etc) would know
nothing about what you are doing with LoginContext and CallbackHandler. I
don't think there is any code in LoginContext that injects your info into
the servlet container, is there?

In this situation, you would override the HttpServletRequest class,
overriding those methods with your own so that they look for your login info
and return user objects, roles etc when required.

You could ask on the tomcat user list but I too have found it difficult to
get help there.


Adam





Re: Last question on JAAS I promise

Posted by Mark Benussi <ma...@hotmail.com>.
Um wow.... so Form authentication works but not my own.

That's fine then, I can get the Subject that has been authenticated but how
do I place the Principals returned from the LoginContext Subject and make
them available to the session so that I can do request.isUserInRole? Is there
a session variable I have to set?

----Original Message Follows----
From: Adam Hardy <ah...@cyberspaceroad.com>
Reply-To: "Struts Users Mailing List" <us...@struts.apache.org>
To: Struts Users Mailing List <us...@struts.apache.org>
Subject: Re: Last question on JAAS I promise
Date: Tue, 09 Aug 2005 09:49:59 +0100

Mark Benussi on 09/08/05 08:39, wrote:
>OK I got JAAS working with form authentication. That worked a treat (After 
>a
>bit of head banging).
>
>I then moved to invoking the login from Struts (Or a Servlet for Tomcat
>users who don't use Struts)
>
>The code still gets invoked correctly.
>
>IBTJAASCallbackHandler callbackHandler = new
>IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword());
>LoginContext context = new LoginContext("IBTJAAS", callbackHandler);
>context.login();
>
>However the request.remoteUser() is now null (Was populated correctly when 
>I
>used form authentication) and the same for request.isUserInRole() (It
>returns false, even though the Principal was added to the subject).
>
>Any ideas...?

I could be totally wrong but I believe that I have read about people trying 
this before, and that the answer was that you have to do it all yourself.

I hesitate to say that since I'm not 100% sure but I think it's true because 
it makes sense that the container (request.isUserInRole etc) would know 
nothing about what you are doing with LoginContext and CallbackHandler. I 
don't think there is any code in LoginContext that injects your info into 
the servlet container, is there?

In this situation, you would override the HttpServletRequest class, 
overriding those methods with your own so that they look for your login info 
and return user objects, roles etc when required.

You could ask on the tomcat user list but I too have found it difficult to 
get help there.


Adam





Re: Last question on JAAS I promise

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Mark Benussi on 09/08/05 08:39, wrote:
> OK I got JAAS working with form authentication. That worked a treat (After a
> bit of head banging).
> 
> I then moved to invoking the login from Struts (Or a Servlet for Tomcat
> users who don't use Struts)
> 
> The code still gets invoked correctly.
> 
> IBTJAASCallbackHandler callbackHandler = new
> IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword());
> LoginContext context = new LoginContext("IBTJAAS", callbackHandler);
> context.login();
> 			
> However the request.remoteUser() is now null (Was populated correctly when I
> used form authentication) and the same for request.isUserInRole() (It
> returns false, even though the Principal was added to the subject).
> 
> Any ideas...?

I could be totally wrong but I believe that I have read about people 
trying this before, and that the answer was that you have to do it all 
yourself.

I hesitate to say that since I'm not 100% sure but I think it's true 
because it makes sense that the container (request.isUserInRole etc) 
would know nothing about what you are doing with LoginContext and 
CallbackHandler. I don't think there is any code in LoginContext that 
injects your info into the servlet container, is there?

In this situation, you would override the HttpServletRequest class, 
overriding those methods with your own so that they look for your login 
info and return user objects, roles etc when required.

You could ask on the tomcat user list but I too have found it difficult 
to get help there.


Adam





Re: File serving servlet

Posted by Craig McClanahan <cr...@gmail.com>.
On 8/9/05, Jim Kennedy <jg...@mindspring.com> wrote:
>  Can anyone give me the name of the source file that handles the serving of
> static content for Tomcat.  I have a need to duplicate this function for
> alternate locations and want to make sure I cover all bases in terms of
> security, http headers ...
> 
> FYI I just downloaded all source files and just need the name of the file
> serving servlet.
> 

At least through 5.0 (haven't looked to see if it changed in 5.5), you
could go into $CATALINA_HOME/conf/web.xml and discover the names of
all the global servlets supported by Tomcat, including the one you
seek (org.apache.catalina.servlets.DefaultServlet).

> thanks

Craig



File serving servlet

Posted by Jim Kennedy <jg...@mindspring.com>.
 Can anyone give me the name of the source file that handles the serving of
static content for Tomcat.  I have a need to duplicate this function for
alternate locations and want to make sure I cover all bases in terms of
security, http headers ...

FYI I just downloaded all source files and just need the name of the file
serving servlet.

thanks


