You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Franck Borel <bo...@ub.uni-freiburg.de> on 2007/09/21 10:09:31 UTC
Problems with JAAS-Realm
Hi,
my problem is a bit complicate and I hope someone has enough courage to find an
answer :-).
First I try to explain what I want to do:
I am running an JAAS-Realm with FORM authentication. As known this can only
passes username and credential. Now, I was trying to pass the current IP address
of the user too. The only solution that I found was to overwrite the
org.apache.catalina.realm.JAASRealm class and catch the IP address of the user
using one of the methods which provide a request object, like this.
public SecurityConstraint[] findSecurityConstraints(Request request, Context
context) {
HttpServletRequest req = request; // catch Request
session = req.getSession(); // catch session
ipAddress = req.getRemoteAddr();
The problem:
In a first try this seems to work. But if more then one client try to use the
authentication, it catches the last IP address of the user who makes a request
and not the IP address of the current client I like to authenticate:
1) client A sends a request to the protected site
2) client A authenticate with username/password
3) At the same time client B sends a request to the protected site
4) JAASRealm will be started and calls req.getRemoteAddr()
5) JAASRealm gets the IP address from client B
So, the req.getRemoteAddr() seems to catch the information outside of the
current thread and I don't know why. Have someone an idea?
Thanks!
-- Franck
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Problems with JAAS-Realm
Posted by Franck Borel <bo...@ub.uni-freiburg.de>.
Hi David,
thanks again for your time!
> There is only one instance of your realm that is shared by all incoming
> requests. That mean only local values inside methods are individual.
> Every property that is stored at instance of class level is to be
> accessed and stored in a ThreadSafe manner. It's up to you code to be
> Threadsafe by assuming several Http Threads can run it at the same Time.
I am not so shure if I've a clear understanding of the realm architecture. So
let me present my view of it:
Context --> Singleton?
Valve --> Singleton? Valve is the one who passes requests and responses
objects
Realm --> Singleton?
here I get requests and responses objects passing through the
Valve that wrapps the realm. A call of the
request.getRemoteAddr() invokes the valve to get current
request informations, which is out of scope of the current
informations I get about the user in the realm (except
username and password, which are set in the callback handler).
How this is done? Which pattern is used, listener?
> You can, however, make the assumption that the Thread that goes inside
> your realm methods is the same that will serve your request. As such,
> you can save datas for later use by same Thread using ThreadLocal.
Any example?
> However, Threadlocal are to be used with caution. Do not forget to set
> their value back to null our you could face a case of memory leak.
Ok.
Thanks!
-- Franck
>
> En l'instant précis du 21/09/07 13:21, Franck Borel s'exprimait en ces
> termes:
>> Salut David,
>>
>> thanks very much for your answer!
>>
>>>> public SecurityConstraint[] findSecurityConstraints(Request request,
>>>> Context context) {
>>>> HttpServletRequest req = request; // catch Request
>>>> session = req.getSession(); // catch session
>>>> ipAddress = req.getRemoteAddr();
>>>>
>>>> The problem:
>>>> In a first try this seems to work. But if more then one client try to
>>>> use the authentication, it catches the last IP address of the user who
>>>> makes a request and not the IP address of the current client I like to
>>>> authenticate:
>>>> So, the req.getRemoteAddr() seems to catch the information outside of
>>>> the current thread and I don't know why. Have someone an idea?
>>> req.getRemoteAddres() will get the address of that specific request,
>>> it's isolated from other simultaneous request, or lots of people would
>>> start getting problems using it. I would be more enclined to take a look
>>> at where you are defining the session and ipAddress properties, it looks
>>> like they are class or instance level, where it's mandatory that Realm
>>> be ThreadSafe and stateless.
>> This sounds like as my problem seems to be elsewhere as I supposed. I
>> have no idea where I should tell tomcat to keep the thread statefull.
>> I tried to set some page directives on my login.jsp:
>>
>> <%@ session="true %> (which I think is standard)
>> <%@ isThreadsafe="false" %>
>>
>> This doesn't help. Of course, it can't work, cause the Realm is a
>> valve and therefore the Realm is the part who calls the login.jsp page
>> and the directives of the page appears, in manner of speaking, "to late".
>>
>> How can I tell the Realm to get ThreadSafe? Or have I missunderstood
>> something?
>>
>>
>> -- Franck
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
--
Beste Grüße
Franck Borel
**************************************************************************
Dipl.-Hyd. Franck Borel Telefon: +49[0]761-203 3908
Universitätsbibliothek Fax : +49[0]761-203 3987
Werthmannsplatz 2 E-Mail : borel@ub.uni-freiburg.de
WWW : http://www.ub.uni-freiburg.de
D-79098 Freiburg
**************************************************************************
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Problems with JAAS-Realm
Posted by David Delbecq <de...@oma.be>.
There is only one instance of your realm that is shared by all incoming
requests. That mean only local values inside methods are individual.
Every property that is stored at instance of class level is to be
accessed and stored in a ThreadSafe manner. It's up to you code to be
Threadsafe by assuming several Http Threads can run it at the same Time.
You can, however, make the assumption that the Thread that goes inside
your realm methods is the same that will serve your request. As such,
you can save datas for later use by same Thread using ThreadLocal.
However, Threadlocal are to be used with caution. Do not forget to set
their value back to null our you could face a case of memory leak.
En l'instant précis du 21/09/07 13:21, Franck Borel s'exprimait en ces
termes:
> Salut David,
>
> thanks very much for your answer!
>
>>> public SecurityConstraint[] findSecurityConstraints(Request request,
>>> Context context) {
>>> HttpServletRequest req = request; // catch Request
>>> session = req.getSession(); // catch session
>>> ipAddress = req.getRemoteAddr();
>>>
>>> The problem:
>>> In a first try this seems to work. But if more then one client try to
>>> use the authentication, it catches the last IP address of the user who
>>> makes a request and not the IP address of the current client I like to
>>> authenticate:
>
>>> So, the req.getRemoteAddr() seems to catch the information outside of
>>> the current thread and I don't know why. Have someone an idea?
>
>> req.getRemoteAddres() will get the address of that specific request,
>> it's isolated from other simultaneous request, or lots of people would
>> start getting problems using it. I would be more enclined to take a look
>> at where you are defining the session and ipAddress properties, it looks
>> like they are class or instance level, where it's mandatory that Realm
>> be ThreadSafe and stateless.
>
> This sounds like as my problem seems to be elsewhere as I supposed. I
> have no idea where I should tell tomcat to keep the thread statefull.
> I tried to set some page directives on my login.jsp:
>
> <%@ session="true %> (which I think is standard)
> <%@ isThreadsafe="false" %>
>
> This doesn't help. Of course, it can't work, cause the Realm is a
> valve and therefore the Realm is the part who calls the login.jsp page
> and the directives of the page appears, in manner of speaking, "to late".
>
> How can I tell the Realm to get ThreadSafe? Or have I missunderstood
> something?
>
>
> -- Franck
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
--
http://www.noooxml.org/
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Problems with JAAS-Realm
Posted by Franck Borel <bo...@ub.uni-freiburg.de>.
Salut David,
thanks very much for your answer!
>> public SecurityConstraint[] findSecurityConstraints(Request request,
>> Context context) {
>>
>> HttpServletRequest req = request; // catch Request
>> session = req.getSession(); // catch session
>> ipAddress = req.getRemoteAddr();
>>
>> The problem:
>> In a first try this seems to work. But if more then one client try to
>> use the authentication, it catches the last IP address of the user who
>> makes a request and not the IP address of the current client I like to
>> authenticate:
>> So, the req.getRemoteAddr() seems to catch the information outside of
>> the current thread and I don't know why. Have someone an idea?
> req.getRemoteAddres() will get the address of that specific request,
> it's isolated from other simultaneous request, or lots of people would
> start getting problems using it.
> I would be more enclined to take a look
> at where you are defining the session and ipAddress properties, it looks
> like they are class or instance level, where it's mandatory that Realm
> be ThreadSafe and stateless.
This sounds like as my problem seems to be elsewhere as I supposed. I have no
idea where I should tell tomcat to keep the thread statefull. I tried to set
some page directives on my login.jsp:
<%@ session="true %> (which I think is standard)
<%@ isThreadsafe="false" %>
This doesn't help. Of course, it can't work, cause the Realm is a valve and
therefore the Realm is the part who calls the login.jsp page and the directives
of the page appears, in manner of speaking, "to late".
How can I tell the Realm to get ThreadSafe? Or have I missunderstood something?
-- Franck
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Problems with JAAS-Realm
Posted by David Delbecq <de...@oma.be>.
En l'instant précis du 21/09/07 10:09, Franck Borel s'exprimait en ces
termes:
>
> public SecurityConstraint[] findSecurityConstraints(Request request,
> Context context) {
>
> HttpServletRequest req = request; // catch Request
> session = req.getSession(); // catch session
> ipAddress = req.getRemoteAddr();
>
> The problem:
> In a first try this seems to work. But if more then one client try to
> use the authentication, it catches the last IP address of the user who
> makes a request and not the IP address of the current client I like to
> authenticate:
> So, the req.getRemoteAddr() seems to catch the information outside of
> the current thread and I don't know why. Have someone an idea?
req.getRemoteAddres() will get the address of that specific request,
it's isolated from other simultaneous request, or lots of people would
start getting problems using it. I would be more enclined to take a look
at where you are defining the session and ipAddress properties, it looks
like they are class or instance level, where it's mandatory that Realm
be ThreadSafe and stateless.
--
http://www.noooxml.org/
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org