You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Mohan Radhakrishnan <ra...@gmail.com> on 2006/02/17 13:23:47 UTC

JAAS in Tomcat

Hi,

I have anabled authentication usng JAASRealm in Tomcat 5.x

The steps are

1. Security constraints in web.xml - Working
2. JAAS LoginModule implementation - Working because I am able to login.
3. Policy file like this



grant CodeBase "file:./struts-blank.war" Principal
com.paper.security.filter.Principal "mohan" {
  permission com.xor.auth.perm.URLPermission "/index.jsp";
  permission com.xor.auth.perm.URLPermission "/struts-blank/index.jsp";
  permission com.xor.auth.perm.URLPermission "/struts-blank/Welcome.do";};




4. Struts filter like this



       	    HttpServletRequest httpReq = (HttpServletRequest) req;
            LoginContext lc = *new* LoginContext("WhitePaper",
        	    		*new* WhitePaperCallbackHandler( httpReq.getRemoteUser(),
          	    		 			                   "javatech" ));
			logger.info( "Authenticating [" + httpReq.getRequestURI() );
        	lc.login();
			logger.info( "Authenticated" );
        	Subject s = lc.getSubject();
        	javax.security.auth.Policy policy =
javax.security.auth.Policy.getPolicy();
        	CodeSource cs = *new* CodeSource(*new* URL("file:./struts-blank.war"),
        			                       (CodeSigner[])*null*);
        	PermissionCollection perms = policy.getPermissions( s, cs );
    	
        	*if*( perms!= *null* ) {
        		Enumeration e = perms.elements();
        		*while*( e.hasMoreElements()) {
    				logger.info( "[" + e.nextElement() + "]");
        		}
       	    }

        	Subject.doAsPrivileged(s, *new* PrivilegedExceptionAction() {
        		*public* Object run() {
        		  proceed( req,res,chain );
        		  *return* *null*;
        		}
       		}, *null*);




The problem is that I am not able to print any permissions. So I am assuming
there is a configuration problem. I am able to login and JAAS itself works
fine.

Now I am able to type a URL that is not mentioned in the policy file and
access it. So my policy file is not taking effect ??

Appreciate any help.

Thanks,
Mohan

Re: JAAS in Tomcat

Posted by Mohan Radhakrishnan <ra...@gmail.com>.

Hi,
        Now I have made some progress.

My policy file is

grant CodeBase "file:C:/apache-tomcat-5.5.15/webapps/struts-blank" Principal
* * {
  permission javax.security.auth.AuthPermission "
createLoginContext.WhitePaper";
  permission java.util.PropertyPermission "java.home", "read";


  permission com.paper.security.filter.URLPermission "/index.jsp";
  permission com.paper.security.filter.URLPermission "/struts-blank/";
  permission com.paper.security.filter.URLPermission"/struts-blank/index.jsp";
  permission com.paper.security.filter.URLPermission"/struts-blank/Welcome.do";

};

and I am using code like this.

           final SecurityManager sm;
         if (System.getSecurityManager() == null) {
            sm  = new SecurityManager();
           } else {
            sm = System.getSecurityManager();
         }
         Subject.doAsPrivileged(s, new PrivilegedExceptionAction() {
                              public Object run() {
                                  sm.checkPermission(p);
                                  return null;
                              }
         },null);
Now after JAAS authentication, I get access denied (
com.paper.security.filter.URLPermission /struts-blank/)


Thanks,
Mohan


On 2/17/06, Mohan Radhakrishnan <ra...@gmail.com> wrote:
>
> Hi,
>
> I have anabled authentication usng JAASRealm in Tomcat 5.x
>
> The steps are
>
> 1. Security constraints in web.xml - Working
> 2. JAAS LoginModule implementation - Working because I am able to login.
> 3. Policy file like this
>
>
>
> grant CodeBase "file:./struts-blank.war" Principal com.paper.security.filter.Principal "mohan" {
>   permission com.xor.auth.perm.URLPermission "/index.jsp";
>   permission com.xor.auth.perm.URLPermission "/struts-blank/index.jsp";
>   permission com.xor.auth.perm.URLPermission "/struts-blank/Welcome.do";};
>
>
>
>
> 4. Struts filter like this
>
>
>
>        	    HttpServletRequest httpReq = (HttpServletRequest) req;
>             LoginContext lc = *new* LoginContext("WhitePaper",
>         	    		*new* WhitePaperCallbackHandler( httpReq.getRemoteUser(),
>           	    		 			                   "javatech" ));
> 			logger.info( "Authenticating [" + httpReq.getRequestURI() );
>         	lc.login();
> 			logger.info( "Authenticated" );
>         	Subject s = lc.getSubject();
>         	javax.security.auth.Policy policy = javax.security.auth.Policy.getPolicy();
>         	CodeSource cs = *new* CodeSource(*new* URL("file:./struts-blank.war"),
>         			                       (CodeSigner[])*null*);
>         	PermissionCollection perms = policy.getPermissions( s, cs );
>     	
>         	*if*( perms!= *null* ) {
>         		Enumeration e = perms.elements();
>         		*while*( e.hasMoreElements()) {
>     				logger.info( "[" + e.nextElement() + "]");
>         		}
>        	    }
>
>         	Subject.doAsPrivileged(s, *new* PrivilegedExceptionAction() {
>         		*public* Object run() {
>         		  proceed( req,res,chain );
>         		  *return* *null*;
>         		}
>        		}, *null*);
>
>
>
>
> The problem is that I am not able to print any permissions. So I am
> assuming there is a configuration problem. I am able to login and JAAS
> itself works fine.
>
> Now I am able to type a URL that is not mentioned in the policy file and
> access it. So my policy file is not taking effect ??
>
> Appreciate any help.
>
> Thanks,
> Mohan
>