Posted to users@tomcat.apache.org by Mohan Radhakrishnan <ra...@gmail.com> on 2006/02/17 13:23:47 UTC
JAAS in Tomcat
Hi,
I have enabled authentication using JAASRealm in Tomcat 5.x
The steps are
1. Security constraints in web.xml - Working
2. JAAS LoginModule implementation - Working because I am able to login.
3. Policy file like this

    grant CodeBase "file:./struts-blank.war"
          Principal com.paper.security.filter.Principal "mohan" {
        permission com.xor.auth.perm.URLPermission "/index.jsp";
        permission com.xor.auth.perm.URLPermission "/struts-blank/index.jsp";
        permission com.xor.auth.perm.URLPermission "/struts-blank/Welcome.do";
    };
4. Struts filter like this

    // Imports the snippet relies on (the mail client's bold markers have been removed)
    import java.net.URL;
    import java.security.*;
    import java.util.Enumeration;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.servlet.http.HttpServletRequest;

    HttpServletRequest httpReq = (HttpServletRequest) req;
    LoginContext lc = new LoginContext("WhitePaper",
            new WhitePaperCallbackHandler(httpReq.getRemoteUser(), "javatech"));
    logger.info("Authenticating [" + httpReq.getRequestURI() + "]");
    lc.login();
    logger.info("Authenticated");
    Subject s = lc.getSubject();

    // Ask the JAAS policy which permissions this Subject holds for the given code source
    javax.security.auth.Policy policy = javax.security.auth.Policy.getPolicy();
    CodeSource cs = new CodeSource(new URL("file:./struts-blank.war"), (CodeSigner[]) null);
    PermissionCollection perms = policy.getPermissions(s, cs);
    if (perms != null) {
        Enumeration<Permission> e = perms.elements();
        while (e.hasMoreElements()) {
            logger.info("[" + e.nextElement() + "]");
        }
    }

    // Continue the filter chain with the authenticated Subject's principals attached
    Subject.doAsPrivileged(s, new PrivilegedExceptionAction<Object>() {
        public Object run() throws Exception {
            proceed(req, res, chain);   // req, res and chain must be final here
            return null;
        }
    }, null);
The problem is that I am not able to print any permissions. So I am assuming
there is a configuration problem. I am able to login and JAAS itself works
fine.
Now I am able to type a URL that is not mentioned in the policy file and
access it. So my policy file is not taking effect?
Appreciate any help.
Thanks,
Mohan
Re: JAAS in Tomcat
Posted by Mohan Radhakrishnan <ra...@gmail.com>.
Hi,
Now I have made some progress.
My policy file is

    grant CodeBase "file:C:/apache-tomcat-5.5.15/webapps/struts-blank" Principal * * {
        permission javax.security.auth.AuthPermission "createLoginContext.WhitePaper";
        permission java.util.PropertyPermission "java.home", "read";
        permission com.paper.security.filter.URLPermission "/index.jsp";
        permission com.paper.security.filter.URLPermission "/struts-blank/";
        permission com.paper.security.filter.URLPermission "/struts-blank/index.jsp";
        permission com.paper.security.filter.URLPermission "/struts-blank/Welcome.do";
    };
and I am using code like this.

    // s is the Subject returned by lc.getSubject(); p is the URLPermission for the requested path
    final SecurityManager sm;
    if (System.getSecurityManager() == null) {
        sm = new SecurityManager();
    } else {
        sm = System.getSecurityManager();
    }
    Subject.doAsPrivileged(s, new PrivilegedExceptionAction<Object>() {
        public Object run() {
            sm.checkPermission(p);   // throws AccessControlException when the policy does not grant p
            return null;
        }
    }, null);
Now after JAAS authentication, I get access denied (com.paper.security.filter.URLPermission /struts-blank/)
Thanks,
Mohan
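Both messages in this thread hinge on the same three things lining up: the principal class and name named in the grant must be exactly what the Subject carries, the codeBase (if any) must cover the code source of the classes doing the check, and the check itself must run with the Subject's principals attached to the caller's domain. The program below is an added, self-contained example; it is not Mohan's code and not part of Tomcat. It writes a constructed policy file, installs it with the standard "JavaPolicy" provider (the same parser that reads catalina.policy), and runs a permission check inside Subject.doAsPrivileged for a Subject that matches the grant and one that does not. UrlPathPermission and NamePrincipal are hypothetical stand-ins for the poster's com.paper.security.filter.URLPermission and Principal classes, and the code assumes a JDK from 8 through 21 (Policy and AccessController.checkPermission are no longer functional in JDK 24 and later). Compile and run with `javac JaasPolicyDemo.java && java JaasPolicyDemo`.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.URIParameter;
import java.util.Objects;
import javax.security.auth.Subject;

// Hypothetical stand-in for the poster's com.paper.security.filter.URLPermission.
// BasicPermission gives exact-name matching; the policy loader instantiates custom
// permission classes reflectively through a (String) or (String, String) constructor.
final class UrlPathPermission extends BasicPermission {
    public UrlPathPermission(String path) { super(path); }
    public UrlPathPermission(String path, String actions) { super(path, actions); }
}

// Hypothetical stand-in for the poster's Principal class. A principal-based grant
// matches on exactly two things: this class's name and the value of getName().
final class NamePrincipal implements Principal {
    private final String name;
    NamePrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "NamePrincipal \"" + name + "\""; }
}

public class JaasPolicyDemo {
    // Constructed policy text (written to a temp file at run time). There is no codeBase
    // clause, so the grant applies to any code source and is keyed only on the principal.
    static final String POLICY =
          "grant principal NamePrincipal \"mohan\" {\n"
        + "    permission UrlPathPermission \"/index.jsp\";\n"
        + "    permission UrlPathPermission \"/struts-blank/Welcome.do\";\n"
        + "};\n";

    // Parse the policy text with the standard "JavaPolicy" provider and make it the
    // process-wide policy consulted by AccessController.checkPermission.
    static void installPolicy() throws Exception {
        Path file = Files.createTempFile("demo", ".policy");
        Files.write(file, POLICY.getBytes(StandardCharsets.UTF_8));
        Policy.setPolicy(Policy.getInstance("JavaPolicy", new URIParameter(file.toUri())));
    }

    // What a LoginModule's commit() would leave in the Subject: one named principal.
    static Subject subjectFor(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamePrincipal(user));
        return s;
    }

    // The check from the thread, done the way the JAAS authorization model expects.
    // checkPermission evaluates every protection domain in scope; doAsPrivileged with a
    // null context limits that scope to the caller's own domain with the Subject's
    // principals attached, so only the grants that name this principal decide the outcome.
    static boolean allowed(Subject subject, final String path) {
        return Subject.doAsPrivileged(subject, new PrivilegedAction<Boolean>() {
            @Override public Boolean run() {
                try {
                    AccessController.checkPermission(new UrlPathPermission(path));
                    return Boolean.TRUE;
                } catch (AccessControlException denied) {
                    return Boolean.FALSE;
                }
            }
        }, null);
    }

    public static void main(String[] args) throws Exception {
        installPolicy();

        // If a codeBase clause is added to the grant, it has to cover this location. A
        // directory codeBase needs a trailing "/-" to match everything in and below it;
        // a path with no trailing "/" or "/-" matches only that single file.
        CodeSource cs = JaasPolicyDemo.class.getProtectionDomain().getCodeSource();
        System.out.println("code source of this class: " + (cs == null ? "null" : cs.getLocation()));

        Subject mohan = subjectFor("mohan");
        Subject guest = subjectFor("guest");
        System.out.println("mohan /index.jsp -> " + allowed(mohan, "/index.jsp"));  // listed in the grant
        System.out.println("mohan /admin.jsp -> " + allowed(mohan, "/admin.jsp"));  // not listed
        System.out.println("guest /index.jsp -> " + allowed(guest, "/index.jsp"));  // principal does not match
    }
}
```

The printed code source is the value a codeBase clause would have to match; comparing it against the grant is the quickest way to tell whether an empty getPermissions() result comes from the codeBase or from the principal. Running the check through SecurityManager.checkPermission instead of inside doAsPrivileged with a null context also pulls the container's and framework's own domains into the evaluation, and every one of them then needs the permission too.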