You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@shiro.apache.org by daniel_asv <da...@macropro.com.mx> on 2008/08/07 19:47:32 UTC
How to use JSecurity
Hi, i have a webservice from a stateless session bean running in a GlassFish
Application Server. The webservice is consumed by a swing application, i
want to agregate a login to the swing application, the user and password
will be stored in a SQL Server 2005 database managed by JPA (Hibernate).
What i need to do for use JSecurity in my login window using the webservice?
--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p679197.html
Sent from the JSecurity User mailing list archive at Nabble.com.
Re: How to use JSecurity
Posted by Les Hazlewood <le...@hazlewood.com>.
No worries Daniel - its good to see that you're trying to get it all under
control! Keep us posted with any questions along the way.
Cheers,
Les
On Thu, Aug 14, 2008 at 12:26 PM, daniel_asv <da...@macropro.com.mx> wrote:
>
> I'am using JBuilder 2008 and i choose to Create an EJB Modeling project for
> the servidor.jar. I only have 2 months programming in java maybe that's why
> i'm doing wrong usage of ejb with jsecurity.
>
>
> Les Hazlewood wrote:
> >
> > Just out of curiosity, are you using EJB3?
> >
> > On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <le...@hazlewood.com>
> wrote:
> >
> >> Ah, I see now.
> >>
> >> The default JSecurity SecurityManager implemenations are almost always
> >> intended to reside in the business tier, not in the client. In an EJB3
> >> application, this means it should reside along side of (a peer to) your
> >> Stateless Session Bean - in the server, not in the client gui.
> >>
> >> So, if you want to secure a web service, JSecurity has to be configured
> >> to
> >> handle http communication - this is done by configuring JSecurity as a
> >> servlet filter in web.xml, to intercept the webservice Servlet Requests
> >> that
> >> will eventually call the underlying EJB.
> >>
> >> See this JavaDoc for how to configure the filter:
> >>
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
> >>
> >> So, for example, if all of your web service calls go
> >>
> >> http://your.host.ip/myapp/webservices
> >>
> >> you would configure the JSecurity filter to intercept all the
> >> /webservices/** urls. For example:
> >>
> >> <filter>
> >> <filter-name>JSecurityFilter</filter-name>
> >>
> >> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
> >>
> >> <init-param>
> >> <param-name>config</param-name>
> >> <param-value>
> >> # The JSecurityFilter configuration is very powerful and
> >> flexible, while still remaining succinct.
> >> # Please read the comprehensive example, with full
> >> comments
> >> and explanations, in the JavaDoc:
> >> #
> >> #
> >>
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
> >>
> >> [filters]
> >> jsecurity.loginUrl = /s/login
> >> authc.successUrl = /s/index
> >>
> >> [urls]
> >> # specify any of the above filters here, depending on
> the
> >> type of security you want:
> >> /webservices/**=authc
> >>
> >> </param-value>
> >> </init-param>
> >>
> >> </filter>
> >>
> >> <filter-mapping>
> >> <filter-name>JSecurityFilter</filter-name>
> >> <url-pattern>*</url-pattern>
> >> </filter-mapping>
> >>
> >> Does this help?
> >>
> >>
> >> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv
> >> <da...@macropro.com.mx>wrote:
> >>
> >>>
> >>> Hi Les, i don´t use servlet and don´t configure web.xml.
> >>>
> >>> I have three jar:
> >>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
> >>> session bean (god) which exposes all his methods as webservice and my
> >>> jpa
> >>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente,
> Permiso,
> >>> Persona, Rol, Tratamiento, Usuario).
> >>> 2. servicios.jar with the generated web service client from wsdl in
> >>> glassfish using JAX-WS and JAXB.
> >>> 3. cliente.jar the swing application that consumes the webservices
> (here
> >>> i
> >>> use JSecurity).
> >>>
> >>> My problem is in the webservices. I don´t know how to call them using a
> >>> user
> >>> and password.
> >>>
> >>>
> >>> Les Hazlewood wrote:
> >>> >
> >>> > Hi Daniel,
> >>> >
> >>> > Have you configured JSecurity via a servlet filter in web.xml? I'm
> >>> just
> >>> > trying to see what your runtime environment is like first before I
> >>> > recommend
> >>> > a solution.
> >>> >
> >>> > Les
> >>> >
> >>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
> >>> > wrote:
> >>> >
> >>> >>
> >>> >> I have implemented this class that inherited from AuthorizingRealm
> >>> >>
> >>> >> package presentacion;
> >>> >>
> >>> >> import java.util.LinkedHashSet;
> >>> >> import java.util.Set;
> >>> >>
> >>> >> import org.jsecurity.authc.AccountException;
> >>> >> import org.jsecurity.authc.AuthenticationException;
> >>> >> import org.jsecurity.authc.AuthenticationInfo;
> >>> >> import org.jsecurity.authc.AuthenticationToken;
> >>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
> >>> >> import org.jsecurity.authc.UnknownAccountException;
> >>> >> import org.jsecurity.authc.UsernamePasswordToken;
> >>> >> import org.jsecurity.authz.AuthorizationException;
> >>> >> import org.jsecurity.authz.AuthorizationInfo;
> >>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
> >>> >> import org.jsecurity.realm.AuthorizingRealm;
> >>> >> import org.jsecurity.subject.PrincipalCollection;
> >>> >>
> >>> >> import acciones.God;
> >>> >> import acciones.Permiso;
> >>> >> import acciones.Rol;
> >>> >> import acciones.Usuario;
> >>> >>
> >>> >> public class EjbRealm extends AuthorizingRealm {
> >>> >> private God servicios;
> >>> >>
> >>> >> public EjbRealm(God servicios) {
> >>> >> this.servicios = servicios;
> >>> >> }
> >>> >>
> >>> >> private Set<String> getRoles(Usuario u) {
> >>> >> Set<String> roles = new LinkedHashSet<String>();
> >>> >> for (Rol rol : u.getRoles()) {
> >>> >> roles.add(rol.getNombre());
> >>> >> }
> >>> >> return roles;
> >>> >> }
> >>> >>
> >>> >> private Set<String> getPermisos(Usuario u) {
> >>> >> Set<String> permisos = new LinkedHashSet<String>();
> >>> >> for (Rol rol : u.getRoles()) {
> >>> >> for (Permiso p : rol.getPermisos()) {
> >>> >> permisos.add(p.getNombre());
> >>> >> }
> >>> >> }
> >>> >> return permisos;
> >>> >> }
> >>> >>
> >>> >> @Override
> >>> >> protected AuthorizationInfo doGetAuthorizationInfo(
> >>> >> PrincipalCollection principals) {
> >>> >> if (principals == null) {
> >>> >> throw new AuthorizationException(
> >>> >> "El parametro
> >>> PrincipalCollection
> >>> >> no
> >>> >> puede ser null.");
> >>> >> }
> >>> >> String apodo = (String)
> >>> >> principals.fromRealm(getName()).iterator()
> >>> >> .next();
> >>> >> Usuario u = servicios.consultarUsuario(apodo);
> >>> >> SimpleAuthorizationInfo info = new
> >>> >> SimpleAuthorizationInfo(getRoles(u));
> >>> >> info.setStringPermissions(getPermisos(u));
> >>> >> return info;
> >>> >> }
> >>> >>
> >>> >> @Override
> >>> >> protected AuthenticationInfo doGetAuthenticationInfo(
> >>> >> AuthenticationToken token) throws
> >>> >> AuthenticationException {
> >>> >> UsernamePasswordToken upToken =
> >>> (UsernamePasswordToken)
> >>> >> token;
> >>> >> String apodo = upToken.getUsername();
> >>> >> if (apodo == null) {
> >>> >> throw new AccountException(
> >>> >> "No se permiten apodos Null
> en
> >>> >> este
> >>> >> realm.");
> >>> >> }
> >>> >> AuthenticationInfo info = null;
> >>> >> String contrasenia =
> >>> >> servicios.consultarContrasenia(apodo);
> >>> >> if (contrasenia == null) {
> >>> >> throw new UnknownAccountException("No se
> >>> encontro
> >>> >> el
> >>> >> usuario ["
> >>> >> + apodo + "]");
> >>> >> }
> >>> >> info = new SimpleAuthenticationInfo(apodo,
> >>> contrasenia,
> >>> >> getName());
> >>> >> return info;
> >>> >> }
> >>> >>
> >>> >> }
> >>> >>
> >>> >> And in my login window i have implemented in a button this code
> >>> >> private GodService god = new GodService();
> >>> >> protected void button_actionPerformed(ActionEvent arg0) {
> >>> >> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
> >>> >> ejbRealm.setCredentialsMatcher(new
> >>> >> Sha256CredentialsMatcher());
> >>> >> DefaultSecurityManager securityManager = new
> >>> >> DefaultSecurityManager(
> >>> >> ejbRealm);
> >>> >> UsernamePasswordToken token = new
> >>> >> UsernamePasswordToken(apodoText
> >>> >> .getText(),
> >>> >> contraseniaText.getPassword());
> >>> >> try {
> >>> >> Subject user = securityManager.login(token);
> >>> >> if (user.isAuthenticated()) {
> >>> >> MenuForm window = new MenuForm(god);
> >>> >> window.show();
> >>> >> dispose();
> >>> >> }
> >>> >> } catch (AuthenticationException e) {
> >>> >> mostrarMensaje("Usuario o contraseña
> >>> >> incorrectos");
> >>> >> } finally {
> >>> >> securityManager.destroy();
> >>> >> }
> >>> >> }
> >>> >>
> >>> >> But now i want to know how to secure my webservice (God) using
> >>> JSecurity.
> >>> >> What i need to do?
> >>> >>
> >>> >>
> >>> >> daniel_asv wrote:
> >>> >> >
> >>> >> > Hi, i have a webservice from a stateless session bean running in a
> >>> >> > GlassFish Application Server. The webservice is consumed by a
> swing
> >>> >> > application, i want to agregate a login to the swing application,
> >>> the
> >>> >> user
> >>> >> > and password will be stored in a SQL Server 2005 database managed
> >>> by
> >>> >> JPA
> >>> >> > (Hibernate).
> >>> >> >
> >>> >> > What i need to do for use JSecurity in my login window using the
> >>> >> > webservice?
> >>> >> >
> >>> >>
> >>> >> --
> >>> >> View this message in context:
> >>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
> >>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
> >>> >>
> >>> >>
> >>> >
> >>> >
> >>>
> >>> --
> >>> View this message in context:
> >>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
> >>> Sent from the JSecurity User mailing list archive at Nabble.com.
> >>>
> >>>
> >>
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/How-to-use-JSecurity-tp679197p724494.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
Re: How to use JSecurity
Posted by daniel_asv <da...@macropro.com.mx>.
I'am using JBuilder 2008 and i choose to Create an EJB Modeling project for
the servidor.jar. I only have 2 months programming in java maybe that's why
i'm doing wrong usage of ejb with jsecurity.
Les Hazlewood wrote:
>
> Just out of curiosity, are you using EJB3?
>
> On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <le...@hazlewood.com> wrote:
>
>> Ah, I see now.
>>
>> The default JSecurity SecurityManager implemenations are almost always
>> intended to reside in the business tier, not in the client. In an EJB3
>> application, this means it should reside along side of (a peer to) your
>> Stateless Session Bean - in the server, not in the client gui.
>>
>> So, if you want to secure a web service, JSecurity has to be configured
>> to
>> handle http communication - this is done by configuring JSecurity as a
>> servlet filter in web.xml, to intercept the webservice Servlet Requests
>> that
>> will eventually call the underlying EJB.
>>
>> See this JavaDoc for how to configure the filter:
>> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>>
>> So, for example, if all of your web service calls go
>>
>> http://your.host.ip/myapp/webservices
>>
>> you would configure the JSecurity filter to intercept all the
>> /webservices/** urls. For example:
>>
>> <filter>
>> <filter-name>JSecurityFilter</filter-name>
>>
>> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>>
>> <init-param>
>> <param-name>config</param-name>
>> <param-value>
>> # The JSecurityFilter configuration is very powerful and
>> flexible, while still remaining succinct.
>> # Please read the comprehensive example, with full
>> comments
>> and explanations, in the JavaDoc:
>> #
>> #
>> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>>
>> [filters]
>> jsecurity.loginUrl = /s/login
>> authc.successUrl = /s/index
>>
>> [urls]
>> # specify any of the above filters here, depending on the
>> type of security you want:
>> /webservices/**=authc
>>
>> </param-value>
>> </init-param>
>>
>> </filter>
>>
>> <filter-mapping>
>> <filter-name>JSecurityFilter</filter-name>
>> <url-pattern>*</url-pattern>
>> </filter-mapping>
>>
>> Does this help?
>>
>>
>> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv
>> <da...@macropro.com.mx>wrote:
>>
>>>
>>> Hi Les, i don´t use servlet and don´t configure web.xml.
>>>
>>> I have three jar:
>>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
>>> session bean (god) which exposes all his methods as webservice and my
>>> jpa
>>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>>> Persona, Rol, Tratamiento, Usuario).
>>> 2. servicios.jar with the generated web service client from wsdl in
>>> glassfish using JAX-WS and JAXB.
>>> 3. cliente.jar the swing application that consumes the webservices (here
>>> i
>>> use JSecurity).
>>>
>>> My problem is in the webservices. I don´t know how to call them using a
>>> user
>>> and password.
>>>
>>>
>>> Les Hazlewood wrote:
>>> >
>>> > Hi Daniel,
>>> >
>>> > Have you configured JSecurity via a servlet filter in web.xml? I'm
>>> just
>>> > trying to see what your runtime environment is like first before I
>>> > recommend
>>> > a solution.
>>> >
>>> > Les
>>> >
>>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
>>> > wrote:
>>> >
>>> >>
>>> >> I have implemented this class that inherited from AuthorizingRealm
>>> >>
>>> >> package presentacion;
>>> >>
>>> >> import java.util.LinkedHashSet;
>>> >> import java.util.Set;
>>> >>
>>> >> import org.jsecurity.authc.AccountException;
>>> >> import org.jsecurity.authc.AuthenticationException;
>>> >> import org.jsecurity.authc.AuthenticationInfo;
>>> >> import org.jsecurity.authc.AuthenticationToken;
>>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>>> >> import org.jsecurity.authc.UnknownAccountException;
>>> >> import org.jsecurity.authc.UsernamePasswordToken;
>>> >> import org.jsecurity.authz.AuthorizationException;
>>> >> import org.jsecurity.authz.AuthorizationInfo;
>>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>>> >> import org.jsecurity.realm.AuthorizingRealm;
>>> >> import org.jsecurity.subject.PrincipalCollection;
>>> >>
>>> >> import acciones.God;
>>> >> import acciones.Permiso;
>>> >> import acciones.Rol;
>>> >> import acciones.Usuario;
>>> >>
>>> >> public class EjbRealm extends AuthorizingRealm {
>>> >> private God servicios;
>>> >>
>>> >> public EjbRealm(God servicios) {
>>> >> this.servicios = servicios;
>>> >> }
>>> >>
>>> >> private Set<String> getRoles(Usuario u) {
>>> >> Set<String> roles = new LinkedHashSet<String>();
>>> >> for (Rol rol : u.getRoles()) {
>>> >> roles.add(rol.getNombre());
>>> >> }
>>> >> return roles;
>>> >> }
>>> >>
>>> >> private Set<String> getPermisos(Usuario u) {
>>> >> Set<String> permisos = new LinkedHashSet<String>();
>>> >> for (Rol rol : u.getRoles()) {
>>> >> for (Permiso p : rol.getPermisos()) {
>>> >> permisos.add(p.getNombre());
>>> >> }
>>> >> }
>>> >> return permisos;
>>> >> }
>>> >>
>>> >> @Override
>>> >> protected AuthorizationInfo doGetAuthorizationInfo(
>>> >> PrincipalCollection principals) {
>>> >> if (principals == null) {
>>> >> throw new AuthorizationException(
>>> >> "El parametro
>>> PrincipalCollection
>>> >> no
>>> >> puede ser null.");
>>> >> }
>>> >> String apodo = (String)
>>> >> principals.fromRealm(getName()).iterator()
>>> >> .next();
>>> >> Usuario u = servicios.consultarUsuario(apodo);
>>> >> SimpleAuthorizationInfo info = new
>>> >> SimpleAuthorizationInfo(getRoles(u));
>>> >> info.setStringPermissions(getPermisos(u));
>>> >> return info;
>>> >> }
>>> >>
>>> >> @Override
>>> >> protected AuthenticationInfo doGetAuthenticationInfo(
>>> >> AuthenticationToken token) throws
>>> >> AuthenticationException {
>>> >> UsernamePasswordToken upToken =
>>> (UsernamePasswordToken)
>>> >> token;
>>> >> String apodo = upToken.getUsername();
>>> >> if (apodo == null) {
>>> >> throw new AccountException(
>>> >> "No se permiten apodos Null en
>>> >> este
>>> >> realm.");
>>> >> }
>>> >> AuthenticationInfo info = null;
>>> >> String contrasenia =
>>> >> servicios.consultarContrasenia(apodo);
>>> >> if (contrasenia == null) {
>>> >> throw new UnknownAccountException("No se
>>> encontro
>>> >> el
>>> >> usuario ["
>>> >> + apodo + "]");
>>> >> }
>>> >> info = new SimpleAuthenticationInfo(apodo,
>>> contrasenia,
>>> >> getName());
>>> >> return info;
>>> >> }
>>> >>
>>> >> }
>>> >>
>>> >> And in my login window i have implemented in a button this code
>>> >> private GodService god = new GodService();
>>> >> protected void button_actionPerformed(ActionEvent arg0) {
>>> >> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>>> >> ejbRealm.setCredentialsMatcher(new
>>> >> Sha256CredentialsMatcher());
>>> >> DefaultSecurityManager securityManager = new
>>> >> DefaultSecurityManager(
>>> >> ejbRealm);
>>> >> UsernamePasswordToken token = new
>>> >> UsernamePasswordToken(apodoText
>>> >> .getText(),
>>> >> contraseniaText.getPassword());
>>> >> try {
>>> >> Subject user = securityManager.login(token);
>>> >> if (user.isAuthenticated()) {
>>> >> MenuForm window = new MenuForm(god);
>>> >> window.show();
>>> >> dispose();
>>> >> }
>>> >> } catch (AuthenticationException e) {
>>> >> mostrarMensaje("Usuario o contraseña
>>> >> incorrectos");
>>> >> } finally {
>>> >> securityManager.destroy();
>>> >> }
>>> >> }
>>> >>
>>> >> But now i want to know how to secure my webservice (God) using
>>> JSecurity.
>>> >> What i need to do?
>>> >>
>>> >>
>>> >> daniel_asv wrote:
>>> >> >
>>> >> > Hi, i have a webservice from a stateless session bean running in a
>>> >> > GlassFish Application Server. The webservice is consumed by a swing
>>> >> > application, i want to agregate a login to the swing application,
>>> the
>>> >> user
>>> >> > and password will be stored in a SQL Server 2005 database managed
>>> by
>>> >> JPA
>>> >> > (Hibernate).
>>> >> >
>>> >> > What i need to do for use JSecurity in my login window using the
>>> >> > webservice?
>>> >> >
>>> >>
>>> >> --
>>> >> View this message in context:
>>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>>> >>
>>> >>
>>> >
>>> >
>>>
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>>
>>>
>>
>
>
--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p724494.html
Sent from the JSecurity User mailing list archive at Nabble.com.
Re: How to use JSecurity
Posted by Les Hazlewood <le...@hazlewood.com>.
Just out of curiosity, are you using EJB3?
On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <le...@hazlewood.com> wrote:
> Ah, I see now.
>
> The default JSecurity SecurityManager implemenations are almost always
> intended to reside in the business tier, not in the client. In an EJB3
> application, this means it should reside along side of (a peer to) your
> Stateless Session Bean - in the server, not in the client gui.
>
> So, if you want to secure a web service, JSecurity has to be configured to
> handle http communication - this is done by configuring JSecurity as a
> servlet filter in web.xml, to intercept the webservice Servlet Requests that
> will eventually call the underlying EJB.
>
> See this JavaDoc for how to configure the filter:
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> So, for example, if all of your web service calls go
>
> http://your.host.ip/myapp/webservices
>
> you would configure the JSecurity filter to intercept all the
> /webservices/** urls. For example:
>
> <filter>
> <filter-name>JSecurityFilter</filter-name>
>
> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>
> <init-param>
> <param-name>config</param-name>
> <param-value>
> # The JSecurityFilter configuration is very powerful and
> flexible, while still remaining succinct.
> # Please read the comprehensive example, with full comments
> and explanations, in the JavaDoc:
> #
> #
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> [filters]
> jsecurity.loginUrl = /s/login
> authc.successUrl = /s/index
>
> [urls]
> # specify any of the above filters here, depending on the
> type of security you want:
> /webservices/**=authc
>
> </param-value>
> </init-param>
>
> </filter>
>
> <filter-mapping>
> <filter-name>JSecurityFilter</filter-name>
> <url-pattern>*</url-pattern>
> </filter-mapping>
>
> Does this help?
>
>
> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <da...@macropro.com.mx>wrote:
>
>>
>> Hi Les, i don´t use servlet and don´t configure web.xml.
>>
>> I have three jar:
>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
>> session bean (god) which exposes all his methods as webservice and my jpa
>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>> Persona, Rol, Tratamiento, Usuario).
>> 2. servicios.jar with the generated web service client from wsdl in
>> glassfish using JAX-WS and JAXB.
>> 3. cliente.jar the swing application that consumes the webservices (here i
>> use JSecurity).
>>
>> My problem is in the webservices. I don´t know how to call them using a
>> user
>> and password.
>>
>>
>> Les Hazlewood wrote:
>> >
>> > Hi Daniel,
>> >
>> > Have you configured JSecurity via a servlet filter in web.xml? I'm just
>> > trying to see what your runtime environment is like first before I
>> > recommend
>> > a solution.
>> >
>> > Les
>> >
>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
>> > wrote:
>> >
>> >>
>> >> I have implemented this class that inherited from AuthorizingRealm
>> >>
>> >> package presentacion;
>> >>
>> >> import java.util.LinkedHashSet;
>> >> import java.util.Set;
>> >>
>> >> import org.jsecurity.authc.AccountException;
>> >> import org.jsecurity.authc.AuthenticationException;
>> >> import org.jsecurity.authc.AuthenticationInfo;
>> >> import org.jsecurity.authc.AuthenticationToken;
>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> >> import org.jsecurity.authc.UnknownAccountException;
>> >> import org.jsecurity.authc.UsernamePasswordToken;
>> >> import org.jsecurity.authz.AuthorizationException;
>> >> import org.jsecurity.authz.AuthorizationInfo;
>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> >> import org.jsecurity.realm.AuthorizingRealm;
>> >> import org.jsecurity.subject.PrincipalCollection;
>> >>
>> >> import acciones.God;
>> >> import acciones.Permiso;
>> >> import acciones.Rol;
>> >> import acciones.Usuario;
>> >>
>> >> public class EjbRealm extends AuthorizingRealm {
>> >> private God servicios;
>> >>
>> >> public EjbRealm(God servicios) {
>> >> this.servicios = servicios;
>> >> }
>> >>
>> >> private Set<String> getRoles(Usuario u) {
>> >> Set<String> roles = new LinkedHashSet<String>();
>> >> for (Rol rol : u.getRoles()) {
>> >> roles.add(rol.getNombre());
>> >> }
>> >> return roles;
>> >> }
>> >>
>> >> private Set<String> getPermisos(Usuario u) {
>> >> Set<String> permisos = new LinkedHashSet<String>();
>> >> for (Rol rol : u.getRoles()) {
>> >> for (Permiso p : rol.getPermisos()) {
>> >> permisos.add(p.getNombre());
>> >> }
>> >> }
>> >> return permisos;
>> >> }
>> >>
>> >> @Override
>> >> protected AuthorizationInfo doGetAuthorizationInfo(
>> >> PrincipalCollection principals) {
>> >> if (principals == null) {
>> >> throw new AuthorizationException(
>> >> "El parametro
>> PrincipalCollection
>> >> no
>> >> puede ser null.");
>> >> }
>> >> String apodo = (String)
>> >> principals.fromRealm(getName()).iterator()
>> >> .next();
>> >> Usuario u = servicios.consultarUsuario(apodo);
>> >> SimpleAuthorizationInfo info = new
>> >> SimpleAuthorizationInfo(getRoles(u));
>> >> info.setStringPermissions(getPermisos(u));
>> >> return info;
>> >> }
>> >>
>> >> @Override
>> >> protected AuthenticationInfo doGetAuthenticationInfo(
>> >> AuthenticationToken token) throws
>> >> AuthenticationException {
>> >> UsernamePasswordToken upToken = (UsernamePasswordToken)
>> >> token;
>> >> String apodo = upToken.getUsername();
>> >> if (apodo == null) {
>> >> throw new AccountException(
>> >> "No se permiten apodos Null en
>> >> este
>> >> realm.");
>> >> }
>> >> AuthenticationInfo info = null;
>> >> String contrasenia =
>> >> servicios.consultarContrasenia(apodo);
>> >> if (contrasenia == null) {
>> >> throw new UnknownAccountException("No se
>> encontro
>> >> el
>> >> usuario ["
>> >> + apodo + "]");
>> >> }
>> >> info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> >> getName());
>> >> return info;
>> >> }
>> >>
>> >> }
>> >>
>> >> And in my login window i have implemented in a button this code
>> >> private GodService god = new GodService();
>> >> protected void button_actionPerformed(ActionEvent arg0) {
>> >> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>> >> ejbRealm.setCredentialsMatcher(new
>> >> Sha256CredentialsMatcher());
>> >> DefaultSecurityManager securityManager = new
>> >> DefaultSecurityManager(
>> >> ejbRealm);
>> >> UsernamePasswordToken token = new
>> >> UsernamePasswordToken(apodoText
>> >> .getText(),
>> >> contraseniaText.getPassword());
>> >> try {
>> >> Subject user = securityManager.login(token);
>> >> if (user.isAuthenticated()) {
>> >> MenuForm window = new MenuForm(god);
>> >> window.show();
>> >> dispose();
>> >> }
>> >> } catch (AuthenticationException e) {
>> >> mostrarMensaje("Usuario o contraseña
>> >> incorrectos");
>> >> } finally {
>> >> securityManager.destroy();
>> >> }
>> >> }
>> >>
>> >> But now i want to know how to secure my webservice (God) using
>> JSecurity.
>> >> What i need to do?
>> >>
>> >>
>> >> daniel_asv wrote:
>> >> >
>> >> > Hi, i have a webservice from a stateless session bean running in a
>> >> > GlassFish Application Server. The webservice is consumed by a swing
>> >> > application, i want to agregate a login to the swing application, the
>> >> user
>> >> > and password will be stored in a SQL Server 2005 database managed by
>> >> JPA
>> >> > (Hibernate).
>> >> >
>> >> > What i need to do for use JSecurity in my login window using the
>> >> > webservice?
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
Re: How to use JSecurity
Posted by Les Hazlewood <le...@hazlewood.com>.
P.S. You can look at the sample applications (and their source code)
distributed with the JSecurity release to see working examples of this
configuration.
On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <le...@hazlewood.com> wrote:
> Ah, I see now.
>
> The default JSecurity SecurityManager implemenations are almost always
> intended to reside in the business tier, not in the client. In an EJB3
> application, this means it should reside along side of (a peer to) your
> Stateless Session Bean - in the server, not in the client gui.
>
> So, if you want to secure a web service, JSecurity has to be configured to
> handle http communication - this is done by configuring JSecurity as a
> servlet filter in web.xml, to intercept the webservice Servlet Requests that
> will eventually call the underlying EJB.
>
> See this JavaDoc for how to configure the filter:
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> So, for example, if all of your web service calls go
>
> http://your.host.ip/myapp/webservices
>
> you would configure the JSecurity filter to intercept all the
> /webservices/** urls. For example:
>
> <filter>
> <filter-name>JSecurityFilter</filter-name>
>
> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>
> <init-param>
> <param-name>config</param-name>
> <param-value>
> # The JSecurityFilter configuration is very powerful and
> flexible, while still remaining succinct.
> # Please read the comprehensive example, with full comments
> and explanations, in the JavaDoc:
> #
> #
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> [filters]
> jsecurity.loginUrl = /s/login
> authc.successUrl = /s/index
>
> [urls]
> # specify any of the above filters here, depending on the
> type of security you want:
> /webservices/**=authc
>
> </param-value>
> </init-param>
>
> </filter>
>
> <filter-mapping>
> <filter-name>JSecurityFilter</filter-name>
> <url-pattern>*</url-pattern>
> </filter-mapping>
>
> Does this help?
>
>
> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <da...@macropro.com.mx>wrote:
>
>>
>> Hi Les, i don´t use servlet and don´t configure web.xml.
>>
>> I have three jar:
>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
>> session bean (god) which exposes all his methods as webservice and my jpa
>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>> Persona, Rol, Tratamiento, Usuario).
>> 2. servicios.jar with the generated web service client from wsdl in
>> glassfish using JAX-WS and JAXB.
>> 3. cliente.jar the swing application that consumes the webservices (here i
>> use JSecurity).
>>
>> My problem is in the webservices. I don´t know how to call them using a
>> user
>> and password.
>>
>>
>> Les Hazlewood wrote:
>> >
>> > Hi Daniel,
>> >
>> > Have you configured JSecurity via a servlet filter in web.xml? I'm just
>> > trying to see what your runtime environment is like first before I
>> > recommend
>> > a solution.
>> >
>> > Les
>> >
>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
>> > wrote:
>> >
>> >>
>> >> I have implemented this class that inherited from AuthorizingRealm
>> >>
>> >> package presentacion;
>> >>
>> >> import java.util.LinkedHashSet;
>> >> import java.util.Set;
>> >>
>> >> import org.jsecurity.authc.AccountException;
>> >> import org.jsecurity.authc.AuthenticationException;
>> >> import org.jsecurity.authc.AuthenticationInfo;
>> >> import org.jsecurity.authc.AuthenticationToken;
>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> >> import org.jsecurity.authc.UnknownAccountException;
>> >> import org.jsecurity.authc.UsernamePasswordToken;
>> >> import org.jsecurity.authz.AuthorizationException;
>> >> import org.jsecurity.authz.AuthorizationInfo;
>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> >> import org.jsecurity.realm.AuthorizingRealm;
>> >> import org.jsecurity.subject.PrincipalCollection;
>> >>
>> >> import acciones.God;
>> >> import acciones.Permiso;
>> >> import acciones.Rol;
>> >> import acciones.Usuario;
>> >>
>> >> public class EjbRealm extends AuthorizingRealm {
>> >> private God servicios;
>> >>
>> >> public EjbRealm(God servicios) {
>> >> this.servicios = servicios;
>> >> }
>> >>
>> >> private Set<String> getRoles(Usuario u) {
>> >> Set<String> roles = new LinkedHashSet<String>();
>> >> for (Rol rol : u.getRoles()) {
>> >> roles.add(rol.getNombre());
>> >> }
>> >> return roles;
>> >> }
>> >>
>> >> private Set<String> getPermisos(Usuario u) {
>> >> Set<String> permisos = new LinkedHashSet<String>();
>> >> for (Rol rol : u.getRoles()) {
>> >> for (Permiso p : rol.getPermisos()) {
>> >> permisos.add(p.getNombre());
>> >> }
>> >> }
>> >> return permisos;
>> >> }
>> >>
>> >> @Override
>> >> protected AuthorizationInfo doGetAuthorizationInfo(
>> >> PrincipalCollection principals) {
>> >> if (principals == null) {
>> >> throw new AuthorizationException(
>> >> "El parametro
>> PrincipalCollection
>> >> no
>> >> puede ser null.");
>> >> }
>> >> String apodo = (String)
>> >> principals.fromRealm(getName()).iterator()
>> >> .next();
>> >> Usuario u = servicios.consultarUsuario(apodo);
>> >> SimpleAuthorizationInfo info = new
>> >> SimpleAuthorizationInfo(getRoles(u));
>> >> info.setStringPermissions(getPermisos(u));
>> >> return info;
>> >> }
>> >>
>> >> @Override
>> >> protected AuthenticationInfo doGetAuthenticationInfo(
>> >> AuthenticationToken token) throws
>> >> AuthenticationException {
>> >> UsernamePasswordToken upToken = (UsernamePasswordToken)
>> >> token;
>> >> String apodo = upToken.getUsername();
>> >> if (apodo == null) {
>> >> throw new AccountException(
>> >> "No se permiten apodos Null en
>> >> este
>> >> realm.");
>> >> }
>> >> AuthenticationInfo info = null;
>> >> String contrasenia =
>> >> servicios.consultarContrasenia(apodo);
>> >> if (contrasenia == null) {
>> >> throw new UnknownAccountException("No se
>> encontro
>> >> el
>> >> usuario ["
>> >> + apodo + "]");
>> >> }
>> >> info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> >> getName());
>> >> return info;
>> >> }
>> >>
>> >> }
>> >>
>> >> And in my login window i have implemented in a button this code
>> >> private GodService god = new GodService();
>> >> protected void button_actionPerformed(ActionEvent arg0) {
>> >> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>> >> ejbRealm.setCredentialsMatcher(new
>> >> Sha256CredentialsMatcher());
>> >> DefaultSecurityManager securityManager = new
>> >> DefaultSecurityManager(
>> >> ejbRealm);
>> >> UsernamePasswordToken token = new
>> >> UsernamePasswordToken(apodoText
>> >> .getText(),
>> >> contraseniaText.getPassword());
>> >> try {
>> >> Subject user = securityManager.login(token);
>> >> if (user.isAuthenticated()) {
>> >> MenuForm window = new MenuForm(god);
>> >> window.show();
>> >> dispose();
>> >> }
>> >> } catch (AuthenticationException e) {
>> >> mostrarMensaje("Usuario o contraseña
>> >> incorrectos");
>> >> } finally {
>> >> securityManager.destroy();
>> >> }
>> >> }
>> >>
>> >> But now i want to know how to secure my webservice (God) using
>> JSecurity.
>> >> What i need to do?
>> >>
>> >>
>> >> daniel_asv wrote:
>> >> >
>> >> > Hi, i have a webservice from a stateless session bean running in a
>> >> > GlassFish Application Server. The webservice is consumed by a swing
>> >> > application, i want to agregate a login to the swing application, the
>> >> user
>> >> > and password will be stored in a SQL Server 2005 database managed by
>> >> JPA
>> >> > (Hibernate).
>> >> >
>> >> > What i need to do for use JSecurity in my login window using the
>> >> > webservice?
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
Re: How to use JSecurity
Posted by daniel_asv <da...@macropro.com.mx>.
Okey Les, i will check the JSecurityFilter for use it with my webservice,
thanks for your recomendations.
Les Hazlewood wrote:
>
> Ah, I see now.
>
> The default JSecurity SecurityManager implemenations are almost always
> intended to reside in the business tier, not in the client. In an EJB3
> application, this means it should reside along side of (a peer to) your
> Stateless Session Bean - in the server, not in the client gui.
>
> So, if you want to secure a web service, JSecurity has to be configured to
> handle http communication - this is done by configuring JSecurity as a
> servlet filter in web.xml, to intercept the webservice Servlet Requests
> that
> will eventually call the underlying EJB.
>
> See this JavaDoc for how to configure the filter:
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> So, for example, if all of your web service calls go
>
> http://your.host.ip/myapp/webservices
>
> you would configure the JSecurity filter to intercept all the
> /webservices/** urls. For example:
>
> <filter>
> <filter-name>JSecurityFilter</filter-name>
>
> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>
> <init-param>
> <param-name>config</param-name>
> <param-value>
> # The JSecurityFilter configuration is very powerful and
> flexible, while still remaining succinct.
> # Please read the comprehensive example, with full
> comments
> and explanations, in the JavaDoc:
> #
> #
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> [filters]
> jsecurity.loginUrl = /s/login
> authc.successUrl = /s/index
>
> [urls]
> # specify any of the above filters here, depending on the
> type of security you want:
> /webservices/**=authc
>
> </param-value>
> </init-param>
>
> </filter>
>
> <filter-mapping>
> <filter-name>JSecurityFilter</filter-name>
> <url-pattern>*</url-pattern>
> </filter-mapping>
>
> Does this help?
>
> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <da...@macropro.com.mx>
> wrote:
>
>>
>> Hi Les, i don´t use servlet and don´t configure web.xml.
>>
>> I have three jar:
>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
>> session bean (god) which exposes all his methods as webservice and my jpa
>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>> Persona, Rol, Tratamiento, Usuario).
>> 2. servicios.jar with the generated web service client from wsdl in
>> glassfish using JAX-WS and JAXB.
>> 3. cliente.jar the swing application that consumes the webservices (here
>> i
>> use JSecurity).
>>
>> My problem is in the webservices. I don´t know how to call them using a
>> user
>> and password.
>>
>>
>> Les Hazlewood wrote:
>> >
>> > Hi Daniel,
>> >
>> > Have you configured JSecurity via a servlet filter in web.xml? I'm
>> just
>> > trying to see what your runtime environment is like first before I
>> > recommend
>> > a solution.
>> >
>> > Les
>> >
>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
>> > wrote:
>> >
>> >>
>> >> I have implemented this class that inherited from AuthorizingRealm
>> >>
>> >> package presentacion;
>> >>
>> >> import java.util.LinkedHashSet;
>> >> import java.util.Set;
>> >>
>> >> import org.jsecurity.authc.AccountException;
>> >> import org.jsecurity.authc.AuthenticationException;
>> >> import org.jsecurity.authc.AuthenticationInfo;
>> >> import org.jsecurity.authc.AuthenticationToken;
>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> >> import org.jsecurity.authc.UnknownAccountException;
>> >> import org.jsecurity.authc.UsernamePasswordToken;
>> >> import org.jsecurity.authz.AuthorizationException;
>> >> import org.jsecurity.authz.AuthorizationInfo;
>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> >> import org.jsecurity.realm.AuthorizingRealm;
>> >> import org.jsecurity.subject.PrincipalCollection;
>> >>
>> >> import acciones.God;
>> >> import acciones.Permiso;
>> >> import acciones.Rol;
>> >> import acciones.Usuario;
>> >>
>> >> public class EjbRealm extends AuthorizingRealm {
>> >> private God servicios;
>> >>
>> >> public EjbRealm(God servicios) {
>> >> this.servicios = servicios;
>> >> }
>> >>
>> >> private Set<String> getRoles(Usuario u) {
>> >> Set<String> roles = new LinkedHashSet<String>();
>> >> for (Rol rol : u.getRoles()) {
>> >> roles.add(rol.getNombre());
>> >> }
>> >> return roles;
>> >> }
>> >>
>> >> private Set<String> getPermisos(Usuario u) {
>> >> Set<String> permisos = new LinkedHashSet<String>();
>> >> for (Rol rol : u.getRoles()) {
>> >> for (Permiso p : rol.getPermisos()) {
>> >> permisos.add(p.getNombre());
>> >> }
>> >> }
>> >> return permisos;
>> >> }
>> >>
>> >> @Override
>> >> protected AuthorizationInfo doGetAuthorizationInfo(
>> >> PrincipalCollection principals) {
>> >> if (principals == null) {
>> >> throw new AuthorizationException(
>> >> "El parametro
>> PrincipalCollection
>> >> no
>> >> puede ser null.");
>> >> }
>> >> String apodo = (String)
>> >> principals.fromRealm(getName()).iterator()
>> >> .next();
>> >> Usuario u = servicios.consultarUsuario(apodo);
>> >> SimpleAuthorizationInfo info = new
>> >> SimpleAuthorizationInfo(getRoles(u));
>> >> info.setStringPermissions(getPermisos(u));
>> >> return info;
>> >> }
>> >>
>> >> @Override
>> >> protected AuthenticationInfo doGetAuthenticationInfo(
>> >> AuthenticationToken token) throws
>> >> AuthenticationException {
>> >> UsernamePasswordToken upToken = (UsernamePasswordToken)
>> >> token;
>> >> String apodo = upToken.getUsername();
>> >> if (apodo == null) {
>> >> throw new AccountException(
>> >> "No se permiten apodos Null en
>> >> este
>> >> realm.");
>> >> }
>> >> AuthenticationInfo info = null;
>> >> String contrasenia =
>> >> servicios.consultarContrasenia(apodo);
>> >> if (contrasenia == null) {
>> >> throw new UnknownAccountException("No se
>> encontro
>> >> el
>> >> usuario ["
>> >> + apodo + "]");
>> >> }
>> >> info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> >> getName());
>> >> return info;
>> >> }
>> >>
>> >> }
>> >>
>> >> And in my login window i have implemented in a button this code
>> >> private GodService god = new GodService();
>> >> protected void button_actionPerformed(ActionEvent arg0) {
>> >> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>> >> ejbRealm.setCredentialsMatcher(new
>> >> Sha256CredentialsMatcher());
>> >> DefaultSecurityManager securityManager = new
>> >> DefaultSecurityManager(
>> >> ejbRealm);
>> >> UsernamePasswordToken token = new
>> >> UsernamePasswordToken(apodoText
>> >> .getText(),
>> >> contraseniaText.getPassword());
>> >> try {
>> >> Subject user = securityManager.login(token);
>> >> if (user.isAuthenticated()) {
>> >> MenuForm window = new MenuForm(god);
>> >> window.show();
>> >> dispose();
>> >> }
>> >> } catch (AuthenticationException e) {
>> >> mostrarMensaje("Usuario o contraseña
>> >> incorrectos");
>> >> } finally {
>> >> securityManager.destroy();
>> >> }
>> >> }
>> >>
>> >> But now i want to know how to secure my webservice (God) using
>> JSecurity.
>> >> What i need to do?
>> >>
>> >>
>> >> daniel_asv wrote:
>> >> >
>> >> > Hi, i have a webservice from a stateless session bean running in a
>> >> > GlassFish Application Server. The webservice is consumed by a swing
>> >> > application, i want to agregate a login to the swing application,
>> the
>> >> user
>> >> > and password will be stored in a SQL Server 2005 database managed by
>> >> JPA
>> >> > (Hibernate).
>> >> >
>> >> > What i need to do for use JSecurity in my login window using the
>> >> > webservice?
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
>
--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p724471.html
Sent from the JSecurity User mailing list archive at Nabble.com.
Re: How to use JSecurity
Posted by Les Hazlewood <le...@hazlewood.com>.
Ah, I see now.
The default JSecurity SecurityManager implemenations are almost always
intended to reside in the business tier, not in the client. In an EJB3
application, this means it should reside along side of (a peer to) your
Stateless Session Bean - in the server, not in the client gui.
So, if you want to secure a web service, JSecurity has to be configured to
handle http communication - this is done by configuring JSecurity as a
servlet filter in web.xml, to intercept the webservice Servlet Requests that
will eventually call the underlying EJB.
See this JavaDoc for how to configure the filter:
http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
So, for example, if all of your web service calls go
http://your.host.ip/myapp/webservices
you would configure the JSecurity filter to intercept all the
/webservices/** urls. For example:
<filter>
<filter-name>JSecurityFilter</filter-name>
<filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
<init-param>
<param-name>config</param-name>
<param-value>
# The JSecurityFilter configuration is very powerful and
flexible, while still remaining succinct.
# Please read the comprehensive example, with full comments
and explanations, in the JavaDoc:
#
#
http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
[filters]
jsecurity.loginUrl = /s/login
authc.successUrl = /s/index
[urls]
# specify any of the above filters here, depending on the
type of security you want:
/webservices/**=authc
</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>JSecurityFilter</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
Does this help?
On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <da...@macropro.com.mx> wrote:
>
> Hi Les, i don´t use servlet and don´t configure web.xml.
>
> I have three jar:
> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
> session bean (god) which exposes all his methods as webservice and my jpa
> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
> Persona, Rol, Tratamiento, Usuario).
> 2. servicios.jar with the generated web service client from wsdl in
> glassfish using JAX-WS and JAXB.
> 3. cliente.jar the swing application that consumes the webservices (here i
> use JSecurity).
>
> My problem is in the webservices. I don´t know how to call them using a
> user
> and password.
>
>
> Les Hazlewood wrote:
> >
> > Hi Daniel,
> >
> > Have you configured JSecurity via a servlet filter in web.xml? I'm just
> > trying to see what your runtime environment is like first before I
> > recommend
> > a solution.
> >
> > Les
> >
> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
> > wrote:
> >
> >>
> >> I have implemented this class that inherited from AuthorizingRealm
> >>
> >> package presentacion;
> >>
> >> import java.util.LinkedHashSet;
> >> import java.util.Set;
> >>
> >> import org.jsecurity.authc.AccountException;
> >> import org.jsecurity.authc.AuthenticationException;
> >> import org.jsecurity.authc.AuthenticationInfo;
> >> import org.jsecurity.authc.AuthenticationToken;
> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
> >> import org.jsecurity.authc.UnknownAccountException;
> >> import org.jsecurity.authc.UsernamePasswordToken;
> >> import org.jsecurity.authz.AuthorizationException;
> >> import org.jsecurity.authz.AuthorizationInfo;
> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
> >> import org.jsecurity.realm.AuthorizingRealm;
> >> import org.jsecurity.subject.PrincipalCollection;
> >>
> >> import acciones.God;
> >> import acciones.Permiso;
> >> import acciones.Rol;
> >> import acciones.Usuario;
> >>
> >> public class EjbRealm extends AuthorizingRealm {
> >> private God servicios;
> >>
> >> public EjbRealm(God servicios) {
> >> this.servicios = servicios;
> >> }
> >>
> >> private Set<String> getRoles(Usuario u) {
> >> Set<String> roles = new LinkedHashSet<String>();
> >> for (Rol rol : u.getRoles()) {
> >> roles.add(rol.getNombre());
> >> }
> >> return roles;
> >> }
> >>
> >> private Set<String> getPermisos(Usuario u) {
> >> Set<String> permisos = new LinkedHashSet<String>();
> >> for (Rol rol : u.getRoles()) {
> >> for (Permiso p : rol.getPermisos()) {
> >> permisos.add(p.getNombre());
> >> }
> >> }
> >> return permisos;
> >> }
> >>
> >> @Override
> >> protected AuthorizationInfo doGetAuthorizationInfo(
> >> PrincipalCollection principals) {
> >> if (principals == null) {
> >> throw new AuthorizationException(
> >> "El parametro PrincipalCollection
> >> no
> >> puede ser null.");
> >> }
> >> String apodo = (String)
> >> principals.fromRealm(getName()).iterator()
> >> .next();
> >> Usuario u = servicios.consultarUsuario(apodo);
> >> SimpleAuthorizationInfo info = new
> >> SimpleAuthorizationInfo(getRoles(u));
> >> info.setStringPermissions(getPermisos(u));
> >> return info;
> >> }
> >>
> >> @Override
> >> protected AuthenticationInfo doGetAuthenticationInfo(
> >> AuthenticationToken token) throws
> >> AuthenticationException {
> >> UsernamePasswordToken upToken = (UsernamePasswordToken)
> >> token;
> >> String apodo = upToken.getUsername();
> >> if (apodo == null) {
> >> throw new AccountException(
> >> "No se permiten apodos Null en
> >> este
> >> realm.");
> >> }
> >> AuthenticationInfo info = null;
> >> String contrasenia =
> >> servicios.consultarContrasenia(apodo);
> >> if (contrasenia == null) {
> >> throw new UnknownAccountException("No se encontro
> >> el
> >> usuario ["
> >> + apodo + "]");
> >> }
> >> info = new SimpleAuthenticationInfo(apodo, contrasenia,
> >> getName());
> >> return info;
> >> }
> >>
> >> }
> >>
> >> And in my login window i have implemented in a button this code
> >> private GodService god = new GodService();
> >> protected void button_actionPerformed(ActionEvent arg0) {
> >> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
> >> ejbRealm.setCredentialsMatcher(new
> >> Sha256CredentialsMatcher());
> >> DefaultSecurityManager securityManager = new
> >> DefaultSecurityManager(
> >> ejbRealm);
> >> UsernamePasswordToken token = new
> >> UsernamePasswordToken(apodoText
> >> .getText(),
> >> contraseniaText.getPassword());
> >> try {
> >> Subject user = securityManager.login(token);
> >> if (user.isAuthenticated()) {
> >> MenuForm window = new MenuForm(god);
> >> window.show();
> >> dispose();
> >> }
> >> } catch (AuthenticationException e) {
> >> mostrarMensaje("Usuario o contraseña
> >> incorrectos");
> >> } finally {
> >> securityManager.destroy();
> >> }
> >> }
> >>
> >> But now i want to know how to secure my webservice (God) using
> JSecurity.
> >> What i need to do?
> >>
> >>
> >> daniel_asv wrote:
> >> >
> >> > Hi, i have a webservice from a stateless session bean running in a
> >> > GlassFish Application Server. The webservice is consumed by a swing
> >> > application, i want to agregate a login to the swing application, the
> >> user
> >> > and password will be stored in a SQL Server 2005 database managed by
> >> JPA
> >> > (Hibernate).
> >> >
> >> > What i need to do for use JSecurity in my login window using the
> >> > webservice?
> >> >
> >>
> >> --
> >> View this message in context:
> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
> >> Sent from the JSecurity User mailing list archive at Nabble.com.
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
Re: How to use JSecurity
Posted by daniel_asv <da...@macropro.com.mx>.
Hi Les, i don´t use servlet and don´t configure web.xml.
I have three jar:
1. servidor.jar an ejb deployed in glassfish, this contain my stateless
session bean (god) which exposes all his methods as webservice and my jpa
entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
Persona, Rol, Tratamiento, Usuario).
2. servicios.jar with the generated web service client from wsdl in
glassfish using JAX-WS and JAXB.
3. cliente.jar the swing application that consumes the webservices (here i
use JSecurity).
My problem is in the webservices. I don´t know how to call them using a user
and password.
Les Hazlewood wrote:
>
> Hi Daniel,
>
> Have you configured JSecurity via a servlet filter in web.xml? I'm just
> trying to see what your runtime environment is like first before I
> recommend
> a solution.
>
> Les
>
> On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx>
> wrote:
>
>>
>> I have implemented this class that inherited from AuthorizingRealm
>>
>> package presentacion;
>>
>> import java.util.LinkedHashSet;
>> import java.util.Set;
>>
>> import org.jsecurity.authc.AccountException;
>> import org.jsecurity.authc.AuthenticationException;
>> import org.jsecurity.authc.AuthenticationInfo;
>> import org.jsecurity.authc.AuthenticationToken;
>> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> import org.jsecurity.authc.UnknownAccountException;
>> import org.jsecurity.authc.UsernamePasswordToken;
>> import org.jsecurity.authz.AuthorizationException;
>> import org.jsecurity.authz.AuthorizationInfo;
>> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> import org.jsecurity.realm.AuthorizingRealm;
>> import org.jsecurity.subject.PrincipalCollection;
>>
>> import acciones.God;
>> import acciones.Permiso;
>> import acciones.Rol;
>> import acciones.Usuario;
>>
>> public class EjbRealm extends AuthorizingRealm {
>> private God servicios;
>>
>> public EjbRealm(God servicios) {
>> this.servicios = servicios;
>> }
>>
>> private Set<String> getRoles(Usuario u) {
>> Set<String> roles = new LinkedHashSet<String>();
>> for (Rol rol : u.getRoles()) {
>> roles.add(rol.getNombre());
>> }
>> return roles;
>> }
>>
>> private Set<String> getPermisos(Usuario u) {
>> Set<String> permisos = new LinkedHashSet<String>();
>> for (Rol rol : u.getRoles()) {
>> for (Permiso p : rol.getPermisos()) {
>> permisos.add(p.getNombre());
>> }
>> }
>> return permisos;
>> }
>>
>> @Override
>> protected AuthorizationInfo doGetAuthorizationInfo(
>> PrincipalCollection principals) {
>> if (principals == null) {
>> throw new AuthorizationException(
>> "El parametro PrincipalCollection
>> no
>> puede ser null.");
>> }
>> String apodo = (String)
>> principals.fromRealm(getName()).iterator()
>> .next();
>> Usuario u = servicios.consultarUsuario(apodo);
>> SimpleAuthorizationInfo info = new
>> SimpleAuthorizationInfo(getRoles(u));
>> info.setStringPermissions(getPermisos(u));
>> return info;
>> }
>>
>> @Override
>> protected AuthenticationInfo doGetAuthenticationInfo(
>> AuthenticationToken token) throws
>> AuthenticationException {
>> UsernamePasswordToken upToken = (UsernamePasswordToken)
>> token;
>> String apodo = upToken.getUsername();
>> if (apodo == null) {
>> throw new AccountException(
>> "No se permiten apodos Null en
>> este
>> realm.");
>> }
>> AuthenticationInfo info = null;
>> String contrasenia =
>> servicios.consultarContrasenia(apodo);
>> if (contrasenia == null) {
>> throw new UnknownAccountException("No se encontro
>> el
>> usuario ["
>> + apodo + "]");
>> }
>> info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> getName());
>> return info;
>> }
>>
>> }
>>
>> And in my login window i have implemented in a button this code
>> private GodService god = new GodService();
>> protected void button_actionPerformed(ActionEvent arg0) {
>> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>> ejbRealm.setCredentialsMatcher(new
>> Sha256CredentialsMatcher());
>> DefaultSecurityManager securityManager = new
>> DefaultSecurityManager(
>> ejbRealm);
>> UsernamePasswordToken token = new
>> UsernamePasswordToken(apodoText
>> .getText(),
>> contraseniaText.getPassword());
>> try {
>> Subject user = securityManager.login(token);
>> if (user.isAuthenticated()) {
>> MenuForm window = new MenuForm(god);
>> window.show();
>> dispose();
>> }
>> } catch (AuthenticationException e) {
>> mostrarMensaje("Usuario o contraseña
>> incorrectos");
>> } finally {
>> securityManager.destroy();
>> }
>> }
>>
>> But now i want to know how to secure my webservice (God) using JSecurity.
>> What i need to do?
>>
>>
>> daniel_asv wrote:
>> >
>> > Hi, i have a webservice from a stateless session bean running in a
>> > GlassFish Application Server. The webservice is consumed by a swing
>> > application, i want to agregate a login to the swing application, the
>> user
>> > and password will be stored in a SQL Server 2005 database managed by
>> JPA
>> > (Hibernate).
>> >
>> > What i need to do for use JSecurity in my login window using the
>> > webservice?
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
>
--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
Sent from the JSecurity User mailing list archive at Nabble.com.
Re: How to use JSecurity
Posted by Les Hazlewood <le...@hazlewood.com>.
Hi Daniel,
Have you configured JSecurity via a servlet filter in web.xml? I'm just
trying to see what your runtime environment is like first before I recommend
a solution.
Les
On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <da...@macropro.com.mx> wrote:
>
> I have implemented this class that inherited from AuthorizingRealm
>
> package presentacion;
>
> import java.util.LinkedHashSet;
> import java.util.Set;
>
> import org.jsecurity.authc.AccountException;
> import org.jsecurity.authc.AuthenticationException;
> import org.jsecurity.authc.AuthenticationInfo;
> import org.jsecurity.authc.AuthenticationToken;
> import org.jsecurity.authc.SimpleAuthenticationInfo;
> import org.jsecurity.authc.UnknownAccountException;
> import org.jsecurity.authc.UsernamePasswordToken;
> import org.jsecurity.authz.AuthorizationException;
> import org.jsecurity.authz.AuthorizationInfo;
> import org.jsecurity.authz.SimpleAuthorizationInfo;
> import org.jsecurity.realm.AuthorizingRealm;
> import org.jsecurity.subject.PrincipalCollection;
>
> import acciones.God;
> import acciones.Permiso;
> import acciones.Rol;
> import acciones.Usuario;
>
> public class EjbRealm extends AuthorizingRealm {
> private God servicios;
>
> public EjbRealm(God servicios) {
> this.servicios = servicios;
> }
>
> private Set<String> getRoles(Usuario u) {
> Set<String> roles = new LinkedHashSet<String>();
> for (Rol rol : u.getRoles()) {
> roles.add(rol.getNombre());
> }
> return roles;
> }
>
> private Set<String> getPermisos(Usuario u) {
> Set<String> permisos = new LinkedHashSet<String>();
> for (Rol rol : u.getRoles()) {
> for (Permiso p : rol.getPermisos()) {
> permisos.add(p.getNombre());
> }
> }
> return permisos;
> }
>
> @Override
> protected AuthorizationInfo doGetAuthorizationInfo(
> PrincipalCollection principals) {
> if (principals == null) {
> throw new AuthorizationException(
> "El parametro PrincipalCollection no
> puede ser null.");
> }
> String apodo = (String)
> principals.fromRealm(getName()).iterator()
> .next();
> Usuario u = servicios.consultarUsuario(apodo);
> SimpleAuthorizationInfo info = new
> SimpleAuthorizationInfo(getRoles(u));
> info.setStringPermissions(getPermisos(u));
> return info;
> }
>
> @Override
> protected AuthenticationInfo doGetAuthenticationInfo(
> AuthenticationToken token) throws
> AuthenticationException {
> UsernamePasswordToken upToken = (UsernamePasswordToken)
> token;
> String apodo = upToken.getUsername();
> if (apodo == null) {
> throw new AccountException(
> "No se permiten apodos Null en este
> realm.");
> }
> AuthenticationInfo info = null;
> String contrasenia = servicios.consultarContrasenia(apodo);
> if (contrasenia == null) {
> throw new UnknownAccountException("No se encontro el
> usuario ["
> + apodo + "]");
> }
> info = new SimpleAuthenticationInfo(apodo, contrasenia,
> getName());
> return info;
> }
>
> }
>
> And in my login window i have implemented in a button this code
> private GodService god = new GodService();
> protected void button_actionPerformed(ActionEvent arg0) {
> EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
> ejbRealm.setCredentialsMatcher(new
> Sha256CredentialsMatcher());
> DefaultSecurityManager securityManager = new
> DefaultSecurityManager(
> ejbRealm);
> UsernamePasswordToken token = new
> UsernamePasswordToken(apodoText
> .getText(), contraseniaText.getPassword());
> try {
> Subject user = securityManager.login(token);
> if (user.isAuthenticated()) {
> MenuForm window = new MenuForm(god);
> window.show();
> dispose();
> }
> } catch (AuthenticationException e) {
> mostrarMensaje("Usuario o contraseña incorrectos");
> } finally {
> securityManager.destroy();
> }
> }
>
> But now i want to know how to secure my webservice (God) using JSecurity.
> What i need to do?
>
>
> daniel_asv wrote:
> >
> > Hi, i have a webservice from a stateless session bean running in a
> > GlassFish Application Server. The webservice is consumed by a swing
> > application, i want to agregate a login to the swing application, the
> user
> > and password will be stored in a SQL Server 2005 database managed by JPA
> > (Hibernate).
> >
> > What i need to do for use JSecurity in my login window using the
> > webservice?
> >
>
> --
> View this message in context:
> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
Re: How to use JSecurity
Posted by daniel_asv <da...@macropro.com.mx>.
I have implemented this class that inherited from AuthorizingRealm
package presentacion;
import java.util.LinkedHashSet;
import java.util.Set;
import org.jsecurity.authc.AccountException;
import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.AuthenticationInfo;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.SimpleAuthenticationInfo;
import org.jsecurity.authc.UnknownAccountException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.AuthorizationException;
import org.jsecurity.authz.AuthorizationInfo;
import org.jsecurity.authz.SimpleAuthorizationInfo;
import org.jsecurity.realm.AuthorizingRealm;
import org.jsecurity.subject.PrincipalCollection;
import acciones.God;
import acciones.Permiso;
import acciones.Rol;
import acciones.Usuario;
public class EjbRealm extends AuthorizingRealm {
private God servicios;
public EjbRealm(God servicios) {
this.servicios = servicios;
}
private Set<String> getRoles(Usuario u) {
Set<String> roles = new LinkedHashSet<String>();
for (Rol rol : u.getRoles()) {
roles.add(rol.getNombre());
}
return roles;
}
private Set<String> getPermisos(Usuario u) {
Set<String> permisos = new LinkedHashSet<String>();
for (Rol rol : u.getRoles()) {
for (Permiso p : rol.getPermisos()) {
permisos.add(p.getNombre());
}
}
return permisos;
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
if (principals == null) {
throw new AuthorizationException(
"El parametro PrincipalCollection no puede ser null.");
}
String apodo = (String) principals.fromRealm(getName()).iterator()
.next();
Usuario u = servicios.consultarUsuario(apodo);
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(getRoles(u));
info.setStringPermissions(getPermisos(u));
return info;
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken upToken = (UsernamePasswordToken) token;
String apodo = upToken.getUsername();
if (apodo == null) {
throw new AccountException(
"No se permiten apodos Null en este realm.");
}
AuthenticationInfo info = null;
String contrasenia = servicios.consultarContrasenia(apodo);
if (contrasenia == null) {
throw new UnknownAccountException("No se encontro el usuario ["
+ apodo + "]");
}
info = new SimpleAuthenticationInfo(apodo, contrasenia, getName());
return info;
}
}
And in my login window i have implemented in a button this code
private GodService god = new GodService();
protected void button_actionPerformed(ActionEvent arg0) {
EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
ejbRealm.setCredentialsMatcher(new Sha256CredentialsMatcher());
DefaultSecurityManager securityManager = new DefaultSecurityManager(
ejbRealm);
UsernamePasswordToken token = new UsernamePasswordToken(apodoText
.getText(), contraseniaText.getPassword());
try {
Subject user = securityManager.login(token);
if (user.isAuthenticated()) {
MenuForm window = new MenuForm(god);
window.show();
dispose();
}
} catch (AuthenticationException e) {
mostrarMensaje("Usuario o contraseña incorrectos");
} finally {
securityManager.destroy();
}
}
But now i want to know how to secure my webservice (God) using JSecurity.
What i need to do?
daniel_asv wrote:
>
> Hi, i have a webservice from a stateless session bean running in a
> GlassFish Application Server. The webservice is consumed by a swing
> application, i want to agregate a login to the swing application, the user
> and password will be stored in a SQL Server 2005 database managed by JPA
> (Hibernate).
>
> What i need to do for use JSecurity in my login window using the
> webservice?
>
--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
Sent from the JSecurity User mailing list archive at Nabble.com.