Posted to users@tomcat.apache.org by Liyi Meng <me...@gmail.com> on 2008/04/01 14:21:59 UTC

JAAS authentication goes OK, but 403 occurs on requesting resources

Hi all,

I am trying JAAS in Tomcat, but have hit a really frustrating problem
right now. When logging in, authentication goes OK, but when requesting a
resource, I always get 403 access denied!

I tried printing out httprequest.getRemoteUser in the servlet, and the username
is correct there; however, httprequest.isUserInRoles() always returns
false :(

I am wondering if I have done something wrong in storing the Roles.

Below is the code showing how I populate the User and Role and then save them in the Subject:
// commit() of the custom javax.security.auth.spi.LoginModule. The rest of the
// module (initialize/login/abort/logout) and its fields (subject, username,
// succeeded, commitSucceeded, debug, principals) are not shown in the post.
// Needed imports:
//   import java.security.Principal;
//   import java.util.Iterator;
//   import java.util.Set;
//   import javax.security.auth.login.LoginException;
public boolean commit() throws LoginException
{
    if (succeeded == false)
    {
        // login() did not succeed, so there is nothing to commit
        return false;
    } else
    {
        // add a Principal (authenticated identity) and a role Principal
        // to the Subject
        principals = new Principal[2];
        principals[0] = new WebUser(username);
        principals[1] = new WebRole("manager");

        for (int i = 0; i < principals.length; i++)
        {
            if (!subject.getPrincipals().contains(principals[i]))
                subject.getPrincipals().add(principals[i]);
        }
        if (debug)
        {
            // dump every Principal the Subject now holds
            Set<Principal> all = subject.getPrincipals();
            Iterator<Principal> i = all.iterator();
            while (i.hasNext())
            {
                System.out.println(i.next().toString());
            }
        }

        commitSucceeded = true;
        return true;
    }
}
The debug output shows that both the user and the role are stored in the Subject. But why
does Tomcat not recognize the role?!
If you have ever seen this kind of problem, please help! I'd greatly appreciate it!

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: JAAS authentication goes OK, but 403 occurs on requesting resources

Posted by Liyi Meng <me...@gmail.com>.
Hi Chuck,

Thanks for your reply. Here is the security-related part of my web.xml:

<security-constraint>
  <display-name>Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/auth/login2.jsp</form-login-page>
    <form-error-page>/auth/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>manager</role-name>
</security-role>

The security role is in there, I believe, but I run Tomcat in embedded
mode and start the JAASRealm like this:

// needs: import org.apache.catalina.realm.JAASRealm;
JAASRealm jaasRealm = new JAASRealm();
this.embedded.setRealm(jaasRealm);
// Principal class treated as the user, and Principal class treated as a role
jaasRealm.setUserClassNames("web.security.realm.WebUser");
jaasRealm.setRoleClassNames("web.security.realm.WebRole");

// Start the embedded server
this.embedded.start();
running = true;

I don't know if there is a problem in my Java code.

BR/Liyi


On Apr 2, 2008, at 12:34 AM, Caldarale, Charles R wrote:

>> From: Liyi Meng [mailto:meng.liyi@gmail.com]
>> Subject: JAAS authentication goes OK, but 403 occurs on
>> requesting resources
>
>> When login, authentication goes OK, but when requesting
>> a resource, I always get 403 access denied!
>
> What's in the <security-constraint>, <login-config>, and <security-role>
> sections of the web.xml for your webapp?  Have you left out the
> <security-role> element, by any chance?
>
>> Below is the code how I populate User and Role then save in Subject
>
> Your code is very similar to mine, which does work, so I don't think the
> problem's there.
>
>  - Chuck

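A complete LoginModule that fits the JAASRealm settings and web.xml shown in this thread (userClassNames web.security.realm.WebUser, roleClassNames web.security.realm.WebRole, role "manager"), as an added example written for this page and not Liyi's actual module. The module name SimpleLoginModule is hypothetical, the credential table is constructed in-memory demo data standing in for a real user store, and the example assumes a JAAS login configuration entry named Catalina (JAASRealm's default appName), in the file named by -Djava.security.auth.login.config, of the form `Catalina { web.security.realm.SimpleLoginModule required; };`. Two checks worth making against any module of this shape: JAASRealm resolves the names handed to setUserClassNames/setRoleClassNames with Class.forName from its own class loader and logs an error and drops any name it cannot load or that does not implement java.security.Principal, so the Principal classes must be visible to Tomcat, not only to the webapp; and the role the container sees is exactly the string returned by getName() on the role Principal, compared case-sensitively against the <role-name> in web.xml.

```java
package web.security.realm;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* Name-only Principal with value equality, so Subject.getPrincipals() (a Set) holds
 * at most one WebRole("manager"). JAASRealm reads the user/role name from getName(). */
abstract class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) {
        if (name == null || name.isEmpty()) throw new IllegalArgumentException("empty name");
        this.name = name;
    }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
    }
    @Override public int hashCode() { return 31 * getClass().getName().hashCode() + name.hashCode(); }
}

/* Class named in JAASRealm.setUserClassNames(...). */
class WebUser extends NamedPrincipal { WebUser(String n) { super(n); } }

/* Class named in JAASRealm.setRoleClassNames(...); getName() must equal the web.xml
 * <role-name> ("manager") exactly, case included. */
class WebRole extends NamedPrincipal { WebRole(String n) { super(n); } }

/* Hypothetical module name; the thread never shows the poster's own LoginModule class. */
public class SimpleLoginModule implements LoginModule {
    /* Constructed demo credential table: username -> { password, role... }. A real
     * module would consult a directory or database and compare password hashes. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("alice", new String[] { "correct horse battery staple", "manager" }); }

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private String[] roles;
    private boolean succeeded, committed;
    private final Set<Principal> added = new HashSet<Principal>(); // what we put into the Subject

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /* Phase 1: authenticate. JAASRealm's callback handler answers these two callbacks
     * with the j_username / j_password values posted by the login form. */
    @Override public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (Exception e) {
            throw new LoginException("callback handling failed: " + e.getMessage());
        }
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        String[] record = USERS.get(nameCb.getName());
        // constant-time compare; same failure message whether the user or the password is wrong
        boolean ok = record != null && pw != null && MessageDigest.isEqual(
                record[0].getBytes(StandardCharsets.UTF_8),
                new String(pw).getBytes(StandardCharsets.UTF_8));
        if (pw != null) Arrays.fill(pw, '\0');
        if (!ok) throw new FailedLoginException("bad username or password");
        username = nameCb.getName();
        roles = Arrays.copyOfRange(record, 1, record.length);
        succeeded = true;
        return true;
    }

    /* Phase 2: publish identity. One WebUser plus one WebRole per role; JAASRealm wraps
     * them in its GenericPrincipal, which is what request.isUserInRole() consults. */
    @Override public boolean commit() throws LoginException {
        if (!succeeded) return false;
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
        added.add(new WebUser(username));
        for (String r : roles) added.add(new WebRole(r));
        subject.getPrincipals().addAll(added);
        committed = true;
        return true;
    }

    @Override public boolean abort() throws LoginException {
        if (!succeeded) return false;
        if (committed) logout(); else clear();   // undo whatever commit() published
        return true;
    }

    @Override public boolean logout() throws LoginException {
        if (!subject.isReadOnly()) subject.getPrincipals().removeAll(added);
        clear();
        return true;
    }

    private void clear() {
        username = null; roles = null; succeeded = false; committed = false; added.clear();
    }
}
```

The module keeps its own record of what it added to the Subject so that logout() and abort() remove exactly those Principals and nothing another module contributed; the value-based equals/hashCode on the Principal classes is what makes the Subject's Set deduplicate a second commit of the same role instead of accumulating copies.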

RE: JAAS authentication goes OK, but 403 occurs on requesting resources

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Liyi Meng [mailto:meng.liyi@gmail.com] 
> Subject: JAAS authentication goes OK, but 403 occurs on 
> requesting resources

> When login, authentication goes OK, but when requesting
> a resource, I always get 403 access denied!

What's in the <security-constraint>, <login-config>, and <security-role>
sections of the web.xml for your webapp?  Have you left out the
<security-role> element, by any chance?

> Below is the code how I populate User and Role then save in Subject

Your code is very similar to mine, which does work, so I don't think the
problem's there.

 - Chuck
