Posted to users@tomcat.apache.org by Chapoor Chapoor <ch...@gmail.com> on 2006/04/18 17:02:46 UTC

CMS and JAAS

Hi,

I'm stuck on a security authentication/authorization issue, which I hope
you have some advice on.

In simple words, I want to use the Web container security (for
authorization) together with my own JAAS implementation (for
authentication).

How to achieve this?

I don't want to use the BASIC, FORM, CLIENT-CERT etc. auth-methods. I want to
bypass these and hit my JAAS login module.
The reason is that we collect user information in a different way, by an
exchange with the user in a front filter.

I can't get this to work, even though I have configured my login module,
user and role, and configured the JAASRealm in Tomcat.

This is how I want to do it (in theory).
1. User enters a URL (e.g. /mycontext/cars/),
2. The SecFilter gets triggered, which ends by exchanging user information,
3. The MyLoginModule gets called with user information
4. User is looked up and gets assigned User/Role Principals.
5. Login is OK
6. Now the web container security can take place and checks in web.xml if
this user is-in-role to call the /cars URL.

I've searched the entire web but could not see any good article about this.
Am I the only one who wants to bypass the auth-methods but still
provide good authentication and "standard" web-authorization?

(I've seen some work-arounds such as:
http://www.kopz.org/public/documents/tomcat/jaasintomcat.html but this is a
work-around, which I don't like).



Please advise,


Thank you for reading, and sorry for the long email.
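
An added example, not code from this thread, of the LoginModule side of steps 3 to 5 written the way Tomcat's JAASRealm expects it. MyUserPrincipal, MyRolePrincipal, the appName "myapp" and the sample user store are assumptions; the filter-to-container handoff the question asks about is not shown, because the thread does not settle it.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical principal classes; JAASRealm picks the user and roles out of the Subject only if server.xml names them:
// <Realm className="org.apache.catalina.realm.JAASRealm" appName="myapp"
//        userClassNames="MyUserPrincipal" roleClassNames="MyRolePrincipal"/>
final class MyUserPrincipal implements Principal {
    private final String name;
    MyUserPrincipal(String n) { name = n; }
    public String getName() { return name; }
}
final class MyRolePrincipal implements Principal {
    private final String name;
    MyRolePrincipal(String n) { name = n; }
    public String getName() { return name; }
}
public class MyLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private String user; private String[] roles;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    // Steps 3-4: receive the identity the front filter collected and look the user up.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        roles = lookupRoles(nc.getName(), pc.getPassword());
        pc.clearPassword();  // do not keep the secret around after the check
        if (roles == null) throw new LoginException("unknown user or bad credentials");
        user = nc.getName(); return true;
    }
    // Step 5: the principals become visible to the realm only once commit() has run.
    public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new MyUserPrincipal(user));
        for (String r : roles) subject.getPrincipals().add(new MyRolePrincipal(r));
        return true;
    }
    public boolean abort() { user = null; roles = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); user = null; roles = null; return true; }
    // Constructed stand-in for the real user store: roles for a valid login, null otherwise.
    private static String[] lookupRoles(String name, char[] pw) {
        return ("alice".equals(name) && pw != null && "secret".equals(new String(pw))) ? new String[] { "driver" } : null;
    }
}
```

Without the userClassNames/roleClassNames attributes on the Realm, login() can succeed while getRemoteUser() stays null and isUserInRole() stays false, which matches the "configured but not working" symptom above.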

Re: CMS and JAAS

Posted by Chapoor Chapoor <ch...@gmail.com>.
Thanks guys,

I want to do my own authentication (in this case using JAAS) because the
available ones are not sufficient. The requirements are so, and I can't go
deep into those.

So the basic, form, client-cert are not OK to use for authentication.
That is why I do my own servlet/filter that will call the login context
"myapp" which uses JAAS.

After this I want to notify the container so that it can in some way recognize
that there is a user (in getRemoteUser, isUserInRole, etc.). In this case I
will be able to use the authorization provided by the container. Not only
on the web level, but later I could also use the roles down in the EJB container.

I want to keep declarative security as much as possible.

Thank you



RE: CMS and JAAS

Posted by Tim Lucia <ti...@yahoo.com>.
Why do you wish to do this?  Perhaps elaborating on the "exchange with the
user in a front filter" bit will get you a more satisfactory answer?

Tim



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: CMS and JAAS

Posted by Chapoor Chapoor <ch...@gmail.com>.
Thanks Rolf, but it is not what I'm looking for.
The major difference in my structure is that I want to do authentication
manually (like from a servlet/filter calling JAAS; I don't want to use basic,
form, cert methods) and in some way notify the container with credentials
(so the authorization can be taken over by the server).

Thank you




Re: CMS and JAAS

Posted by ma...@august.de.
The JSPWiki team has done something in the same direction.
I tested the deployment of Andrew's implementation and collected a checklist.
It's not exactly what you are asking for, but it could help to inspire you
where to look for errors.

http://wiki.jcrud.org/jcrud/Wiki.jsp?page=ChecklistForContainerManagedAuthentication

(AAA stands for "Authentication And Authorization")

Have fun

Rolf



Re: CMS and JAAS

Posted by Chapoor Chapoor <ch...@gmail.com>.
It is strange that it is so quiet about this issue.
I can't be the only one who is affected; many projects must have come
across this.

Thank you

