JAAS programmatically

 
Greenhorn
Posts: 20
Hi All,

I am facing a problem applying JAAS on top of my Oracle AS, or even the embedded OC4J. The problem is that I need to make the login process happen programmatically, not only when a user requests a J2EE resource and is forwarded to the login form. How could I, after executing the login and getting the user Subject, set it on the session or any scope so that the container sees this user as authenticated? Any help is appreciated.

Thanks.
 
Rancher
Posts: 43081
Welcome to JavaRanch.

What kind of client is this? How is it accessing the server?
 
Rami Hailat
Greenhorn
Posts: 20
The client is a browser (thin), and I am using form-based authentication.
 
Ulf Dittmer
Rancher
Posts: 43081
That's tricky, since JAAS and the Servlet API were never fully integrated; you may have to use vendor-specific extensions. See this article for a description of the difficulties.
 
Rami Hailat
Greenhorn
Posts: 20
I am using Oracle Application Server and I noticed that it adds an attribute to the session with the key "jaas.subject" and an object of the user Subject.

I do the programmatic login, get the Subject and add it to the session myself, but this does not make the constrained resources open. Please, if you have any idea, let me know.
 
Ulf Dittmer
Rancher
Posts: 43081
I'm not sure if it helps with Oracle specifically, but you could check out http://jguard.net/ which adapts JAAS to web apps.
 
Rami Hailat
Greenhorn
Posts: 20
Thanks for your help
 
Ranch Hand
Posts: 2187
For integration of JAAS code with a Java web server, you need to configure the following system property:

java.security.auth.login.config

The value of this property should be set to the physical location of the JAAS configuration file, e.g. X:\TOMCAT\CONF\application-jaas.conf
 
Greenhorn
Posts: 3
I think his problem is authorization; I have the same question.
I get a Subject from the authentication and then don't know what to do.

How to authorize, especially authorizing those resources in a database?

Sorry for my poor English.
 
Rami Hailat
Greenhorn
Posts: 20
You are right, Jerry, but I think this is an unsolvable problem, as JAAS originally was not built to support web applications; hence we are stuck on this issue. You may have to look at jGuard in this case.
 
Jimmy Clark
Ranch Hand
Posts: 2187
Not too sure, but we have been using the JAAS API for security in web applications for some time (without any third-party add-ons). It works fine.
 
Rami Hailat
Greenhorn
Posts: 20
The issue here, James, is that JAAS will not work properly when you run the login page directly without first referring to some constrained resource.
Add to that, if we apply the login method programmatically and initialize a Subject for the logged-in user, we can't find a way to set the user Subject or principal into the request so that the following code results in the object we set, not a null pointer.
 
Jimmy Clark
Ranch Hand
Posts: 2187
It seems that the issue stems from "how" you are attempting to use JAAS. This is not a fault of the API itself. Again, it is "how" you are trying to code the authentication.

A login JSP page should authenticate via a JAAS module by calling on a Business Delegate which then calls a POJO. The code in the POJO uses JAAS modules to authenticate. There is no need to refer to "some constrained resource" to execute the login module.

JAAS Subject objects should not be set in a HttpRequest or HttpSession.

Everything mentioned above assumes a strict Model-View-Controller implementation. If you are attempting to do JAAS authentication directly from JSP pages, then you most likely will have difficulty in many places.

You need to have state in the Model application; this will hold references to the JAAS Subjects returned once a user is authenticated.

Good luck!
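As an added example (not code from the thread or from any poster), this is a POJO of the kind Jimmy Clark describes, which a Business Delegate can call from the login page; it also shows where the java.security.auth.login.config property from his earlier post comes in. It assumes a login configuration entry named "WebApp" in the file that property points to, and leaves holding the returned Subject to the Model layer.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Plain Java object with no servlet dependencies, so the Business Delegate can call it
// and it can be unit-tested outside the container.
public final class JaasAuthenticator {
    // Assumption: an entry named "WebApp" exists in the file given by
    // -Djava.security.auth.login.config=<path to application-jaas.conf>
    private static final String LOGIN_ENTRY = "WebApp";

    // Hands the login form fields to whichever LoginModule(s) the config entry names.
    private static final class FormCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        FormCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb, "callback not supported by the login form");
            }
        }
    }

    /** Returns the authenticated Subject, or null when login fails; the Model layer keeps the reference. */
    public Subject login(String user, char[] password) {
        try {
            LoginContext ctx = new LoginContext(LOGIN_ENTRY, new FormCallbackHandler(user, password));
            ctx.login();                 // runs login() and commit() of every configured LoginModule
            return ctx.getSubject();     // populated with the principals the modules committed
        } catch (LoginException e) {
            // Bad credentials and a missing/invalid config entry both land here: log the cause server-side,
            // but give the caller one answer so the response does not reveal which part was wrong.
            return null;
        } finally {
            Arrays.fill(password, '\0'); // shorten the password's lifetime in the heap
        }
    }
}
```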
 
QiJun Yang
Greenhorn
Posts: 3
Hi, maybe the code below is helpful to you.

```java
import java.security.Permission;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.xfree.jaas.exam.URLPermission;   // the custom permission class linked below, not java.net.URLPermission

final SecurityManager sm;
if (System.getSecurityManager() == null) {
    sm = new SecurityManager();   // not installed; checkPermission() still delegates to AccessController
} else {
    sm = System.getSecurityManager();
}
Subject subject = ....;   // the Subject returned by LoginContext.getSubject() after a successful login
Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Boolean>() {
    public Boolean run() throws Exception {
        // Evaluated by the Policy with the subject's principals attached; throws
        // AccessControlException (a SecurityException) when the permission is not granted.
        Permission p = new URLPermission("/demo/soft/query.jsp");
        sm.checkPermission(p);
        return true;
    }
}, null);
```

You can put this code into a javax.servlet.Filter or ActionServlet, get the request URL, and then construct a Permission. Of course you need a URLPermission.

If the subject has access to the URL "/demo/soft/query.jsp", the above code will return; otherwise it throws an exception.

Your security policy file should look like this.

```text
grant Principal org.xfree.jaas.exam.SimplePrincipal "manager" {
    permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
    permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal "admin" {
    permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
    permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal "tom" {
    permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
    permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal "jerry" {
    permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
    permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal * {
    permission org.xfree.jaas.exam.URLPermission "/demo/login.jsp";
    permission org.xfree.jaas.exam.URLPermission "/demo/error.jsp";
};
```


The above configuration represents the permission collections of two roles and two users respectively.

You can get your configuration information from a database. What you need is a policy class extending javax.security.auth.Policy.java; the default policy class is FilePolicy, which extends class Policy and reads the file %java_home%\jre\lib\security\java.policy.

reference: http://www.mooreds.com/jaas.html
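As an added example, not QiJun Yang's code and not the URLPermission class linked in the thread, here is the Filter described above with a minimal, hypothetical URLPermission standing in for the linked one. It assumes the programmatic login stored the Subject in the session under "jaas.subject" (the key Rami mentions) and that the policy grants are keyed on principals as in the file above.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical URLPermission: the name is a request path; a name ending in "/*" implies every path below it.
final class URLPermission extends Permission {
    private final boolean wildcard;
    private final String prefix;
    public URLPermission(String path) {       // single-String constructor so a policy grant can instantiate it
        super(path);
        wildcard = path.endsWith("/*");
        prefix = wildcard ? path.substring(0, path.length() - 1) : path;   // keeps the trailing '/'
    }
    @Override public boolean implies(Permission p) {
        if (!(p instanceof URLPermission)) return false;
        return wildcard ? p.getName().startsWith(prefix) : p.getName().equals(prefix);
    }
    @Override public boolean equals(Object o) { return o instanceof URLPermission && getName().equals(((URLPermission) o).getName()); }
    @Override public int hashCode() { return getName().hashCode(); }
    @Override public String getActions() { return ""; }
}

// Checks the logged-in Subject against the policy before the request reaches the protected resource.
public final class UrlAuthorizationFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        HttpSession session = http.getSession(false);
        // Assumption: the programmatic login stored the Subject under "jaas.subject", the key seen in the thread.
        Subject subject = session == null ? null : (Subject) session.getAttribute("jaas.subject");
        if (subject == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        // Container-decoded path (no ";jsessionid", no percent-encoding, dot segments resolved), so the
        // policy entries are matched against what will actually be served.
        String path = http.getContextPath() + http.getServletPath() + (http.getPathInfo() == null ? "" : http.getPathInfo());
        final Permission wanted = new URLPermission(path);
        try {   // doAsPrivileged attaches the Subject's principals to the domain the Policy is asked about
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(wanted);   // AccessControlException when not granted
                return null;
            }, null);
        } catch (SecurityException denied) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        chain.doFilter(req, res);
    }
    public void init(FilterConfig cfg) {} public void destroy() {}
}
```

If the web application's own code source is granted AllPermission (or a matching URLPermission) in the policy, the check passes for every Subject, so keep the grants keyed on principals as in the policy file above.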
 
QiJun Yang
Greenhorn
Posts: 3
code of URLPermission:
http://www.koders.com/java/fidC12C6A4B391CA70EE8535CAC410B27403E8A2A31.aspx
 
Ulf Dittmer
Rancher
Posts: 43081
"jerry yang",
please check your private messages.
 
Rami Hailat
Greenhorn
Posts: 20
Hi James, if we don't set the Subject or the principal into the request or session, how would any request return the user principal when using
for example.
 
Jimmy Clark
Ranch Hand
Posts: 2187
A request does not return anything. A request is sent to a server. The server returns a response.

In regards to the isUserInRole() method, this method returns a boolean value, not a JAAS Subject object.
 