JAAS and HTTPSession

It seems that every time I switch from JAAS-secured to non-secured realms in my app the session is destroyed.
Is this the right behavior?
Is there a way to share sessions between the realms?
Thanks!

I have a similar problem like yours.
I want to restrict calls to the Java methods based on the user roles.
I think this can be done using a session bean,
but how is the question.
If you find some answer, please inform me as well
on my id
[email protected]
Thanks in advance.

Similar Messages

  • Problem with HttpURLConnection and HttpSession.

    Hi,
    Problem with HttpURLConnection and HttpSession.
    I created an HttpSession object in my main class and then called a URL via HttpURLConnection.
    I tried to access the same session object from the servlet called by the URL, but the main session
    is not returned; a new separate session is created. Let me know how we can continue the same session
    (the one created in the main class) in the called URL also.
    Thanks
    Prasad

    You are not supposed to create an HttpSession from a Java client. Only a J2EE web container can create it.

  • JAAS and j_security_check

    Hi there,
    I'm using Weblogic 6.1 and working on the security aspect of a project.
    What I want to do is to set up the app so that a user logs in and gets authenticated
    using JAAS. I also want to secure the app so that all requests for URLs must
    be authenticated first, i.e. they go through the login page first.
    The easiest way I can see to do this is to use FORM based authentication using
    j_security_check.
    Is there a way then to set whatever j_security_check in the session, within the
    JAAS part of the code? Rather than authenticating with JAAS and then sending
    username and password to j_security_check.
    Does anyone know what to set? I looked at previous messages but they seem to
    deal with earlier versions and these do not work with 6.1
    Any help would be appreciated,
    Thanks,
    Ian

    Frank, thanks for comments.
    Yes, user info is in the same database so I can get it from there, but I would like to call this DB function once after successful authentication. In addition we have a kind of 2-level password in place, one application password and one internal DB password for the user to access database resources.
    The user does not know his/her DB password; we just have an API to get the DB password after authentication, and the existing application API (developed for the Forms client originally) assumes the user accesses the DB by his own connection, so in many APIs the Oracle function user is stored in some tables.
    So what I need is: after authentication of the user (with the application password) I can get the Oracle password and then make a new DB connection for all application APIs. I would just like to store the Oracle password (or the new user DB connection) somewhere so I don't need to fetch it every time I need to call the application API.
    ferdo

  • Authentication & Authorization with SSO, JAAS and Database Tables mix

    Hi,
    I'm looking for how to manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
    I'm interested in using SSO for authentication (I already did it programmatically & dynamically), and now I would like to be able to define authorization using database tables with users, groups, profiles, individual permissions, ... (maintained dynamically by the web application admin) through JAZN (JAAS, or however it is called) but not statically defining roles, groups, users, ... in jazn XML files.
    I saw that there exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking of making a custom Authorization API over my application tables, without JAZN), but what is better than using an extended and consolidated approach like JAZN.
    Could anybody tell me if my idea could be possible and realizable, and maybe give me some orientation to build this approach?
    A lot of thanks in advance.
    And sorry, excuse my so bad English.
    See you.

    Marcel,
    Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
    I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
    We currently plan to have the patch release available sometime in the second half of May.
    Kind regards,
    Peter Ebell
    JHeadstart Team

  • JAAS and JBOSS

    I'm trying to use JAAS to log in a user on a JBOSS app, but am running into a problem. I'm able to successfully authenticate the user, and retrieve a Subject from my LoginContext. However, once that request is done (i.e. the browser displays the "log in complete" page), the application seems to forget that the user was logged in. How do JAAS and JBOSS keep track of the logged-in user? Is this done by keeping a singleton of LoginContext around in some scope? Right now I'm creating a new instance of LoginContext, and using it to load a new instance of my CallbackHandler. Note, when I used JBOSS default form-based authentication, it kept the user logged in. However, I can't use their default auth because I have some custom things I need to do.
    Thanks in advance for any help you provide.

    Hi,
    I tested this on OC4J for you and here - after setting jbo.security.enforce to Must, the user principal name and the roles are displayed.
    So there are three possible reasons why you don't see things working:
    - JBoss doesn't add the role principals to the Subject so they become available in the session
    - You attempt accessing this information in a prepareSession() override without enforcing authentication to happen for the root page - URL pattern = /
    - ADF BC security doesn't recognize the custom role principal
    After briefly reviewing the security implementation code, it seems that ADF BC security is dependent on Oracle JAZN for authorization.
    Frank

  • What's differences between jaas and jacc?

    Lately I saw a new Java security spec released on http://java.sun.com/j2ee/javaacc/; it seems similar to JAAS (http://java.sun.com/products/jaas/). Though, reportedly, JACC is concerned with more detail in authorization, there is an authorization API included in JAAS as far as I know. Is anyone able to tell me what the differences between JAAS and JACC are? Or is there a resource or article explaining this issue in detail?
    I appreciate any suggestions.
    Thank you very much,

    From what I saw, the JACC specifically deals with what is currently called Container Managed Security. JAAS is something that would be used on top of JACC.
    See also:
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security11.html
    JACC contracts provide the following benefits:
    - JACC moves security administration and decision-making responsibility from the container to the security providers.
    - JACC enables the use of a common policy across different security systems.
    - J2EE system integrators can integrate containers with existing authorization policy infrastructure
    re Jaap

  • Difference between jaas and realm

    Hi,
    I would like to add JAAS to my web application.
    I have a confusion between JAAS and realm.
    Can anyone tell me what the difference between these two technologies is?

    This is more or less Servlet related. In the future, please use the [Servlet forum|http://forums.sun.com/forum.jspa?forumID=33] for this kind of question to get a better response.
    To the point: JAAS (Java Authentication & Authorization Service) is an authentication framework at Java SE level. A realm is an abstract layer between the web application and several ways of authentication, so that you can easily switch between the authentication types/frameworks. JAAS is one of them.

  • JAAS and GSS-API Tutorial Question

    I am running the JAAS and GSS-API tutorial from http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/BasicClientServer.html. I am running in a Windows 2000 Active Directory environment. It appears to be running correctly, but I have a question. Every time it is run, it asks for the User ID (it supplies a default of my current login name) and then a password. The server also asks for the same information. I am running the client and server on the same machine, so the user ID and password entered for both are identical.
    I was under the impression, however, that either GSS-API or JAAS using Kerberos would be able to obtain credentials without asking for the user ID and password, because I am already logged on. Is there something I need to change in the example to do this? Am I missing something else?
    Thank you.
    Craig

    Please do not reply to this posting. If you have suggestions or questions, please use http://forum.java.sun.com/thread.jsp?forum=60&thread=383862&tstart=0&trange=30 on this same topic.

  • JAAS and logout

    Is this code enough to logout?
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpSession session = (HttpSession) ectx.getSession(false);
        session.invalidate();
    I am assuming that the invalidate() call will trigger a call to the logout() method of the JAAS login module by the container.
    Pranab

    Hi,
    No, it's invalidating the HTTP session only, as far as I can tell. I don't think that OC4J responds to session invalidation with a callback to the login context. However, add a print statement to the LoginModule and you will know for sure.
    Frank
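The post above says session invalidation alone does not reach the LoginModule. The following is an added example, not code from the thread or from OC4J: it keeps the LoginContext in the session after login, calls LoginContext.logout() explicitly before invalidating, and includes a tracing LoginModule (Frank's print-statement suggestion) so the server log shows which lifecycle methods actually run. The attribute name `jaas.loginContext` and the class names are assumptions.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpSession;

public final class JaasSessionLogout {
    // Hypothetical session attribute under which the LoginContext is kept after login.
    static final String LOGIN_CONTEXT_ATTR = "jaas.loginContext";

    // Call this right after lc.login() succeeded so the context outlives the request.
    public static void remember(HttpSession session, LoginContext lc) {
        session.setAttribute(LOGIN_CONTEXT_ATTR, lc);
    }

    // Explicit JAAS logout first, then HTTP session invalidation.
    // session.invalidate() on its own never reaches LoginModule.logout().
    public static void logout(HttpSession session) {
        if (session == null) {
            return;
        }
        LoginContext lc = (LoginContext) session.getAttribute(LOGIN_CONTEXT_ATTR);
        try {
            if (lc != null) {
                lc.logout();   // container-independent: drives every module's logout()
            }
        } catch (LoginException e) {
            System.err.println("JAAS logout failed: " + e.getMessage());
        } finally {
            session.invalidate();   // drop the HTTP session either way
        }
    }

    // Minimal LoginModule that prints each lifecycle call, so the server log shows
    // whether logout() is ever reached. Constructed for this example only.
    public static class TracingLoginModule implements LoginModule {
        private Subject subject;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            System.out.println("TracingLoginModule.initialize");
        }
        public boolean login() { System.out.println("TracingLoginModule.login"); return true; }
        public boolean commit() { System.out.println("TracingLoginModule.commit"); return true; }
        public boolean abort() { System.out.println("TracingLoginModule.abort"); return true; }
        public boolean logout() {
            System.out.println("TracingLoginModule.logout");
            subject.getPrincipals().clear();   // principals are gone once this runs
            return true;
        }
    }
}
```

With a JSF ExternalContext as in the post, pass `(HttpSession) ectx.getSession(false)` to `logout()`; if the log shows `login` and `commit` but never `logout` after a plain `session.invalidate()`, the container is not calling the module for you.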

  • JAAS and Active Directory Problem

    I am attempting to use the JAAS Tutorial code to authenticate against a Windows 2000 domain controller. The code as is works against a domain controller that I set up, but when I attempt to authenticate against a client's domain, I receive an exception:
    Authentication failed:
    Pre-authentication information was invalid (24)
    javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    The troubleshooting documentation indicates that this could mean 3 things:
    1. the password is incorrect - since I am logging in with my account, I am certain the password is correct.
    2. you are using the keytab to obtain the key and the key may have changed since obtaining the keytab - I am not using the useKeyTab option in my configuration of the Krb5LoginModule and the option defaults to false.
    3. clock skew. I am sure that there is no time difference between my computer and the server.
    That said, does anyone know of any other reason that authentication will fail?

    I am using....
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            options);
    and I get the same thing. Running Win2K Pro. Trying to use GSS-API to do Kerberos authentication.
    Jay
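Both the GSS-API tutorial question (why the client prompts for a user ID and password although the user is already logged on) and the two posts above turn on which options are handed to Krb5LoginModule. The following is an added example, not code from the thread or from the Sun tutorial: it builds the same AppConfigurationEntry as Jay's snippet through a programmatic Configuration, sets useKeyTab explicitly, and, when asked to reuse existing credentials, turns on useTicketCache and doNotPrompt so the login either picks up the existing TGT or fails instead of prompting. The class name and the application name `KerberosClient` are assumptions; whether Java can read the OS ticket cache depends on the platform.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Programmatic JAAS configuration for Krb5LoginModule (constructed example).
public final class KerberosJaasConfig extends Configuration {
    private final boolean reuseExistingCredentials;

    public KerberosJaasConfig(boolean reuseExistingCredentials) {
        this.reuseExistingCredentials = reuseExistingCredentials;
    }

    // Option map for com.sun.security.auth.module.Krb5LoginModule.
    static Map<String, String> krb5Options(boolean reuseExistingCredentials) {
        Map<String, String> o = new HashMap<String, String>();
        o.put("useKeyTab", "false");   // stated explicitly: password path, no keytab key
        o.put("debug", "true");        // module prints pre-auth details on failure
        if (reuseExistingCredentials) {
            o.put("useTicketCache", "true");   // take the TGT from the existing cache
            o.put("doNotPrompt", "true");      // fail instead of asking for a password
        }
        return o;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                krb5Options(reuseExistingCredentials))
        };
    }

    public static void main(String[] args) throws LoginException {
        // No CallbackHandler is supplied: with doNotPrompt=true the module must find a
        // cached TGT; otherwise login() throws a LoginException rather than prompting.
        LoginContext lc = new LoginContext("KerberosClient", null, null,
                                           new KerberosJaasConfig(true));
        lc.login();
        System.out.println("Authenticated as: " + lc.getSubject().getPrincipals());
    }
}
```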

  • Client remote Authentication using JAAS and EJB Access

    Hi,
    I have a problem using JAAS in combination with Sun One Appserver 8.1 and a java remote client trying to access an EJB. Here is the scenario:
    I have implemented an EJB who's methods are protected through the deployment descriptor:
        <assembly-descriptor>
          <security-role>
            <description>role for clients outside of the server </description>
            <role-name>sedna</role-name>
          </security-role>
          <method-permission>
            <role-name>sedna</role-name>
            <method>
              <ejb-name>ServerInfoBean</ejb-name>
              <method-intf>Remote</method-intf>
              <method-name>*</method-name>
            </method>
          </method-permission>
          <method-permission>
            <unchecked/>
            <method>
              <ejb-name>ServerInfoBean</ejb-name>
              <method-name>getVersion</method-name>
            </method>
            <method>
              <ejb-name>ServerInfoBean</ejb-name>
              <method-name>create</method-name>
            </method>
          </method-permission>
        </assembly-descriptor>
    I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
    I can find the EJB, create it, and call the unchecked method getVersion and that works fine, so far so good.
    But then I try to access another method which is protected and then I get this exception:
        org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
                at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
                at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
                at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
        ...
    I have to mention that I do make a login via the LoginContext. My jaas.config file has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
    After login (which works perfectly) I look up the context with a corbaname URL which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
    After that I make the calls to the EJB. And I am always ANONYMOUS on the server side, which is definitely the problem, because ANONYMOUS is not allowed to call the protected EJB methods. But I made a JAAS login in advance. So where am I making a mistake???
    Am I doing something wrong?
    Need help! Thx,
    Stephan

    Hi.
    > I understand correctly that you call Subject.doAs on
    > the client to call the remote EJB. I guess It isn't
    > right way.
    I had also a bad feeling about this, so I forgot it. But anyway it wasn't working with or without using that doAs().
    >
    > Subject contextSubject =
    > Subject.getSubject(AccessController.getContext());
    > contextSubject.getPrincipals();
    This code throws exceptions in the Appserver. Unfortunately they are caught somewhere, so I'm unable to find out what was going wrong. But I guess that these exceptions were security exceptions. Nevertheless, thanks for the hint!
    But I don't think that doing the check on the server side is the way I want to go, because that is programmatic security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposing I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via its deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context, but not for the security check; that should already have been done at this time.
    Unfortunately I don't find any resource on the internet describing the scenario in such a detail that I can reproduce it. There are only very high level documentations and hints in forums.
    Again, thanks for your effort,
    Stephan

  • XSQL and HttpSession object availability

    Hello,
    How do I access the very convenient unique HttpSession ID?
    The one we have this way within a servlet:
        HttpSession session = request.getSession(true);
        System.out.println(session.getId());
    Thank You in advance
    JRoch

    You can access this easily by writing a custom action handler. Here is the code for a custom action handler that sets the value of the Http Session id into a page parameter named "session-id".
        import oracle.xml.xsql.*;
        import java.sql.SQLException;
        import org.w3c.dom.Node;
        import javax.servlet.http.*;

        public class GetSessionId extends XSQLActionHandlerImpl {
            public void handleAction(Node rootNode) throws SQLException {
                XSQLPageRequest req = getPageRequest();
                // A session only exists when the page is served through the XSQL servlet
                if (req.getRequestType().equals("Servlet")) {
                    HttpSession sess =
                        ((XSQLServletPageRequest) req).getHttpServletRequest().getSession(true);
                    if (sess != null) {
                        // Expose the id to the page as the "session-id" parameter
                        req.setPageParam("session-id", sess.getId());
                    }
                }
            }
        }
    Then from within your XSQL page, you can say:
        <xsql:action handler="GetSessionId"/>
    and then later in the page refer to the parameter named session-id to access its value as a lexical or bind parameter.

  • Struts and HttpSession

    Hi guys, I think this is not the correct forum to ask about Struts, but I really need some help with that. I need to get the ID of an HTTP session and use this ID in the action class of Struts for other tasks. Can anyone help me on how to get the HTTP session id from Struts 2?
    Thanks in advance

    Use HttpSession.getId() [1]. Make it a point to read the documentation, you'll get more than enough help there and you'll learn as well.
    [1] http://java.sun.com/products/servlet/2.2/javadoc/javax/servlet/http/HttpSession.html#getId()
    People on the forum help others voluntarily, it's not their job.
    Help them help you.
    Learn how to ask questions first: http://faq.javaranch.com/java/HowToAskQuestionsOnJavaRanch
    (Yes I know it's on JavaRanch but I think it applies everywhere)

  • IE6 and HttpSession

    My JSPs/Servlets use simple HttpSession objects that expire when the browser is closed. It is my understanding that if a browser has cookies disabled, URL rewriting is used. I've been testing in IE6 and when cookies are restricted all my session objects are null. So it appears URL rewriting isn't occurring.
    Is there anything I have to do to 'turn on' URL rewriting? Any other suggestions?

    Hi Jason,
    Read this:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q293222
    http://support.microsoft.com/support/kb/articles/q293/2/22.asp?LN=EN-US&SD=gn&FR=0&qry=cookie&rnk=10&src=DHCS_MSPSS_gn_SRCH&SPR=IE600
    --Paul

  • OracleAS 9.0.4 Clustering and HttpSession

    Does OracleAS 9.0.4 Clustering replicate HttpSession state between cluster nodes or just stateful session bean state?
    Thanks
    Bill

    "Checking operating system version: must be 5200 Failed <<<<"
    So don't install this version on AIX 5.3. AS 9.0.4 has been desupported. Please don't get yourself into the hell of installing it and especially not on AIX.
    Install 10.1.2.0.2, and not before you have read the certification notes on MetaLink and taken every step you need to install on this challenging platform!
