JAAS and j_security_check

Hi there,
I'm using WebLogic 6.1 and working on the security aspect of a project.
What I want to do is to set up the app so that a user logs in and gets authenticated
using JAAS. I also want to secure the app so that all requests for URLs must
be authenticated first, i.e. they go through the login page first.
The easiest way I can see to do this is to use FORM-based authentication using
j_security_check.
Is there a way then to set whatever j_security_check sets in the session, within the
JAAS part of the code? Rather than authenticating with JAAS and then sending
username and password to j_security_check.
Does anyone know what to set? I looked at previous messages but they seem to
deal with earlier versions and these do not work with 6.1.
Any help would be appreciated,
Thanks,
Ian

Similar Messages

  • Authentication & Authorization with SSO, JAAS and Database Tables mix

    Hi,
    I'm looking for how to manage Authentication & Authorization in a J2EE ADF+Struts+JSP application.
    I'm interested in using SSO for authentication (I already did it programmatically & dynamically), and now I would like to be able to define authorization using database tables with users, groups, profiles, individual permissions, ... (maintained dynamically by the web application admin) through JAZN (JAAS, or however it is called), but not by statically defining roles, groups, users, ... in jazn XML files.
    I saw that there exists the possibility to create a custom DataSourceUserManager class to manage all this, and this gave me the idea that this could be possible to do (I was thinking of making a custom Authorization API over my application tables, without JAZN), but what is better is to use an extended and consolidated approach like JAZN.
    Could anybody tell me if my idea could be possible and realizable, and maybe give me some orientation to build this approach?
    A lot of thanks in advance.
    And sorry, excuse my bad English.
    See you.

    Marcel,
    Originally the idea was to create a post to only explain how to do authentication using a Servlet filter. However,
    I have recently added code to the JHeadstart runtime and generators to enable both JAAS and 'Custom' authentication AND authorization in generated applications. Therefore, this post will be made after we have released the next patch release, as it will depend on these code changes.
    We currently plan to have the patch release available sometime in the second half of May.
    Kind regards,
    Peter Ebell
    JHeadstart Team

  • JAAS and JBOSS

    I'm trying to use JAAS to log in a user on a JBOSS app, but am running into a problem. I'm able to successfully authenticate the user, and retrieve a Subject from my LoginContext. However, once that request is done (i.e. the browser displays the "log in complete" page), the application seems to forget that the user was logged in. How does JAAS and JBOSS keep track of the logged in user? Is this done by keeping a singleton of LoginContext around in some scope? Right now I'm creating a new instance of LoginContext, and using it to load a new instance of my CallbackHandler. Note, when I used JBOSS default form based authentication, it kept the user logged in. However, I can't use their default auth because I have some custom things I need to do.
    Thanks in advance for any help you provide.

    Hi,
    I tested this on OC4J for you and here - after setting jbo.security.enforce to Must, the user principal name and the roles are displayed.
    So there are three possibilities why you don't see things working
    - JBoss doesn't add the role principals to the Subject so they become available in the session
    - You attempt accessing this information in a prepareSession() override without enforcing authentication to happen for the root page - URL pattern = /
    - ADF BC security doesn't recognize the custom role principal
    After briefly reviewing the security implementation code, it seems that ADF BC security is dependent on Oracle JAZN for authorization.
    Frank

  • What's differences between jaas and jacc?

    Lately I saw a new Java security release on http://java.sun.com/j2ee/javaacc/; it seems similar to JAAS (http://java.sun.com/products/jaas/); though, reportedly, JACC is concerned in more detail with authorization; however, there is an authorization API included, as far as I know. Is anyone able to tell me what the differences between JAAS and JACC are? Or where is there a resource or article explaining this issue in detail?
    I appreciate any suggestions.
    Thank you very much.

    From what I saw, the JACC specifically deals with what is currently called Container Managed Security. JAAS is something that would be used on top of JACC.
    See also:
    http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security11.html
    JACC contracts provide the following benefits:
    - JACC moves security administration and decision-making responsibility from the container to the security providers.
    - JACC enables the use of a common policy across different security systems.
    - J2EE system integrators can integrate containers with existing authorization policy infrastructure
    Regards, Jaap

  • Difference betwwen jaas and realm

    Hi,
    I would like to add JAAS to my web application.
    I have some confusion between JAAS and realms.
    Can anyone tell me the difference between these two technologies?

    This is more or less Servlet related. In the future, please use the [Servlet forum|http://forums.sun.com/forum.jspa?forumID=33] for this kind of question to get a better response.
    To the point: JAAS (Java Authentication & Authorization Service) is an authentication framework at the Java SE level. A realm is an abstract layer between the web application and several ways of authentication, so that you can easily switch between the authentication types/frameworks. JAAS is one of them.

  • JAAS and GSS-API Tutorial Question

    I am running the JAAS and GSS-API tutorial from http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/BasicClientServer.html. I am running in a Windows 2000 Active Directory environment. It appears to be running correctly, but I have a question. Every time it is run, it asks for the User ID (it supplies a default of my current login name) and then a password. The server also asks for the same information. I am running the client and server on the same machine, so the user ID and password entered for both are identical.
    I was under the impression, however, that either GSS-API or JAAS using Kerberos would be able to obtain credentials without asking for the user ID and password, because I am already logged on. Is there something I need to change in the example to do this? Am I missing something else?
    Thank you.
    Craig

    Please do not reply to this posting. If you have suggestions or questions, please use http://forum.java.sun.com/thread.jsp?forum=60&thread=383862&tstart=0&trange=30 on this same topic.

  • JAAS LoginModule j_security_check and user info

    Hello there,
    I successfully implemented a custom LoginModule which validates users against passwords stored in a database by calling some server APIs. I am using container-managed security via the j_security_check servlet.
    This is working fine; now I just wonder what the best way is to store additional information about the user, like name, surname and email, and make it accessible to JSP/JSF pages.
    I did not find any link from LoginModule to HttpSession, so I am stuck on this. Ideally I would like to store this additional info immediately after the user is successfully authenticated by the LoginModule.
    Any hint on this?
    ferdo

    Frank, thanks for the comments.
    Yes, the user info is in the same database so I can get it from there, but I would like to call this DB function once after successful authentication. In addition we have a kind of 2-level passwords in place, one application password and one internal DB password for the user to access database resources.
    The user does not know his/her DB password; we just have an API to get the DB password after authentication, and the existing application API (developed originally for a Forms client) assumes the user accesses the DB by his own connection, so in many APIs the Oracle function user is stored in some tables.
    So what I need is, after authentication of the user (with the application password), I can get the Oracle password and then make a new DB connection for all application API calls; I would just like to store the Oracle password (or the new user DB connection) somewhere so I don't need to fetch it every time I need to call the application API.
    ferdo
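Added example, not code from any post in this thread: a servlet filter that does what ferdo describes, loading the extra user details once per session after the container has finished the j_security_check login. It assumes the Servlet 3.1 API (for changeSessionId), a hypothetical in-memory ProfileSource standing in for the DB function, and hypothetical class and attribute names; the "ferdo" record is constructed data.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Runs only after the container has enforced the <security-constraint> and finished
 * the j_security_check login, so getUserPrincipal() is non-null for protected URLs.
 */
public class UserProfileFilter implements Filter {

    static final String PROFILE_KEY = "example.userProfile";   // hypothetical session attribute name

    /** Non-secret profile data, safe to keep in a (possibly replicated or persisted) session. */
    public static final class UserProfile implements Serializable {
        private final String username, fullName, email;
        UserProfile(String username, String fullName, String email) {
            this.username = username; this.fullName = fullName; this.email = email;
        }
        public String getUsername() { return username; }   // getters so JSP EL can read the bean
        public String getFullName() { return fullName; }
        public String getEmail() { return email; }
    }

    /** Hypothetical stand-in for the "DB function" in the post above. */
    interface ProfileSource { UserProfile load(String username); }

    private ProfileSource source;

    public void init(FilterConfig cfg) {
        // Constructed in-memory source; a real deployment queries the user table through a DataSource.
        source = new ProfileSource() {
            public UserProfile load(String u) {
                return "ferdo".equals(u) ? new UserProfile(u, "Ferdo Example", "ferdo@example.com") : null;
            }
        };
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();
        if (p != null) {
            HttpSession session = http.getSession(true);
            UserProfile cached = (UserProfile) session.getAttribute(PROFILE_KEY);
            // (Re)load when the session has no profile yet, or carries another user's profile
            // because the same browser session logged out and back in as someone else.
            if (cached == null || !cached.getUsername().equals(p.getName())) {
                http.changeSessionId();   // Servlet 3.1+: fresh id once authenticated, defeats session fixation
                UserProfile fresh = source.load(p.getName());
                // Unknown in the profile table: cache a placeholder so the DB is not hit on every request.
                session.setAttribute(PROFILE_KEY, fresh != null ? fresh : new UserProfile(p.getName(), null, null));
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to /* in web.xml next to the <security-constraint> and <form-login-config>; the container resolves j_security_check before any filter sees a protected URL, which is why getUserPrincipal() is reliable here and why the LoginModule itself needs no handle on the HttpSession. For the second part of the question, keep the Oracle password out of the HttpSession: sessions get serialized, replicated and sometimes written to disk, so fetch the DB credential on demand or hold the per-user connection in a server-side pool keyed by principal name, and store only the non-secret profile in the session.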

  • How to do JAAS and J2EE Deployment Descriptor ACL : Please help

    I am trying to develop a Single Sign-On application using EJBs, JAAS,
    ACL, Struts and JSP to log in with a form, authenticate (using
    j_security_check to hook into the web.xml security), then pull a user
    from a database and use the roles defined there for authorization in
    the rest of the system.
    The examples on the web are from Java clients to RMI; they also sit
    alone. They don't say how to hook them into WebLogic. They say to use
    JAAS but they have just JAAS examples! No hooking of it into an EJB,
    servlet, etc.! They also don't show how to hook that code into the web
    server to use it as your security module!
    What settings/configuration do I need to make in the web server for JAAS
    to work? How does the logic proceed to authorization after the form is
    submitted using j_security_check, and to further logic in the
    application? How is it then integrated with the Struts action forms?
    Help, I'm at a loss. They recommend using JAAS but their documentation
    and examples do not explain how. We have a complex real-world product
    and need examples of
    the same. Can somebody provide me a working real-life example which
    really works and give me some pointers to proceed? That will be really
    helpful.
    Thanks in advance for the help.

  • How to do JAAS and J2EE Deployment Descriptor ACL in WLS

    The examples on this website and shipped with WLS stink. Does there exist a GOOD
    example of how to
    log in with a form,
    authenticate (I guess using j_security_check to hook into the web.xml security),
    then pull a user from a database and use the roles defined there for authorization
    in the rest of the system?
    The WebLogic examples are from Java clients to RMI (ya, that's handy). They also
    sit alone. They don't say how to hook them into WebLogic. They say to use JAAS
    but they have just JAAS examples! No hooking of it into an EJB, servlet, etc.!
    They also don't show how to hook that code into WLS to use it as your security
    module!
    Help, I'm at a loss.
    They recommend using JAAS but their documentation and examples of doing so suck
    or are non-existent. We have a complex real-world product and need examples of
    the same. Stupid, stand-alone examples that teach nothing do not help.
    Frustrated at BEA for their poor documentation and support,
    Mike

    Also, I use Struts....
    In Struts you have to extend the Action class, which then calls the perform()
    method on your servlet.
    So to call an EJB I have to have my servlet implement PrivilegedAction?
    If so, then this wants a run() method. Struts calls perform(), so that means
    I'm going to have to make another class to call from my servlet with a run()
    method? Or I'm going to have my servlet implement PrivilegedAction and
    call Security.runAs()?
    What if I just want to call the EJB from my servlet and put my security
    credentials in the JNDI lookup? I want the container to use the roles of the
    user in the JNDI lookup to authorize methods based on the deployment
    descriptors.
    Thanks,
    Mike
    "Vimala Ranganathan" <[email protected]> wrote in message
    news:[email protected]...
    Hi Michael,
    Attached is an example of JAAS login and invoking an EJB.
    Let me know if this turns out to be useful.
    Regarding the form-based authentication, could you be more clear on what issue you are
    facing?
    Just as a note, when you use form-based login, WLS would authenticate the user against
    the realm
    WLS is set up for, which could be a file realm, or an RDBMS realm (in which case users
    and groups are from the database).
    Roles cannot be defined at the database level. This needs to be at the application level,
    which you can define in web.xml or
    the console (in 7.0).
    If you need any specific help or more information please let me know.
    Vimala

  • JAAS and Active Directory Problem

    I am attempting to use the JAAS Tutorial code to authenticate against a Windows 2000 domain controller. The code as is works against a domain controller that I set up, but when I attempt to authenticate against a client's domain, I receive an exception:
    Authentication failed:
    Pre-authentication information was invalid (24)
    javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    The troubleshooting documentation indicates that this could mean 3 things:
    1. the password is incorrect - since I am logging in with my account, I am certain the password is correct.
    2. you are using the keytab to obtain the key and the key may have changed since obtaining the keytab - I am not using the useKeyTab option in my configuration of the Krb5LoginModule and the option defaults to false.
    3. clock skew - I am sure that there is no time difference between my computer and the server.
    That said, does anyone know of any other reason that authentication will fail?

    I am using....
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
    and I get the same thing. Running Win2K Pro. Trying to use GSS-API to do Kerberos authentication.
    Jay

  • Client remote Authentication using JAAS and EJB Access

    Hi,
    I have a problem using JAAS in combination with Sun One Appserver 8.1 and a Java remote client trying to access an EJB. Here is the scenario:
    I have implemented an EJB whose methods are protected through the deployment descriptor:
            <assembly-descriptor>
                 <security-role>
                    <description>role for clients outside of the server </description>
                    <role-name>sedna</role-name>
                  </security-role>
                <method-permission>
                  <role-name>sedna</role-name>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-intf>Remote</method-intf>
                    <method-name>*</method-name>
                  </method>
                </method-permission>
                <method-permission>
                  <unchecked/>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>getVersion</method-name>
                  </method>
                  <method>
                    <ejb-name>ServerInfoBean</ejb-name>
                    <method-name>create</method-name>
                  </method>
                </method-permission>
            </assembly-descriptor>
    I've deployed the EJB in a jar file which was packed into an ear file of a bigger application. The role has been mapped to the admin Principal in the sun-ejb-jar.xml descriptor.
    I can find the EJB, create it, and call the unchecked method getVersion, and that works fine; so far so good.
    But then I try to access another method which is protected, and then I get this exception:
    org.omg.CORBA.NO_PERMISSION:   vmcid: 0x2000  minor code: 1806 completed: Maybe
            at com.sun.enterprise.iiop.POAProtocolMgr.mapException(POAProtocolMgr.java:179)
            at com.sun.ejb.containers.BaseContainer.postInvoke(BaseContainer.java:853)
            at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:137)
            ...
    I have to mention that I do make a login via the LoginContext. My jaas.config file has a reference to the com.sun.enterprise.security.auth.login.ClientPasswordLoginModule module.
    After login (which works perfectly) I look up the context with a corbaname URL which - if I understood it right - ignores the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS settings.
    After that I make the calls to the EJB. And I am always ANONYMOUS on the server side, which is definitely the problem, because ANONYMOUS is not allowed to call the protected EJB methods. But I made a JAAS login in advance. So where am I making a mistake???
    Am I doing something wrong?
    Need help! Thx,
    Stephan

    Hi.
    > I understand correctly that you call Subject.doAs on
    > the client to call the remote EJB. I guess it isn't
    > the right way.
    I also had a bad feeling about this, so I forgot it. But anyway it wasn't working with or without using that doAs().
    >
    > Subject contextSubject =
    >     Subject.getSubject(AccessController.getContext());
    > contextSubject.getPrincipals();
    This code throws exceptions in the Appserver. Unfortunately they are caught somewhere, so I'm unable to find out what was going wrong. But I guess that these exceptions were security exceptions. Nevertheless, thanks for the hint!
    But I don't think that doing the check on the server side is the way I want to go, because that is programmatic security and I want to use the declarative security which can be used through the deployment descriptor. If used correctly - and supposing I do not completely misunderstand the specification - then it should be possible to create an EJB that is protected via its deployment descriptor and access it through the client only if the client has been authenticated through JAAS mechanisms. After successful authentication the principal should be accessible through the EJB context, but not for the security check; that should already have been done at this time.
    Unfortunately I don't find any resource on the internet describing the scenario in such detail that I can reproduce it. There are only very high-level documentations and hints in forums.
    Again, thanks for your effort,
    Stephan

  • JAAS and JNDI (LDAP)

    Hello,
    I am using JAAS to connect to an Active Directory and log in successfully (authentication of the user). After the login, I want to get the user's properties like email address, phone number, ... from the Active Directory using JNDI. As I understand, to get connected to the AD with JNDI I have to use something like:
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, ldapUserName);
        env.put(Context.SECURITY_CREDENTIALS, ldapUserPassword);
    My problem is now that I would like to take the user which has connected to the AD with JAAS for accessing the AD, but I do not have the ldapUserPassword from the JAAS Principal (the logged-on user).
    Is there a way to use the currently logged-in user as the LDAP (JNDI) user, or another way to access the requested properties?
    Thanks and Regards
    Stefan

    I had exactly the same problem.
    In my case I had a domain "testdomain.mycompany.com" and a domain controller "domaincontroller.mycompany.com" (maybe this is a misconfiguration?)
    So I have set in the Kerberos config file
        [realms]
            TESTDOMAIN.MYCOMPANY.COM = {
                kdc = domaincontroller.mycompany.com
            }
    and the LDAP connection URL to "ldap://domaincontroller.mycompany.com/dc=testdomain,dc=mycompany,dc=com".
    This resulted in the error you have described.
    Finally I put the following entry in the hosts file on my local PC
        192.168.0.10 domaincontroller.testdomain.mycompany.com
    (192.168.0.10 is the IP address of the domain controller) and then it worked!
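Added example, not code from any post in the threads above. It serves three of them at once: the GSS-API tutorial question (logging in without being prompted), the Active Directory thread (the AppConfigurationEntry for Krb5LoginModule) and this JNDI thread (searching AD as the already-authenticated user without knowing an LDAP password). The Kerberos login reuses the desktop's ticket cache, and the LDAP bind runs inside Subject.doAs with SASL GSSAPI, so no password ever reaches the JNDI environment. Assumptions: Java 8+, a krb5.conf (or the java.security.krb5.realm/kdc system properties) pointing at the KDC as in the reply above, and the domain controller and base DN names from that reply, which are hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class KerberosLdapLookup {

    /** Same thing as a login.config entry, built in code so no file or -D property is needed. */
    static final class KrbConfig extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<String, String>();
            opts.put("useTicketCache", "true");   // reuse the TGT from the OS login
            opts.put("doNotPrompt", "true");      // fail instead of asking for user ID and password
            opts.put("debug", "false");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    /** Logs in from the ticket cache and returns the Subject carrying the Kerberos TGT. */
    static Subject loginFromTicketCache() throws Exception {
        Configuration.setConfiguration(new KrbConfig());
        LoginContext lc = new LoginContext("ldap-client");   // entry name; KrbConfig ignores it
        lc.login();
        return lc.getSubject();
    }

    /** Searches AD over LDAP as the Kerberos identity held in `subject`; no password involved. */
    static Attributes lookupUser(Subject subject, final String ldapUrl, final String sAMAccountName)
            throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<Attributes>() {
            public Attributes run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, ldapUrl);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");   // SASL/Kerberos instead of "simple"
                env.put("javax.security.sasl.qop", "auth-conf");      // sign and encrypt the LDAP traffic
                DirContext ctx = new InitialDirContext(env);
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    sc.setReturningAttributes(new String[] { "displayName", "mail", "telephoneNumber" });
                    // {0} is substituted by the provider with proper filter escaping, so the
                    // account name cannot inject LDAP filter syntax.
                    NamingEnumeration<SearchResult> results = ctx.search("",
                            "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { sAMAccountName }, sc);
                    return results.hasMore() ? results.next().getAttributes() : null;
                } finally {
                    ctx.close();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Subject me = loginFromTicketCache();
        Attributes a = lookupUser(me,
                "ldap://domaincontroller.testdomain.mycompany.com/dc=testdomain,dc=mycompany,dc=com",
                args.length > 0 ? args[0] : System.getProperty("user.name"));
        System.out.println(a == null ? "not found" : "mail: " + a.get("mail"));
    }
}
```

Two things to check when this fails. On Windows, the LSA hands out the TGT session key to applications only if the registry value AllowTgtSessionKey under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters is set to 1; without it the cache login fails even though you are logged on. And the host name in the LDAP URL must be the domain controller's real name, because the GSSAPI bind requests a ticket for ldap/<that host name> and a name the KDC does not know yields a server-not-found error rather than a bind as ANONYMOUS.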

  • JAAS and J2EE SDK -- please help!

    Hi,
    I'd like to know if it is possible to use customized LoginModule classes in the J2EE SDK reference implementation 1.3.
    If so, what I can't understand is the following:
    if I use the form-based auth mechanism in my web app, how can I specify which login module to use? I mean, I know JAAS needs an entry in a configuration file such as
        mylogin {
          MyLoginModule required debug=false;
        };
    but my question is, in what file should I add it? clientlogin.config, login.config or serverlogin.config?
    And a much more important question is: how can I then specify that I need to use the "mylogin" entry?
    I don't know how the JSecurityCheck servlet works; is there any document where I can find the source code of it?
    Please, can anyone help me?
    Thanks in advance.

    I managed to get it working in Tomcat 4.0. If you create a config file with the details you've specified called login.config, you then need to pass it as a parameter when you start your servlet engine,
    i.e. -Djava.security.auth.login.config=login.config
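Added example, not code from this thread or from the J2EE SDK: a complete custom LoginModule of the kind the question asks about, plus a stand-alone driver that wires it up through LoginContext the same way a container's realm does. It shows the two-phase contract (login() checks the credential, commit() populates the Subject, abort()/logout() undo it) and two details a practitioner wants right: passwords are compared through a PBKDF2 hash with MessageDigest.isEqual, and unknown users take the same code path as wrong passwords. Assumptions: Java 8+ (PBKDF2WithHmacSHA256), a constructed in-memory user table in place of a database query (a real deployment would also store a random per-user salt rather than deriving it from the username), and hypothetical class and entry names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** LoginModule that checks a PBKDF2 password hash and follows the two-phase login/commit contract. */
public class HashedPasswordLoginModule implements LoginModule {

    /** Principal that commit() adds to the Subject. */
    public static final class UserPrincipal implements Principal, java.io.Serializable {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    // Constructed user table (username -> PBKDF2 hash); a real module would query the password table.
    static final Map<String, byte[]> USERS = new HashMap<String, byte[]>();
    static { USERS.put("ferdo", pbkdf2("ferdo", "correct horse".toCharArray())); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;        // set by login(), consumed by commit()
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: verify the credential. The Subject is deliberately not touched here. */
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e);
        }
        String name = nc.getName() == null ? "" : nc.getName();
        char[] pw = pc.getPassword();
        pc.clearPassword();
        boolean empty = pw == null || pw.length == 0;
        if (empty) pw = new char[] { ' ' };           // keep the hashing path uniform; rejected below anyway
        byte[] expected = USERS.get(name);
        byte[] actual = pbkdf2(name, pw);             // hash even for unknown users: uniform response time
        Arrays.fill(pw, '\0');
        succeeded = !empty && expected != null && MessageDigest.isEqual(expected, actual);
        if (!succeeded) throw new LoginException("invalid user or password");   // one message for both cases
        user = name;
        return true;
    }

    /** Phase 2: the LoginContext calls this only after every REQUIRED module passed. */
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        return true;
    }

    public boolean abort() { succeeded = false; user = null; return true; }

    public boolean logout() {
        subject.getPrincipals().removeAll(subject.getPrincipals(UserPrincipal.class));
        return true;
    }

    /** PBKDF2-HMAC-SHA256; the username-derived salt keeps equal passwords from producing equal hashes. */
    static byte[] pbkdf2(String username, char[] password) {
        try {
            byte[] salt = ("salt:" + username).getBytes(StandardCharsets.UTF_8);   // never empty
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Stand-alone run; the inline Configuration equals the file entry "app { HashedPasswordLoginModule required; };". */
    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(HashedPasswordLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        });
        final String name = args.length > 0 ? args[0] : "ferdo";
        final char[] pass = (args.length > 1 ? args[1] : "correct horse").toCharArray();
        LoginContext lc = new LoginContext("app", new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login();                                   // throws LoginException on a wrong password
        System.out.println("principals: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

The string passed to the LoginContext constructor ("app" here) is what selects the entry from the file named by -Djava.security.auth.login.config, which answers the "how do I specify the mylogin entry" part of the question for code you write yourself. Under form-based login the situation is different: j_security_check is driven by the container, so the container's own realm configuration decides which JAAS entry (if any) is consulted, and that mapping is server-specific rather than something the web application sets.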

  • JAAS and JSF

    hey all,
    i managed to create a JAAS loginModule, the JAAS config file , Handler. everything works perfectly .
    my problem is how do i update the http session with the JAAS subject ??
    i have seen in the forum examples of loading the subject into the session by using the following line :
    Subject.doAs(lc.getSubject(), new WorkingClass(request, resp));
    what is WorkingClass ?
    any ideas ?
    i am using JSF but i don't mind getting an answer in jsp ,servlets ....
    Thank you

    As far as I know, the consensus seems is don't use JSF for your login forms as the login form controls can't be set to j_username and j_password as required by the servlet container for form-based logins. It's better (and pretty easy) to create your own login form and let the container take care of checking security roles, displaying your login JSP etc.
    If this doesn't give you enough flexibility then you may want to consider using servlet filters, or the discussion at http://forum.java.sun.com/thread.jsp?forum=427&thread=502322 may be of some help.
    Regards,
    Keith.

  • JAAS and Java client authentication

    I'm trying to use JAAS authentication from a Java Swing client against a
    WLS 6.1 SP1 server. Using the samples I've successfully managed to
    authenticate a client, however a couple of issues have arisen:
    - How can I remove the principal association with the current thread when
    the user wishes to log out ? The LoginContext.logout implementation in
    the samples doesn't appear to be sufficient.
    - I'm assuming that the current server authentication called via
    weblogic.security.auth.Authenticate.authenticate does not store roles and
    group information as Principals within the returned Subject ? Is there
    anyway I can access this information so I can modify the UI for the
    current user ?
    - Should I be able to establish a secure connection by using
    t3s://host:secure_port when authenticating through JAAS ? When I tried
    this I received, 'java.rmi.ConnectException - unable to get direct or
    routed connection to '904601561764...:<ip address>'
    Thanks
    Darren

    Yes, Sun provides a Windows LoginModule implementation called com.sun.security.auth.module.NTLoginModule which should do Windows logins (I have not tried it on XP).
    However, in order to understand how this all works you have to read the JAAS reference guide and tutorial.
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/index.html
