JAAS, Tomcat and own Policy-implementation

Hello,
I want to use my own Policy-implementation in a Tomcat web-application.
In a plain Java application I got it to work by adding
policy.provider=MyPolicy
to java.security and starting the application with
the option -Xbootclasspath/a:<path-to-my-policy-class>.
Starting Tomcat with that option doesn't work.
How can I make this work for my web application?
Thanks,
Steffen

I have a question on custom permission class. If you can give some pointers that would be helpful.
I have a custom Permission class (MyPermission) and a custom PermissionCollection class (MyPermissionCollection) that has all the required methods implemented (e.g. add, elements, implies). However, I am not sure how MyPermissionCollection's member variable (the "permissions" vector/hashtable) gets filled. I see that my PermissionCollection.add() method, which adds elements to "permissions", is not being called at all.
Is it the Policy class that fills it? I am using the default Sun format to define my policy file. Do I need to set up a custom policy class/object to add my custom PermissionCollection and custom Permission objects even though the policy format is the default?
Please advise!
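
How a custom PermissionCollection gets populated, as an added example that is not code from either post: a java.security.Permissions object (the heterogeneous container for granted permissions) asks each permission class for its own collection through Permission.newPermissionCollection() and then calls add() on it, so a Permission that does not override that method never reaches its custom collection. The bodies of MyPermission and MyPermissionCollection and the permission names are assumptions made for the demonstration.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

public class CustomCollectionDemo {

    /** Assumed shape of the poster's permission: a name, no actions, "*" as wildcard. */
    static final class MyPermission extends Permission {
        MyPermission(String name) { super(name); }
        @Override public boolean implies(Permission p) {
            return p instanceof MyPermission
                && (getName().equals("*") || getName().equals(p.getName()));
        }
        @Override public String getActions() { return ""; }
        @Override public boolean equals(Object o) {
            return o instanceof MyPermission && ((MyPermission) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }

        // The hook: without this override the inherited method returns null and
        // Permissions stores MyPermission in its own generic collection instead.
        @Override public PermissionCollection newPermissionCollection() {
            return new MyPermissionCollection();
        }
    }

    /** Assumed shape of the poster's homogeneous collection. */
    static final class MyPermissionCollection extends PermissionCollection {
        private final List<Permission> permissions = new ArrayList<>();

        @Override public synchronized void add(Permission p) {
            if (isReadOnly()) throw new SecurityException("collection is read-only");
            if (!(p instanceof MyPermission)) throw new IllegalArgumentException("wrong type: " + p);
            System.out.println("MyPermissionCollection.add(" + p.getName() + ")");
            permissions.add(p);
        }
        @Override public synchronized boolean implies(Permission p) {
            for (Permission granted : permissions) {
                if (granted.implies(p)) return true;
            }
            return false;
        }
        @Override public synchronized Enumeration<Permission> elements() {
            return Collections.enumeration(new ArrayList<>(permissions));
        }
    }

    public static void main(String[] args) {
        // Constructed permission names, for illustration only.
        Permissions granted = new Permissions();
        granted.add(new MyPermission("reports.view"));   // creates MyPermissionCollection, then add()
        granted.add(new MyPermission("reports.print"));  // reuses the same collection, add() again

        System.out.println("view implied:   " + granted.implies(new MyPermission("reports.view")));
        System.out.println("delete implied: " + granted.implies(new MyPermission("reports.delete")));
    }
}
```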

Similar Messages

  • Implementing own Policy - Problems occur.

    I am implementing my own Policy class (via the -Xbootclasspath and
    java.security file). (Using jdk 1.4)
    I have two problems:
    1. My Policy class is not instantiated unless I call Policy.getPolicy()
    a. I have run the app as such:
    java -Djava.security.manager -Xbootclasspath:d:\JavaProjects;d:\jdk1.4\jre\lib\rt.jar -Djava.security.policy=d:\javaprojects\com\zeno\security\policy\policyfile.policy MyApp
    b. I have set (in java.security):
    policy.provider=com.MyTest.SecurityPolicy
    c. I have in the constructor: System.out.println("Policy Instanitated");
    d. When I run the app, I do not get "Policy Instantiated" until AFTER I
    call Policy.getPolicy() (and I never get it if I don't call getPolicy())
    2. For some reason, when I do the following, it never calls getPermissions()
    or implies() on my Policy file:
        FileInputStream fis = new FileInputStream("d:\\testfile.txt");
        int ch;
        while ( (ch = fis.read()) != -1 ) {
            System.out.println(ch);
        }
    a. Inside my Policy class' methods I have a System.out.println() for
    each one, and they're never called.
    Thank you

    I am experiencing almost exactly the same problem. The documentation seems a little spotty on this, so we're probably missing something. I am using the following syntax:
    java -Djava.security.manager -Dpolicy.provider=security.MyPolicy -Xbootclasspath/a:c:\jdk1.3.0_02\jre\classes -Djava.security.policy=java.policy security.Test
    The -Xbootclasspath/a: option appends (at the beginning) instead of replacing, so you don't have to specify rt.jar. I put my custom Policy class (security.MyPolicy) in c:\jdk1.3.0_02\jre\classes, thinking that this path was searched by default (b/c that's what the documentation claims.) But, my Test class was not able to instantiate it directly until I specifically added the -Xbootclasspath option, but even then my Policy class is not used. In fact, it seems to still be using the default Policy implementation and still respects entries in the java.policy file even though my custom security.MyPolicy class does not do this.
    In general, the behavior I'm seeing (we're seeing?) is consistent with the -Dpolicy.provider being ignored completely. I get the same behavior if I set this to "asdf". So this must be wrong somehow, even though it is consistent with all the documentation I can find...

  • I am unable to access iCloud because my iPhone states that my Apple ID and\or password is incorrect.  Based on Apple's own policy my current ID and P/W should be fine to access iCloud.  Any suggestions?

    I am unable to access iCloud because my iPhone states that my Apple ID and\or password is incorrect.  Based on Apple's own policy my current ID and P/W should be fine to access iCloud.  Any suggestions?

    You will have to contact Apple Care and ask for account security for help. Apple ID: Contacting Apple for help with Apple ID account security

  • Question about blazeds turnkey, tomcat and directory structure

    hi. this question is pretty basic...been reading sujit reddy g's blog on installing/setting up blazeds.
    in one article he creates a samplewebapps directory in C:\Program Files\Apache Software Foundation\Tomcat 6.0\webapps\samplewebapps and copies the blazeds WEB-INF/lib into that directory and the configuration files in the flex folder across as well...http://sujitreddyg.wordpress.com/2009/04/07/setting-up-blazeds/
    in another article on invoking java methods from flex he configures the remote-config.xml file directly in the blazeds\WEB-INF\flex folder....http://sujitreddyg.wordpress.com/2008/01/14/invoking-java-methods-from-adobe-flex/
    wasn't sure why in the first example he copied the files and folders to the samplewebapps directory while in the second example he just configured the files within the blazeds directory...thanx...(i'm a newbie at server side development)

    I'll take a stab at it. The key thing to realize is the BlazeDS code is ADDED on
    to the appserver. E.g. for Tomcat/WebLogic/et al one adds the reference in the web.xml file in WEB-INF.
    So, what is that add-on?
    1. Executable files. These are jar files and typically stuck into WEB-INF/lib
    2. Configuration files. flex/services-config.xml is specified in web.xml. It refers to the other config files in WEB-INF/flex
    So, the config in web.xml tells Tomcat (and its forked commercial products) to load up the Flex jars and run some classes. By standard, the "run some classes" follows the servlet lifecycle and runs specific methods in the class when the servlet is loaded, called, destroyed. So, Flex jars have a class which implements the servlet interface.
    Incidentally, you may also see references to log4j, Spring, and other frameworks in the web.xml as well. They do the same sort of stuff. So, Tomcat does the passing of the HTTP packets and stages them into Java classes and the hooked in frameworks do add their own behaviours to the setup.
    HTH,
    TimJowers
    P.S. Also note in Flex when you set up the project properties for a Flex Project then you need to match up your URL and "context" to what you have on your server. In his example, the "samples" context may have already been set up so easier to use. What is a "context"? The idea is to have more than one webapp running on an appserver. In Tomcat, it's basically just the subdirectory under "webapps". That directory name becomes part of the URL. E.g. webapps/samples -> http://localhost:8080/samples  or webapps/mytest -> http://localhost:8080/mytest

  • How to build my own policy?

    i need build my own policy to interact with database.
    just tell me where can i get a better reference of this.
    thanks a lot

    http://www-106.ibm.com/developerworks/library/j-jaas/?n-j-442
    This example from IBM is very good however it does more than you may need. Concentrate on the XMLPolicy.java code and corresponding .xml files.
    hope this helps!

  • JAAS + Tomcat 4.0.2

    Hi,
    I am searching for any example of using JAAS in the web environment. Everyone speaks about JAAS but nobody
    implements any example for JAAS in a web application.
    Can somebody explain to me how I can realize JAAS + Tomcat? I want to write a JAAS module for authentication
    and authorization. Please help me !!!!
    Erdal

    Authentication:
    Implement a custom LoginModule, CallbackHandler and UserPrincipal. Use the Sample application in http://java.sun.com/security/jaas/doc/api.html#Sample as a base. Execute them as an application to test them. Eventually you will call them from the service method of your servlet.
    Authorization:
    Package all your privileged actions into a jar file and put them on the Catalina classpath. Assign that jar permissions for your custom principal.
    Package all the classes which call the actions into a second jar file, and also put them on the classpath. Grant this jar the same permissions, excluding the Principal modifier.
    Place your servlet which calls the above classes under one of application root directories.
    That's all there is to it. I was able to make this work by piecing together all the excellent posts by in this forum.

  • JAAS + Tomcat 4

    Hi,
    Can someone help me ??? I want to realize JAAS + Tomcat 4.0.2. I want to implement a JAAS module for authentication and authorization in the web environment !!!!
    If anyone has code or an example on this topic, then please
    let me take part in this experience.
    Erdkal

    I'm interested in this as well. I'm new to JAAS, but I noticed a couple of classes in the catalina source.
    @see
    org.apache.catalina.realm.JAASMemoryLoginModule
    org.apache.catalina.realm.JAASRealm
    If there is more interest in this, maybe we should collaborate under the apache tomcat project by improving/extending these classes.
    Kevin Ross

  • Load Balancing, Tomcat, and SharePoint

    I'm a new BusinessObjects customer and am working on getting all of the hardware in place for a new install.  The initial plan is to have two BOE servers, and two tomcat virtual servers, with a hardware based load balancer (F5 BIG-IP Switch: Local Traffic Manager 1600 4GB, possibly) in front of the tomcat servers to handle the load balancing.
    But, I'm starting to think that it would be a good idea for us to integrate directly in to our SharePoint portal using the SAP SharePoint Integration option.
    So, here's my question.  If we do that, then our users will get to their BusinessObjects information via SharePoint.  So, SharePoint and IIS will be the web server.  Will we still have a need for the Tomcat servers?  Will SharePoint point to the load balancer, then to Tomcat, and finally to the BOE server, or will it go right to the BOE server, thus negating the need for the tomcat servers altogether, and also even negating the need for the load balancer?  If so, can the BOE app servers themselves still be load balanced?
    Hopefully this all makes sense - like I said, we're a new customer, so I don't fully understand all of what the servers are doing.  I've spent several days searching the forums & the web & reading documentation and haven't come up with an answer yet, so I'm reaching out to you all & hoping somebody can clear it up for me.  Thanks!!

    Thank you for your input, Denis, this does help explain things.  Also, thanks for pointing me to that Windows Patterns document.  I hadn't seen that one - since we're starting out on 4.0, I've only been looking at documents under the 4.0 folders...
    It sounds like we may want to utilize this same load balancer to balance the SharePoint traffic as well, while we're at it.  Right now our SharePoint server is clustered using Microsoft Clustering, but not load balanced in any way.  Or maybe we just post a link from within SharePoint to the regular old BI LaunchPad and call it a day!
    So, if I understand correctly, if we utilize SharePoint, any traffic/processing that the Tomcat server would have handled would now be handled by the SharePoint server, which could potentially be significant.  The actual processing of the reports, though, will still get handled by the BOE Cluster, which takes care of its own load balancing, so we'll be fine.  Really the only thing the hardware load balancer does is allow the presentation layer to be load balanced - the layers beyond that get load balanced automatically via CMS.  Is that all somewhat valid?  In the patterns doc, there's Application Servers separate from the BOE Servers.  We were just going to have two BOE servers and two Web servers.  Where do the application servers fall in, and are they load balanced using the hardware piece?
    If we were just concerned about High Availability, it seems like maybe we could more easily use Windows Clustering on those Tomcat servers, and avoid the hardware component altogether.  Do the Web servers really get hammered that hard that we need them load balanced?  It seems like the BOE servers are the ones doing the heavy resource intensive tasks and we get them load balanced without the hardware anyway, so maybe load balancing the web servers is overkill.....  I'm sure a lot of this is tough to answer, I'm just trying to get a feel for it.  I want us to have our best performance & be somewhat future-proofed, but don't want to buy things that I don't need to!  We're probably looking at a small, 10-20 concurrent user setup for starters, and out to say 200 concurrent max once it's fully rolled out...
    Thanks again!!

  • Installing Log4J in Tomcat and using JDBC to log errors

    Has anyone figured out how to install Log4J in Tomcat and use the Log4J JDBC functionality?
    I have log4j.jar in CATALINA_HOME/common/lib.
    I also have log4j.properties is in CATALINA_HOME/common/classes
    Then when I start Tomcat I get the following error:
    [main] DEBUG org.apache.commons.digester.Digester - addRuleSet() with no namespace URI
    is it something to do w/ the log4j.properties file? do i have to use a xml format or is it ok to use .properties format?
    -Karthik

    I would say you have something wrong in your log4j properties file.
    properties format is fine, but I suspect something in there is not quite right.
    Try starting with a simple example one, see if it works, and then try adding your own config based on that one.
    Good luck,
    evnafets

  • How to use JMS with tomcat and Axis

    Hello
    I'm new in ii, so i'm still a little bit lost. I have been implementing web services with tomcat and Axis. However, these services are synchronous and I would like that some services were asynchronous.
    I've been reading about the topic and I've found that JMS is a good solution for it. I have already downloaded JMS in my computer but now I don't know what else to do. I've been trying to run the SimpleQueueSender.java example but I get the error:
    JNDI API lookup failed: javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
    But I have attached all .jar from F:\Sun\MessageQueue\lib
    In addition to this, for my first webservices I used the Java2WSDL, WSDL2Java and AdminClient (axis tool) to create my web services bindings, stubs and skeletons and to deploy the web service on the server. Do I have to use them now with JMS? or now the deployment must be performed in a different way?
    Thank you in advanced,

    The error means that you have to specify the type and location of your jndi store. You could create a jndi.properties file and put two properties in it:
    java.naming.provider.url=file\\\:////var/jndi
    java.naming.factory.initial=com.sun.jndi.fscontext.RefFSContextFactory
    for a file based jndi store. Then you have to make sure your jndi.properties file is in your CLASSPATH. Then you have to use something like imqadmin to create your jndi store and store in it your administrative objects like Queues and QueueConnectionFactories.

  • Is it possible to bypass JAAS authentication and use Authorisation alone?

    I have to implement jsp level security (by checking roles) for my JSF application.
    Authentications in my appln are done by a different servers. I don't want to disturb that.
    I have to implement authorisation alone using JAAS.
    Is it possible to bypass JAAS authentication and use Authorisation alone?
    I am using custom login module( implements DatabaseLoginModule) for authorisation.
    Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
    Any help would be great.
    Thanks,
    Adhil.J


  • JAAS Authorization and Credentials

    Hi,
    I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
    My question is: What is the role of a Subject's "credentials" in the authorization scenario?
    From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
    A ProtectionDomain also has an array of Principals rather than credentials.
    I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an idenity, it is a "credential"!
    Any tips gratefully received.

    > When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
    The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
    > A ProtectionDomain also has an array of Principals rather than credentials.
    Again it doesn't need them. Only the JAAS login module needs them.
    > I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.
    You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
    So you write a JAAS LoginModule that inspects the credentials, Principal, name etc. and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appropriate Principal in the Subject. If there, OK, if not, bang you're dead.
    From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.
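
The design described in this answer, as an added example that is not code from the thread: a Policy whose implies() looks only at the role principals carried by the ProtectionDomain and denies by default. The RolePrincipal and RolePolicy classes, the role names and the file paths are assumptions made for the demonstration; the code calls implies() directly, so no Security Manager is installed.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Map;

public class RolePolicyDemo {

    /** Hypothetical role principal; a LoginModule's commit() would add these to the Subject. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Policy that looks only at role principals: role name -> permissions of that role. */
    static final class RolePolicy extends Policy {
        private final Map<String, PermissionCollection> grants;
        RolePolicy(Map<String, PermissionCollection> grants) { this.grants = grants; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission requested) {
            for (Principal p : domain.getPrincipals()) {
                if (!(p instanceof RolePrincipal)) continue;   // identity principals are ignored
                PermissionCollection granted = grants.get(p.getName());
                if (granted != null && granted.implies(requested)) return true;
            }
            return false;                                       // no matching role: deny
        }
    }

    /** Builds the kind of domain a policy sees for code running as the given principals. */
    static ProtectionDomain domainOf(Principal... principals) {
        return new ProtectionDomain(null, null, null, principals);
    }

    static Permissions permissions(Permission... perms) {
        Permissions pc = new Permissions();
        for (Permission p : perms) pc.add(p);
        return pc;
    }

    public static void main(String[] args) {
        // Constructed sample grants and paths, for illustration only.
        RolePolicy policy = new RolePolicy(Map.of(
            "admin",  permissions(new FilePermission("/var/app/-", "read,write")),
            "reader", permissions(new FilePermission("/var/app/reports/-", "read"))));

        Principal user = () -> "alice";   // plain identity principal, carries no role
        Permission read  = new FilePermission("/var/app/reports/q1.txt", "read");
        Permission write = new FilePermission("/var/app/reports/q1.txt", "write");

        ProtectionDomain reader = domainOf(user, new RolePrincipal("reader"));
        ProtectionDomain admin  = domainOf(user, new RolePrincipal("admin"));
        ProtectionDomain noRole = domainOf(user);

        System.out.println("reader read:  " + policy.implies(reader, read));
        System.out.println("reader write: " + policy.implies(reader, write));
        System.out.println("admin write:  " + policy.implies(admin, write));
        System.out.println("no role read: " + policy.implies(noRole, read));
    }
}
```

A policy like this that is actually installed with Policy.setPolicy() also has to grant the container and library code the permissions they need, because the default-deny branch applies to every ProtectionDomain, not only to application code.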

  • Tomcat and localhost

    Greetings,
    I'm sorry if this is the wrong forum.
    This one is a fairly easy one, I'm quite sure.
    I'm a newbie and I just set up Tomcat and Apache with a jk connector. I want to create a test-server before I'm going live on the "real" server.
    My question is : Can I show or view my test server from a distant computer ?
    Is something like : http:\\my_local_address\examples\index.html possible ?
    Or do I have do own a www address ? I'm quite confused ... thanks for your time. Everything works fine on my localhost ...

    You're likely to have a provider-assigned IP-address through DHCP and you're behind your provider's proxy.
    You can't reach your computer directly from outside unless you set up some kind of VPN, or you subscribed to a dynamic DNS service.
    I found this : http://www.technopagan.org/dynamic/
    seems interesting read.

  • JAAS-authentication and wls-authorization in a webapp

    Hi,
    I am developing a webapp with jsp, servlets and ejbs.
    My question:
    Is it possible to use JAAS-authentication together with wls-authorization in a
    webapp?
    thanks
    /Chriz

    Hi, Office 365 tenants indeed include an Azure AD tenant in the background and you can implement Single Sign-On against that. The authentication scenario for this case is documented here. For the code samples (with steps to create them) see the samples' Github repository, especially the WebApp-WSFederation-DotNet sample.
    For the SQL database it's a bit different. Azure SQL Database connection can't be authenticated like this - there's no integration to the "domain" accounts there. So you should create one service account for the SQL connection and use that for all the traffic in your web app. If you need authorization for accessing certain data in SQL, you have to implement that on your web application side.

  • Upgrade the default Tomcat and Apache

    Hi
    Is there a working and correct way to upgrade and run a Tomcat and Apache server of your pick instead of the pre installed versions in OSX 10.4.8 server.
    Meaning that I want to start and admin them through the Server Admin interface, and make JBoss notice the new Tomcat as well.
    Mikael

    If you're asking here, the answer is probably no.
    It is possible to build and install later versions of all the Mac OS X Server-bundled apps, including Apache, Tomcat, postfix, bind, etc., etc., but in most cases once you do you lose the ability to drive them via Server Admin.
    Server Admin knows what it knows - more importantly it doesn't know any of the features of later versions of the apps (it may work with point releases, e.g. Apache 1.3.20 -> 1.3.30, but it won't work with major versions like 1.3 -> 2.0).
    So if you go that way you're on your own as far as configuring and maintaining the service is concerned.
    Leopard (10.5) will include later versions of these apps if you're prepared to wait.
