RE: Re: jetty servlet security model: are there any extensions? (msg#00102, java.jetty.support)
> I found out that with jetty request.getUserPrincipal() returns
> the principal ONLY for areas secured with <auth-constraint>.
> Is that the supposed and correct behaviour?

So it does. That does seem a bit odd. The servlet spec says that authentication information is meant to be held at the container rather than the webapp level, but isn't quite clear on whether it should be available to non secured webapps ... that's one for Greg and Co. I think.

Still, as a workaround, you could add something like this to the web.xml:

    <web-app>
      ...
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Everything</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <description>Everybody</description>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      ...
    </web-app>

This just says "everybody accesses everything" and appears to resolve the problem.

Cheers,
Eoin.

-----Original Message-----
From: Alexey Yudichev [mailto:alexey@xxxxxxxxxxxxx]
Sent: 09 December 2002 10:38
To: jetty-support@xxxxxxxxxxxxxxx
Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?

Jboss 3.0.4 is actually bundled with jetty 4.1.3.

In the meantime I faced a more serious problem. How can I have some area at the site (preferably the whole site) having request.getUserPrincipal() returning either null or the principal of the logged-in user WITHOUT securing this area? I mean I want to change the behaviour of the site depending on if any user is logged in or not (for ex. show his/her name). I found out that with jetty request.getUserPrincipal() returns the principal ONLY for areas secured with <auth-constraint>. Is that the supposed and correct behaviour?
Here is my web.xml cutting:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire Site</web-resource-name>
        <url-pattern>/</url-pattern>
      </web-resource-collection>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure Page</web-resource-name>
        <url-pattern>/users/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>customer</role-name>
        <role-name>operator</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/main/login.html</form-login-page>
        <form-error-page>/main/login.html?badLogin=true</form-error-page>
      </form-login-config>
    </login-config>

After user is logged in, request.getUserPrincipal() returns null everywhere except inside /users/*.

-----Original Message-----
From: Greg Wilkins [mailto:gregw@xxxxxxxxxxx]
Sent: Sunday, December 08, 2002 19:29
To: jetty-support@xxxxxxxxxxxxxxx; Alexey Yudichev
Subject: Re: [jetty-support] Re: jetty servlet security model: are there any extensions?

Sounds about right for Jetty 3.0... Give it a go!

ayudichev wrote:
> After looking at FormAuthenticator.java, I realized that
> 1) to forward to default page I need to set "org.mortbay.jetty.URI"
>    session attribute before post to j_security_check
> 2) to logout I have to remove "org.mortbay.jetty.Auth" session
>    attribute.
> Will above be 100% working and is this a correct way?
>
> --- In jetty-support@xxxxxxxxxxxxxxx, "ayudichev <alexey@xxxx>"
> <alexey@xxxx> wrote:
>> I use jboss 3.0.4 with jetty.
>> Using form-based auth is it possible to:
>> 1) specify "default" page, i.e. the page where jetty forwards after
>> direct post to /j_security_check (no previous request to restricted
>> area has been made). Or instead is it possible to programmatically
>> login the user? I need this to place login form on the homepage.
>> 2) programmatically logout the user without destroying entire session

--
Greg Wilkins<gregw@xxxxxxxxxxx> Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK. http://www.mortbay.com

For the latest information about Jetty, please see http://jetty.mortbay.org