
FW: Re: jetty servlet security model: are there any extensions?: msg#00113

java.jetty.support

Subject: FW: Re: jetty servlet security model: are there any extensions?

  Well the filter does not save me because in any case current logged in principal is propagated to EJB calls ONLY if the request belongs to protected area. Can you advise how can I manage to keep principal propagation to EJBs? I suppose I will use <role-name>*</role-name> constraint for entire site but in this case I need to configure authentication the way that any new user is being automatically logged in. I have no idea how to do it. Can you help?

-----Original Message-----
From: Alexey Yudichev
Sent: Monday, December 09, 2002 17:45
To: jetty-support@xxxxxxxxxxxxxxx
Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?


  I tried this, but it doesn't work for me because in this case each request redirects to a login page. <role-name>*</role-name> does not mean "everybody", it means "any AUTHENTICATED user".

  So for now I implemented a filter that wraps a request and overrides getUserPrincipal() returning

(Principal)((HttpServletRequest)getRequest()).getSession().getAttribute("org.mortbay.jetty.Auth");

  I am migrating now from Resin where getUserPrincipal() is always available. I also remember that Tomcat does it the same way. And from my point of view it makes more sense. I am voting for adding an option to jetty config saying whether to expose principal to non-secure areas or not.

  I need principal propagation to EJBs, otherwise I could use securityfilter or other similar projects...

-----Original Message-----
From: Eoin Woods [mailto:eoin@xxxxxxxxxxxx]
Sent: Monday, December 09, 2002 17:26
To: jetty-support@xxxxxxxxxxxxxxx
Cc: Alexey Yudichev
Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?


> I found out that with jetty request.getUserPrincipal() returns
> the principal ONLY for areas secured with <auth-constraint>.
> Is that the supposed and correct behaviour?
So it does.  That does seem a bit odd.

The servlet spec says that authentication information is meant to be
held at the container rather than the webapp level, but isn't quite
clear on whether it should be available to non secured webapps ...
that's one for Greg and Co. I think.

Still, as a workaround, you could add something like this to the
web.xml:

  <web-app>
    ...
    <security-constraint>
       <web-resource-collection>
         <web-resource-name>Everything</web-resource-name>
         <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
         <description>Everybody</description>
         <role-name>*</role-name>
       </auth-constraint>
    </security-constraint>
   ...
  </web-app>

This just says "everybody accesses everything" and appears to resolve
the problem.

Cheers,

Eoin.
-----Original Message-----
From: Alexey Yudichev [mailto:alexey@xxxxxxxxxxxxx]
Sent: 09 December 2002 10:38
To: jetty-support@xxxxxxxxxxxxxxx
Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?


Jboss 3.0.4 is actually bundled with jetty 4.1.3.
In the meantime I faced a more serious problem. How can I have some area
at the site (preferably the whole site) having
request.getUserPrincipal() returning either null or the principal of the
logged-in user WITHOUT securing this area? I mean I want to change the
behaviour of the site depending on if any user is logged in or not (for
ex. show his/her name). I found out that with jetty
request.getUserPrincipal() returns the principal ONLY for areas secured
with <auth-constraint>. Is that the supposed and correct behaviour?
Here is my web.xml cutting:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Site</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Page</web-resource-name>
      <url-pattern>/users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>operator</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/main/login.html</form-login-page>
      <form-error-page>/main/login.html?badLogin=true</form-error-page>
    </form-login-config>
  </login-config>
after user is logged in, request.getUserPrincipal() returns null
everywhere except inside /users/*.
-----Original Message-----
From: Greg Wilkins [mailto:gregw@xxxxxxxxxxx]
Sent: Sunday, December 08, 2002 19:29
To: jetty-support@xxxxxxxxxxxxxxx; Alexey Yudichev
Subject: Re: [jetty-support] Re: jetty servlet security model: are there any extensions?



Sounds about right for Jetty 3.0...
Give it a go!


ayudichev wrote:
> After looking at FormAuthenticator.java, I realized that
>
> 1) to forward to default page I need to set "org.mortbay.jetty.URI"
> session attribute before post to j_security_check
>
> 2) to logout I have to remove "org.mortbay.jetty.Auth" session
> attribute.
>
> Will above be 100% working and is this a correct way?
>
> --- In jetty-support@xxxxxxxxxxxxxxx, "ayudichev <alexey@xxxx>"
> <alexey@xxxx> wrote:
>
>> I use jboss 3.0.4 with jetty.
>>
>> Using form-based auth is it possible to:
>>
>>   1) specify "default" page, i.e. the page where jetty forwards after
>> direct post to /j_security_check (no previous request to restricted
>> area has been made). Or instead is it possible to programmatically
>> login the user? I need this to place login form on the homepage.
>>
>>   2) programmatically logout the user without destroying entire
>> session


--
Greg Wilkins<gregw@xxxxxxxxxxx>             Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK.          http://www.mortbay.com
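The two tricks confirmed in the exchange above (pre-setting "org.mortbay.jetty.URI" so a login started from the home page lands somewhere sensible, and removing "org.mortbay.jetty.Auth" to log out without invalidating the session), combined into one servlet as an added example. This is not code from the thread or from Jetty. Both attribute names are Jetty 4.x internals taken from FormAuthenticator as the thread describes; the exact form of the stored URI value (with or without the context path) is an assumption to verify against the FormAuthenticator.java of the Jetty version in use, and the landing page /users/home is a hypothetical path.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Home-page login form plus a logout action, built on the two Jetty 4.x
 * session attributes named in the thread (Jetty internals, not spec API).
 *
 *   GET  /home              -> renders a form that posts to j_security_check
 *   GET  /home?action=logout -> drops Jetty's principal, keeps the session
 */
public class HomeLoginServlet extends HttpServlet {

    // Where FormAuthenticator redirects after a successful j_security_check.
    static final String JETTY_URI_ATTR = "org.mortbay.jetty.URI";
    // Where FormAuthenticator keeps the authenticated principal.
    static final String JETTY_AUTH_ATTR = "org.mortbay.jetty.Auth";

    // Hypothetical landing page for a login started from the home page, where
    // no protected resource was requested first and Jetty has nothing to
    // return the user to.
    static final String DEFAULT_PAGE = "/users/home";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            logout(req);
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        renderLoginForm(req, resp);
    }

    /** Point FormAuthenticator at DEFAULT_PAGE, then emit the j_security_check form. */
    void renderLoginForm(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        HttpSession session = req.getSession(true);
        if (session.getAttribute(JETTY_URI_ATTR) == null) {
            // Only supply a default: if Jetty already recorded the protected
            // page that triggered the login, leave that target alone.
            session.setAttribute(JETTY_URI_ATTR, req.getContextPath() + DEFAULT_PAGE);
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<form method='post' action='" + req.getContextPath() + "/j_security_check'>");
        out.println("  <input type='text' name='j_username'>");
        out.println("  <input type='password' name='j_password'>");
        out.println("  <input type='submit' value='Login'>");
        out.println("</form>");
    }

    /** Log out without destroying the session: remove only Jetty's own attributes. */
    static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.removeAttribute(JETTY_AUTH_ATTR);
            session.removeAttribute(JETTY_URI_ATTR);
        }
    }
}
```

Because logout here keeps the session id and every other attribute, anything else stored in the session (a cart, cached per-user data) survives into the next login under the same id; where that is not wanted, or where session fixation across logins is a concern, call session.invalidate() instead and accept losing the rest of the session state.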

For the latest information about Jetty, please see
http://jetty.mortbay.org



Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.