Re: FW: Re: jetty servlet security model: are there any extensions?
Alexey Yudichev wrote:
> Well the filter does not save me because in any case current logged in
> principal is propagated to EJB calls ONLY if the request belongs to
> protected area. Can you advise how can I manage to keep principal
> propagation to EJBs?

You might try setting the "unauthenticatedIdentity" in your jboss auth.conf
file to a valid user principal name. This sets the identity that EJB calls
run as when there is no principal and credential set.

Either that or you might want to consider the security settings on your EJBs
and evaluate which ones really need security protection and which ones can be
accessed by anyone.

Jan

> I suppose I will use <role-name>*</role-name>
> constraint for entire site but in this case I need to configure
> authentication the way that any new user is being automatically logged
> in. I have no idea how to do it. Can you help?
>
> -----Original Message-----
> From: Alexey Yudichev
> Sent: Monday, December 09, 2002 17:45
> To: jetty-support@xxxxxxxxxxxxxxx
> Subject: RE: [jetty-support] Re: jetty servlet security model: are there
> any extensions?
>
> I tried this, but it doesn't work for me because in this case each
> request redirects to a login page. <role-name>*</role-name> does not
> mean "everybody", it means "any AUTHENTICATED user".
>
> So for now I implemented a filter that wraps a request and overrides
> getUserPrincipal() returning
>
>   (Principal)((HttpServletRequest)getRequest()).getSession().getAttribute("org.mortbay.jetty.Auth");
>
> I am migrating now from Resin where getUserPrincipal() is always
> available. I also remember that Tomcat does the same way. And from my
> point of view it makes more sense. I am voting for adding an option to
> jetty config saying whether to expose principal to non-secure areas or not.
>
> I need principal propagation to EJBs otherwise I could use
> securityfilter or another similar projects...
>
> -----Original Message-----
> From: Eoin Woods [mailto:eoin@xxxxxxxxxxxx]
> Sent: Monday, December 09, 2002 17:26
> To: jetty-support@xxxxxxxxxxxxxxx
> Cc: Alexey Yudichev
> Subject: RE: [jetty-support] Re: jetty servlet security model: are there
> any extensions?
>
> > I found out that with jetty request.getUserPrincipal() returns
> > the principal ONLY for areas secured with <auth-constraint>.
> > Is that the supposed and correct behaviour?
>
> So it does. That does seem a bit odd.
>
> The servlet spec says that authentication information is meant to be
> held at the container rather than the webapp level, but isn't quite
> clear on whether it should be available to non secured webapps ...
> that's one for Greg and Co. I think.
>
> Still, as a workaround, you could add something like this to the
> web.xml:
>
>   <web-app>
>     ...
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Everything</web-resource-name>
>         <url-pattern>/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <description>Everybody</description>
>         <role-name>*</role-name>
>       </auth-constraint>
>     </security-constraint>
>     ...
>   </web-app>
>
> This just says "everybody accesses everything" and appears to resolve
> the problem.
>
> Cheers,
>
> Eoin.
>
> -----Original Message-----
> From: Alexey Yudichev [mailto:alexey@xxxxxxxxxxxxx]
> Sent: 09 December 2002 10:38
> To: jetty-support@xxxxxxxxxxxxxxx
> Subject: RE: [jetty-support] Re: jetty servlet security model: are there
> any extensions?
>
> Jboss 3.0.4 is actually bundled with jetty 4.1.3.
> In the meantime I faced a more serious problem. How can I have some area
> at the site (preferably the whole site) having
> request.getUserPrincipal() returning either null or the principal of the
> logged-in user WITHOUT securing this area? I mean I want to change the
> behaviour of the site depending on if any user is logged in or not (for
> ex. show his/her name). I found out that with jetty
> request.getUserPrincipal() returns the principal ONLY for areas secured
> with <auth-constraint>. Is that the supposed and correct behaviour?
> Here is my web.xml cutting:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Entire Site</web-resource-name>
>       <url-pattern>/</url-pattern>
>     </web-resource-collection>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Secure Page</web-resource-name>
>       <url-pattern>/users/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>customer</role-name>
>       <role-name>operator</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/main/login.html</form-login-page>
>       <form-error-page>/main/login.html?badLogin=true</form-error-page>
>     </form-login-config>
>   </login-config>
>
> after user is logged in, request.getUserPrincipal() returns null
> everywhere except inside /users/*.
>
> -----Original Message-----
> From: Greg Wilkins [mailto:gregw@xxxxxxxxxxx]
> Sent: Sunday, December 08, 2002 19:29
> To: jetty-support@xxxxxxxxxxxxxxx; Alexey Yudichev
> Subject: Re: [jetty-support] Re: jetty servlet security model: are there
> any extensions?
>
> Sounds about right for Jetty 3.0...
> Give it a go!
>
> ayudichev wrote:
> > After looking at FormAuthenticator.java, I realized that
> >
> > 1) to forward to default page I need to set "org.mortbay.jetty.URI"
> > session attribute before post to j_security_check
> >
> > 2) to logout I have to remove "org.mortbay.jetty.Auth" session
> > attribute.
> >
> > Will above be 100% working and is this a correct way?
> >
> > --- In jetty-support@xxxxxxxxxxxxxxx, "ayudichev <alexey@xxxx>"
> > <alexey@xxxx> wrote:
> > > I use jboss 3.0.4 with jetty.
> > > Using form-based auth is it possible to:
> > > 1) specify "default" page, i.e. the page where jetty forwards after
> > > direct post to /j_security_check (no previous request to restricted
> > > area has been made). Or instead is it possible to programmatically
> > > login the user? I need this to place login form on the homepage.
> > > 2) programmatically logout the user without destroying entire
> > > session
>
> --
> Greg Wilkins <gregw@xxxxxxxxxxx>  Phone/fax: +44 7092063462
> Mort Bay Consulting  Australia and UK.  http://www.mortbay.com

For the latest information about Jetty, please see http://jetty.mortbay.org
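The request-wrapping filter Alexey describes in this thread, written out in full as an added example (not code from the thread, from Jetty or from JBoss). It assumes the Servlet 2.3 API that Jetty 4.x implements and the session attribute name "org.mortbay.jetty.Auth" quoted in the thread; the class name SessionPrincipalFilter, the wrapper class and the filter mapping in the comment are this example's own choices.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

/**
 * Makes request.getUserPrincipal() return the logged-in user on pages that
 * carry no <auth-constraint>, by reading the Principal that Jetty 4.x's
 * FormAuthenticator keeps in the session (attribute name taken from the thread).
 *
 * Register it for the whole webapp in web.xml (filter name is an assumption):
 *
 *   <filter>
 *     <filter-name>SessionPrincipal</filter-name>
 *     <filter-class>SessionPrincipalFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SessionPrincipal</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionPrincipalFilter implements Filter {

    /** Session attribute under which Jetty's FormAuthenticator stores the Principal. */
    static final String JETTY_AUTH_ATTRIBUTE = "org.mortbay.jetty.Auth";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Inside protected areas the container already resolved the principal;
            // only fill the gap on unprotected pages.
            if (httpReq.getUserPrincipal() == null) {
                req = new SessionPrincipalRequest(httpReq);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    /** Request wrapper that falls back to the Principal kept in the session. */
    static class SessionPrincipalRequest extends HttpServletRequestWrapper {

        SessionPrincipalRequest(HttpServletRequest request) {
            super(request);
        }

        public Principal getUserPrincipal() {
            Principal p = super.getUserPrincipal();
            if (p != null) {
                return p;
            }
            // getSession(false): do not create a session just to look for a login
            HttpSession session = getSession(false);
            if (session == null) {
                return null;
            }
            Object auth = session.getAttribute(JETTY_AUTH_ATTRIBUTE);
            // Guard the cast: anything else stored under that name is ignored
            return (auth instanceof Principal) ? (Principal) auth : null;
        }

        public String getRemoteUser() {
            Principal p = getUserPrincipal();
            return (p == null) ? null : p.getName();
        }
    }
}
```

Two points worth keeping in mind with this approach. First, the wrapper only changes what the webapp sees; it grants no access, since authorization is still decided solely by the container's <security-constraint> and <auth-constraint> elements, so it is safe for the "show his/her name" use case but is not a substitute for protecting a page. Second, as Alexey found, it does nothing for the EJB security context: that context is set by the container when the request passes through a protected area, which is why the thread turns to JBoss's unauthenticatedIdentity for calls made from unprotected pages. Using getSession(false) rather than getSession() also avoids creating a session for every anonymous hit on the site.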