Re: FW: Re: jetty servlet security model: are there any extensions? (msg#00115, java.jetty.support)
Jetty adopts the policy that authentication is only performed (and hence the security context) if the request passes a security constraint. I have been discussing this with the JSR to see if the spec will go this way or not. I think it should because authentication can be an expensive operation (potentially talking to a remote service) and you don't want to have to do this on every request (eg everything in /images/*).

Tomcat takes the approach of caching the results of authentication to try to reduce the hit of authenticating every request. But caching authentication is dangerous in environments where authentication can be revoked (eg. if I keep hitting the server every hour I can stay connected long after my credit has expired).

I think the compromise proposed is that the user name will be available if it is given in a credential, but not the principal.

Either way - this is only for the 2.4 spec and the current spec has this as undefined behaviour.

cheers

Alexey Yudichev wrote:
> Well the filter does not save me because in any case current logged in principal is propagated to EJB calls ONLY if the request belongs to protected area. Can you advise how can I manage to keep principal propagation to EJBs? I suppose I will use <role-name>*</role-name> constraint for entire site but in this case I need to configure authentication the way that any new user is being automatically logged in. I have no idea how to do it. Can you help?
>
> -----Original Message-----
> From: Alexey Yudichev
> Sent: Monday, December 09, 2002 17:45
> To: jetty-support@xxxxxxxxxxxxxxx
> Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?
>
> I tried this, but it doesn't work for me because in this case each request redirects to a login page. <role-name>*</role-name> does not mean "everybody", it means "any AUTHENTICATED user".
>
> So for now I implemented a filter that wraps a request and overrides getUserPrincipal() returning
>
> (Principal)((HttpServletRequest)getRequest()).getSession().getAttribute("org.mortbay.jetty.Auth");
>
> I am migrating now from Resin where getUserPrincipal() is always available. I also remember that Tomcat does the same way. And from my point of view it makes more sense. I am voting for adding an option to jetty config saying whether to expose principal to non-secure areas or not.
>
> I need principal propagation to EJBs otherwise I could use securityfilter or another similar projects...
>
> -----Original Message-----
> From: Eoin Woods [mailto:eoin@xxxxxxxxxxxx]
> Sent: Monday, December 09, 2002 17:26
> To: jetty-support@xxxxxxxxxxxxxxx
> Cc: Alexey Yudichev
> Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?
>
> > I found out that with jetty request.getUserPrincipal() returns the principal ONLY for areas secured with <auth-constraint>. Is that the supposed and correct behaviour?
>
> So it does. That does seem a bit odd.
>
> The servlet spec says that authentication information is meant to be held at the container rather than the webapp level, but isn't quite clear on whether it should be available to non secured webapps ... that's one for Greg and Co. I think.
>
> Still, as a workaround, you could add something like this to the web.xml:
>
> <web-app>
>   ...
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Everything</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <description>Everybody</description>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
>   ...
> </web-app>
>
> This just says "everybody accesses everything" and appears to resolve the problem.
>
> Cheers,
>
> Eoin.
>
> -----Original Message-----
> From: Alexey Yudichev [mailto:alexey@xxxxxxxxxxxxx]
> Sent: 09 December 2002 10:38
> To: jetty-support@xxxxxxxxxxxxxxx
> Subject: RE: [jetty-support] Re: jetty servlet security model: are there any extensions?
>
> Jboss 3.0.4 is actually bundled with jetty 4.1.3.
>
> In the meantime I faced a more serious problem. How can I have some area at the site (preferably the whole site) having request.getUserPrincipal() returning either null or the principal of the logged-in user WITHOUT securing this area? I mean I want to change the behaviour of the site depending on if any user is logged in or not (for ex. show his/her name). I found out that with jetty request.getUserPrincipal() returns the principal ONLY for areas secured with <auth-constraint>. Is that the supposed and correct behaviour?
>
> Here is my web.xml cutting:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Entire Site</web-resource-name>
>     <url-pattern>/</url-pattern>
>   </web-resource-collection>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secure Page</web-resource-name>
>     <url-pattern>/users/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>customer</role-name>
>     <role-name>operator</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/main/login.html</form-login-page>
>     <form-error-page>/main/login.html?badLogin=true</form-error-page>
>   </form-login-config>
> </login-config>
>
> after user is logged in, request.getUserPrincipal() returns null everywhere except inside /users/*.
>
> -----Original Message-----
> From: Greg Wilkins [mailto:gregw@xxxxxxxxxxx]
> Sent: Sunday, December 08, 2002 19:29
> To: jetty-support@xxxxxxxxxxxxxxx; Alexey Yudichev
> Subject: Re: [jetty-support] Re: jetty servlet security model: are there any extensions?
>
> Sounds about right for Jetty 3.0...
> Give it a go!
>
> ayudichev wrote:
> > After looking at FormAuthenticator.java, I realized that
> >
> > 1) to forward to default page I need to set "org.mortbay.jetty.URI" session attribute before post to j_security_check
> >
> > 2) to logout I have to remove "org.mortbay.jetty.Auth" session attribute.
> >
> > Will above be 100% working and is this a correct way?
> >
> > --- In jetty-support@xxxxxxxxxxxxxxx, "ayudichev <alexey@xxxx>" <alexey@xxxx> wrote:
> > > I use jboss 3.0.4 with jetty.
> > > Using form-based auth is it possible to:
> > > 1) specify "default" page, i.e. the page where jetty forwards after direct post to /j_security_check (no previous request to restricted area has been made). Or instead is it possible to programmatically login the user? I need this to place login form on the homepage.
> > > 2) programmatically logout the user without destroying entire session
>
> For the latest information about Jetty, please see http://jetty.mortbay.org
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
> --
> Greg Wilkins<gregw@xxxxxxxxxxx> Phone/fax: +44 7092063462
> Mort Bay Consulting Australia and UK. http://www.mortbay.com

--
Greg Wilkins<gregw@xxxxxxxxxxx> Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK. http://www.mortbay.com
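The request-wrapping filter Alexey describes in the thread, written out as an added example (not code from the thread, from Jetty or from JBoss). It assumes the Servlet 2.3 API and treats the session attribute name "org.mortbay.jetty.Auth", quoted in the thread, as a Jetty 4.x internal rather than a public API; the class and method names here are the example's own.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: exposes the principal that Jetty's form authenticator
// stored in the session to URLs that have no <auth-constraint>, which is
// what Alexey's filter does. Register it in web.xml with a <filter> and a
// <filter-mapping> on the URL patterns that should see the principal.
public class PrincipalExposingFilter implements Filter {

    // Assumption: Jetty 4.x stores the authenticated Principal under this
    // session attribute (name taken from the thread, an internal detail).
    static final String JETTY_AUTH_ATTR = "org.mortbay.jetty.Auth";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new PrincipalRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    static class PrincipalRequest extends HttpServletRequestWrapper {
        PrincipalRequest(HttpServletRequest request) { super(request); }

        // Prefer the container's own answer (set on constrained URLs) and only
        // fall back to the session attribute when the container reports nobody.
        public Principal getUserPrincipal() {
            Principal p = super.getUserPrincipal();
            if (p != null) return p;
            // getSession(false): never create a session just to look this up,
            // so anonymous hits on /images/* and the like stay stateless.
            HttpSession session = getSession(false);
            if (session == null) return null;
            Object auth = session.getAttribute(JETTY_AUTH_ATTR);
            return (auth instanceof Principal) ? (Principal) auth : null;
        }

        // Keep getRemoteUser() consistent with the principal we expose.
        public String getRemoteUser() {
            Principal p = getUserPrincipal();
            return p == null ? null : p.getName();
        }
    }
}
```

This changes only what the webapp sees: the container's security context is still not established on unconstrained URLs, so EJB principal propagation is unaffected, as Alexey observes. And, as Greg's reply points out for cached authentication, a principal read back from the session stays visible until the session ends even if the underlying credentials are revoked in the meantime.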