dev@glassfish.java.net

Re: JAAS and Glassfish

From: Ron Monzillo <Ronald.Monzillo_at_Sun.COM>
Date: Wed, 24 Oct 2007 14:58:57 -0400

Per Violet wrote:
>
>
> Hi Everyone.
>
>
>
> I have a problem using the glassfish security manager with JAAS.
>
> What I want to do is write a form-based login and then role-based
> access to the web resources.
>
>
>
> I wrote a Servlet, which takes a username and a password from a webpage
> and passes them to a logincontext.

Per Violet,

I may not be understanding exactly what you have done and what you seek
to do but I will try to help. You indicate that you are using
glassfish which is good, since glassfish features some improvements to
the pluggable realms infrastructure.


> I wrote a loginmodule for JAAS and I wrote a custom realm for the
> glassfish, just like the example of the glassfish-page
> (http://developers.sun.com/appserver/reference/techart/as8_authentication/index.html)
>
Assuming that you are using the existing FormAuthenticator (valve) of
the Glassfish servlet container, then it sounds like what you are trying
to do is change the underlying password validation system by implementing
a custom Realm and associated Login module. If this is your plan, then
you would designate a custom login page, which would be returned by the
web container when an attempt is made to visit a protected page. You
would not need to make jaas calls from the login page or from a servlet.
These calls would be made on your behalf by the FormAuthenticator.

If you want to do something that goes beyond replacing the underlying
password validation system, then I can help you do that, but the
approach would likely be different (i.e., use the jsr 196 support in
Glassfish). Glassfish is the reference implementation for JSR 196 and as
such provides effective facilities for injecting new authentication
mechanisms in the httpServlet and SOAP message processing layers.

>
> I'm using glassfish 9.x and so I took this part of the page.
>
> Everything works fine. I got an instance of the class subject and within
> this instance some principals (in the case the login was successful)
>
>
>
> Now I tried to secure some JSPs with the deployment descriptors, using
> the well described Xml-Tags.
>
> But when I request the secured JSP, I can't, because the
> security-manager denied. It seemed that my instance of the subject
> isn't known by the applicationserver. But there is no way described in
> the documents I read, how to tell the applicationserver of my
> JAAS-subject.

If you are relying on the existing FormAuthenticator to invoke your
custom realm and login module, then it will take care of making sure
that the results of the authentication will wind up in the security
context used by the application server.

> I tried to pass it to a HTTPSession within the
> login-servlet, but it doesn't work. Within my secured JSP, I don't
> receive the role my subject is the owner of. (I think, because there
> is no subject anymore; there must be a way to pass the subject to the
> Applicationserver, but otherwise I thought that's what the
> Glassfishrealm does)

That is correct. If you are assigning an authentication identity using
custom principals, you will need to make sure that the principal to
role mapping defined by your app specifies the principal types (as an
attribute to the mapping elements) associated with each principal name.

See the schema in sun-application_5_0-0.dtd:

<!ELEMENT security-role-mapping (role-name, (principal-name | group-name)+)>

<!ELEMENT role-name (#PCDATA)>
<!ELEMENT principal-name (#PCDATA)>
<!ATTLIST principal-name class-name CDATA #IMPLIED>
<!ELEMENT group-name (#PCDATA)>


> Another problem is that I don't see how to make a logout, because I
> lose my logincontext when switching to another page.

If it is acceptable that the HTTP session be invalidated, then you can
call httpSession.invalidate(), and in so doing invalidate the web
authentication session.

Ron
>
>
> Perhaps somebody is kind enough to help me. I’m almost going crazy.
>
>
>
> Greetings from Germany , Per Violet
>
>
>
>
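As an added illustration of the two points Ron makes above (let the FormAuthenticator drive the custom realm, and give the role mapping the principal class), here are the relevant deployment-descriptor fragments. This is example configuration, not from the original thread: the realm name "customRealm", the role "manager", the URL pattern, the JSP names and the principal class com.example.auth.DeptPrincipal are assumed placeholders.

```xml
<!-- WEB-INF/web.xml (Servlet 2.5): declares the protected resources and
     FORM authentication. The login page posts j_username / j_password to
     j_security_check; the container, not a servlet, then calls the realm
     and its JAAS login module. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected JSPs</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <!-- name of the custom realm registered in the server's security config -->
    <realm-name>customRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/sun-web.xml: maps the role to the principals/groups the login
     module puts into the Subject. The class-name attribute from the DTD
     quoted above tells the container which Principal type to match; a
     custom principal class without it is not recognised and the role
     check fails even though login succeeded. -->
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app>
  <security-role-mapping>
    <role-name>manager</role-name>
    <!-- custom principal type added by the assumed login module -->
    <principal-name class-name="com.example.auth.DeptPrincipal">sales</principal-name>
    <!-- a realm group may be mapped to the same role -->
    <group-name>sales-managers</group-name>
  </security-role-mapping>
</sun-web-app>
```

With both descriptors in place, request.isUserInRole("manager") in the secured JSP reflects the principal the custom login module added, without any session hand-off from a login servlet.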