users@glassfish.java.net

Re: HTTP authentication and access log

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Thu, 04 Jun 2009 13:06:24 -0700

On 06/04/09 03:29 AM, glassfish_at_javadesktop.org wrote:
> I created a simple web service (EJB) which uses the existing JDBCRealm:
> ==========
> import javax.jws.WebMethod;
> import javax.jws.WebService;
>
> // JAX-WS endpoint; the EJB and BASIC auth settings are declared in sun-ejb-jar.xml below.
> @WebService
> public class HelloWorld {
>     @WebMethod
>     public String sayHelloWorldFrom() {
>         return "OK";
>     }
> }
>

I'm not sure how the JDBC realm has been integrated into GlassFish (I'll
defer to the security team to comment on that), but it seems that the
authenticated user principal is not being set on the request object.

As I mentioned, the access logging impl determines the client id (which
is what gets access-logged) by calling HttpServletRequest#getRemoteUser,
which returns the value of Principal#getName.

Following are partial stack traces for calls to Request#setUserPrincipal
in the case of BASIC and FORM authentication when using a file-based realm:

BASIC:

org.apache.catalina.connector.Request.setUserPrincipal(Request.java:2419)
org.apache.catalina.authenticator.AuthenticatorBase.register(AuthenticatorBase.java:931)
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:171)
com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1189)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:612)
[...]

FORM:

org.apache.catalina.connector.Request.setUserPrincipal(Request.java:2419)
org.apache.catalina.authenticator.AuthenticatorBase.register(AuthenticatorBase.java:931)
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:208)
com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1189)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:612)
[...]


It seems that in your case, Request#setUserPrincipal is never called by
the RealmAdapter.


Jan



> ==========
> <sun-ejb-jar>
> <security-role-mapping>
> <role-name>kitchen</role-name>
> <group-name>kitchen</group-name>
> </security-role-mapping>
> <enterprise-beans>
> <ejb>
> <ejb-name>HelloWorld</ejb-name>
> <jndi-name>HelloWorld</jndi-name>
> <webservice-endpoint>
> <port-component-name>HelloWorld</port-component-name>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm>kitchen</realm>
> </login-config>
> </webservice-endpoint>
> </ejb>
> </enterprise-beans>
> </sun-ejb-jar>
> ======
>
> with the correct login/password:
> "127.0.0.1" "NULL-AUTH-USER" "04/Jun/2009:12:21:17 +0100" "POST /HelloWorldService/HelloWorld HTTP/1.1" 200 225
>
> with an incorrect login/password:
> "127.0.0.1" "NULL-AUTH-USER" "04/Jun/2009:12:28:26 +0100" "POST /HelloWorldService/HelloWorld HTTP/1.1" 401 1036
>
> and my simple client gets:
> Exception in thread "main" com.sun.xml.internal.ws.client.ClientTransportException: request requires HTTP authentication: Unauthorized
> [Message sent by forum member 'dakol' (dakol)]
>
> http://forums.java.net/jive/thread.jspa?messageID=349093
>
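The thread turns on one observable: the access log writes "NULL-AUTH-USER" whenever HttpServletRequest#getRemoteUser returns null, so a protected endpoint that answers 200 with that placeholder has lost attribution for an authenticated call, while a 401 with the placeholder is the normal outcome of a refused challenge. The following check, added here as an example and not taken from the thread or from GlassFish, parses log lines in the format quoted above and flags served requests under a protected path prefix that carry no user name. The prefix list, the "cook1" user name and the /public line are constructed for the example; the first two log lines are the ones dakol posted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Format of the GlassFish access-log lines quoted in the thread:
#   "client-ip" "auth-user" "date" "request-line" status bytes
# "NULL-AUTH-USER" is what the logger writes when getRemoteUser() is null.
LINE_RE = re.compile(
    r'^"(?P<client>[^"]*)"\s+"(?P<user>[^"]*)"\s+"(?P<date>[^"]*)"\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<proto>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s*$'
)
NULL_USER = "NULL-AUTH-USER"


@dataclass
class AccessEntry:
    client: str
    user: Optional[str]  # None when the log recorded NULL-AUTH-USER
    date: str
    method: str
    path: str
    status: int
    size: int


def parse_line(line: str) -> Optional[AccessEntry]:
    """Parse one access-log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user = m.group("user")
    return AccessEntry(
        client=m.group("client"),
        user=None if user == NULL_USER else user,
        date=m.group("date"),
        method=m.group("method"),
        path=m.group("path"),
        status=int(m.group("status")),
        size=0 if m.group("bytes") == "-" else int(m.group("bytes")),
    )


def unattributed_hits(lines: List[str], protected_prefixes: List[str]) -> List[AccessEntry]:
    """Entries served with 2xx under a protected prefix but with no user name.

    A 401 without a user is expected (the client was refused); a 2xx without
    a user means a request passed a protected endpoint while the principal
    never reached the request object, so the log cannot say who made it.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if not any(entry.path.startswith(p) for p in protected_prefixes):
            continue
        if 200 <= entry.status < 300 and entry.user is None:
            hits.append(entry)
    return hits


# Constructed sample: the two lines quoted in the thread, plus one line from a
# (hypothetical) deployment where the principal is set, and one public GET.
SAMPLE_LOG = [
    '"127.0.0.1" "NULL-AUTH-USER" "04/Jun/2009:12:21:17 +0100" "POST /HelloWorldService/HelloWorld HTTP/1.1" 200 225',
    '"127.0.0.1" "NULL-AUTH-USER" "04/Jun/2009:12:28:26 +0100" "POST /HelloWorldService/HelloWorld HTTP/1.1" 401 1036',
    '"127.0.0.1" "cook1" "04/Jun/2009:12:30:02 +0100" "POST /HelloWorldService/HelloWorld HTTP/1.1" 200 225',
    '"127.0.0.1" "NULL-AUTH-USER" "04/Jun/2009:12:31:10 +0100" "GET /public/index.html HTTP/1.1" 200 512',
]

# Assumed protected prefix: the web service context root from the thread.
PROTECTED = ["/HelloWorldService/"]

if __name__ == "__main__":
    for e in unattributed_hits(SAMPLE_LOG, PROTECTED):
        print(f"unattributed {e.method} {e.path} -> {e.status} at {e.date}")
```

Run against the sample, only the first line is reported: it is the case from the thread where the client supplied valid credentials, the endpoint answered 200, and the log still recorded no user. Pointing this at a real access log with your own protected prefixes gives a quick way to confirm whether the fix (setUserPrincipal actually being called for the realm in use) took effect.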