JavaRanch » Java Forums » Engineering » Security

JAAS programmatically

Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
Hi All,

I am facing a problem applying JAAS on top of my Oracle AS or even the embedded OC4J. The problem is that I need the login process to be done programmatically, not only when a user requests a J2EE resource and is forwarded to the login form. How could I, after executing the login and getting the user Subject, set it on the session or any scope so that the container sees this user as authenticated? Any help is appreciated.

Thanks.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
Welcome to JavaRanch.

What kind of client is this? How is it accessing the server?


Ping & DNS - my free Android networking tools app
Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
The client is a browser (thin), and I am using form-based authentication.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
That's tricky, since JAAS and the Servlet API were never fully integrated; you may have to use vendor-specific extensions. See this article for a description of the difficulties.
Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
I am using Oracle Application Server and I noticed that it adds an attribute to the session with the key "jaas.subject" whose value is the user Subject object.

I do the programmatic login, get the Subject and add it to the session myself, but this does not make the constrained resources accessible. If you have any idea, please let me know.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
I'm not sure if it helps with Oracle specifically, but you could check out http://jguard.net/ which adapts JAAS to web apps.
Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
Thanks for your help
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
For integration of JAAS code with a Java web server, you need to configure the following system property:

java.security.auth.login.config

The value of this property should be set to the physical location of the JAAS configuration file, e.g. X:\TOMCAT\CONF\application-jaas.conf
QiJun Yang
Greenhorn

Joined: Dec 01, 2008
Posts: 3
I think his problem is authorization; I have the same question.
I get a Subject from the authentication and then don't know what to do.

How do I authorize, especially for those resources in a database?


Sorry for my poor English.
Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
You're right, Jerry, but I think this is an unsolvable problem, as JAAS was originally not built to support web applications, hence we are stuck on this issue. You may have to look at jGuard in this case.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
Not too sure, but we have been using the JAAS API for security in web applications for some time (without any third-party add-ons). It works fine.
Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
The issue here, James, is that JAAS will not work properly when you run the login page directly without referring first to some constrained resource.
Add to that, if we call the login method programmatically and initialize a Subject for the logged-in user, we can't find a way to set the user Subject or Principal into the request so that the following code results in the object we set rather than a null pointer.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
It seems that the issue stems from "how" you are attempting to use JAAS. This is not a fault of the API itself. Again, it is "how" you are trying to code the authentication.

A login JSP page should authenticate via a JAAS module by calling on a Business Delegate which then calls a POJO. The code in the POJO uses JAAS modules to authenticate. There is no need to refer to "some constrained resource" to execute the login module.

JAAS Subject objects should not be set in a HttpRequest or HttpSession.

Everything mentioned above assumes a strict Model-View-Controller implementation. If you are attempting to do JAAS authentication directly from JSP pages, then you most likely will have difficulty in many places.

You need to have state in the Model application; this will hold references to the JAAS Subjects returned once a user is authenticated.

Good luck!
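The structure described in the post above, as an added example that is not code from this thread: a plain Java service, reachable from the login page through a Business Delegate, that runs the JAAS login from the submitted credentials without any container-protected resource being involved and hands the Subject back to the model layer. The entry name `appName` and the `hasRole` helper are assumptions; `hasRole` relies on the LoginModule adding one Principal per user name and per role, as the org.xfree.jaas.exam.SimplePrincipal grants later in this thread do.

```java
import java.security.Principal;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Model-layer service; the login JSP/controller reaches it through a Business Delegate. No servlet types here.
public final class JaasLoginService {
    private final String appName; // entry name inside the file named by java.security.auth.login.config

    public JaasLoginService(String appName) { this.appName = appName; }

    // Runs the configured LoginModules for the given credentials and returns the populated Subject.
    // No container-protected resource is involved, so this works when called straight from the login form.
    public Subject login(final String user, final char[] password) throws LoginException {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password); // the callback copies the array
                    } else {
                        throw new UnsupportedCallbackException(cb, "callback not supported");
                    }
                }
            }
        };
        try {
            LoginContext ctx = new LoginContext(appName, handler);
            ctx.login(); // throws LoginException on failure, so no Subject is ever returned for bad credentials
            return ctx.getSubject();
        } finally {
            Arrays.fill(password, '\0'); // do not keep the clear-text password around longer than needed
        }
    }

    // Model-side role check, the counterpart of isUserInRole(): true if any Principal carries that name.
    // Assumption: the LoginModule adds one Principal per user name and per role name.
    public static boolean hasRole(Subject subject, String role) {
        for (Principal p : subject.getPrincipals()) {
            if (role.equals(p.getName())) return true;
        }
        return false;
    }
}
```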
QiJun Yang
Greenhorn

Joined: Dec 01, 2008
Posts: 3
Hi, maybe the code below is helpful to you.

import java.security.Permission;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.xfree.jaas.exam.URLPermission; // the custom Permission class named in the policy file below

final SecurityManager sm;
if (System.getSecurityManager() == null) {
    // SecurityManager.checkPermission delegates to AccessController, so the Policy is consulted
    // even though this instance is never installed with System.setSecurityManager()
    sm = new SecurityManager();
} else {
    sm = System.getSecurityManager();
}
Subject subject = ....; // the Subject returned by LoginContext.getSubject() after a successful login
// Run the check as the Subject: its Principals are added to the access control context that the
// Policy evaluates, so the "grant Principal ..." entries below apply. checkPermission throws
// java.security.AccessControlException when the Subject is not granted the permission.
Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Boolean>() {
    public Boolean run() throws Exception {
        Permission p = new URLPermission("/demo/soft/query.jsp");
        sm.checkPermission(p);
        return Boolean.TRUE;
    }
}, null);

You can put this code into a javax.servlet.Filter or ActionServlet, get the request URL, and then construct a Permission. Of course you need a URLPermission.

If the Subject has access to the URL "/demo/soft/query.jsp", the above code will return; otherwise it throws an exception.

Your security policy file should look like this.

grant Principal org.xfree.jaas.exam.SimplePrincipal "manager"{
permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal "admin"{
permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal "tom"{
permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal "jerry"{
permission org.xfree.jaas.exam.URLPermission "/demo/soft/*";
permission org.xfree.jaas.exam.URLPermission "/demo/jsf/*";
};

grant Principal org.xfree.jaas.exam.SimplePrincipal *{
permission org.xfree.jaas.exam.URLPermission "/demo/login.jsp";
permission org.xfree.jaas.exam.URLPermission "/demo/error.jsp";
};


The above configuration represents the permission collections of two roles and two users respectively.

You can get your configuration information from a database. What you need is a policy class extending javax.security.auth.Policy.java; the default policy class is FilePolicy, which extends class Policy and reads the file %java_home%\jre\lib\security\java.policy.

reference: http://www.mooreds.com/jaas.html
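The Filter that the post above describes, as an added example that is not code from this thread or from the linked project: the inner URLPermission is a hypothetical stand-in for the linked class (refer to it in a policy file as URLAuthorizationFilter$URLPermission), the session-id map follows the earlier advice to keep the Subject in model state rather than in the HttpSession, and the login path is an assumption.

```java
import java.io.IOException;
import java.security.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

public final class URLAuthorizationFilter implements Filter {
    // Hypothetical stand-in for the thread's URLPermission: "/demo/soft/*" implies every path below /demo/soft/.
    // Extends Permission (not BasicPermission, whose "."-wildcards ignore "/") so the Policy uses this implies().
    public static final class URLPermission extends Permission {
        public URLPermission(String path) { super(path); }
        @Override public boolean implies(Permission p) {
            if (!(p instanceof URLPermission)) return false;
            String pattern = getName(), path = p.getName();
            return pattern.endsWith("/*") ? path.startsWith(pattern.substring(0, pattern.length() - 1))
                                          : pattern.equals(path);
        }
        @Override public boolean equals(Object o) {
            return o instanceof URLPermission && getName().equals(((URLPermission) o).getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }
    // Model-layer state keyed by session id, so the Subject is not stored in the HttpSession itself.
    // Call unregister() from HttpSessionListener.sessionDestroyed() (not shown) so entries do not leak.
    private static final ConcurrentHashMap<String, Subject> SUBJECTS = new ConcurrentHashMap<String, Subject>();
    public static void register(HttpSession s, Subject subject) { SUBJECTS.put(s.getId(), subject); }
    public static void unregister(HttpSession s) { SUBJECTS.remove(s.getId()); }

    public void init(FilterConfig cfg) {} public void destroy() {}

    // Map this filter in web.xml to the protected paths only (not to login.jsp), or the redirect below loops.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;
        HttpSession session = http.getSession(false);
        Subject subject = session == null ? null : SUBJECTS.get(session.getId());
        if (subject == null) { httpRes.sendRedirect(http.getContextPath() + "/login.jsp"); return; }
        // Context + servlet path is decoded/normalized by the container (unlike getRequestURI()); add getPathInfo() for /* mappings.
        final Permission needed = new URLPermission(http.getContextPath() + http.getServletPath());
        try { // run the check as the Subject: its Principals join the context that the Policy evaluates
            Subject.doAsPrivileged(subject, new PrivilegedAction<Void>() {
                public Void run() { AccessController.checkPermission(needed); return null; }
            }, null);
        } catch (AccessControlException denied) {
            httpRes.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        chain.doFilter(req, res); // authorized: continue outside the Subject's restricted context
    }
}
```

The permission check is deliberately the only thing run inside doAsPrivileged: the downstream servlet runs with the normal context, so an over-restrictive policy for the Subject cannot break unrelated code paths.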
QiJun Yang
Greenhorn

Joined: Dec 01, 2008
Posts: 3
Code of URLPermission:
http://www.koders.com/java/fidC12C6A4B391CA70EE8535CAC410B27403E8A2A31.aspx
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42602
"jerry yang",
please check your private messages.
Rami Hailat
Greenhorn

Joined: Nov 26, 2008
Posts: 20
Hi James, if we don't set the Subject or the Principal into the request or session, how would any request return the user Principal when using
for example.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
A request does not return anything. A request is sent to a server. The server returns a response.

In regards to the isUserInRole() method, this method returns a boolean value, not a JAAS Subject object.