two JAAS questions

Noel Bush-2
I am attempting to use the JAAS implementation provided with JettyPlus.
  Since this is my first attempt to use JAAS at all, my confusion is
probably just a result of inexperience with this technology.  So,
apologies in advance for my ignorance.

I have successfully followed the instructions at
http://jetty.mortbay.org/jetty/plus/index.html, and have integrated the
example code with my own app, so that when I first start up the app and
go to it in the browser, I am sent to the login form, and can be logged
in or denied depending on whether I enter a valid username/password combo.

But then the trouble starts.  First of all, it seems that after I have
logged in once, even if I shut down the app and restart it, I am
considered to be still "logged in".  Unless I restart the browser, when
I go to the app URL again, I am not prompted to log in.

Maybe this is *not* a problem -- after all, if my app crashes and is
automatically restarted, I don't want everyone to have to log in again.

But this is connected with my second question.  I first wanted to check
information about the logged-in user with
HttpServletRequest.getRemoteUser() or .getUserPrincipal().getName().
When I do a first startup, first browser open, then these methods return
the username of the logged-in user.  However, after an app restart
without browser restart, they return null values.

So, I read around, and got the hint that these methods of
HttpServletRequest should not be used -- that there are security
problems with this approach.  I am told that I should use the Subject,
which, in many JAAS implementations, is stored in the HttpSession.

As far as I can see, though, the JettyPlus JAAS implementation does not
put the Subject in the HttpSession.  I tried to see where I could do
this if I wanted to, and the most likely place I could find was
JAASUserRealm, but I can't see how I would get access to the session
from there.  Since the authenticate() method is getting a HttpRequest
(not HttpServletRequest) as a parameter, it doesn't have any access to
the session.

I see that, in Jetty's *Authenticator classes, the username and
Principal are being stored in the HttpRequest.  But I don't know how I
can "legitimately" get at the HttpRequest from inside my servlet.  (I am
still confused about the relationship between Jetty's HttpRequest and
the Servlet API's HttpServletRequest.)

So I am really at a loss.  Is this a "left as an exercise to the reader"
issue that I need to handle by implementing something using the provided
JAAS code as a starting point?  Or is there already a way for me to get
at information about the logged-in user using the JettyPlus JAAS
implementation?  Would I be better off finding another JAAS implementation?

Thanks in advance for all hints and advice.

Noel


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
jetty-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-discuss
Re: two JAAS questions

jan_bartel
Hi Noel,

If Jetty is stopped, all state regarding who is authenticated is lost.
So, the effect you're seeing is not actually that you are authenticated
across application restarts. I suspect your problem could be to do with
the way that you have specified your security constraints in the webapp.
Or, maybe it is some kind of browser caching?

Regarding accessing the Subject, it is available as
((JAASUserPrincipal)request.getUserPrincipal()).getSubject()

There could be an argument to put the Subject into the request
attributes, but as the HttpSession actually has nothing to do with
authentication, it isn't really appropriate to put it in there.

cheers
Jan
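
As an added example (not code from this thread or from JettyPlus), the servlet below reads the Subject the way Jan describes, through the downcast of the Principal returned by getUserPrincipal(). It assumes JAASUserPrincipal lives in the org.mortbay.jaas package, which is where the JettyPlus of that era kept it; the servlet name WhoAmIServlet and the helper subjectFor() are made up for the example.

```java
// Added example, not code from the thread or from Jetty: retrieve the JAAS
// Subject from the request Principal and fail closed when there is none.
// Assumption: JAASUserPrincipal is org.mortbay.jaas.JAASUserPrincipal (the
// JettyPlus package of that era); adjust the import to your Jetty version.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.mortbay.jaas.JAASUserPrincipal;

public class WhoAmIServlet extends HttpServlet {

    /**
     * Returns the Subject for the current request, or null when the request
     * was not authenticated or was authenticated by a realm other than the
     * JettyPlus JAAS realm. (Hypothetical helper written for this example.)
     */
    static Subject subjectFor(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        // No Principal means the container did not authenticate this request,
        // e.g. because no security constraint matched the URL.
        if (p == null) {
            return null;
        }
        // Only the JettyPlus JAAS realm hands back a JAASUserPrincipal. Check
        // before casting so a different realm yields "no Subject" rather than
        // a ClassCastException surfacing as a 500.
        if (!(p instanceof JAASUserPrincipal)) {
            return null;
        }
        return ((JAASUserPrincipal) p).getSubject();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        Subject subject = subjectFor(request);
        if (subject == null) {
            // Fail closed: an unauthenticated request gets no user-specific data.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("remoteUser = " + request.getRemoteUser());
        // List every Principal the login module attached to the Subject
        // (the JettyPlus realm adds user and role principals here).
        for (Principal principal : subject.getPrincipals()) {
            out.println(principal.getClass().getName() + ": " + principal.getName());
        }
    }
}
```

The point of the instanceof check is that the cast only holds when the JAAS realm authenticated the request. A null from getUserPrincipal() or getRemoteUser(), which is what Noel sees after the restart, means the container did not authenticate that request at all (Jan's point about the security constraints), so the servlet should refuse rather than fall back on whatever user it saw earlier. As Jan notes, the Subject belongs with the request, not the HttpSession, so nothing here copies it into the session.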



Re: Re: two JAAS questions

Jeremy Boynes
Jan Bartel wrote:
>
> Regarding accessing the Subject, it is available as
> ((JAASUserPrincipal)request.getUserPrincipal()).getSubject()
>
> There could be an argument to put the Subject into the request
> attributes, but as the HttpSession actually has nothing to do with
> authentication, it isn't really appropriate to put it in there.
>

Could you use AccessController.getContext().getSubject() ?
This is assuming you have permission and that Jetty is running the
servlet with Subject.doAs()

--
Jeremy


Re: Re: two JAAS questions

djencks

On Jul 6, 2005, at 6:32 PM, Jeremy Boynes wrote:

> Jan Bartel wrote:
>> Regarding accessing the Subject, it is available as
>> ((JAASUserPrincipal)request.getUserPrincipal()).getSubject()
>> There could be an argument to put the Subject into the request
>> attributes, but as the HttpSession actually has nothing to do with
>> authentication, it isn't really appropriate to put it in there.
>
> Could you use AccessController.getContext().getSubject() ?
> This is assuming you have permission and that Jetty is running the
> servlet with Subject.doAs()
>

My experience is that this generally does not work, often returning
null even within a Subject.doAs().  I think I heard rumors that this is
a longstanding java bug.  At the time I could not spare the time to
investigate: if anyone has any more info I would really like to know
more or if I might have been doing something wrong.

thanks
david jencks


Re: Re: two JAAS questions

Jeremy Boynes
The code is actually:
         // Imports the snippet needs (added for completeness; they go at the top of the file).
         import java.security.AccessController;
         import java.security.Principal;
         import java.security.PrivilegedAction;
         import java.util.Set;
         import javax.security.auth.Subject;
         // TestPrincipal is a simple Principal implementation that takes a name;
         // its source is not shown in the post.

         Principal principal = new TestPrincipal("bob");
         Subject subject = new Subject();
         subject.getPrincipals().add(principal);

         // Run the action with 'subject' bound to the AccessControlContext ...
         Subject.doAs(subject, new PrivilegedAction<Object>() {
             public Object run() {
                 // ... and read the Subject back from inside the action.
                 Subject foo = Subject.getSubject(AccessController.getContext());
                 Set<Principal> principals = foo.getPrincipals();
                 System.out.println(principals.size());
                 for (Principal p : principals) {
                     System.out.println("principal.getName() = " + p.getName());
                 }
                 return null;
             }
         });

This works for me on Sun 1.5 on Windows - YMMV.
--
Jeremy



Re: two JAAS questions

jan_bartel
FYI,

The code below works for me on JDK1.4.2 on Ubuntu linux.

Jan


Jeremy Boynes wrote:

> The code is actually:
>         Principal principal = new TestPrincipal("bob");
>         Subject subject = new Subject();
>         subject.getPrincipals().add(principal);
>
>         Subject.doAs(subject, new PrivilegedAction(){
>             public Object run() {
>                 Subject foo =
> Subject.getSubject(AccessController.getContext());
>                 Set<Principal> principals = foo.getPrincipals();
>                 System.out.println(principals.size());
>                 for (Iterator<Principal> i = principals.iterator();
> i.hasNext();) {
>                     Principal principal = i.next();
>                     System.out.println("principal.getName() = " +
> principal.getName());
>                 }
>                 return null;
>             }
>         });
>
> This works for me on Sun 1.5 on Windows - YMMV.

Re: Re: two JAAS questions

David Jencks-2
IIRC the code that gave me problems was something like this:

         Principal principal = new TestPrincipal("bob");
         Subject subject = new Subject();
         subject.getPrincipals().add(principal);

         Subject.doAs(subject, new PrivilegedAction<Object>() {
             public Object run() {
                 // call into various parts of Sun ORB and emerge inside the CSIv2
                 // framework in an attempt to send an identity token
                 Subject foo = Subject.getSubject(AccessController.getContext());
                 // foo is null
                 Set<Principal> principals = foo.getPrincipals();
                 System.out.println(principals.size());
                 for (Iterator<Principal> i = principals.iterator(); i.hasNext();) {
                     Principal p = i.next();
                     System.out.println("principal.getName() = " + p.getName());
                 }
                 return null;
             }
         });

If I understood the rumor correctly it involved Subject.doAs(x) not
restoring the previous Subject when returning.  Again, I haven't
investigated extensively.  My theory is that the orb code calls
Subject.doAs(someone else) and returns before getting into the CSIv2
code.  I'll try to find a few minutes to investigate this further.

thanks
david jencks
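
As an added example (not code from any post in this thread), the program below shows on the plain JDK, with no ORB involved, how the Subject travels with the AccessControlContext and how it can get lost along the way. A nested Subject.doAs() shows the outer Subject being restored when the inner call returns, and the single-argument AccessController.doPrivileged() shows a documented way to lose it: that overload ignores the DomainCombiner that carries the Subject, so Subject.getSubject() returns null inside it, while passing the caller's captured context keeps the Subject visible. The thread does not say what the ORB code does, so this is one mechanism that produces the symptom, not a diagnosis of David's case. NamedPrincipal and the printed labels are constructed for the demonstration. It targets the Java 5/6-era API the thread uses; on current JDKs Subject.getSubject(AccessControlContext) is deprecated and may need -Djava.security.manager=allow to run.

```java
// Added example, not code from the thread: where the Subject is and is not
// visible via Subject.getSubject(AccessController.getContext()).
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectVisibility {

    /** Minimal Principal constructed for this demonstration only. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static Subject subjectNamed(String name) {
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal(name));
        return s;
    }

    /**
     * Name of the first Principal on the Subject bound to the current context,
     * or "<none>" when getSubject() returns null, the symptom the thread discusses.
     */
    static String currentSubjectName() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null || s.getPrincipals().isEmpty()) {
            return "<none>";
        }
        return s.getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) {
        final Subject bob = subjectNamed("bob");
        final Subject alice = subjectNamed("alice");

        Subject.doAs(bob, new PrivilegedAction<Void>() {
            public Void run() {
                System.out.println("inside doAs(bob):                 " + currentSubjectName()); // bob

                // Nested doAs: alice is bound inside, bob is restored on return.
                Subject.doAs(alice, new PrivilegedAction<Void>() {
                    public Void run() {
                        System.out.println("inside nested doAs(alice):        " + currentSubjectName()); // alice
                        return null;
                    }
                });
                System.out.println("after nested doAs returns:        " + currentSubjectName()); // bob

                // Capture the caller's context (with its SubjectDomainCombiner)
                // before entering code that may call doPrivileged.
                final AccessControlContext callerContext = AccessController.getContext();

                // One-argument doPrivileged ignores the DomainCombiner, so the
                // Subject is not visible inside it: getSubject() returns null.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        System.out.println("inside doPrivileged(action):      " + currentSubjectName()); // <none>
                        return null;
                    }
                });

                // Supplying the captured context keeps the Subject visible.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        System.out.println("inside doPrivileged(action, ctx): " + currentSubjectName()); // bob
                        return null;
                    }
                }, callerContext);
                return null;
            }
        });
    }
}
```

For the Jetty case this is the reason to prefer Jan's route, reading the Subject off the JAASUserPrincipal on the request: it does not depend on every intermediate frame having preserved the AccessControlContext's combiner, and code that does need the Subject deeper down should be handed it (or the captured context) explicitly rather than recovering it from AccessController.getContext().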

