It is strange that it is so quiet around this issue. I can't be the only one who is affected; many projects must have come across this.
Thank you

On 4/18/06, Chapoor Chapoor <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm stuck in a security authentication/authorization issue, which I hope
> you have some advice for me on.
>
> In simple words, I want to use the Web container security (for
> authorization) together with my own JAAS implementation (for
> authentication).
>
> How to achieve this?
>
> I don't want to use the BASIC, FORM, CLIENT-CERT etc. auth-methods. I want
> to bypass these and hit my JAAS login module.
> The reason is that we collect user information in a different way, by an
> exchange with the user in a front filter.
>
> I can't get this to work, even though I have configured my
> loginmodule, user, role and configured the JAASRealm in Tomcat.
>
> This is how I want to do it (in theory):
> 1. User enters a URL (e.g. /mycontext/cars/),
> 2. The SecFilter gets triggered, which ends by exchanging user
> information,
> 3. The MyLoginModule gets called with user information,
> 4. User is looked up and gets assigned User/Role Principals,
> 5. Login is OK,
> 6. Now the web container security can take place and checks in web.xml if
> this user is-in-role to call the /cars URL.
>
> I've searched the entire web but could not see any good article about
> this. Am I the only one who wants to bypass the auth-methods but still can
> provide good authentication and "standard" web-authorization?
>
> (I've seen some work-arounds such as:
> http://www.kopz.org/public/documents/tomcat/jaasintomcat.html but this is
> a work-around, which I don't like.)
>
> Please advise,
>
> Thank you for reading, and sorry for the long email.
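The six-step flow quoted above, as an added example that is not code from the thread or from Tomcat: a JAAS LoginModule that assigns separate user and role Principal classes (the split Tomcat's JAASRealm needs to populate is-in-role checks), and a front filter that collects credentials its own way and then asks the container to log the user in. Every name here (UserPrincipal, RolePrincipal, MyLoginModule, SecFilter, the "MyLogin" JAAS entry, the X-User/X-Pass headers) is hypothetical, the user table is constructed sample data, and the filter relies on the Servlet 3.0 `HttpServletRequest.login(user, password)` method, which did not exist when the original mail was written.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed Tomcat wiring (context.xml), mapping the two principal classes below:
//   <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyLogin"
//          userClassNames="JaasExample$UserPrincipal" roleClassNames="JaasExample$RolePrincipal"/>
// and a JAAS config file (-Djava.security.auth.login.config=jaas.conf) containing:
//   MyLogin { JaasExample$MyLoginModule required; };
public final class JaasExample {

    /** Identity principal: JAASRealm treats this class as "the user". */
    public static final class UserPrincipal implements Principal, Serializable {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Role principal: each instance becomes one role for <security-constraint> checks. */
    public static final class RolePrincipal implements Principal, Serializable {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Step 3-5 of the flow: the module the realm drives through a CallbackHandler. */
    public static final class MyLoginModule implements LoginModule {
        // Constructed sample store: user -> {password, role...}. A real store keeps password hashes.
        private static final Map<String, String[]> USERS = new HashMap<>();
        static { USERS.put("alice", new String[] {"s3cret", "driver"}); }

        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private String[] roles;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] {nc, pc});   // JAASRealm answers these from login(u, p)
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e.getMessage());
            }
            String[] record = USERS.get(nc.getName());
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // One failure message for unknown user and wrong password, so the response does not enumerate users.
            if (record == null || pw == null || !Arrays.equals(record[0].toCharArray(), pw)) {
                throw new FailedLoginException("bad credentials");
            }
            user = nc.getName();
            roles = Arrays.copyOfRange(record, 1, record.length);
            return true;
        }

        @Override
        public boolean commit() {
            if (user == null) return false;               // login() failed or was never called
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r));
            return true;
        }

        @Override public boolean abort()  { user = null; roles = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Step 2: the front filter that gathers credentials and hands them to the container realm. */
    public static final class SecFilter implements Filter {
        @Override public void init(FilterConfig c) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            if (r.getUserPrincipal() == null) {
                // Hypothetical exchange: credentials arrive in two headers. Substitute the real front-end protocol.
                String u = r.getHeader("X-User");
                String p = r.getHeader("X-Pass");
                if (u == null || p == null) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
                try {
                    r.login(u, p);   // Servlet 3.0+: runs the configured Realm, i.e. JAASRealm -> MyLoginModule
                } catch (ServletException e) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
            }
            chain.doFilter(req, res);   // step 6: web.xml role constraints now see the realm's principal
        }
    }
}
```

Two points about why the filter-only approach in the mail stalls, both following from how Tomcat is built rather than from anything in the thread: first, a LoginContext run inside a filter produces a Subject that the container never sees, so `request.getUserPrincipal()` stays null and `<security-constraint>` checks keep failing; routing the credentials through the realm (here via `request.login`) is what populates the container's view. Second, Tomcat enforces `<security-constraint>` in its authenticator valve before any filter runs, so an unauthenticated request to a constrained URL like /mycontext/cars/ is refused before SecFilter executes; the credential exchange therefore has to happen on an unconstrained URL (the front page or a dedicated login endpoint), after which the principal cached in the session carries over to the constrained ones.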