Thanks guys, I want to do my own authentication (in this case using JAAS) because the available ones are not sufficient. The requirements are so, and I can't go deep into those.
So the basic, form, client-cert are not OK to use for authentication. That is why I do my own servlet/filter that will call the login context "myapp", which uses JAAS. After this I want to notify the container so it in some way can recognize that there is a user (in getRemoteUser, isUserInRole, etc.). In this case I will be able to use the authorization provided by the container. Not only on the web level, but later I could also use the roles down in the EJB container. I want to keep the declarative security as much as possible.

Thank you

On 4/20/06, Tim Lucia <[EMAIL PROTECTED]> wrote:
>
> Why do you wish to do this? Perhaps elaborating on the "exchange with the
> user in a front filter" bit will get you a more satisfactory answer?
>
> Tim
>
> -----Original Message-----
> From: Chapoor Chapoor [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 20, 2006 4:34 AM
> To: Tomcat Users List
> Subject: Re: CMS and JAAS
>
> Thanks Rolf, but it is not what I'm looking for.
> The major difference in my structure is that I want to do authentication
> manually (like from a servlet/filter to call JAAS, I don't want to use basic,
> form, cert methods) and in some way notify the container with credentials
> (so the authorization can be taken over by the server).
>
> Thank you
>
> On 4/20/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > The JSPWiki team has done something in the same direction.
> > I tested the deployment of Andrew's implementation and collected a
> > checklist.
> > It's not exactly what you are asking for but it could help to inspire you
> > where to look for errors.
> >
> > http://wiki.jcrud.org/jcrud/Wiki.jsp?page=ChecklistForContainerManagedAuthentication
> >
> > (AAA stands for "Authentication And Authorization")
> >
> > Have fun
> >
> > Rolf
> >
> > > It is strange that it is so quiet about this issue.
> > > I can't be the only one who gets affected, many projects must have come
> > > across this.
> > >
> > > Thank you
> > >
> > > On 4/18/06, Chapoor Chapoor <[EMAIL PROTECTED]> wrote:
> > >>
> > >> Hi,
> > >>
> > >> I'm stuck on a security authentication/authorization issue, which I
> > >> hope you have some advice for me on.
> > >>
> > >> In simple words, I want to use the Web container security (for
> > >> authorization) together with my own JAAS implementation (for
> > >> authentication).
> > >>
> > >> How to achieve this?
> > >>
> > >> I don't want to use the BASIC, FORM, CLIENT-CERT etc. auth-methods. I
> > >> want to bypass these and hit my JAAS login module.
> > >> The reason is that we collect user information in a different way, by an
> > >> exchange with the user in a front filter.
> > >>
> > >> I can't get this to work, even though I have configured my
> > >> login module, user, role and configured the JAASRealm in Tomcat.
> > >>
> > >> This is how I want to do it (in theory).
> > >> 1. User enters a URL (e.g. /mycontext/cars/),
> > >> 2. The SecFilter gets triggered, which ends by exchanging user
> > >> information,
> > >> 3. The MyLoginModule gets called with user information
> > >> 4. User is looked up and gets assigned User/Role Principals.
> > >> 5. Login is OK
> > >> 6. Now the web container security can take place and checks in web.xml
> > >> if this user is-in-role to call the /cars URL.
> > >>
> > >> I've searched the entire web but could not see any good article about
> > >> this. Am I the only one who wants to bypass the auth-methods but still
> > >> can provide good authentication and "standard" web-authorization?
> > >>
> > >> (I've seen some work-arounds such as:
> > >> http://www.kopz.org/public/documents/tomcat/jaasintomcat.html but this
> > >> is a work-around, which I don't like).
> > >>
> > >> Please advise,
> > >>
> > >> Thank you for reading, and sorry for the long email.
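An added example, not part of the thread and not code from any poster: a sketch of steps 2 to 5 of the flow described in the original message, where a filter runs the JAAS login context "myapp" by hand and exposes the result through a request wrapper. The request attribute names and the `ROLE_CLASS` principal class are hypothetical assumptions, and the `javax.servlet` API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SecFilter implements Filter {
    // Assumption: MyLoginModule adds role principals of this (hypothetical) class.
    private static final String ROLE_CLASS = "com.example.RolePrincipal";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        // Assumption: the front exchange left what it collected in these attributes.
        String user = (String) req.getAttribute("exchange.user");
        char[] secret = (char[]) req.getAttribute("exchange.secret");
        Subject subject;
        try {
            if (user == null) throw new LoginException("no credentials collected");
            LoginContext lc = new LoginContext("myapp", callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(secret);
                    else throw new UnsupportedCallbackException(cb);
                }
            });
            lc.login();                 // runs the configured login module, throws on failure
            subject = lc.getSubject();
        } catch (LoginException e) {
            ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;                     // fail closed: the chain never runs unauthenticated
        }
        // Roles are told apart from the user by class name, as JAASRealm's roleClassNames does.
        Set<String> roles = subject.getPrincipals().stream()
                .filter(p -> p.getClass().getName().equals(ROLE_CLASS))
                .map(Principal::getName).collect(Collectors.toSet());
        Principal me = () -> user;      // Principal has one abstract method, getName()
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public String getRemoteUser() { return user; }
            @Override public Principal getUserPrincipal() { return me; }
            @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        }, rs);
    }
}
```

Tomcat evaluates `<security-constraint>` entries in web.xml before any filter runs, so this wrapper only feeds the programmatic checks (`getRemoteUser`, `isUserInRole`) in code behind the filter and does not propagate the identity to an EJB container.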