jaspic

Is it possible to use container-managed authentication with password salting?

夙愿已清 提交于 2020-01-01 05:42:06
问题 I know how to set up vanilla container-managed security that uses form authentication and uses digested passwords (say, SHA-256). Something like this: web.xml <login-config> <auth-method>FORM</auth-method> <realm-name>jdbc</realm-name> <form-login-config> <form-login-page>/login.jsf</form-login-page> <form-error-page>/login-error.jsf</form-error-page> </form-login-config> </login-config> login.xhtml <form action="j_security_check"> <p><label> Username:<br/> <input type="text" name="j_username

Form based authentication in JSF

不问归期 提交于 2019-12-23 13:28:07
问题 I would like to implement a simple authentication in an JSF/Primefaces application. I have tried lots of different things, e.g. Dialog - Login Demo makes a simple test on a dialog, but it does not login a user or? I also have taken a look at Java Security, like: <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/protected/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>GET</http

Jaspic ServerAuthModule delegating to JAAS Krb5LoginModule

半世苍凉 提交于 2019-12-12 12:43:05
问题 I have to write a custom Jaspic ServerAuthModule (which needs to add a proprietary Authentication Cookie to the HTTP Response AND HTTP Request to be propagated to the applications running on the App Server). The Authentication must be done using Kerberos, SPNEGO. The Application Server to be used is JBOSS EAP 6.4.x I managed to get the Authentication using the JAAS Krb5LoginModule working. The JBOSS EAP Standone.xml I use: <security-domain name="host" cache-type="default"> <authentication>

JSP login with declarative security - How does the actual authentication happen?

北战南征 提交于 2019-12-10 15:41:27
问题 I've been a little puzzled with this as I have not seen many examples that gave me the complete picture. The best explanation I found so far is this. By defining a security role in web.xml such as "admin" for example, and having my login form with all the necessary fields (i.e j_security_check as action, and fields j_username, j_password), how/where does the actual authentication occur? I plan to use a custom authentication using username/passwords (hashes) stored in the database. When the

Jaspic module not propagating principal to local EJB in JBoss 7.4

安稳与你 提交于 2019-12-06 10:23:29
问题 I have a custom, JSR-196 module, that basically delegates to a service that delegates roles to a OAuth "grants" call. It does work from a servlet (request.getUserPrincipal() works fine). It does not propagate to EJB calls, where SessionContext.getCallerPrincipal() returns a SimplePrincipal with "anonymous" instead of expected username / roles. MycompanyPrincipal is a simple class, with a simple getName() and some custom properties. It seems that SubjectInfo.getAuthenticatedSubject() has no

How to save an authenticated user in JASPIC?

不羁的心 提交于 2019-12-06 08:47:27
问题 I have developed a Security Authentication Module (SAM) and implemented the validateRequest method. I also have a simple webapp configured to use this SAM. In my validateRequest method, I check the clientSubject and set a CallerPrincipalCallback with a hardcoded username and a GroupPrincipalCallback with a hardcoded group name: final CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(clientSubject, "anonymous"); final GroupPrincipalCallback groupPrincipalCallback =

Tomcat-Jaas - How to retrieve subject?

十年热恋 提交于 2019-12-05 00:33:10
问题 I'm studying JAAS and I'm implementing a simple example to use in a webapp using Tomcat with a JaasRealm. Now my problem is that I don't know how to retrieve the subject since code like Subject subject = Subject.getSubject(AccessController.getContext()); always returns null. I'm using Tomcat 7.0.27. Is there something I've missed? In other terms how can I manage authorization in Java EE with JAAS? For example how can I implement an action within the secure context of JAAS? 回答1: i knew that

Jaspic module not propagating principal to local EJB in JBoss 7.4

倖福魔咒の 提交于 2019-12-04 17:17:58
I have a custom, JSR-196 module, that basically delegates to a service that delegates roles to a OAuth "grants" call. It does work from a servlet (request.getUserPrincipal() works fine). It does not propagate to EJB calls, where SessionContext.getCallerPrincipal() returns a SimplePrincipal with "anonymous" instead of expected username / roles. MycompanyPrincipal is a simple class, with a simple getName() and some custom properties. It seems that SubjectInfo.getAuthenticatedSubject() has no principal. I managed to make an ugly workaround for that, see "// WORKAROUND" below. Still, I'd want to

How to save an authenticated user in JASPIC?

自作多情 提交于 2019-12-04 12:47:15
I have developed a Security Authentication Module (SAM) and implemented the validateRequest method. I also have a simple webapp configured to use this SAM. In my validateRequest method, I check the clientSubject and set a CallerPrincipalCallback with a hardcoded username and a GroupPrincipalCallback with a hardcoded group name: final CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(clientSubject, "anonymous"); final GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(clientSubject, new String[] {"user"}); try { this.handler.handle(new

Java Web Application: Using a custom realm

时光怂恿深爱的人放手 提交于 2019-12-03 12:43:04
问题 I'm writing a java web application which need to perform login through a webservice. Of course, none of the realms supplied with the application server I'm using (glassfish v2) can do the trick. I therefore had to write my own. It seems however, that the realm implementation that I wrote is completely tied to glassfish and cannot be used as is in any other application servers. Is there any standard or widely supported way to implement a custom Realm? Is it in any way possible to deploy that
订阅 jaspic