Hi All,
I am very new to JAAS. I have successfully authenticated users using
RdbmsLoginModule (retrieving the user information from the database).
But I don't know where and how to set the user's permissions to control
access to certain URLs.
For example:
In our database there is a user info table called USER_AUTH with two
records:
USER   PASSWORD   GROUP
TEST1  TEST1      ADMIN
TEST2  TEST2      DEVELOPER
After authentication, I'd like GROUP ADMIN to be able to access the JSP pages
"AdminMenu.jsp", "User.jsp", "Develop.jsp" etc., and DEVELOPER to be able to
access only "Develop.jsp". How can I do that?
Questions:
1. Do I need to grant any permission in the policy files? How?
2. Do I need to use AccessController?
3. Where do I set and configure the policy file if I use JDEV 10g to run
the application?
Thanks very much for your advice.
Following is some sample code I have used.
In the login method in RdbmsLoginModule:
public boolean login() throws LoginException {
    if (debug)
        System.out.println("\t\t[RdbmsLoginModule] login");
    if (callbackHandler == null)
        throw new LoginException("Error: no CallbackHandler available " +
            "to garner authentication information from the user");
    try {
        // Setup default callback handlers.
        Callback[] callbacks = new Callback[] {
            new NameCallback("Username: "),
            new PasswordCallback("Password: ", false)
        };
        callbackHandler.handle(callbacks);
        String username = ((NameCallback)callbacks[0]).getName();
        String password = new String(((PasswordCallback)callbacks[1]).getPassword());
        ((PasswordCallback)callbacks[1]).clearPassword();
        success = rdbmsValidate(username, password);
        callbacks[0] = null;
        callbacks[1] = null;
        if (!success)
            throw new LoginException("Authentication failed: Password does not match");
        return(true);
    } catch (LoginException ex) {
        throw ex;
    } catch (Exception ex) {
        success = false;
        throw new LoginException(ex.getMessage());
    }
}
***************************************
Method rdbmsValidate(String, String)
private boolean rdbmsValidate(String user, String pass) throws Exception {
    Connection con = null;
    PreparedStatement stmt = null;
    // Bind the user name as a parameter instead of concatenating it into the
    // SQL text, so a crafted user name cannot change the query that runs.
    String query = "SELECT * FROM USER_AUTH where userid = ?";
    RdbmsCredential c = null;
    boolean passwordMatch = false;
    try {
        Class.forName(driverClass);
    }
    catch (java.lang.ClassNotFoundException e) {
        System.err.print("ClassNotFoundException: ");
        System.err.println(e.getMessage());
        throw new LoginException("Database driver class not found: " + driverClass);
    }
    try {
        if (debug)
            System.out.println("\t\t[RdbmsLoginModule] Trying to connect...");
        con = DriverManager.getConnection(url, dbuser, dbpass);
        if (debug)
            System.out.println("\t\t[RdbmsLoginModule] connected!");
        stmt = con.prepareStatement(query);
        stmt.setString(1, user);
        if (debug)
            System.out.println("\t\t[RdbmsLoginModule] " + query);
        ResultSet result = stmt.executeQuery();
        String dbPassword = null, dbUser = null, dbGroup = null;
        while (result.next()) {
            if (!result.isFirst())
                throw new LoginException("Ambiguous user (located more than once): " + user);
            dbPassword = result.getString(result.findColumn("password"));
            dbUser = result.getString(result.findColumn("user"));
            dbGroup = result.getString(result.findColumn("group"));
        }
        if (dbPassword == null)
            throw new LoginException("User " + user + " not found");
        // The password is stored and compared in clear text here; the debug
        // output deliberately does not echo either value.
        if (debug)
            System.out.println("\t\t[RdbmsLoginModule] checking password for '" + dbUser + "'");
        passwordMatch = pass.equals(dbPassword);
        if (passwordMatch) {
            if (debug)
                System.out.println("\t\t[RdbmsLoginModule] passwords match!");
            c = new RdbmsCredential();
            c.setProperty("user", dbUser);
            c.setProperty("group", dbGroup);
            this.tempCredentials.add(c);
            if (debug)
                System.out.println("TempCredentials = " + tempCredentials);
            // The principal name carries "user group", separated by a space.
            this.tempPrincipals.add(new RdbmsPrincipal(dbUser + " " + dbGroup));
        } else {
            if (debug)
                System.out.println("\t\t[RdbmsLoginModule] passwords do NOT match!");
        }
    }
    catch (SQLException ex) {
        System.err.print("SQLException: ");
        System.err.println(ex.getMessage());
        throw new LoginException("SQLException: " + ex.getMessage());
    }
    finally {
        // Release the statement and the connection even when a LoginException
        // is thrown from inside the try block above.
        if (stmt != null) try { stmt.close(); } catch (SQLException ignore) {}
        if (con != null) try { con.close(); } catch (SQLException ignore) {}
    }
    return(passwordMatch);
}
******************
Commit() Method
public boolean commit() throws LoginException {
    if (debug)
        System.out.println("\t\t[RdbmsLoginModule] commit");
    if (success) {
        if (subject.isReadOnly()) {
            throw new LoginException("Subject is Readonly");
        }
        try {
            Iterator it = tempPrincipals.iterator();
            if (debug) {
                while (it.hasNext())
                    System.out.println("\t\t[RdbmsLoginModule] Principal: " + it.next().toString());
            }
            subject.getPrincipals().addAll(tempPrincipals);
            subject.getPublicCredentials().addAll(tempCredentials);
            tempPrincipals.clear();
            tempCredentials.clear();
            if (callbackHandler instanceof PassiveCallbackHandler)
                ((PassiveCallbackHandler)callbackHandler).clearPassword();
            return(true);
        } catch (Exception ex) {
            ex.printStackTrace(System.out);
            throw new LoginException(ex.getMessage());
        }
    } else {
        tempPrincipals.clear();
        tempCredentials.clear();
        return(true);
    }
}
Mei
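One way to get the page-to-group restriction asked for above, added here as an example and not code from the original post or from the RdbmsLoginModule sample: a servlet Filter that keeps an allow list of JSP pages and the GROUP values that may open them, and checks the group of the authenticated Subject on every request. It assumes the code that calls LoginContext.login() stores the resulting Subject in the HTTP session under a key named "javax.security.auth.subject", and that RdbmsCredential offers a getProperty("group") getter matching the setProperty call in the login module; both names are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

/** Denies a JSP unless the logged-in user's GROUP is on that page's allow list. */
public class GroupAuthorizationFilter implements Filter {
    // Session attribute under which the login code stores the Subject (assumed name).
    static final String SUBJECT_ATTR = "javax.security.auth.subject";
    // Page -> groups allowed to view it. Pages not listed here are denied (fail closed).
    private static final Map ALLOWED = new HashMap();
    static {
        ALLOWED.put("/AdminMenu.jsp", groups(new String[] {"ADMIN"}));
        ALLOWED.put("/User.jsp",      groups(new String[] {"ADMIN"}));
        ALLOWED.put("/Develop.jsp",   groups(new String[] {"ADMIN", "DEVELOPER"}));
    }
    private static Set groups(String[] names) { return new HashSet(Arrays.asList(names)); }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        Subject subject = (session == null) ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject == null) {                 // not authenticated: send to the login page
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        // getServletPath() is already normalised by the container, so the lookup
        // is not fooled by "/./AdminMenu.jsp" or "//AdminMenu.jsp" spellings.
        if (!isAllowed(request.getServletPath(), groupOf(subject))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
    /** The GROUP value the login module stored in RdbmsCredential (getProperty is assumed). */
    static String groupOf(Subject subject) {
        Iterator it = subject.getPublicCredentials(RdbmsCredential.class).iterator();
        return it.hasNext() ? ((RdbmsCredential) it.next()).getProperty("group") : null;
    }
    /** Pure decision, kept free of the servlet API: unknown page or unknown group -> false. */
    static boolean isAllowed(String path, String group) {
        Set groups = (Set) ALLOWED.get(path);
        return group != null && groups != null && groups.contains(group.trim().toUpperCase());
    }
}
```

Map the filter to the JSP pages with a filter-mapping entry in web.xml (for example url-pattern *.jsp); no entry in a JAAS policy file is needed for this check, since the decision is made from the Subject's credentials rather than from java.security permissions.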
cyberaom - 27 Dec 2004 04:12 GMT
I have the same problem, pls... help toooo..
>_<'
Thanks a lot
Bob Van - 22 Feb 2005 23:18 GMT
This article says to use filters...
http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
...but it too just offers some incomplete 'sample code' that doesn't work
and leaves you scratching your head.
Can you provide your complete source code for all your modules?
I'm trying to get JAAS running on Tomcat 5, but can't find a full, working
RdbmsLoginModule to work with.