jaas

Is there a reason why software developers aren't externalizing authorization?

The value proposition of externalizing identity is starting to increase where many sites now accept OpenID, CardSpace or federated identity. However, many developers haven't yet taken the next step to externalize authorization and use approaches based on XACML. Is the reason lack of awareness or something else? How would you expect to l...

Supporting Single sign-on changing domain of JSESSIONID session cookie domain on Jetty

I'm trying to support single sign-on with JETTY and we have 2 subdomains running webservers that will support single sign-on through Jetty's SSO support. account.test.com app.test.com We have a SSOSession cookie that is set to *.test.com, but to support sign-off I need to ensure that my Jetty server running at app.test.com has its JSE...

Error reading configuration file for JAAS Authentication Provider in Spring

Really ripping my hair out on this one. I have a JAAS Authentication Provider configured for my Spring webapp. I've created a bean definition for it as follows: <beans:bean id="jaasAuthenticationProvider" class="org.springframework.security.providers.jaas.JaasAuthenticationProvider"> <custom-authentication-provider /> <b...

JEE Web - Switching from HTTPS to HTTP depending on resource

Using only standard JEE API (JAAS, Servlet API, JSF) How can I switch back from a CONFIDENTIAL channel to a Unsecured one? In my example I already managed to switch from an Unsecured channel to a Secured one for the resources in "*/secured/**", but I'm in need to switch back to an unsecured channel after a successful Authentication as t...

JSF authentication and authorization

What is the best way to go about implementing authentication and authorization for a JSF web application? Preferably I'd still want to use container-based security, as I need to call EJBs that require the principal. I realize form-based authentication is a major struggle with JSF, but can I perhaps use a PhaseListener or something simi...

JAAS tomcat login module possible method to pass ip address

I've been looking into a way of passing the client ip as well as the userid and password from a JAAS login page to the JAAS login module implementation in my web code. JAAS only allows the user id and password to be passed to the login module. My idea is to have a java script code to append the ip address to the user id and then call t...
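
The javax.security.auth.callback API is not limited to a name and a password: a LoginModule may hand its CallbackHandler any Callback implementation, and the handler fills in whatever the request can supply. The listing below is an added example, not code from the question; ClientAddressCallback, RequestCallbackHandler and AddressAwareLoginModule are hypothetical names, the password "s3cret" and the 10.0.0.0/8 address rule are constructed stand-ins for a real credential store and policy, and in a servlet the address would come from request.getRemoteAddr(). Note that under Tomcat's container-managed form login the JAASRealm supplies its own CallbackHandler, so this pattern applies where your own code constructs the handler (for instance a filter that drives the login itself). The main method drives the module's lifecycle directly, which is what a LoginContext does internally.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ClientAddressLoginDemo {

    /** Hypothetical Callback carrying the client's network address. */
    public static final class ClientAddressCallback implements Callback {
        private String address;
        public String getAddress() { return address; }
        public void setAddress(String address) { this.address = address; }
    }

    /** Built per request; in a servlet, remoteAddr is request.getRemoteAddr(). */
    public static final class RequestCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        private final String remoteAddr;

        public RequestCallbackHandler(String user, char[] password, String remoteAddr) {
            this.user = user;
            this.password = password;
            this.remoteAddr = remoteAddr;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof ClientAddressCallback) {
                    ((ClientAddressCallback) cb).setAddress(remoteAddr);
                } else {
                    throw new UnsupportedCallbackException(cb, "unrecognised callback");
                }
            }
        }
    }

    /** LoginModule that requests the address alongside the credentials. */
    public static final class AddressAwareLoginModule implements LoginModule {
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            PasswordCallback pass = new PasswordCallback("password: ", false);
            ClientAddressCallback addr = new ClientAddressCallback();
            try {
                handler.handle(new Callback[] { name, pass, addr });
            } catch (Exception e) {
                throw new LoginException("callback handler failed: " + e.getMessage());
            }
            // Constructed checks: real code verifies the password against a store
            // and applies whatever policy the address is meant to drive.
            char[] pw = pass.getPassword();
            boolean passwordOk = pw != null && "s3cret".equals(new String(pw));
            boolean addressOk = addr.getAddress() != null && addr.getAddress().startsWith("10.");
            pass.clearPassword();
            if (!passwordOk || !addressOk) {
                throw new FailedLoginException("bad credentials or disallowed address");
            }
            user = name.getName();
            succeeded = true;
            return true;
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; user = null; return true; }
    }

    /** Drives initialize/login/commit directly, as a LoginContext would. */
    public static void main(String[] args) throws LoginException {
        LoginModule module = new AddressAwareLoginModule();
        module.initialize(new Subject(),
                new RequestCallbackHandler("alice", "s3cret".toCharArray(), "10.1.2.3"),
                new HashMap<String, Object>(), new HashMap<String, Object>());
        System.out.println("login ok: " + module.login());
        module.commit();
    }
}
```

Because the address is only as trustworthy as the source it is read from, take it from the server-side request object rather than from anything the browser submits, and treat X-Forwarded-For as input only from a proxy you control.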

What do implementations like jGuard provide that JAAS doesn't ?

Hi, I have been looking at JAAS and implementations like jGuard, Acegi etc over the last two weeks , but still couldn't decide/understand which to go for in my application. Here's a brief description of my application:- A social game kind of app(with open collaborative forums/discussions/groups) with Flex on the Front end and J2EE on th...

form-login with custom fields (SJSAS 8.2)

Hi all, I'm developing a custom LoginModule and corresponding Realm for using in SJSAS 8.2. Basically four fields will be necessary in my authentication strategy. Is there a way to use custom fields in my login form (additionally to j_username and j_password) in order to take advantage of declarative approach? I don't want to concaten...

Making JAAS LoginModule Case-Insensitive

I am using JAAS to authenticate against Microsoft Active Directory and unlike AD its current behavior is case-sensitive. Does anyone have any tips on making JAAS LoginModules case-insensitive? ...

JAAS and JBOSS 5 problem with principal

I am working with a piece of code implementing JAAS LoginModule and in the commit method I set the principal with user UUID: subject.getPrincipals().add(new SimplePrincipal(userUUID) But for some reason when I access the user from EJB Context: context.getCallerPrincipal().getName() I receive the login name of the user instead of t...

Java and Kerberos authentication krb5.conf versus System.setProperty

Hello, Please help me on a kerberos+Java problem. I have a simple Java program to authenticate to a Windows Active Directory using Kerberos. The following java code works fine without any problems and prints true- public class KerberosAuthenticator { public static void main(String[] args) { String jaasConfigFilePath = "/myD...

Reload Kerberos config in JAVA without restarting JVM

Hello, The following code is for authenticating to a windows AD server using Java+Kerberos and it works fine- public class KerberosAuthenticator { public static void main(String[] args) { String jaasConfigFilePath = "/myDir/jaas.conf"; System.setProperty("java.security.auth.login.config", jaasConfigFilePath); String krb...

Any Way to Read JAAS Configuration File from Memory

We use JAAS in a heavily loaded web server. The configuration file is loaded from a file, System.setProperty("java.security.auth.login.config", "/config/jaas.config"); During profiling, we noticed that the configuration is loaded from file for every login attempt. This is an I/O operation we try to avoid. Is there anyway to store th...
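
Whatever is triggering the per-login reads, the file can be taken out of the path entirely: javax.security.auth.login.Configuration is an abstract class, so a subclass that holds its AppConfigurationEntry arrays in memory can be installed with Configuration.setConfiguration(), after which LoginContext asks that object for entries and never touches the file-backed implementation. The code below is an added example rather than the poster's code; the entry name "WebLogin" and the module class com.example.MyLoginModule are placeholders.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** JAAS Configuration built once in memory; no file is consulted at login time. */
public final class InMemoryJaasConfiguration extends Configuration {

    private final Map<String, AppConfigurationEntry[]> entries;

    public InMemoryJaasConfiguration(Map<String, AppConfigurationEntry[]> entries) {
        this.entries = new HashMap<String, AppConfigurationEntry[]>(entries);
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] found = entries.get(name);
        // LoginContext treats null as "no such application"; clone so a caller
        // cannot mutate the shared array.
        return found == null ? null : found.clone();
    }

    @Override
    public void refresh() {
        // Nothing to re-read: the entries live in this object.
    }

    /** Equivalent of:  WebLogin { com.example.MyLoginModule required debug=false; }; */
    public static InMemoryJaasConfiguration webLogin() {
        Map<String, String> options = new HashMap<String, String>();
        options.put("debug", "false");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.example.MyLoginModule",          // hypothetical module class
                LoginModuleControlFlag.REQUIRED, options);
        return new InMemoryJaasConfiguration(
                Collections.singletonMap("WebLogin", new AppConfigurationEntry[] { entry }));
    }

    public static void main(String[] args) {
        // Replaces the default file-backed Configuration for the whole JVM.
        // Under a SecurityManager this needs AuthPermission("setLoginConfiguration").
        Configuration.setConfiguration(webLogin());

        AppConfigurationEntry[] installed =
                Configuration.getConfiguration().getAppConfigurationEntry("WebLogin");
        System.out.println(installed[0].getLoginModuleName() + " " + installed[0].getControlFlag());
    }
}
```

If replacing the JVM-wide Configuration is too broad (other code in the same server may rely on the file), the four-argument constructor new LoginContext(name, subject, handler, configuration) scopes the in-memory object to one login context without touching the global.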

How to get LDAP search to use Kerberos ticket to avoid cleartext password.

I have a Tomcat configuration that uses Kerberos 5 to authenticate the user against AD server and then uses LDAP to obtain roles for authorization against a security-constraint. server.xml has this: <Realm className="org.apache.catalina.realm.JAASRealm" appName="vt-ldap" userClassNames="edu.vt.mid...
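
The way to make the LDAP bind reuse the Kerberos credentials instead of a stored bind password is to run the JNDI search inside Subject.doAs with the Subject that Krb5LoginModule populated, and to select SASL/GSSAPI as the authentication mechanism; the JNDI LDAP provider then binds with the ticket in the Subject's private credentials. The listing is an added example, not the questioner's configuration; the JAAS entry name "KerberosClient", the host dc.example.com and the base DN are placeholders. The search filter escapes the account name so that a crafted username cannot rewrite it.

```java
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public final class KerberosLdapLookup {

    /**
     * Runs the search as the given Subject, so the SASL/GSSAPI bind uses the
     * Kerberos credentials already held there; no password leaves the JVM.
     */
    public static List<String> groupsOf(Subject subject, final String ldapUrl,
                                        final String baseDn, final String accountName)
            throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<List<String>>() {
            @Override
            public List<String> run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, ldapUrl);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                // Integrity and confidentiality on the SASL layer: AD can be set to
                // reject unsigned binds, and this keeps results off the wire in clear.
                env.put("javax.security.sasl.qop", "auth-conf");

                LdapContext ctx = new InitialLdapContext(env, null);
                try {
                    SearchControls controls = new SearchControls();
                    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    controls.setReturningAttributes(new String[] { "memberOf" });
                    String filter = "(sAMAccountName=" + escapeFilterValue(accountName) + ")";

                    List<String> groups = new ArrayList<String>();
                    NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, controls);
                    while (results.hasMore()) {
                        Attribute memberOf = results.next().getAttributes().get("memberOf");
                        if (memberOf == null) continue;
                        NamingEnumeration<?> values = memberOf.getAll();
                        while (values.hasMore()) groups.add(values.next().toString());
                    }
                    return groups;
                } finally {
                    ctx.close();
                }
            }
        });
    }

    /** RFC 4515 escaping so a user-supplied value cannot alter the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // "KerberosClient" is a hypothetical JAAS entry that uses
        // com.sun.security.auth.module.Krb5LoginModule (for example with
        // useKeyTab=true for a service account, or with the user's own credentials).
        LoginContext lc = new LoginContext("KerberosClient");
        lc.login();
        List<String> groups = groupsOf(lc.getSubject(), "ldap://dc.example.com:389",
                "DC=example,DC=com", args.length > 0 ? args[0] : "jdoe");
        for (String g : groups) System.out.println(g);
        lc.logout();
    }
}
```

Inside the Tomcat realm from the question the same search fits in a second LoginModule stacked after Krb5LoginModule in the "vt-ldap" entry: modules commit in configuration order, so by the time the second module's commit() runs the KerberosTicket is already in the Subject and Subject.doAs on that Subject binds as the just-authenticated user. If the search rights should not depend on the individual user, log a service principal in from a keytab instead and pass that Subject.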

Is it possible to integrate Kerberos authentication into Jetty 6?

We currently have an application that runs an embedded jetty 6.1.14 server to which we need to add authentication via Kerberos. I'm new to Kerberos, which makes the task about 100x harder than maybe it should be. I've scoured the internet and have found conflicting reports as to whether or not it is even possible but nothing much to pr...

EJB Authentication and Authorization

Is there any way to extend the authentication operation which connects a client application to an EJB, using standard JAAS/container-based security? I'm looking for a way to use more than just a username to authenticate the user (in this case a domain name is also needed). Ideally I'd like to be able to use the SessionContext.getCallerPr...

JAAS with LDAP password policy

Hello all, A user is accessing a restricted web application with JAAS (on Glassfish 2.1). LDAPRealm is used, and authentication is successfully performed from LDAP. A password policy should be installed for the users, so that they are forced to change passwords, have passwords of certain complexity/length, password failures and last N p...

JAAS - isUserInRole returns false for all roles in Tomcat

Here is the issue, The JAAS realm connects to the database fine, the user name and password match, the session is authenticated. HOWEVER, none of the roles seem to be getting into the Principal. Tomcat's isUserInRole returns false for every role, and tomcat security doesn't see them either. Here is the realm configuration in the Serv...
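
Tomcat's JAASRealm derives the user and the roles from the Principals the LoginModule adds to the Subject in commit(): a principal whose class name is listed in userClassNames becomes the user, and every principal whose class name is listed in roleClassNames contributes its getName() as a role. If the module only adds a user principal, or the class names in server.xml do not match the classes actually added, isUserInRole is false for everything. The following is an added example, not the questioner's realm or module: the package com.example, the app name MyApp and the in-memory user table (with a plaintext password that a real module would replace by a hash comparison against the database) are constructed for illustration.

```java
package com.example;

import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Matching server.xml Realm (constructed). JAASRealm compares the strings below
 * against principal.getClass().getName(), so nested classes use their binary
 * names with '$':
 *
 *   <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyApp"
 *          userClassNames="com.example.RoleAwareLoginModule$UserPrincipal"
 *          roleClassNames="com.example.RoleAwareLoginModule$RolePrincipal"/>
 *
 * and the JAAS entry:  MyApp { com.example.RoleAwareLoginModule required; };
 */
public class RoleAwareLoginModule implements LoginModule {

    /** Shared base so user and role principals get value equality. */
    public abstract static class NamedPrincipal implements Principal, Serializable {
        private final String name;
        protected NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return getClass().hashCode() ^ name.hashCode(); }
        @Override public String toString() { return getClass().getSimpleName() + ":" + name; }
    }
    /** The authenticated user; its class is listed in userClassNames. */
    public static final class UserPrincipal extends NamedPrincipal {
        public UserPrincipal(String name) { super(name); }
    }
    /** One per granted role; its class is listed in roleClassNames. */
    public static final class RolePrincipal extends NamedPrincipal {
        public RolePrincipal(String name) { super(name); }
    }

    // Constructed stand-in for the database: name -> { password, role... }.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("alice", new String[] { "s3cret", "admin", "user" }); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private String[] roles;
    private boolean succeeded;
    private final List<Principal> added = new ArrayList<Principal>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });   // Tomcat's handler fills both
        } catch (Exception e) {
            throw new LoginException("callback handler failed: " + e.getMessage());
        }
        String[] record = USERS.get(nc.getName());
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (record == null || pw == null || !record[0].equals(new String(pw))) {
            throw new FailedLoginException("invalid username or password");
        }
        user = nc.getName();
        roles = Arrays.copyOfRange(record, 1, record.length);
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (!succeeded) return false;
        Principal up = new UserPrincipal(user);
        subject.getPrincipals().add(up);
        added.add(up);
        for (String role : roles) {          // without these, isUserInRole is always false
            Principal rp = new RolePrincipal(role);
            subject.getPrincipals().add(rp);
            added.add(rp);
        }
        return true;
    }

    @Override public boolean abort() { user = null; roles = null; succeeded = false; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        succeeded = false;
        return true;
    }
}
```

Two things to check when roles still come back empty: the strings in userClassNames and roleClassNames must match getClass().getName() of the principals exactly (package, outer class and '$' included), and the roles must be declared in web.xml as <security-role> entries and referenced from the <auth-constraint>, which some containers require before isUserInRole will consider them.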

Using JaaS with Jersey on Grizzly

I'm trying to find a simple, flexible way to add JaaS authentication to REST. I found a post that I think leads me in the right direction (See StevenC's answer). It sounds like the servlet container is responsible for security, not the Jersey code itself. I like this idea, but need a little guidance on implementation. Grizzly is my s...

Sending Complete Chain from Common Access Card (CAC)?

I'm attempting to enable SSL communication from a web service client (Axis2) using the certificate on the user's CAC card. Works like a charm....UNTIL the web server is CAC enabled. At that point the SSL connection is rejected with the error message that the other certificates in the chain were not included. I have ensured that the pr...