пятница, 26 февраля 2010 г.

End-to-end identity propagation with JBoss 4, Hibernate and Oracle. Part 2

A complete web application for testing the Oracle login module.



First of all we have to understand where the username and password are stored after a successful authentication, so that we can reuse them later (to open the Oracle session as the same user).
By default neither JBoss nor Tomcat lets you obtain the password through the SecurityAssociation class, so additional configuration in context.xml is needed.
Tomcat (and the JBoss web server derived from it) provides Valve elements for configuration
and additional request/response processing;
see http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html for details.



The following change to context.xml makes the user's password retrievable through the SecurityAssociationValve class in JBoss/Tomcat. Be aware of what this means: the clear-text password is kept in the server-side session for the life of that session (the servlet below reads it from the Tomcat session notes), so anything that can read session state or a heap dump of the server can read it. That is the price of propagating the user's own credentials to Oracle.


<!--
  Context configuration for the test application.
  crossContext="true" lets other web applications on this server obtain this
  ServletContext via getContext(); it is unrelated to the password handling
  below and can be dropped if nothing actually shares data across contexts.
-->
<Context cookies="true" crossContext="true">


<!--
  JBoss form-authentication valve. includePassword="true" makes it keep the
  clear-text password in the Tomcat session notes after a successful login
  (the Logon servlet below reads it via Constants.SESS_PASSWORD_NOTE); this is
  how the password later reaches the Oracle login module.
  Consequence: the password lives in server memory for the whole session;
  anything that can read session state (or a heap dump) can read it.
-->
<Valve className="org.jboss.web.tomcat.security.ExtendedFormAuthenticator"


includePassword="true" />


</Context>









As you may remember from part 1, I am trying to minimize administrative overhead, but unfortunately the roles have to be duplicated: once in the web application and once in the database.

In any case, let's create a simple web application with three pages and a login form. Each role has access to exactly one page; see the security-constraint elements for the page names and roles. web.xml should look like this:



web.xml


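<?xml version="1.0" encoding="UTF-8"?>
<!--
  Deployment descriptor for the identity-propagation test application:
  three protected JSP pages (one per role) and a FORM login against the
  "CrTime" realm. The realm is expected to be backed by the Oracle login
  module from part 1 - confirm the name matches the security domain there.
-->
<web-app version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <!-- Programmatic login servlet (com.crtime.web.Logon). It reads
         j_username/j_password from the request, so it is covered by the
         "Login endpoints" transport constraint below. -->
    <servlet>
        <servlet-name>logon</servlet-name>
        <servlet-class>com.crtime.web.Logon</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>logon</servlet-name>
        <url-pattern>*.do</url-pattern>
    </servlet-mapping>

    <!-- Roles referenced by the constraints. They have to match the role
         names the login module grants (and, as the text notes, the same
         roles exist again on the database side). -->
    <security-role>
        <role-name>CRTIME_ADMIN</role-name>
    </security-role>
    <security-role>
        <role-name>CRTIME_MANAGER</role-name>
    </security-role>
    <security-role>
        <role-name>anonymous</role-name>
    </security-role>
    <security-role>
        <role-name>CRTIME_SOMEOTHERROLE</role-name>
    </security-role>

    <!-- One constraint per page: only the matching role may open it, and
         only over TLS (CONFIDENTIAL). -->
    <security-constraint>
        <display-name>CRTIME_ADMIN</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/crtime_admin.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>CRTIME_ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>SSL required</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <display-name>CRTIME_MANAGER</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/crtime_manager.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>CRTIME_MANAGER</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>SSL required</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <display-name>CRTIME_SOMEOTHERROLE</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/crtime_someotherrole.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>CRTIME_SOMEOTHERROLE</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>SSL required</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Login endpoints. No auth-constraint (anyone may reach them), but a
         CONFIDENTIAL transport guarantee so credentials are never submitted
         over plain HTTP. Without this constraint only the three protected
         pages required TLS, while /login.jsp and the *.do login servlet -
         the places the password is actually typed and posted - were
         reachable over HTTP. -->
    <security-constraint>
        <display-name>Login endpoints</display-name>
        <web-resource-collection>
            <web-resource-name>Login</web-resource-name>
            <url-pattern>/login.jsp</url-pattern>
            <url-pattern>/loginError.jsp</url-pattern>
            <url-pattern>*.do</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <description>SSL required for credential submission</description>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Container-managed FORM login; the form must post j_username and
         j_password to j_security_check. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>CrTime</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <!-- 403 (authenticated, but not in the required role) is sent back to
         the login page. This lets the user sign in as someone else, but
         gives no hint that the problem was a missing role rather than bad
         credentials. -->
    <error-page>
        <error-code>403</error-code>
        <location>/login.jsp</location>
    </error-page>

</web-app>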




Login form:





<!-- Container-managed FORM login: j_security_check is handled by the
     container's FORM authenticator (see login-config in web.xml) and it
     expects exactly these field names, j_username and j_password.
     The action is relative, so it resolves against the URL that served
     login.jsp; that page must itself be served over HTTPS, otherwise the
     password is posted in the clear. -->
<form name="logonForm" action="j_security_check" method=post>

<input type="text" name="j_username" maxlength=20>

<!-- maxlength=20 caps the password at 20 characters as well.
     NOTE(review): confirm this limit is intended - it rules out longer
     passphrases for no obvious reason. -->
<input type="password" name="j_password" maxlength=20>

<input type="submit" value="Login">

</form>




Login servlet



On successful authentication the servlet redirects back to the referring page. Keep in mind that the Referer header is supplied by the client and may be absent or point to another site, so it has to be validated before being used as a redirect target.



package com.crtime.web;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.jboss.web.tomcat.security.SecurityAssociationValve;
import org.jboss.web.tomcat.security.login.WebAuthentication;

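/**
 * Programmatic login endpoint, mapped to {@code *.do} in web.xml.
 *
 * <p>Authenticates the supplied {@code j_username}/{@code j_password} through
 * JBoss' {@link WebAuthentication} and then shows that, after a successful
 * login, the container has cached the user name and (because the
 * ExtendedFormAuthenticator valve runs with includePassword="true") the
 * password in the Tomcat session notes. Those notes are what the Oracle
 * login module will later read to open a database session as the same user.
 *
 * <p>On success the client is sent back to the referring page, but only when
 * that page belongs to this application (same scheme, host and port, path
 * under this context); any other or missing Referer falls back to the context
 * root. On a failed login, or on any unexpected error, the client is sent to
 * {@code /loginError.jsp}.
 *
 * <p>Differences from the first version of this listing: the clear-text
 * password is no longer written to stdout, the Referer is validated before
 * being used as a redirect target (a missing header used to throw), and the
 * error redirect is always context-relative.
 *
 * User: iazarny
 * Date: 10.06.2008
 * Time: 11:21:38
 *
 * see following link for more details
 * http://roneiv.wordpress.com/2008/03/
 * http://forum.java.sun.com/thread.jspa?threadID=5293266&tstart=0
 * http://www.javaworld.com/javaforums/printthread.php?Board=JavaSecurity&main=2500&type=post
 */
public class Logon extends HttpServlet {

    /** Context-relative error page; matches form-error-page in web.xml. */
    private static final String ERROR_PAGE = "/loginError.jsp";

    /**
     * Handles GET exactly like POST.
     *
     * <p>NOTE(review): credentials sent with GET end up in the query string and
     * therefore in browser history, proxy logs and the access log. GET support
     * is kept for backward compatibility; prefer restricting the login form to
     * POST.
     *
     * @param request  current request carrying j_username / j_password
     * @param response response used for the redirect
     * @throws ServletException never thrown here, declared for the servlet API
     * @throws IOException      if the redirect cannot be written
     */
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
            throws ServletException, IOException {
        processLogin(request, response);
    }

    /**
     * Handles the login form submission.
     *
     * @param request  current request carrying j_username / j_password
     * @param response response used for the redirect
     * @throws ServletException never thrown here, declared for the servlet API
     * @throws IOException      if the redirect cannot be written
     */
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
            throws ServletException, IOException {
        processLogin(request, response);
    }

    /**
     * Runs the container login and redirects according to the outcome.
     *
     * @param request  current request
     * @param response response used for the redirect
     * @throws IOException if the redirect cannot be written
     */
    private void processLogin(HttpServletRequest request,
                              HttpServletResponse response) throws IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");

        // A request without both parameters can never authenticate; do not
        // bother the login module (which would otherwise see nulls).
        if (username == null || password == null) {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }

        try {
            boolean authenticated = new WebAuthentication().login(username, password);
            if (!authenticated) {
                response.sendRedirect(request.getContextPath() + ERROR_PAGE);
                return;
            }

            logCachedCredentials(username);
            response.sendRedirect(safeReturnUrl(request));
        } catch (Exception e) {
            // Broad catch kept from the original: anything going wrong inside the
            // login module must still end at the error page. Log through the
            // servlet log instead of printStackTrace() so the container keeps it.
            log("login failed with an unexpected error for user " + username, e);
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
        }
    }

    /**
     * Logs what the container cached in the Tomcat session notes after the
     * login ({@code SESS_USERNAME_NOTE} / {@code SESS_PASSWORD_NOTE}).
     *
     * <p>The password value itself is deliberately never logged - only whether
     * the note is present. The original listing printed the clear-text
     * password to stdout, i.e. into the server log.
     *
     * @param username the name that was just authenticated, for the log line
     */
    private void logCachedCredentials(String username) {
        Request activeRequest = (Request) SecurityAssociationValve.activeRequest.get();
        // getSessionInternal(false) does not create a session, so it can be null.
        Session session = activeRequest == null ? null : activeRequest.getSessionInternal(false);
        if (session == null) {
            log("login ok for " + username + " but no Tomcat session is active; nothing cached");
            return;
        }

        String cachedUser = (String) session.getNote(Constants.SESS_USERNAME_NOTE);
        boolean passwordCached = session.getNote(Constants.SESS_PASSWORD_NOTE) != null;
        log("login ok: SESS_USERNAME_NOTE=" + cachedUser
                + ", SESS_PASSWORD_NOTE present=" + passwordCached);
    }

    /**
     * Chooses the post-login redirect target.
     *
     * <p>The Referer header is client-controlled: it may be missing (the
     * original code then called sendRedirect(null)) or point at another site,
     * which would turn this servlet into an open redirect. The header is used
     * only when it is an absolute URL on this server (same scheme, host and
     * port as the current request) whose path lies under this context; in that
     * case just the path and query are returned so the redirect is always
     * local. Anything else falls back to the context root.
     *
     * <p>NOTE(review): behind a reverse proxy getServerName()/getServerPort()
     * may reflect the proxy rather than the public host; adjust the comparison
     * if that is the deployment.
     *
     * @param request current request
     * @return a server-absolute path to redirect to
     */
    private String safeReturnUrl(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        String fallback = contextPath + "/";
        String referer = request.getHeader("Referer");
        if (referer == null || referer.length() == 0) {
            return fallback;
        }

        URI target;
        try {
            target = new URI(referer);
        } catch (URISyntaxException e) {
            return fallback;
        }

        String scheme = target.getScheme();
        String host = target.getHost();
        if (scheme == null || host == null) {
            return fallback;
        }
        if (!scheme.equalsIgnoreCase(request.getScheme())
                || !host.equalsIgnoreCase(request.getServerName())) {
            return fallback;
        }
        int port = target.getPort() == -1 ? defaultPort(scheme) : target.getPort();
        if (port != request.getServerPort()) {
            return fallback;
        }

        String path = target.getRawPath();
        // Accept the context root itself and anything below it (for the ROOT
        // context contextPath is "" and any path qualifies).
        if (path == null || !(path.equals(contextPath) || path.startsWith(contextPath + "/"))) {
            return fallback;
        }
        String query = target.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    /** Default port for the given URL scheme (443 for https, 80 otherwise). */
    private static int defaultPort(String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

}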



To be continued ....
