-
1. Re: HttpServletRequest.authenticate error
jfclere Jun 30, 2010 2:45 AM (in response to javaspack)Just for comparison, I downloaded the Tomcat 7.0 branch (because it is my understanding that that is where the new servlet 3.0 is implemented, maybe I'm wrong?) and the Request class has a different authenticate method
JBossWeb has its own implementation of Servlet 3.0.
BTW: I am afraid the Tomcat code will throw a NullPointerException in your case.
Or am I just missing something?
It seems you need to configure the authenticator and/or have a constraints in the webapp you are using.
-
2. Re: HttpServletRequest.authenticate error
javaspack Jun 30, 2010 12:03 PM (in response to javaspack)It seems you need to configure the authenticator and/or have a constraints in the webapp you are using
In my context.xml file, I define a Valve
<Context>
<Valve className="com.mycompany.auth.MyValve" />
</Context>Doesn't this become my configured authenticator for the context? MyValve extends AuthenticatorBase which implements Authenticator. It is a valid authenticator.
I have also tried numerous changes in the web.xml with and without constraints. But it is my understanding that one of the reasons for this functionality is to remove the dependency of having constraints and just allowing a dynamic login.
(http://blogs.sun.com/nithya/entry/new_security_features_in_glassfish1)
Anyway, here is my current web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5"><servlet>
<servlet-name>AuthenticationServlet</servlet-name>
<servlet-class>mycompany.AuthenticationServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthenticationServlet</servlet-name>
<url-pattern>/hello</url-pattern>
</servlet-mapping><welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Security Constraints with Authorization</display-name>
<web-resource-collection>
<web-resource-name>AuthorizedPages</web-resource-name>
<url-pattern>/hello</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint><security-role>
<description>Authorized user roles</description>
<role-name>*</role-name>
</security-role><login-config>
<auth-method>BASIC</auth-method>
<realm-name>authentication</realm-name>
</login-config></web-app>
Maybe JBoss has sample code that shows how this works? Or maybe there is a different way to configure an authenticator?
-
3. Re: HttpServletRequest.authenticate error
javaspack Jun 30, 2010 11:29 PM (in response to javaspack)Ok. I have found a way to get it to work but it has become unnecessarily complex.
In the Valve::start() method, if I add
this.context.setAuthenticator(this)
then it works. The real problem is that the setAuthenticator method only exists in the new servlet 3.0 so it can't be assumed to be there, which means you have to create a way to handle this.
I guess what I was expecting was something like this:
<Context>
<Valve className="com.mycompany.auth.MyValve" setAuthenticator="true"/>
</Context>Then it is easy to configure and the Valve can easily throw any values it doesn't recognize (for code that predates the setAuthenticator stuff)
Is this the expected way of handling this? Is there a better way?
-
4. Re: HttpServletRequest.authenticate error
jaikiran Jul 1, 2010 2:01 AM (in response to javaspack)Sean Whyte wrote:
Does this help http://community.jboss.org/message/532453 (I don't know if that thread applies to programatic authentication).
-
5. Re: HttpServletRequest.authenticate error
javaspack Jul 1, 2010 1:59 PM (in response to javaspack)Unfortunately, not quite the same. A context can now have a default Authenticator associated with it, which is what I am trying to accomplish. The new 'setAuthenticator()' method appears to be specific to the JBossWeb implementation as no such method exists in the Tomcat code (even Tomcat7)
My suggestion would be for JBoss to provide a more elegant way of configuring this, much like the login-config.xml is used as a better way to configure where Tomcat requires a jaas.conf file. I think it would be nice to provide this in the context.xml file like I suggested earlier.
Do any of the JBossWeb developers ever see suggestions from here?
-
6. Re: HttpServletRequest.authenticate error
jfclere Jul 2, 2010 5:37 AM (in response to javaspack)hm if you use a programatic logic in valves I think it makes more sense to program all instead mixing configuration file and program, no?
-
7. Re: HttpServletRequest.authenticate error
jfclere Jul 2, 2010 5:44 AM (in response to jfclere)See JBossWeb SVN: r1499 - trunk/java/org/apache/catalina/startup... I think that is what you need, you will have in M4
-
8. Re: HttpServletRequest.authenticate error
javaspack Jul 2, 2010 1:48 PM (in response to javaspack)Yes, I think that is it. The ContextConfig class has a method authenticatorConfig() which will configure a Valve that implements Authenticator as the default authenticator.
I will look forward to trying the M4 release.