8 Replies Latest reply on Dec 11, 2001 1:10 PM by Luke Taylor

    Too Complicated

    Kurt Olsen Newbie

      Hi everybody.

I'm a senior developer and after at least 4 readings of the jaas security section of the manuals (I bought it) I still can't put all of this together in my head.
      This is probably because I must do this kind of thing after midnight, after work, after the family goes to bed.

This is not supposed to be hard. As a web-app developer I need a very clear (no explanations of mechanics at all) guide that gets me set up to do the following from the web-client. Assume that I have ejb's that are xml'd for roles etc. that I need to access from a web client.

I actually don't think I should need a guide to do this and that the server should be pre-configured for me... In any case, here's all a web developer needs to start with.

      1. https access to the server for the login page so that passwords aren't transmitted in the clear and credit card info isn't easily snatched.

      2. To be able to edit the web.xml in the .war file to use form based auth.

3. Instructions on how to allow both the web-client (using tomcat) and the server tier to use database-based authentication. Most web-sites will have some kind of 'signup' and account editing features. The signup has to add to the security database so that it forms a starting point for the 'account' which I will create.

It's too hard, people. I can't get it all running. I'm tired, grouchy and irritated. I want to write web-apps that are for-real, and e-commercable quickly. I hate screwing around with the equivalent of ms-dos 3.1.

You may think I'm being overly harsh. Maybe I am, but you've gotta understand that I MUST focus on results fast or I will NOT be able to turn a profit on this technology. I live in Hawaii. We're taking a big hit in the travel industry (which still provides most of the work around here) and I need to be able to deploy ecommercable webapps FAST.

      Technology is great. J2ee is cool. JBoss is outstanding. But I need, and feel that your success will truly rise when developers don't have to be JBoss experts in order to get the full capability suite up-n-running.

Regarding my 'ms-dos 3.1' comment. I started programming on an RCA COSMAC VIP before the Apple II. I've been programming 12 hours a day non-stop since then. I've seen and programmed most everything. When I strip away the marketing clamor and bullshit I still see a console window spewing tons-o-stuff (yours, WebLogic's, iPlanet's, everybody's j2 stuff), fight classpath, fight xml configs, properties, dtd's, tlds and don't yet have a development tool that can fully deal with jsp pages worth a damn. I'm not bitching per se because I know this technology is still in its teenage years and isn't mature. I hope I'm still programming when it is.

      Argh....what is the simplest path to the goal of getting a form-based auth'd https'd web-client that can access my ejb's without requiring 40 hours of 'overhead' that I have to eat the cost on?

      I could sure use some help with a quick-start guide.
I'll write it if somebody could explain what has to be done without telling me WHY it has to be done. I don't care.

        • 1. Re: Too Complicated
          Kurt Olsen Newbie

          Quick followup....
          I have mysql. I have users, roles, etc. I have tomcat running secure. I don't have the form-based auth using the database. That's where I'm stuck. Can it even be done?

          • 2. Re: Too Complicated
            Allen Fogleson Newbie

Yes.... form based authentication can happen. If you have tomcat secured (ssl) that's most of your battle.

To get your authentication working is pretty simple really.

            you need to add an entry to auth.conf, and reference it in your jboss-web.xml.

I posted on this topic in depth at http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ If that doesn't work, feel free to email me at afogleson@aol.com.


            • 3. Re: Too Complicated
              Kurt Olsen Newbie

              Thanks Al, I've appreciated your help on the last two topics I needed help on. I'll try to pass that favor along to others.

              I've been using jboss on/off for a year now. I've watched it develop into a server I feel I can both depend on and recommend. I still can't quickly bring all the subsystems that a production system needs online in a timely manner however. There are so many external pieces, I know this. Still, I feel there is great benefit in writing "jboss docs for time-pressed consultants".

              Scott, I believe you wrote the jaas section of the manual right? Well, good job. Thanks for it and the examples. I'm in no way criticizing your work. I understand why you presented your material and examples in the way you did. Because you had to. It is a good job, your examples worked and kudos.

I'm asking us all to try to see jboss differently now. JBoss group, I'd suggest that a full-time technical writer might be one of the most beneficial positions you could fill in the near future. Someone who can translate dev-speak into app developer speak.

              Thanks for listening,
              Comments, suggestions, criticisms will all be appreciated.


              • 4. Re: Too Complicated
                Allen Fogleson Newbie

No problem, Kurt. Believe me, when you work with it daily it gets easier. I don't really find it any more difficult than WebLogic. Of course the main difference being that WebLogic has everything in one giant properties file, and JBoss breaks it up into other files.

The really cool things I love about JBoss are the autodeploy/redeploy features. It's a small footprint, bugs end up being fixed a LOT faster :). Plus hey, you can't beat the price. With 3.0 coming along, and the clustering it will hopefully provide (yes I see it in there but I haven't played with it) JBoss could end up as a WebLogic killer really fast.

Now if I could get my EJB-QL to work in finders and not just ejbSelects I would be happy hehe. But I expect these vagaries when using the alpha.


                • 5. Re: Too Complicated
                  Felipe Leme Newbie

Speaking of jaas authentication, I have a question too:
I have my authentication working fine (using my own LoginModule class), so when the user successfully logs in he is redirected to his user page and when he fails it goes to the login error page (defined at web.xml). The problem is, at the login error I need to get the j_username attribute from the request object, but that attribute doesn't seem to be available. Is there an "elegant" way to get that information?
                  Looking at the code (TGIOSS :), it seems that the problem is on org.jboss.tomcat.security.JBossSecurityMgrRealm, method authenticate:

                  if( securityMgr.isValid(principal, passwordChars) ) {
                  request.setAttribute(subjectAttributeName, subject);

                  Unfortunately, I couldn't modify the code to test it though, as I'm using the jboss-2.4.1a_tomcat-3.2.3 binary distribution, and I got that code for the 2.4.3, and they look incompatible. BTW, how do I build jboss-2.4.1a_tomcat-3.2.3 from the sources?



                  • 6. Re: Too Complicated
                    Luke Taylor Newbie

                    The point of the j_username stuff is to offload the whole responsibility of managing authentication to the container, so it's out of bounds really. Modifying the server seems excessive for such a small gain - why do you need the name in the login error page? Besides, you will potentially be making your app non-portable by using server specific attribute names and so on.

                    • 7. Re: Too Complicated
                      Felipe Leme Newbie

I don't necessarily need to know the name, but I need to inform the user why he can't log in (his account could be blocked, for instance). The way we do it now (with weblogic), we need the j_username to query the database to get the reason.
                      Another alternative would be to set a global error message (or something like that) at the container authentication class and then get that message from the jsp page. Would that be possible? If not, what do you think would be the correct (and hence more portable) solution?

                      Thanks again,


                      • 8. Re: Too Complicated

You should be able to get the username/principal from the appropriate methods on HttpRequest or EJBContext, depending on whether you're in the web or EJB portion of your app.