How to use JSecurity

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

How to use JSecurity

daniel_asv
Hi, i have a webservice from a stateless session bean running in a GlassFish Application Server. The webservice is consumed by a swing application, i want to agregate a login to the swing application, the user and password will be stored in a SQL Server 2005 database managed by JPA (Hibernate).

What i need to do for use JSecurity in my login window using the webservice?
Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

daniel_asv
I have implemented this class that inherited from AuthorizingRealm

package presentacion;

import java.util.LinkedHashSet;
import java.util.Set;

import org.jsecurity.authc.AccountException;
import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.AuthenticationInfo;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.SimpleAuthenticationInfo;
import org.jsecurity.authc.UnknownAccountException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.AuthorizationException;
import org.jsecurity.authz.AuthorizationInfo;
import org.jsecurity.authz.SimpleAuthorizationInfo;
import org.jsecurity.realm.AuthorizingRealm;
import org.jsecurity.subject.PrincipalCollection;

import acciones.God;
import acciones.Permiso;
import acciones.Rol;
import acciones.Usuario;

public class EjbRealm extends AuthorizingRealm {
        private God servicios;

        public EjbRealm(God servicios) {
                this.servicios = servicios;
        }

        private Set<String> getRoles(Usuario u) {
                Set<String> roles = new LinkedHashSet<String>();
                for (Rol rol : u.getRoles()) {
                        roles.add(rol.getNombre());
                }
                return roles;
        }

        private Set<String> getPermisos(Usuario u) {
                Set<String> permisos = new LinkedHashSet<String>();
                for (Rol rol : u.getRoles()) {
                        for (Permiso p : rol.getPermisos()) {
                                permisos.add(p.getNombre());
                        }
                }
                return permisos;
        }

        @Override
        protected AuthorizationInfo doGetAuthorizationInfo(
                        PrincipalCollection principals) {
                if (principals == null) {
                        throw new AuthorizationException(
                                        "El parametro PrincipalCollection no puede ser null.");
                }
                String apodo = (String) principals.fromRealm(getName()).iterator()
                                .next();
                Usuario u = servicios.consultarUsuario(apodo);
                SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(getRoles(u));
                info.setStringPermissions(getPermisos(u));
                return info;
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(
                        AuthenticationToken token) throws AuthenticationException {
                UsernamePasswordToken upToken = (UsernamePasswordToken) token;
                String apodo = upToken.getUsername();
                if (apodo == null) {
                        throw new AccountException(
                                        "No se permiten apodos Null en este realm.");
                }
                AuthenticationInfo info = null;
                String contrasenia = servicios.consultarContrasenia(apodo);
                if (contrasenia == null) {
                        throw new UnknownAccountException("No se encontro el usuario ["
                                        + apodo + "]");
                }
                info = new SimpleAuthenticationInfo(apodo, contrasenia, getName());
                return info;
        }

}

And in my login window i have implemented in a button this code
        private GodService god = new GodService();
        protected void button_actionPerformed(ActionEvent arg0) {
                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
                ejbRealm.setCredentialsMatcher(new Sha256CredentialsMatcher());
                DefaultSecurityManager securityManager = new DefaultSecurityManager(
                                ejbRealm);
                UsernamePasswordToken token = new UsernamePasswordToken(apodoText
                                .getText(), contraseniaText.getPassword());
                try {
                        Subject user = securityManager.login(token);
                        if (user.isAuthenticated()) {
                                MenuForm window = new MenuForm(god);
                                window.show();
                                dispose();
                        }
                } catch (AuthenticationException e) {
                        mostrarMensaje("Usuario o contraseña incorrectos");
                } finally {
                        securityManager.destroy();
                }
        }

But now i want to know how to secure my webservice (God) using JSecurity. What i need to do?

daniel_asv wrote
Hi, i have a webservice from a stateless session bean running in a GlassFish Application Server. The webservice is consumed by a swing application, i want to agregate a login to the swing application, the user and password will be stored in a SQL Server 2005 database managed by JPA (Hibernate).

What i need to do for use JSecurity in my login window using the webservice?
Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

Les Hazlewood
Administrator
Hi Daniel,

Have you configured JSecurity via a servlet filter in web.xml?  I'm just trying to see what your runtime environment is like first before I recommend a solution.

Les

On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <[hidden email]> wrote:

I have implemented this class that inherited from AuthorizingRealm

package presentacion;

import java.util.LinkedHashSet;
import java.util.Set;

import org.jsecurity.authc.AccountException;
import org.jsecurity.authc.AuthenticationException;
import org.jsecurity.authc.AuthenticationInfo;
import org.jsecurity.authc.AuthenticationToken;
import org.jsecurity.authc.SimpleAuthenticationInfo;
import org.jsecurity.authc.UnknownAccountException;
import org.jsecurity.authc.UsernamePasswordToken;
import org.jsecurity.authz.AuthorizationException;
import org.jsecurity.authz.AuthorizationInfo;
import org.jsecurity.authz.SimpleAuthorizationInfo;
import org.jsecurity.realm.AuthorizingRealm;
import org.jsecurity.subject.PrincipalCollection;

import acciones.God;
import acciones.Permiso;
import acciones.Rol;
import acciones.Usuario;

public class EjbRealm extends AuthorizingRealm {
       private God servicios;

       public EjbRealm(God servicios) {
               this.servicios = servicios;
       }

       private Set<String> getRoles(Usuario u) {
               Set<String> roles = new LinkedHashSet<String>();
               for (Rol rol : u.getRoles()) {
                       roles.add(rol.getNombre());
               }
               return roles;
       }

       private Set<String> getPermisos(Usuario u) {
               Set<String> permisos = new LinkedHashSet<String>();
               for (Rol rol : u.getRoles()) {
                       for (Permiso p : rol.getPermisos()) {
                               permisos.add(p.getNombre());
                       }
               }
               return permisos;
       }

       @Override
       protected AuthorizationInfo doGetAuthorizationInfo(
                       PrincipalCollection principals) {
               if (principals == null) {
                       throw new AuthorizationException(
                                       "El parametro PrincipalCollection no puede ser null.");
               }
               String apodo = (String) principals.fromRealm(getName()).iterator()
                               .next();
               Usuario u = servicios.consultarUsuario(apodo);
               SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(getRoles(u));
               info.setStringPermissions(getPermisos(u));
               return info;
       }

       @Override
       protected AuthenticationInfo doGetAuthenticationInfo(
                       AuthenticationToken token) throws AuthenticationException {
               UsernamePasswordToken upToken = (UsernamePasswordToken) token;
               String apodo = upToken.getUsername();
               if (apodo == null) {
                       throw new AccountException(
                                       "No se permiten apodos Null en este realm.");
               }
               AuthenticationInfo info = null;
               String contrasenia = servicios.consultarContrasenia(apodo);
               if (contrasenia == null) {
                       throw new UnknownAccountException("No se encontro el usuario ["
                                       + apodo + "]");
               }
               info = new SimpleAuthenticationInfo(apodo, contrasenia, getName());
               return info;
       }

}

And in my login window i have implemented in a button this code
       private GodService god = new GodService();
       protected void button_actionPerformed(ActionEvent arg0) {
               EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
               ejbRealm.setCredentialsMatcher(new Sha256CredentialsMatcher());
               DefaultSecurityManager securityManager = new DefaultSecurityManager(
                               ejbRealm);
               UsernamePasswordToken token = new UsernamePasswordToken(apodoText
                               .getText(), contraseniaText.getPassword());
               try {
                       Subject user = securityManager.login(token);
                       if (user.isAuthenticated()) {
                               MenuForm window = new MenuForm(god);
                               window.show();
                               dispose();
                       }
               } catch (AuthenticationException e) {
                       mostrarMensaje("Usuario o contraseña incorrectos");
               } finally {
                       securityManager.destroy();
               }
       }

But now i want to know how to secure my webservice (God) using JSecurity.
What i need to do?


daniel_asv wrote:
>
> Hi, i have a webservice from a stateless session bean running in a
> GlassFish Application Server. The webservice is consumed by a swing
> application, i want to agregate a login to the swing application, the user
> and password will be stored in a SQL Server 2005 database managed by JPA
> (Hibernate).
>
> What i need to do for use JSecurity in my login window using the
> webservice?
>

--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

daniel_asv
Hi Les, i don´t use servlet and don´t configure web.xml.

I have three jar:
1. servidor.jar an ejb deployed in glassfish, this contain my stateless session bean (god) which exposes all his methods as webservice and my jpa entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso, Persona, Rol, Tratamiento, Usuario).
2. servicios.jar with the generated web service client from wsdl in glassfish using JAX-WS and JAXB.
3. cliente.jar the swing application that consumes the webservices (here i use JSecurity).

My problem is in the webservices. I don´t know how to call them using a user and password.

Les Hazlewood wrote
Hi Daniel,

Have you configured JSecurity via a servlet filter in web.xml?  I'm just
trying to see what your runtime environment is like first before I recommend
a solution.

Les

On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <daniel@macropro.com.mx> wrote:

>
> I have implemented this class that inherited from AuthorizingRealm
>
> package presentacion;
>
> import java.util.LinkedHashSet;
> import java.util.Set;
>
> import org.jsecurity.authc.AccountException;
> import org.jsecurity.authc.AuthenticationException;
> import org.jsecurity.authc.AuthenticationInfo;
> import org.jsecurity.authc.AuthenticationToken;
> import org.jsecurity.authc.SimpleAuthenticationInfo;
> import org.jsecurity.authc.UnknownAccountException;
> import org.jsecurity.authc.UsernamePasswordToken;
> import org.jsecurity.authz.AuthorizationException;
> import org.jsecurity.authz.AuthorizationInfo;
> import org.jsecurity.authz.SimpleAuthorizationInfo;
> import org.jsecurity.realm.AuthorizingRealm;
> import org.jsecurity.subject.PrincipalCollection;
>
> import acciones.God;
> import acciones.Permiso;
> import acciones.Rol;
> import acciones.Usuario;
>
> public class EjbRealm extends AuthorizingRealm {
>        private God servicios;
>
>        public EjbRealm(God servicios) {
>                this.servicios = servicios;
>        }
>
>        private Set<String> getRoles(Usuario u) {
>                Set<String> roles = new LinkedHashSet<String>();
>                for (Rol rol : u.getRoles()) {
>                        roles.add(rol.getNombre());
>                }
>                return roles;
>        }
>
>        private Set<String> getPermisos(Usuario u) {
>                Set<String> permisos = new LinkedHashSet<String>();
>                for (Rol rol : u.getRoles()) {
>                        for (Permiso p : rol.getPermisos()) {
>                                permisos.add(p.getNombre());
>                        }
>                }
>                return permisos;
>        }
>
>        @Override
>        protected AuthorizationInfo doGetAuthorizationInfo(
>                        PrincipalCollection principals) {
>                if (principals == null) {
>                        throw new AuthorizationException(
>                                        "El parametro PrincipalCollection no
> puede ser null.");
>                }
>                String apodo = (String)
> principals.fromRealm(getName()).iterator()
>                                .next();
>                Usuario u = servicios.consultarUsuario(apodo);
>                SimpleAuthorizationInfo info = new
> SimpleAuthorizationInfo(getRoles(u));
>                info.setStringPermissions(getPermisos(u));
>                return info;
>        }
>
>        @Override
>        protected AuthenticationInfo doGetAuthenticationInfo(
>                        AuthenticationToken token) throws
> AuthenticationException {
>                UsernamePasswordToken upToken = (UsernamePasswordToken)
> token;
>                String apodo = upToken.getUsername();
>                if (apodo == null) {
>                        throw new AccountException(
>                                        "No se permiten apodos Null en este
> realm.");
>                }
>                AuthenticationInfo info = null;
>                String contrasenia = servicios.consultarContrasenia(apodo);
>                if (contrasenia == null) {
>                        throw new UnknownAccountException("No se encontro el
> usuario ["
>                                        + apodo + "]");
>                }
>                info = new SimpleAuthenticationInfo(apodo, contrasenia,
> getName());
>                return info;
>        }
>
> }
>
> And in my login window i have implemented in a button this code
>        private GodService god = new GodService();
>        protected void button_actionPerformed(ActionEvent arg0) {
>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>                ejbRealm.setCredentialsMatcher(new
> Sha256CredentialsMatcher());
>                DefaultSecurityManager securityManager = new
> DefaultSecurityManager(
>                                ejbRealm);
>                UsernamePasswordToken token = new
> UsernamePasswordToken(apodoText
>                                .getText(), contraseniaText.getPassword());
>                try {
>                        Subject user = securityManager.login(token);
>                        if (user.isAuthenticated()) {
>                                MenuForm window = new MenuForm(god);
>                                window.show();
>                                dispose();
>                        }
>                } catch (AuthenticationException e) {
>                        mostrarMensaje("Usuario o contraseña incorrectos");
>                } finally {
>                        securityManager.destroy();
>                }
>        }
>
> But now i want to know how to secure my webservice (God) using JSecurity.
> What i need to do?
>
>
> daniel_asv wrote:
> >
> > Hi, i have a webservice from a stateless session bean running in a
> > GlassFish Application Server. The webservice is consumed by a swing
> > application, i want to agregate a login to the swing application, the
> user
> > and password will be stored in a SQL Server 2005 database managed by JPA
> > (Hibernate).
> >
> > What i need to do for use JSecurity in my login window using the
> > webservice?
> >
>
> --
> View this message in context:
> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

Les Hazlewood
Administrator
Ah, I see now.

The default JSecurity SecurityManager implemenations are almost always intended to reside in the business tier, not in the client.  In an EJB3 application, this means it should reside along side of (a peer to) your Stateless Session Bean - in the server, not in the client gui.

So, if you want to secure a web service, JSecurity has to be configured to handle http communication - this is done by configuring JSecurity as a servlet filter in web.xml, to intercept the webservice Servlet Requests that will eventually call the underlying EJB.

See this JavaDoc for how to configure the filter:  http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

So, for example, if all of your web service calls go

http://your.host.ip/myapp/webservices

you would configure the JSecurity filter to intercept all the /webservices/** urls.  For example:

<filter>
        <filter-name>JSecurityFilter</filter-name>
        <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>

        <init-param>
            <param-name>config</param-name>
            <param-value>
                # The JSecurityFilter configuration is very powerful and flexible, while still remaining succinct.
                # Please read the comprehensive example, with full comments and explanations, in the JavaDoc:
                #
                # http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

                [filters]
                jsecurity.loginUrl = /s/login
                authc.successUrl = /s/index

                [urls]
                # specify any of the above filters here, depending on the type of security you want:
                /webservices/**=authc

            </param-value>
        </init-param>

    </filter>

<filter-mapping>
        <filter-name>JSecurityFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

Does this help?

On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <[hidden email]> wrote:

Hi Les, i don´t use servlet and don´t configure web.xml.

I have three jar:
1. servidor.jar an ejb deployed in glassfish, this contain my stateless
session bean (god) which exposes all his methods as webservice and my jpa
entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
Persona, Rol, Tratamiento, Usuario).
2. servicios.jar with the generated web service client from wsdl in
glassfish using JAX-WS and JAXB.
3. cliente.jar the swing application that consumes the webservices (here i
use JSecurity).

My problem is in the webservices. I don´t know how to call them using a user
and password.


Les Hazlewood wrote:
>
> Hi Daniel,
>
> Have you configured JSecurity via a servlet filter in web.xml?  I'm just
> trying to see what your runtime environment is like first before I
> recommend
> a solution.
>
> Les
>
> On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <[hidden email]>
> wrote:
>
>>
>> I have implemented this class that inherited from AuthorizingRealm
>>
>> package presentacion;
>>
>> import java.util.LinkedHashSet;
>> import java.util.Set;
>>
>> import org.jsecurity.authc.AccountException;
>> import org.jsecurity.authc.AuthenticationException;
>> import org.jsecurity.authc.AuthenticationInfo;
>> import org.jsecurity.authc.AuthenticationToken;
>> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> import org.jsecurity.authc.UnknownAccountException;
>> import org.jsecurity.authc.UsernamePasswordToken;
>> import org.jsecurity.authz.AuthorizationException;
>> import org.jsecurity.authz.AuthorizationInfo;
>> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> import org.jsecurity.realm.AuthorizingRealm;
>> import org.jsecurity.subject.PrincipalCollection;
>>
>> import acciones.God;
>> import acciones.Permiso;
>> import acciones.Rol;
>> import acciones.Usuario;
>>
>> public class EjbRealm extends AuthorizingRealm {
>>        private God servicios;
>>
>>        public EjbRealm(God servicios) {
>>                this.servicios = servicios;
>>        }
>>
>>        private Set<String> getRoles(Usuario u) {
>>                Set<String> roles = new LinkedHashSet<String>();
>>                for (Rol rol : u.getRoles()) {
>>                        roles.add(rol.getNombre());
>>                }
>>                return roles;
>>        }
>>
>>        private Set<String> getPermisos(Usuario u) {
>>                Set<String> permisos = new LinkedHashSet<String>();
>>                for (Rol rol : u.getRoles()) {
>>                        for (Permiso p : rol.getPermisos()) {
>>                                permisos.add(p.getNombre());
>>                        }
>>                }
>>                return permisos;
>>        }
>>
>>        @Override
>>        protected AuthorizationInfo doGetAuthorizationInfo(
>>                        PrincipalCollection principals) {
>>                if (principals == null) {
>>                        throw new AuthorizationException(
>>                                        "El parametro PrincipalCollection
>> no
>> puede ser null.");
>>                }
>>                String apodo = (String)
>> principals.fromRealm(getName()).iterator()
>>                                .next();
>>                Usuario u = servicios.consultarUsuario(apodo);
>>                SimpleAuthorizationInfo info = new
>> SimpleAuthorizationInfo(getRoles(u));
>>                info.setStringPermissions(getPermisos(u));
>>                return info;
>>        }
>>
>>        @Override
>>        protected AuthenticationInfo doGetAuthenticationInfo(
>>                        AuthenticationToken token) throws
>> AuthenticationException {
>>                UsernamePasswordToken upToken = (UsernamePasswordToken)
>> token;
>>                String apodo = upToken.getUsername();
>>                if (apodo == null) {
>>                        throw new AccountException(
>>                                        "No se permiten apodos Null en
>> este
>> realm.");
>>                }
>>                AuthenticationInfo info = null;
>>                String contrasenia =
>> servicios.consultarContrasenia(apodo);
>>                if (contrasenia == null) {
>>                        throw new UnknownAccountException("No se encontro
>> el
>> usuario ["
>>                                        + apodo + "]");
>>                }
>>                info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> getName());
>>                return info;
>>        }
>>
>> }
>>
>> And in my login window i have implemented in a button this code
>>        private GodService god = new GodService();
>>        protected void button_actionPerformed(ActionEvent arg0) {
>>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>>                ejbRealm.setCredentialsMatcher(new
>> Sha256CredentialsMatcher());
>>                DefaultSecurityManager securityManager = new
>> DefaultSecurityManager(
>>                                ejbRealm);
>>                UsernamePasswordToken token = new
>> UsernamePasswordToken(apodoText
>>                                .getText(),
>> contraseniaText.getPassword());
>>                try {
>>                        Subject user = securityManager.login(token);
>>                        if (user.isAuthenticated()) {
>>                                MenuForm window = new MenuForm(god);
>>                                window.show();
>>                                dispose();
>>                        }
>>                } catch (AuthenticationException e) {
>>                        mostrarMensaje("Usuario o contraseña
>> incorrectos");
>>                } finally {
>>                        securityManager.destroy();
>>                }
>>        }
>>
>> But now i want to know how to secure my webservice (God) using JSecurity.
>> What i need to do?
>>
>>
>> daniel_asv wrote:
>> >
>> > Hi, i have a webservice from a stateless session bean running in a
>> > GlassFish Application Server. The webservice is consumed by a swing
>> > application, i want to agregate a login to the swing application, the
>> user
>> > and password will be stored in a SQL Server 2005 database managed by
>> JPA
>> > (Hibernate).
>> >
>> > What i need to do for use JSecurity in my login window using the
>> > webservice?
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
>

--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
Sent from the JSecurity User mailing list archive at Nabble.com.


Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

Les Hazlewood
Administrator
P.S.  You can look at the sample applications (and their source code) distributed with the JSecurity release to see working examples of this configuration.

On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <[hidden email]> wrote:
Ah, I see now.

The default JSecurity SecurityManager implemenations are almost always intended to reside in the business tier, not in the client.  In an EJB3 application, this means it should reside along side of (a peer to) your Stateless Session Bean - in the server, not in the client gui.

So, if you want to secure a web service, JSecurity has to be configured to handle http communication - this is done by configuring JSecurity as a servlet filter in web.xml, to intercept the webservice Servlet Requests that will eventually call the underlying EJB.

See this JavaDoc for how to configure the filter:  http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

So, for example, if all of your web service calls go

http://your.host.ip/myapp/webservices

you would configure the JSecurity filter to intercept all the /webservices/** urls.  For example:

<filter>
        <filter-name>JSecurityFilter</filter-name>
        <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>

        <init-param>
            <param-name>config</param-name>
            <param-value>
                # The JSecurityFilter configuration is very powerful and flexible, while still remaining succinct.
                # Please read the comprehensive example, with full comments and explanations, in the JavaDoc:
                #
                # http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

                [filters]
                jsecurity.loginUrl = /s/login
                authc.successUrl = /s/index

                [urls]
                # specify any of the above filters here, depending on the type of security you want:
                /webservices/**=authc

            </param-value>
        </init-param>

    </filter>

<filter-mapping>
        <filter-name>JSecurityFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

Does this help?


On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <[hidden email]> wrote:

Hi Les, i don´t use servlet and don´t configure web.xml.

I have three jar:
1. servidor.jar an ejb deployed in glassfish, this contain my stateless
session bean (god) which exposes all his methods as webservice and my jpa
entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
Persona, Rol, Tratamiento, Usuario).
2. servicios.jar with the generated web service client from wsdl in
glassfish using JAX-WS and JAXB.
3. cliente.jar the swing application that consumes the webservices (here i
use JSecurity).

My problem is in the webservices. I don´t know how to call them using a user
and password.


Les Hazlewood wrote:
>
> Hi Daniel,
>
> Have you configured JSecurity via a servlet filter in web.xml?  I'm just
> trying to see what your runtime environment is like first before I
> recommend
> a solution.
>
> Les
>
> On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <[hidden email]>
> wrote:
>
>>
>> I have implemented this class that inherited from AuthorizingRealm
>>
>> package presentacion;
>>
>> import java.util.LinkedHashSet;
>> import java.util.Set;
>>
>> import org.jsecurity.authc.AccountException;
>> import org.jsecurity.authc.AuthenticationException;
>> import org.jsecurity.authc.AuthenticationInfo;
>> import org.jsecurity.authc.AuthenticationToken;
>> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> import org.jsecurity.authc.UnknownAccountException;
>> import org.jsecurity.authc.UsernamePasswordToken;
>> import org.jsecurity.authz.AuthorizationException;
>> import org.jsecurity.authz.AuthorizationInfo;
>> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> import org.jsecurity.realm.AuthorizingRealm;
>> import org.jsecurity.subject.PrincipalCollection;
>>
>> import acciones.God;
>> import acciones.Permiso;
>> import acciones.Rol;
>> import acciones.Usuario;
>>
>> public class EjbRealm extends AuthorizingRealm {
>>        private God servicios;
>>
>>        public EjbRealm(God servicios) {
>>                this.servicios = servicios;
>>        }
>>
>>        private Set<String> getRoles(Usuario u) {
>>                Set<String> roles = new LinkedHashSet<String>();
>>                for (Rol rol : u.getRoles()) {
>>                        roles.add(rol.getNombre());
>>                }
>>                return roles;
>>        }
>>
>>        private Set<String> getPermisos(Usuario u) {
>>                Set<String> permisos = new LinkedHashSet<String>();
>>                for (Rol rol : u.getRoles()) {
>>                        for (Permiso p : rol.getPermisos()) {
>>                                permisos.add(p.getNombre());
>>                        }
>>                }
>>                return permisos;
>>        }
>>
>>        @Override
>>        protected AuthorizationInfo doGetAuthorizationInfo(
>>                        PrincipalCollection principals) {
>>                if (principals == null) {
>>                        throw new AuthorizationException(
>>                                        "El parametro PrincipalCollection
>> no
>> puede ser null.");
>>                }
>>                String apodo = (String)
>> principals.fromRealm(getName()).iterator()
>>                                .next();
>>                Usuario u = servicios.consultarUsuario(apodo);
>>                SimpleAuthorizationInfo info = new
>> SimpleAuthorizationInfo(getRoles(u));
>>                info.setStringPermissions(getPermisos(u));
>>                return info;
>>        }
>>
>>        @Override
>>        protected AuthenticationInfo doGetAuthenticationInfo(
>>                        AuthenticationToken token) throws
>> AuthenticationException {
>>                UsernamePasswordToken upToken = (UsernamePasswordToken)
>> token;
>>                String apodo = upToken.getUsername();
>>                if (apodo == null) {
>>                        throw new AccountException(
>>                                        "No se permiten apodos Null en
>> este
>> realm.");
>>                }
>>                AuthenticationInfo info = null;
>>                String contrasenia =
>> servicios.consultarContrasenia(apodo);
>>                if (contrasenia == null) {
>>                        throw new UnknownAccountException("No se encontro
>> el
>> usuario ["
>>                                        + apodo + "]");
>>                }
>>                info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> getName());
>>                return info;
>>        }
>>
>> }
>>
>> And in my login window i have implemented in a button this code
>>        private GodService god = new GodService();
>>        protected void button_actionPerformed(ActionEvent arg0) {
>>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>>                ejbRealm.setCredentialsMatcher(new
>> Sha256CredentialsMatcher());
>>                DefaultSecurityManager securityManager = new
>> DefaultSecurityManager(
>>                                ejbRealm);
>>                UsernamePasswordToken token = new
>> UsernamePasswordToken(apodoText
>>                                .getText(),
>> contraseniaText.getPassword());
>>                try {
>>                        Subject user = securityManager.login(token);
>>                        if (user.isAuthenticated()) {
>>                                MenuForm window = new MenuForm(god);
>>                                window.show();
>>                                dispose();
>>                        }
>>                } catch (AuthenticationException e) {
>>                        mostrarMensaje("Usuario o contraseña
>> incorrectos");
>>                } finally {
>>                        securityManager.destroy();
>>                }
>>        }
>>
>> But now i want to know how to secure my webservice (God) using JSecurity.
>> What i need to do?
>>
>>
>> daniel_asv wrote:
>> >
>> > Hi, i have a webservice from a stateless session bean running in a
>> > GlassFish Application Server. The webservice is consumed by a swing
>> > application, i want to agregate a login to the swing application, the
>> user
>> > and password will be stored in a SQL Server 2005 database managed by
>> JPA
>> > (Hibernate).
>> >
>> > What i need to do for use JSecurity in my login window using the
>> > webservice?
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
>

--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
Sent from the JSecurity User mailing list archive at Nabble.com.



Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

Les Hazlewood
Administrator
In reply to this post by Les Hazlewood
Just out of curiosity, are you using EJB3?

On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <[hidden email]> wrote:
Ah, I see now.

The default JSecurity SecurityManager implemenations are almost always intended to reside in the business tier, not in the client.  In an EJB3 application, this means it should reside along side of (a peer to) your Stateless Session Bean - in the server, not in the client gui.

So, if you want to secure a web service, JSecurity has to be configured to handle http communication - this is done by configuring JSecurity as a servlet filter in web.xml, to intercept the webservice Servlet Requests that will eventually call the underlying EJB.

See this JavaDoc for how to configure the filter:  http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

So, for example, if all of your web service calls go

http://your.host.ip/myapp/webservices

you would configure the JSecurity filter to intercept all the /webservices/** urls.  For example:

<filter>
        <filter-name>JSecurityFilter</filter-name>
        <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>

        <init-param>
            <param-name>config</param-name>
            <param-value>
                # The JSecurityFilter configuration is very powerful and flexible, while still remaining succinct.
                # Please read the comprehensive example, with full comments and explanations, in the JavaDoc:
                #
                # http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

                [filters]
                jsecurity.loginUrl = /s/login
                authc.successUrl = /s/index

                [urls]
                # specify any of the above filters here, depending on the type of security you want:
                /webservices/**=authc

            </param-value>
        </init-param>

    </filter>

<filter-mapping>
        <filter-name>JSecurityFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

Does this help?


On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <[hidden email]> wrote:

Hi Les, i don´t use servlet and don´t configure web.xml.

I have three jar:
1. servidor.jar an ejb deployed in glassfish, this contain my stateless
session bean (god) which exposes all his methods as webservice and my jpa
entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
Persona, Rol, Tratamiento, Usuario).
2. servicios.jar with the generated web service client from wsdl in
glassfish using JAX-WS and JAXB.
3. cliente.jar the swing application that consumes the webservices (here i
use JSecurity).

My problem is in the webservices. I don´t know how to call them using a user
and password.


Les Hazlewood wrote:
>
> Hi Daniel,
>
> Have you configured JSecurity via a servlet filter in web.xml?  I'm just
> trying to see what your runtime environment is like first before I
> recommend
> a solution.
>
> Les
>
> On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <[hidden email]>
> wrote:
>
>>
>> I have implemented this class that inherited from AuthorizingRealm
>>
>> package presentacion;
>>
>> import java.util.LinkedHashSet;
>> import java.util.Set;
>>
>> import org.jsecurity.authc.AccountException;
>> import org.jsecurity.authc.AuthenticationException;
>> import org.jsecurity.authc.AuthenticationInfo;
>> import org.jsecurity.authc.AuthenticationToken;
>> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> import org.jsecurity.authc.UnknownAccountException;
>> import org.jsecurity.authc.UsernamePasswordToken;
>> import org.jsecurity.authz.AuthorizationException;
>> import org.jsecurity.authz.AuthorizationInfo;
>> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> import org.jsecurity.realm.AuthorizingRealm;
>> import org.jsecurity.subject.PrincipalCollection;
>>
>> import acciones.God;
>> import acciones.Permiso;
>> import acciones.Rol;
>> import acciones.Usuario;
>>
>> public class EjbRealm extends AuthorizingRealm {
>>        private God servicios;
>>
>>        public EjbRealm(God servicios) {
>>                this.servicios = servicios;
>>        }
>>
>>        private Set<String> getRoles(Usuario u) {
>>                Set<String> roles = new LinkedHashSet<String>();
>>                for (Rol rol : u.getRoles()) {
>>                        roles.add(rol.getNombre());
>>                }
>>                return roles;
>>        }
>>
>>        private Set<String> getPermisos(Usuario u) {
>>                Set<String> permisos = new LinkedHashSet<String>();
>>                for (Rol rol : u.getRoles()) {
>>                        for (Permiso p : rol.getPermisos()) {
>>                                permisos.add(p.getNombre());
>>                        }
>>                }
>>                return permisos;
>>        }
>>
>>        @Override
>>        protected AuthorizationInfo doGetAuthorizationInfo(
>>                        PrincipalCollection principals) {
>>                if (principals == null) {
>>                        throw new AuthorizationException(
>>                                        "El parametro PrincipalCollection
>> no
>> puede ser null.");
>>                }
>>                String apodo = (String)
>> principals.fromRealm(getName()).iterator()
>>                                .next();
>>                Usuario u = servicios.consultarUsuario(apodo);
>>                SimpleAuthorizationInfo info = new
>> SimpleAuthorizationInfo(getRoles(u));
>>                info.setStringPermissions(getPermisos(u));
>>                return info;
>>        }
>>
>>        @Override
>>        protected AuthenticationInfo doGetAuthenticationInfo(
>>                        AuthenticationToken token) throws
>> AuthenticationException {
>>                UsernamePasswordToken upToken = (UsernamePasswordToken)
>> token;
>>                String apodo = upToken.getUsername();
>>                if (apodo == null) {
>>                        throw new AccountException(
>>                                        "No se permiten apodos Null en
>> este
>> realm.");
>>                }
>>                AuthenticationInfo info = null;
>>                String contrasenia =
>> servicios.consultarContrasenia(apodo);
>>                if (contrasenia == null) {
>>                        throw new UnknownAccountException("No se encontro
>> el
>> usuario ["
>>                                        + apodo + "]");
>>                }
>>                info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> getName());
>>                return info;
>>        }
>>
>> }
>>
>> And in my login window i have implemented in a button this code
>>        private GodService god = new GodService();
>>        protected void button_actionPerformed(ActionEvent arg0) {
>>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>>                ejbRealm.setCredentialsMatcher(new
>> Sha256CredentialsMatcher());
>>                DefaultSecurityManager securityManager = new
>> DefaultSecurityManager(
>>                                ejbRealm);
>>                UsernamePasswordToken token = new
>> UsernamePasswordToken(apodoText
>>                                .getText(),
>> contraseniaText.getPassword());
>>                try {
>>                        Subject user = securityManager.login(token);
>>                        if (user.isAuthenticated()) {
>>                                MenuForm window = new MenuForm(god);
>>                                window.show();
>>                                dispose();
>>                        }
>>                } catch (AuthenticationException e) {
>>                        mostrarMensaje("Usuario o contraseña
>> incorrectos");
>>                } finally {
>>                        securityManager.destroy();
>>                }
>>        }
>>
>> But now i want to know how to secure my webservice (God) using JSecurity.
>> What i need to do?
>>
>>
>> daniel_asv wrote:
>> >
>> > Hi, i have a webservice from a stateless session bean running in a
>> > GlassFish Application Server. The webservice is consumed by a swing
>> > application, i want to agregate a login to the swing application, the
>> user
>> > and password will be stored in a SQL Server 2005 database managed by
>> JPA
>> > (Hibernate).
>> >
>> > What i need to do for use JSecurity in my login window using the
>> > webservice?
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
>

--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
Sent from the JSecurity User mailing list archive at Nabble.com.



Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

daniel_asv
In reply to this post by Les Hazlewood
Okey Les, i will check the JSecurityFilter for use it with my webservice, thanks for your recomendations.

Les Hazlewood wrote
Ah, I see now.

The default JSecurity SecurityManager implemenations are almost always
intended to reside in the business tier, not in the client.  In an EJB3
application, this means it should reside along side of (a peer to) your
Stateless Session Bean - in the server, not in the client gui.

So, if you want to secure a web service, JSecurity has to be configured to
handle http communication - this is done by configuring JSecurity as a
servlet filter in web.xml, to intercept the webservice Servlet Requests that
will eventually call the underlying EJB.

See this JavaDoc for how to configure the filter:
http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

So, for example, if all of your web service calls go

http://your.host.ip/myapp/webservices

you would configure the JSecurity filter to intercept all the
/webservices/** urls.  For example:

<filter>
        <filter-name>JSecurityFilter</filter-name>

<filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>

        <init-param>
            <param-name>config</param-name>
            <param-value>
                # The JSecurityFilter configuration is very powerful and
flexible, while still remaining succinct.
                # Please read the comprehensive example, with full comments
and explanations, in the JavaDoc:
                #
                #
http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html

                [filters]
                jsecurity.loginUrl = /s/login
                authc.successUrl = /s/index

                [urls]
                # specify any of the above filters here, depending on the
type of security you want:
                /webservices/**=authc

            </param-value>
        </init-param>

    </filter>

<filter-mapping>
        <filter-name>JSecurityFilter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>

Does this help?

On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <daniel@macropro.com.mx> wrote:

>
> Hi Les, i don´t use servlet and don´t configure web.xml.
>
> I have three jar:
> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
> session bean (god) which exposes all his methods as webservice and my jpa
> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
> Persona, Rol, Tratamiento, Usuario).
> 2. servicios.jar with the generated web service client from wsdl in
> glassfish using JAX-WS and JAXB.
> 3. cliente.jar the swing application that consumes the webservices (here i
> use JSecurity).
>
> My problem is in the webservices. I don´t know how to call them using a
> user
> and password.
>
>
> Les Hazlewood wrote:
> >
> > Hi Daniel,
> >
> > Have you configured JSecurity via a servlet filter in web.xml?  I'm just
> > trying to see what your runtime environment is like first before I
> > recommend
> > a solution.
> >
> > Les
> >
> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <daniel@macropro.com.mx>
> > wrote:
> >
> >>
> >> I have implemented this class that inherited from AuthorizingRealm
> >>
> >> package presentacion;
> >>
> >> import java.util.LinkedHashSet;
> >> import java.util.Set;
> >>
> >> import org.jsecurity.authc.AccountException;
> >> import org.jsecurity.authc.AuthenticationException;
> >> import org.jsecurity.authc.AuthenticationInfo;
> >> import org.jsecurity.authc.AuthenticationToken;
> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
> >> import org.jsecurity.authc.UnknownAccountException;
> >> import org.jsecurity.authc.UsernamePasswordToken;
> >> import org.jsecurity.authz.AuthorizationException;
> >> import org.jsecurity.authz.AuthorizationInfo;
> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
> >> import org.jsecurity.realm.AuthorizingRealm;
> >> import org.jsecurity.subject.PrincipalCollection;
> >>
> >> import acciones.God;
> >> import acciones.Permiso;
> >> import acciones.Rol;
> >> import acciones.Usuario;
> >>
> >> public class EjbRealm extends AuthorizingRealm {
> >>        private God servicios;
> >>
> >>        public EjbRealm(God servicios) {
> >>                this.servicios = servicios;
> >>        }
> >>
> >>        private Set<String> getRoles(Usuario u) {
> >>                Set<String> roles = new LinkedHashSet<String>();
> >>                for (Rol rol : u.getRoles()) {
> >>                        roles.add(rol.getNombre());
> >>                }
> >>                return roles;
> >>        }
> >>
> >>        private Set<String> getPermisos(Usuario u) {
> >>                Set<String> permisos = new LinkedHashSet<String>();
> >>                for (Rol rol : u.getRoles()) {
> >>                        for (Permiso p : rol.getPermisos()) {
> >>                                permisos.add(p.getNombre());
> >>                        }
> >>                }
> >>                return permisos;
> >>        }
> >>
> >>        @Override
> >>        protected AuthorizationInfo doGetAuthorizationInfo(
> >>                        PrincipalCollection principals) {
> >>                if (principals == null) {
> >>                        throw new AuthorizationException(
> >>                                        "El parametro PrincipalCollection
> >> no
> >> puede ser null.");
> >>                }
> >>                String apodo = (String)
> >> principals.fromRealm(getName()).iterator()
> >>                                .next();
> >>                Usuario u = servicios.consultarUsuario(apodo);
> >>                SimpleAuthorizationInfo info = new
> >> SimpleAuthorizationInfo(getRoles(u));
> >>                info.setStringPermissions(getPermisos(u));
> >>                return info;
> >>        }
> >>
> >>        @Override
> >>        protected AuthenticationInfo doGetAuthenticationInfo(
> >>                        AuthenticationToken token) throws
> >> AuthenticationException {
> >>                UsernamePasswordToken upToken = (UsernamePasswordToken)
> >> token;
> >>                String apodo = upToken.getUsername();
> >>                if (apodo == null) {
> >>                        throw new AccountException(
> >>                                        "No se permiten apodos Null en
> >> este
> >> realm.");
> >>                }
> >>                AuthenticationInfo info = null;
> >>                String contrasenia =
> >> servicios.consultarContrasenia(apodo);
> >>                if (contrasenia == null) {
> >>                        throw new UnknownAccountException("No se encontro
> >> el
> >> usuario ["
> >>                                        + apodo + "]");
> >>                }
> >>                info = new SimpleAuthenticationInfo(apodo, contrasenia,
> >> getName());
> >>                return info;
> >>        }
> >>
> >> }
> >>
> >> And in my login window i have implemented in a button this code
> >>        private GodService god = new GodService();
> >>        protected void button_actionPerformed(ActionEvent arg0) {
> >>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
> >>                ejbRealm.setCredentialsMatcher(new
> >> Sha256CredentialsMatcher());
> >>                DefaultSecurityManager securityManager = new
> >> DefaultSecurityManager(
> >>                                ejbRealm);
> >>                UsernamePasswordToken token = new
> >> UsernamePasswordToken(apodoText
> >>                                .getText(),
> >> contraseniaText.getPassword());
> >>                try {
> >>                        Subject user = securityManager.login(token);
> >>                        if (user.isAuthenticated()) {
> >>                                MenuForm window = new MenuForm(god);
> >>                                window.show();
> >>                                dispose();
> >>                        }
> >>                } catch (AuthenticationException e) {
> >>                        mostrarMensaje("Usuario o contraseña
> >> incorrectos");
> >>                } finally {
> >>                        securityManager.destroy();
> >>                }
> >>        }
> >>
> >> But now i want to know how to secure my webservice (God) using
> JSecurity.
> >> What i need to do?
> >>
> >>
> >> daniel_asv wrote:
> >> >
> >> > Hi, i have a webservice from a stateless session bean running in a
> >> > GlassFish Application Server. The webservice is consumed by a swing
> >> > application, i want to agregate a login to the swing application, the
> >> user
> >> > and password will be stored in a SQL Server 2005 database managed by
> >> JPA
> >> > (Hibernate).
> >> >
> >> > What i need to do for use JSecurity in my login window using the
> >> > webservice?
> >> >
> >>
> >> --
> >> View this message in context:
> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
> >> Sent from the JSecurity User mailing list archive at Nabble.com.
> >>
> >>
> >
> >
>
> --
> View this message in context:
> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
> Sent from the JSecurity User mailing list archive at Nabble.com.
>
>
Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

daniel_asv
In reply to this post by Les Hazlewood
I'am using JBuilder 2008 and i choose to Create an EJB Modeling project for the servidor.jar. I only have 2 months programming in java maybe that's why i'm doing wrong usage of ejb with jsecurity.

Les Hazlewood wrote
Just out of curiosity, are you using EJB3?

On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <les@hazlewood.com> wrote:

> Ah, I see now.
>
> The default JSecurity SecurityManager implemenations are almost always
> intended to reside in the business tier, not in the client.  In an EJB3
> application, this means it should reside along side of (a peer to) your
> Stateless Session Bean - in the server, not in the client gui.
>
> So, if you want to secure a web service, JSecurity has to be configured to
> handle http communication - this is done by configuring JSecurity as a
> servlet filter in web.xml, to intercept the webservice Servlet Requests that
> will eventually call the underlying EJB.
>
> See this JavaDoc for how to configure the filter:
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
> So, for example, if all of your web service calls go
>
> http://your.host.ip/myapp/webservices
>
> you would configure the JSecurity filter to intercept all the
> /webservices/** urls.  For example:
>
> <filter>
>         <filter-name>JSecurityFilter</filter-name>
>
> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>
>         <init-param>
>             <param-name>config</param-name>
>             <param-value>
>                 # The JSecurityFilter configuration is very powerful and
> flexible, while still remaining succinct.
>                 # Please read the comprehensive example, with full comments
> and explanations, in the JavaDoc:
>                 #
>                 #
> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>
>                 [filters]
>                 jsecurity.loginUrl = /s/login
>                 authc.successUrl = /s/index
>
>                 [urls]
>                 # specify any of the above filters here, depending on the
> type of security you want:
>                 /webservices/**=authc
>
>             </param-value>
>         </init-param>
>
>     </filter>
>
> <filter-mapping>
>         <filter-name>JSecurityFilter</filter-name>
>         <url-pattern>*</url-pattern>
>     </filter-mapping>
>
> Does this help?
>
>
> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv <daniel@macropro.com.mx>wrote:
>
>>
>> Hi Les, i don´t use servlet and don´t configure web.xml.
>>
>> I have three jar:
>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
>> session bean (god) which exposes all his methods as webservice and my jpa
>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>> Persona, Rol, Tratamiento, Usuario).
>> 2. servicios.jar with the generated web service client from wsdl in
>> glassfish using JAX-WS and JAXB.
>> 3. cliente.jar the swing application that consumes the webservices (here i
>> use JSecurity).
>>
>> My problem is in the webservices. I don´t know how to call them using a
>> user
>> and password.
>>
>>
>> Les Hazlewood wrote:
>> >
>> > Hi Daniel,
>> >
>> > Have you configured JSecurity via a servlet filter in web.xml?  I'm just
>> > trying to see what your runtime environment is like first before I
>> > recommend
>> > a solution.
>> >
>> > Les
>> >
>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <daniel@macropro.com.mx>
>> > wrote:
>> >
>> >>
>> >> I have implemented this class that inherited from AuthorizingRealm
>> >>
>> >> package presentacion;
>> >>
>> >> import java.util.LinkedHashSet;
>> >> import java.util.Set;
>> >>
>> >> import org.jsecurity.authc.AccountException;
>> >> import org.jsecurity.authc.AuthenticationException;
>> >> import org.jsecurity.authc.AuthenticationInfo;
>> >> import org.jsecurity.authc.AuthenticationToken;
>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>> >> import org.jsecurity.authc.UnknownAccountException;
>> >> import org.jsecurity.authc.UsernamePasswordToken;
>> >> import org.jsecurity.authz.AuthorizationException;
>> >> import org.jsecurity.authz.AuthorizationInfo;
>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>> >> import org.jsecurity.realm.AuthorizingRealm;
>> >> import org.jsecurity.subject.PrincipalCollection;
>> >>
>> >> import acciones.God;
>> >> import acciones.Permiso;
>> >> import acciones.Rol;
>> >> import acciones.Usuario;
>> >>
>> >> public class EjbRealm extends AuthorizingRealm {
>> >>        private God servicios;
>> >>
>> >>        public EjbRealm(God servicios) {
>> >>                this.servicios = servicios;
>> >>        }
>> >>
>> >>        private Set<String> getRoles(Usuario u) {
>> >>                Set<String> roles = new LinkedHashSet<String>();
>> >>                for (Rol rol : u.getRoles()) {
>> >>                        roles.add(rol.getNombre());
>> >>                }
>> >>                return roles;
>> >>        }
>> >>
>> >>        private Set<String> getPermisos(Usuario u) {
>> >>                Set<String> permisos = new LinkedHashSet<String>();
>> >>                for (Rol rol : u.getRoles()) {
>> >>                        for (Permiso p : rol.getPermisos()) {
>> >>                                permisos.add(p.getNombre());
>> >>                        }
>> >>                }
>> >>                return permisos;
>> >>        }
>> >>
>> >>        @Override
>> >>        protected AuthorizationInfo doGetAuthorizationInfo(
>> >>                        PrincipalCollection principals) {
>> >>                if (principals == null) {
>> >>                        throw new AuthorizationException(
>> >>                                        "El parametro
>> PrincipalCollection
>> >> no
>> >> puede ser null.");
>> >>                }
>> >>                String apodo = (String)
>> >> principals.fromRealm(getName()).iterator()
>> >>                                .next();
>> >>                Usuario u = servicios.consultarUsuario(apodo);
>> >>                SimpleAuthorizationInfo info = new
>> >> SimpleAuthorizationInfo(getRoles(u));
>> >>                info.setStringPermissions(getPermisos(u));
>> >>                return info;
>> >>        }
>> >>
>> >>        @Override
>> >>        protected AuthenticationInfo doGetAuthenticationInfo(
>> >>                        AuthenticationToken token) throws
>> >> AuthenticationException {
>> >>                UsernamePasswordToken upToken = (UsernamePasswordToken)
>> >> token;
>> >>                String apodo = upToken.getUsername();
>> >>                if (apodo == null) {
>> >>                        throw new AccountException(
>> >>                                        "No se permiten apodos Null en
>> >> este
>> >> realm.");
>> >>                }
>> >>                AuthenticationInfo info = null;
>> >>                String contrasenia =
>> >> servicios.consultarContrasenia(apodo);
>> >>                if (contrasenia == null) {
>> >>                        throw new UnknownAccountException("No se
>> encontro
>> >> el
>> >> usuario ["
>> >>                                        + apodo + "]");
>> >>                }
>> >>                info = new SimpleAuthenticationInfo(apodo, contrasenia,
>> >> getName());
>> >>                return info;
>> >>        }
>> >>
>> >> }
>> >>
>> >> And in my login window i have implemented in a button this code
>> >>        private GodService god = new GodService();
>> >>        protected void button_actionPerformed(ActionEvent arg0) {
>> >>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>> >>                ejbRealm.setCredentialsMatcher(new
>> >> Sha256CredentialsMatcher());
>> >>                DefaultSecurityManager securityManager = new
>> >> DefaultSecurityManager(
>> >>                                ejbRealm);
>> >>                UsernamePasswordToken token = new
>> >> UsernamePasswordToken(apodoText
>> >>                                .getText(),
>> >> contraseniaText.getPassword());
>> >>                try {
>> >>                        Subject user = securityManager.login(token);
>> >>                        if (user.isAuthenticated()) {
>> >>                                MenuForm window = new MenuForm(god);
>> >>                                window.show();
>> >>                                dispose();
>> >>                        }
>> >>                } catch (AuthenticationException e) {
>> >>                        mostrarMensaje("Usuario o contraseña
>> >> incorrectos");
>> >>                } finally {
>> >>                        securityManager.destroy();
>> >>                }
>> >>        }
>> >>
>> >> But now i want to know how to secure my webservice (God) using
>> JSecurity.
>> >> What i need to do?
>> >>
>> >>
>> >> daniel_asv wrote:
>> >> >
>> >> > Hi, i have a webservice from a stateless session bean running in a
>> >> > GlassFish Application Server. The webservice is consumed by a swing
>> >> > application, i want to agregate a login to the swing application, the
>> >> user
>> >> > and password will be stored in a SQL Server 2005 database managed by
>> >> JPA
>> >> > (Hibernate).
>> >> >
>> >> > What i need to do for use JSecurity in my login window using the
>> >> > webservice?
>> >> >
>> >>
>> >> --
>> >> View this message in context:
>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>
>>
>
Reply | Threaded
Open this post in threaded view
|

Re: How to use JSecurity

Les Hazlewood
Administrator
No worries Daniel - its good to see that you're trying to get it all under control!  Keep us posted with any questions along the way.

Cheers,

Les

On Thu, Aug 14, 2008 at 12:26 PM, daniel_asv <[hidden email]> wrote:

I'am using JBuilder 2008 and i choose to Create an EJB Modeling project for
the servidor.jar. I only have 2 months programming in java maybe that's why
i'm doing wrong usage of ejb with jsecurity.


Les Hazlewood wrote:
>
> Just out of curiosity, are you using EJB3?
>
> On Thu, Aug 14, 2008 at 10:08 AM, Les Hazlewood <[hidden email]> wrote:
>
>> Ah, I see now.
>>
>> The default JSecurity SecurityManager implemenations are almost always
>> intended to reside in the business tier, not in the client.  In an EJB3
>> application, this means it should reside along side of (a peer to) your
>> Stateless Session Bean - in the server, not in the client gui.
>>
>> So, if you want to secure a web service, JSecurity has to be configured
>> to
>> handle http communication - this is done by configuring JSecurity as a
>> servlet filter in web.xml, to intercept the webservice Servlet Requests
>> that
>> will eventually call the underlying EJB.
>>
>> See this JavaDoc for how to configure the filter:
>> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>>
>> So, for example, if all of your web service calls go
>>
>> http://your.host.ip/myapp/webservices
>>
>> you would configure the JSecurity filter to intercept all the
>> /webservices/** urls.  For example:
>>
>> <filter>
>>         <filter-name>JSecurityFilter</filter-name>
>>
>> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>>
>>         <init-param>
>>             <param-name>config</param-name>
>>             <param-value>
>>                 # The JSecurityFilter configuration is very powerful and
>> flexible, while still remaining succinct.
>>                 # Please read the comprehensive example, with full
>> comments
>> and explanations, in the JavaDoc:
>>                 #
>>                 #
>> http://www.jsecurity.org/api/org/jsecurity/web/servlet/JSecurityFilter.html
>>
>>                 [filters]
>>                 jsecurity.loginUrl = /s/login
>>                 authc.successUrl = /s/index
>>
>>                 [urls]
>>                 # specify any of the above filters here, depending on the
>> type of security you want:
>>                 /webservices/**=authc
>>
>>             </param-value>
>>         </init-param>
>>
>>     </filter>
>>
>> <filter-mapping>
>>         <filter-name>JSecurityFilter</filter-name>
>>         <url-pattern>*</url-pattern>
>>     </filter-mapping>
>>
>> Does this help?
>>
>>
>> On Wed, Aug 13, 2008 at 6:54 PM, daniel_asv
>> <[hidden email]>wrote:
>>
>>>
>>> Hi Les, i don´t use servlet and don´t configure web.xml.
>>>
>>> I have three jar:
>>> 1. servidor.jar an ejb deployed in glassfish, this contain my stateless
>>> session bean (god) which exposes all his methods as webservice and my
>>> jpa
>>> entitys (Cita, CitaDetalle, Clave, Direccion, Medico, Paciente, Permiso,
>>> Persona, Rol, Tratamiento, Usuario).
>>> 2. servicios.jar with the generated web service client from wsdl in
>>> glassfish using JAX-WS and JAXB.
>>> 3. cliente.jar the swing application that consumes the webservices (here
>>> i
>>> use JSecurity).
>>>
>>> My problem is in the webservices. I don´t know how to call them using a
>>> user
>>> and password.
>>>
>>>
>>> Les Hazlewood wrote:
>>> >
>>> > Hi Daniel,
>>> >
>>> > Have you configured JSecurity via a servlet filter in web.xml?  I'm
>>> just
>>> > trying to see what your runtime environment is like first before I
>>> > recommend
>>> > a solution.
>>> >
>>> > Les
>>> >
>>> > On Wed, Aug 13, 2008 at 5:38 PM, daniel_asv <[hidden email]>
>>> > wrote:
>>> >
>>> >>
>>> >> I have implemented this class that inherited from AuthorizingRealm
>>> >>
>>> >> package presentacion;
>>> >>
>>> >> import java.util.LinkedHashSet;
>>> >> import java.util.Set;
>>> >>
>>> >> import org.jsecurity.authc.AccountException;
>>> >> import org.jsecurity.authc.AuthenticationException;
>>> >> import org.jsecurity.authc.AuthenticationInfo;
>>> >> import org.jsecurity.authc.AuthenticationToken;
>>> >> import org.jsecurity.authc.SimpleAuthenticationInfo;
>>> >> import org.jsecurity.authc.UnknownAccountException;
>>> >> import org.jsecurity.authc.UsernamePasswordToken;
>>> >> import org.jsecurity.authz.AuthorizationException;
>>> >> import org.jsecurity.authz.AuthorizationInfo;
>>> >> import org.jsecurity.authz.SimpleAuthorizationInfo;
>>> >> import org.jsecurity.realm.AuthorizingRealm;
>>> >> import org.jsecurity.subject.PrincipalCollection;
>>> >>
>>> >> import acciones.God;
>>> >> import acciones.Permiso;
>>> >> import acciones.Rol;
>>> >> import acciones.Usuario;
>>> >>
>>> >> public class EjbRealm extends AuthorizingRealm {
>>> >>        private God servicios;
>>> >>
>>> >>        public EjbRealm(God servicios) {
>>> >>                this.servicios = servicios;
>>> >>        }
>>> >>
>>> >>        private Set<String> getRoles(Usuario u) {
>>> >>                Set<String> roles = new LinkedHashSet<String>();
>>> >>                for (Rol rol : u.getRoles()) {
>>> >>                        roles.add(rol.getNombre());
>>> >>                }
>>> >>                return roles;
>>> >>        }
>>> >>
>>> >>        private Set<String> getPermisos(Usuario u) {
>>> >>                Set<String> permisos = new LinkedHashSet<String>();
>>> >>                for (Rol rol : u.getRoles()) {
>>> >>                        for (Permiso p : rol.getPermisos()) {
>>> >>                                permisos.add(p.getNombre());
>>> >>                        }
>>> >>                }
>>> >>                return permisos;
>>> >>        }
>>> >>
>>> >>        @Override
>>> >>        protected AuthorizationInfo doGetAuthorizationInfo(
>>> >>                        PrincipalCollection principals) {
>>> >>                if (principals == null) {
>>> >>                        throw new AuthorizationException(
>>> >>                                        "El parametro
>>> PrincipalCollection
>>> >> no
>>> >> puede ser null.");
>>> >>                }
>>> >>                String apodo = (String)
>>> >> principals.fromRealm(getName()).iterator()
>>> >>                                .next();
>>> >>                Usuario u = servicios.consultarUsuario(apodo);
>>> >>                SimpleAuthorizationInfo info = new
>>> >> SimpleAuthorizationInfo(getRoles(u));
>>> >>                info.setStringPermissions(getPermisos(u));
>>> >>                return info;
>>> >>        }
>>> >>
>>> >>        @Override
>>> >>        protected AuthenticationInfo doGetAuthenticationInfo(
>>> >>                        AuthenticationToken token) throws
>>> >> AuthenticationException {
>>> >>                UsernamePasswordToken upToken =
>>> (UsernamePasswordToken)
>>> >> token;
>>> >>                String apodo = upToken.getUsername();
>>> >>                if (apodo == null) {
>>> >>                        throw new AccountException(
>>> >>                                        "No se permiten apodos Null en
>>> >> este
>>> >> realm.");
>>> >>                }
>>> >>                AuthenticationInfo info = null;
>>> >>                String contrasenia =
>>> >> servicios.consultarContrasenia(apodo);
>>> >>                if (contrasenia == null) {
>>> >>                        throw new UnknownAccountException("No se
>>> encontro
>>> >> el
>>> >> usuario ["
>>> >>                                        + apodo + "]");
>>> >>                }
>>> >>                info = new SimpleAuthenticationInfo(apodo,
>>> contrasenia,
>>> >> getName());
>>> >>                return info;
>>> >>        }
>>> >>
>>> >> }
>>> >>
>>> >> And in my login window i have implemented in a button this code
>>> >>        private GodService god = new GodService();
>>> >>        protected void button_actionPerformed(ActionEvent arg0) {
>>> >>                EjbRealm ejbRealm = new EjbRealm(god.getGodPort());
>>> >>                ejbRealm.setCredentialsMatcher(new
>>> >> Sha256CredentialsMatcher());
>>> >>                DefaultSecurityManager securityManager = new
>>> >> DefaultSecurityManager(
>>> >>                                ejbRealm);
>>> >>                UsernamePasswordToken token = new
>>> >> UsernamePasswordToken(apodoText
>>> >>                                .getText(),
>>> >> contraseniaText.getPassword());
>>> >>                try {
>>> >>                        Subject user = securityManager.login(token);
>>> >>                        if (user.isAuthenticated()) {
>>> >>                                MenuForm window = new MenuForm(god);
>>> >>                                window.show();
>>> >>                                dispose();
>>> >>                        }
>>> >>                } catch (AuthenticationException e) {
>>> >>                        mostrarMensaje("Usuario o contraseña
>>> >> incorrectos");
>>> >>                } finally {
>>> >>                        securityManager.destroy();
>>> >>                }
>>> >>        }
>>> >>
>>> >> But now i want to know how to secure my webservice (God) using
>>> JSecurity.
>>> >> What i need to do?
>>> >>
>>> >>
>>> >> daniel_asv wrote:
>>> >> >
>>> >> > Hi, i have a webservice from a stateless session bean running in a
>>> >> > GlassFish Application Server. The webservice is consumed by a swing
>>> >> > application, i want to agregate a login to the swing application,
>>> the
>>> >> user
>>> >> > and password will be stored in a SQL Server 2005 database managed
>>> by
>>> >> JPA
>>> >> > (Hibernate).
>>> >> >
>>> >> > What i need to do for use JSecurity in my login window using the
>>> >> > webservice?
>>> >> >
>>> >>
>>> >> --
>>> >> View this message in context:
>>> >> http://n2.nabble.com/How-to-use-JSecurity-tp679197p722874.html
>>> >> Sent from the JSecurity User mailing list archive at Nabble.com.
>>> >>
>>> >>
>>> >
>>> >
>>>
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/How-to-use-JSecurity-tp679197p723001.html
>>> Sent from the JSecurity User mailing list archive at Nabble.com.
>>>
>>>
>>
>
>

--
View this message in context: http://n2.nabble.com/How-to-use-JSecurity-tp679197p724494.html
Sent from the JSecurity User mailing list archive at Nabble.com.