Authorization without authentication

2011-03-17
2013-05-08
  • Mones Damak

    Mones Damak - 2011-03-17

    Hi,
    I wonder if I can use jGuard just to filter URL access. So can I just use jGuardAuthorization?

     
  • Charles Lescot

    Charles Lescot - 2011-03-17

    Hi,
    one solution is to not expose authentication, and assign the permissions you want to the guest user.

    hope it helps,

    Charles.

     
  • Vinicius Pitta Lima de Araujo

    I am curious. What is the point of checking whether an unauthenticated/guest user has permission to access a URL? Is there some area (group of URLs) of your system that is blocked?

     
  • Mones Damak

    Mones Damak - 2011-03-30

    Thanks for the replies.
    I have another problem in a Struts Action:
    When the administrator adds a new user, I use Java code to assign a domain to that new user like this:

    /******************** Create new user *****************/
    // needs java.util.Arrays, java.util.HashSet, java.util.Set
    // and javax.security.auth.Subject, plus the jGuard classes used below
    AuthenticationManager am = (AuthenticationManager) request
            .getSession().getServletContext()
            .getAttribute(SecurityConstants.AUTHENTICATION_MANAGER);
    AuthorizationManager authorizationManager = (AuthorizationManager) request
            .getSession().getServletContext()
            .getAttribute(SecurityConstants.AUTHORIZATION_MANAGER);
    RolePrincipal principal = new RolePrincipal(login, request
            .getSession().getServletContext().getServletContextName());
    SubjectTemplate st = new SubjectTemplate();

    // Private required credentials
    Set privRequiredCred = new HashSet();
    addCredential(privRequiredCred, "login", login);
    addCredential(privRequiredCred, "password", password);
    // add private required credentials to user
    st.setPrivateRequiredCredentials(privRequiredCred);

    // Public required credentials
    Set publicRequiredCred = new HashSet();
    addCredential(publicRequiredCred, "firstname", nom);
    addCredential(publicRequiredCred, "lastname", prenom);
    addCredential(publicRequiredCred, "location", "tn");
    // add public required credentials to user
    st.setPublicRequiredCredentials(publicRequiredCred);

    // Private optional credentials
    Set privOptionalCred = new HashSet();
    // add private optional credentials to user
    st.setPrivateOptionalCredentials(privOptionalCred);

    // Public optional credentials
    Set publicOptionalCred = new HashSet();
    // add public optional credentials to user
    st.setPublicOptionalCredentials(publicOptionalCred);

    // add principals
    st.getPrincipals().clear();
    String principalsNames = login;
    System.out.println(" create user: principalsNames from form ="
            + principalsNames);

    try {
        SubjectTemplate stClone = (SubjectTemplate) am
                .getSubjectTemplate("default").clone();
        stClone.getPrincipals().clear();

        // ** ** get the specific domain (group)
        String domainNames = "public#";
        // split() returns an array, so the variable must be a String[]
        String[] domNames = domainNames.split("#");
        // ** ** Add the domain to the principal (set the list of permissions)
        Set doms = authorizationManager.getDomains(Arrays.asList(domNames));
        //System.out.println("Domain list" +doms);
        principal.setDomains(doms);
        principal.setName(login);
        principal.setApplicationName("SOVWeb");
        Set principalsSet = new HashSet();
        principalsSet.add(principal);
        stClone.setPrincipals(principalsSet);
        Subject userCreated = am.createUser(st, stClone);
        System.out
                .println(" ************ user created =" + userCreated);
    } catch (RegistrationException e) {
        System.out.println(e.getMissingPrivateCredential());
        System.out.println(e.getMissingPublicCredential());
        e.printStackTrace();
    } catch (AuthenticationException e) {
        e.printStackTrace();
    } catch (CloneNotSupportedException e) {
        e.printStackTrace();
    }

    The user is created and can authenticate; from the output the domain is set to the principal, but when I want to navigate to any action (.do) I get redirected to the accessDenied!!
    I use jGuard XML for the login module and for authorization.

     
  • Charles Lescot

    Charles Lescot - 2011-03-30

    Hi,
    maybe your problem comes from a URL which does not match any permissions owned by the principal (directly, or indirectly through the domain owned by the principal).
    To check that, you should set the net.sf.jguard logger level to debug, and publish the output of the log when the check is done.

    cheers,

    charles.

     
  • Mones Damak

    Mones Damak - 2011-03-31

    Hey Charles,
    how could I set the net.sf.jguard logger?

    PS: when I configure the user and the permissions manually it works :(

     
  • Mones Damak

    Mones Damak - 2011-03-31

    This is the output I get when the administrator creates a new user:
    10:34:10,946 INFO    create user: principalsNames from form =zz
    10:34:10,977 INFO    ************ user created =Objet :
    Principal :  principal class name =net.sf.jguard.core.principals.RolePrincipal
    principal localName =zz
    principal application name =SOVWeb
    principal domains =[
    name=public
    permissions=name: Home
    scheme: ANY
    parameters: net.sf.jguard.core.authorization.permissions.URLParameterCollection@141bf9f
    pattern: /home.do
    uri: /home.do
    description: ANY

    name: LogonProcess
    scheme: ANY
    parameters: net.sf.jguard.core.authorization.permissions.URLParameterCollection@13b2b95
    pattern: /LogonProcess.do
    uri: /LogonProcess.do
    description: ANY

    name: MenuSOVLookup
    scheme: ANY
    parameters: net.sf.jguard.core.authorization.permissions.URLParameterCollection@155e32a
    pattern: /MenuSOVLookup.do
    uri: /MenuSOVLookup.do
    description: ANY
    ]
    principal permissions =[name: Home
    scheme: ANY
    parameters: net.sf.jguard.core.authorization.permissions.URLParameterCollection@141bf9f
    pattern: /home.do
    uri: /home.do
    description: ANY
    ,  name: LogonProcess
    scheme: ANY
    parameters: net.sf.jguard.core.authorization.permissions.URLParameterCollection@13b2b95
    pattern: /LogonProcess.do
    uri: /LogonProcess.do
    description: ANY
    ,name: MenuSOVLookup
    scheme: ANY
    parameters: net.sf.jguard.core.authorization.permissions.URLParameterCollection@155e32a
    pattern: /MenuSOVLookup.do
    uri: /MenuSOVLookup.do
    description: ANY
    ]
    principal descendants =

    Identité publique :
    id=firstname
    value=zz

    Identité publique :
    id=location
    value=tn

    Identité publique :
    id=lastname
    value=zz

    Identité privée :
    id=login
    value=zz

    Identité privée :
    id=password
    value=zz
    10:34:10,977 INFO   /**********/ read only === >false

    And when I log in with this user I get this output:

    10:39:57,168 ERROR  31 mars 2011 10:39:57 net.sf.jguard.ext.audit.AuditManager addEvent
    INFO:  user=  :  user is authenticated  implies  redirect to home.jsp

    When I try to access any page I get:

    10:41:17,366 ERROR  31 mars 2011 10:41:17 net.sf.jguard.ext.audit.AuditManager addEvent
    INFO:  user=  :  subject hasn't got the permission name=permissionFromUser actions=/MenuSOVLookup.do,ANY,POSTpermission build from the user request implies  accessdenied phase
    10:41:17,366 ERROR  31 mars 2011 10:41:17 net.sf.jguard.ext.audit.AuditManager addEvent
    INFO:  user=  :  access is denied to/SOV/MenuSOVLookup.do implies  user is redirected to accessDeniedURI/AccessDenied.do
    10:41:17,381 ERROR  31 mars 2011 10:41:17 net.sf.jguard.ext.audit.AuditManager addEvent
    INFO:  user=  : subject is not null and URI/AccessDenied.do= accessDeniedURI( /AccessDenied.do) implies  access authorized

    What is the problem :((

     
  • Mones Damak

    Mones Damak - 2011-03-31

    Hey Charles,

    I think that I found it ;)
    I just added the new principal to the authentication and the authorization manager and it works fine :)

    Other thing: when the user authenticates without a login and password, jGuard gives him a guest role, so
    my new question is: how can I force the user to write his login and password to get access?

     
  • Charles Lescot

    Charles Lescot - 2011-03-31

    Hi,
    you need to grant access with guest to a page which will redirect to the login page...
    You can also prevent the user (but this is only for ergonomics) from entering empty fields with some JavaScript validation.

    hope it helps,

    Charles.

     
  • Mones Damak

    Mones Damak - 2011-03-31

    Thanks Charles :)

     
  • Mones Damak

    Mones Damak - 2011-04-08

    Hey Charles :)

    Another issue :( I'm now using a database for authorization and authentication.
    I insert data in the jGuard tables with my Java application.
    The administrator adds a user, assigns the user to a group and logs out.
    The new user authenticates and gets access to the application.
    The problem is that the user always gets the guest role :((
    When I restart the server (JBoss V4.2.3-GA) the user gets the roles of the assigned group !!!!!
    (the authorizations are assigned only when I restart the group)

    Any idea??

     
  • Charles Lescot

    Charles Lescot - 2011-04-09

    Hi,
    effectively, it seems weird...
    Do you use the jGuard API to update the role by adding more permissions?
    Or do you insert additional permissions directly into the role with an SQL query?

    To work, you need to use the jGuard API, through the AuthorizationManager.

    hope it helps,

    Charles.
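
The restart symptom described in this exchange, modelled as an added example that is not part of the original posts and is not jGuard code. It assumes the manager loads role assignments into memory at startup and answers checks from that copy, which is consistent with the behaviour reported here but not confirmed on the page; `InMemoryAuthzManager`, `assignRole`, `rolesOf` and the user `yy` are hypothetical names, and the store contents are constructed sample data.

```java
import java.util.*;

// Hypothetical model, not jGuard code: a manager that loads role assignments
// from a backing store once and then answers every check from memory.
public class StalePolicyDemo {
    // Stands in for the database tables (constructed sample data).
    static final Map<String, Set<String>> store = new HashMap<>();

    static class InMemoryAuthzManager {
        private final Map<String, Set<String>> cache = new HashMap<>();

        InMemoryAuthzManager() { reload(); }   // runs once, at server start

        void reload() {
            cache.clear();
            store.forEach((user, roles) -> cache.put(user, new HashSet<>(roles)));
        }

        // API path: persists the change AND updates the live policy.
        void assignRole(String user, String role) {
            store.computeIfAbsent(user, u -> new HashSet<>()).add(role);
            cache.computeIfAbsent(user, u -> new HashSet<>()).add(role);
        }

        // Users the live policy does not know fall back to guest.
        Set<String> rolesOf(String user) {
            return cache.getOrDefault(user, Collections.singleton("guest"));
        }
    }

    public static void main(String[] args) {
        InMemoryAuthzManager manager = new InMemoryAuthzManager();

        // Direct write to the store, like an SQL INSERT from the application.
        store.computeIfAbsent("zz", u -> new HashSet<>()).add("public");
        System.out.println("after direct insert: " + manager.rolesOf("zz"));

        // Only a reload (the server restart) makes the new row visible.
        manager.reload();
        System.out.println("after restart:       " + manager.rolesOf("zz"));

        // Through the manager, the change is effective immediately.
        manager.assignRole("yy", "public");
        System.out.println("after API call:      " + manager.rolesOf("yy"));
    }
}
```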

     
  • Mones Damak

    Mones Damak - 2011-04-11

    Hey Charles,
    thanks for the reply :) Well, I use an SQL query. I thought about adding the RolePrincipal to the authorization manager, but I did not find how to get it from the subject :((

     
  • Mones Damak

    Mones Damak - 2011-04-11

    Hey Charles,

    I resolved the problem with the jGuard API :)))

    Thanks for the help.

     
