geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Genender <>
Subject Re: JAAS and Tomcat
Date Sat, 20 Nov 2004 20:29:52 GMT

I am running Tomcat within Geronimo, as a GBean.  The configuration of 
Tomcat is occuring through GBeans.  I had to make a few changes to the 
current Tomcat GBean as Catalina does not like relative paths to the 
conf file, so I made some internal changes to use an absolut path.

Yes I already changed the tests and am working on them now.  I noticed 
the changes when I did an update, so I made the alterations to my unit 
tests and am testing them now.

I am aware of the geronimo-tomcat.xml.  That is what I am striving for. 
  I first want to get this working within a server.xml which is easiest 
to get it operating.  Once I have that running, this will validate that 
its interoperating with Geronimo. Then I will write the Context 
Interceptor that will use a geronimo-tomcat.xml file, for dynamic Realm 
and Context reference within each individual web app (like Jetty does).

Thanks for the info on the subject stuff.  I will try to change the JAAS 
code on the Tomcat side as you suggested.


Aaron Mulder wrote:
> 	Are you trying to run Tomcat within Geronimo, or run both Tomcat 
> and Geronimo on the same box separately but talking to each other?
> 	In any case, unfortunately, you'll have to change your tests, 
> because the properties file realm just went away.  If you look at the 
> Jetty test you based your stuff on, you'll see how to replace that with a 
> PropertiesFileLoginModule and a GenericSecurityRealm (two GBeans).
> 	The problem you're having with authorization may be due to the
> Subject you're getting as a result of the login.  It's not actually
> populated with all the principals that the server generates, because the
> server only gives the "client" a single ID to identify itself as of now.  
> There's a change on the table to return more of the principals to the
> client, and you'll have to wait for that if you can't change the JAAS code
> on the Tomcat side.  Otherwise, you can insert a call like "subject =
> ContextManager.getServerSideSubject(subject);" to get the fully-populated
> Subject.
> 	But it kind of sounds like you're runing tomcat inside Geronimo, 
> in which case you've got a ways yet to go -- I think we want to configure 
> Tomcat fully through GBeans and geronimo-tomcat.xml (or whatever), and not 
> used server.xml, a JAAS config file, or anything like that.  If you were 
> at ApacheCon this week, there was a pretty detailed talk about embedding 
> Tomcat.  Anyway, I'm not sure if you're working toward this but not there 
> yet, or trying to get it to work in a different configuration.
> Aaron
> On Sat, 20 Nov 2004, Jeff Genender wrote:
>>I have semi-successfully gotten Tomcat to use the Geronimo JAAS 
>>component.  I say semi-successful because I wrote some unit tests, got 
>>Tomcat running along with some other security base GBeans, and was able 
>>to protect resources in a web application, and access them with the 
>>However, what does not seem to be working is the group/role side of 
>>things.  If I protect the resources in teh web.xml with the following:
>>     <role-name>*</role-name>
>>Then it works as planned.  But if I state a particular role/group, it 
>>does not work.  So I need see why Tomcat is accepting the authentication 
>>piece of this, but not the authorization.
>>For a synopsis of what I did, I essentially took the BasicSecurityTest 
>>and SecurityTest unit tests from Jetty and altered them to work with 
>>Tomcat.  I then used the war3 test-resource for Jetty to use as a 
>>protected web application.
>>Most of getting this to work was setting configuration files (i.e the 
>>server.xml with an appropriate context and ensuring the 
>> is set to point at a proper 
>>login.config file.
>>Right now, the context needs to be declared in the server.xml.  I don't 
>>like this.  I need to write a ContextInterceptor so the context can be 
>>dynamically loaded from a geronimo-web.xml in the WEB-INF.  Hence, after 
>>I get the role/group to work, I will write the interceptor, and I think 
>>Geronimo JAAS will dynamically work with Tomcat.
>>For the security experts, please have a look at my unit test and configs 
>>below and see if you think I missed anything relative to getting the 
>>group to work:
>>Here is the login.config used by
>>jaasTest {
>> required
>>     realm="demo-properties-realm"
>>     kernel="geronimo.kernel";
>>In the server.cml:
>><Context path="/test" docBase="war3" debug="99" reloadable="true">
>>     <Logger className="org.apache.catalina.logger.FileLogger"
>>             prefix="test_log." suffix=".txt"
>>             timestamp="true"/>
>>     <Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
>>                            appName="jaasTest" 


>>      />
>>I used the following code to fire up the necessary GBeans ina unit test:
>>containerName = new ObjectName("geronimo.tomcat:role=Container");
>>containerPatterns = Collections.singleton(containerName);
>>appName = new ObjectName("geronimo.tomcat:app=test");
>>tmName = new ObjectName("geronimo.test:role=TransactionManager");
>>tcmName = new ObjectName("geronimo.test:role=TransactionContextManager");
>>tcaName = new 
>>kernel = new Kernel("geronimo.kernel");
>>serverInfoGBean = new GBeanMBean(ServerInfo.GBEAN_INFO);
>>serverInfoName = new ObjectName("geronimo.system:role=ServerInfo");
>>serverInfoGBean.setAttribute("baseDirectory", ".");
>>container = new GBeanMBean(TomcatGBean.GBEAN_INFO);
>>securityServiceGBean = new 
>>securityServiceName = new 
>>loginServiceGBean = new 
>>loginServiceName = new 
>>//        loginServiceGBean.setAttribute("reclaimPeriod", new Long(1000 
>>* 1000));
>>loginServiceGBean.setAttribute("algorithm", "HmacSHA1");
>>loginServiceGBean.setAttribute("password", "secret");
>>propertiesRealmGBean = new 
>>propertiesRealmName = new 
>>propertiesRealmGBean.setAttribute("realmName", "demo-properties-realm");
>>propertiesRealmGBean.setAttribute("defaultPrincipal", "metro");
>>propertiesRealmGBean.setAttribute("maxLoginModuleAge", new Long(1 * 1000));
>>propertiesRealmGBean.setAttribute("usersURI", (new File(new File("."), 
>>propertiesRealmGBean.setAttribute("groupsURI", (new File(new File("."), 
>>start(serverInfoName, serverInfoGBean);
>>start(propertiesRealmName, propertiesRealmGBean);
>>start(containerName, container);
>>start(securityServiceName, securityServiceGBean);
>>start(loginServiceName, loginServiceGBean);
>>tm = new GBeanMBean(GeronimoTransactionManager.GBEAN_INFO);
>>tm.setAttribute("defaultTransactionTimeoutSeconds", new Integer(10));
>>Set patterns = new HashSet();
>>tm.setReferencePatterns("ResourceManagers", patterns);
>>start(tmName, tm);
>>tcm = new GBeanMBean(TransactionContextManager.GBEAN_INFO);
>>tcm.setReferencePattern("TransactionManager", tmName);
>>start(tcmName, tcm);
>>ctc = new GBeanMBean(ConnectionTrackingCoordinator.GBEAN_INFO);
>>start(tcaName, ctc);

View raw message