tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antoine Brocard - Vertical*i S.A." <>
Subject The good way of making JAAS and Realm authentication use the same back-end authentication system?
Date Tue, 12 Oct 2004 07:51:46 GMT
Maybe this question should be in the User mailing list, but I think it
could interest some Developers...

The problem I had to solve is the following:

My application needs J2EE container authentication AND JAAS (to
authenticates requests coming from
an application that don't support standard authentication scheme, like
BASIC or FORM). The back-end
authentication system is an LDAP server. I would like that both J2EE
authentication and JAAS access
the same LDAP server.

As a first try I set up the following configuration:

Use the Tomcat JAASRealm for J2EE authentication.
Use the JDNILoginModule as JAAS login module, to access the LDAP   server.

The problem was that the JDNILoginModule was known to have bugs, and I
dind't succeeded to make this
configuration work.

The other solution is to make JAAS use the current J2EE authentication;
in other words make the JAAS
login module access the current Tomcat Realm and forward authentication
requests on it. I look for such
a module, without success.

I decided to write one myself, using the following hacks:

In order to access the current Realm from inside a loginmodule, I used
JMX. I copied some code from the
Tomcat sources. At this point I was able to get the current Realm but I
realized that the "authenticate"
method wasn't manageable through JMX.
To solve that, I decided to subclass the standard Tomcat Realm and to
make them accessible through JMX
by modifying the mbeans-descriptor.xml file. Finally it worked fine.

The last problem I had was related to location of .jar files.  In order
to make this work, I had to move the
content of TOMCAT_HOME/server/lib into TOMCAT_HOME/common/lib. This is
not very elegant and can lead to security
issues in some cases. Moreover clients are often reluctant to do such

My question(s) is(are) the following:

1)Is there is better/simpler procedure to make JAAS and J2EE container
authentication use the same back-end
mechanism? Maybe I missed a step somewhere...

1bis) If not, is there a simpler way of getting the current Realm from
Java code, instead of the ugly JMX
hack I used?

2)Why isn't there a "TomcatLogin" JAAS loginmodule, like there is with
Weblogic or Websphere? It seems that
"JAAS asking Realm" is the "standard" way of doing, not the "Realm
asking JAAS" one used by Tomcat...

Thanks in advance for your help

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message