tomcat-dev mailing list archives

From "Antoine Brocard - Vertical*i S.A." <broc...@verticali.com>
Subject Re: RE : The good way of making JAAS and Realm authentication use the same back-end authentication system?
Date Tue, 12 Oct 2004 09:00:30 GMT
Yes, certainly for this specific case...

But from a more "philosophical" point of view, why do I have to do that?
I mean, why isn't it provided as standard with Tomcat (it is not a criticism,
it's only a question)?

Does my code interest the Tomcat community?


LERBSCHER Jean-Pierre wrote:
> It seems that the simplest way is to write your own login module or try to
> use/configure/debug the existing JNDI login module.
> Regards,
> 
> -----Original Message-----
> From: Antoine Brocard - Vertical*i S.A. [mailto:brocard@verticali.com] 
> Sent: Tuesday, 12 October 2004 09:52
> To: tomcat-dev@jakarta.apache.org
> Subject: The good way of making JAAS and Realm authentication use the same
> back-end authentication system?
> 
> Maybe this question should be in the User mailing list, but I think it
> could interest some Developers...
> 
> 
> The problem I had to solve is the following:
> 
> My application needs J2EE container authentication AND JAAS (to
> authenticate requests coming from
> an application that doesn't support standard authentication schemes, like
> BASIC or FORM). The back-end
> authentication system is an LDAP server. I would like both J2EE
> authentication and JAAS to access
> the same LDAP server.
> 
> 
> As a first try I set up the following configuration:
> 
> Use the Tomcat JAASRealm for J2EE authentication.
> Use the JNDILoginModule as JAAS login module, to access the LDAP server.
> 
> The problem was that the JNDILoginModule was known to have bugs, and I
> didn't succeed in making this
> configuration work.
> 
> 
> The other solution is to make JAAS use the current J2EE authentication;
> in other words make the JAAS
> login module access the current Tomcat Realm and forward authentication
> requests to it. I looked for such
> a module, without success.
> 
> I decided to write one myself, using the following hacks:
> 
> In order to access the current Realm from inside a loginmodule, I used
> JMX. I copied some code from the
> Tomcat sources. At this point I was able to get the current Realm but I
> realized that the "authenticate"
> method wasn't manageable through JMX.
> To solve that, I decided to subclass the standard Tomcat Realm and to
> make them accessible through JMX
> by modifying the mbeans-descriptor.xml file. Finally it worked fine.
> 
> The last problem I had was related to location of .jar files.  In order
> to make this work, I had to move the
> content of TOMCAT_HOME/server/lib into TOMCAT_HOME/common/lib. This is
> not very elegant and can lead to security
> issues in some cases. Moreover clients are often reluctant to do such
> operations...
> 
> 
> My question(s) is(are) the following:
> 
> 1) Is there a better/simpler procedure to make JAAS and J2EE container
> authentication use the same back-end
> mechanism? Maybe I missed a step somewhere...
> 
> 1bis) If not, is there a simpler way of getting the current Realm from
> Java code, instead of the ugly JMX
> hack I used?
> 
> 2) Why isn't there a "TomcatLogin" JAAS loginmodule, like there is with
> Weblogic or Websphere? It seems that
> "JAAS asking Realm" is the "standard" way of doing it, not the "Realm
> asking JAAS" one used by Tomcat...
> 
> Thanks in advance for your help
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
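
The "JAAS asking Realm" arrangement described in the quoted message, as an added example that is not code from the thread or from Tomcat: a JAAS login module that forwards the credential check to a back end shared with the container. `DelegatingLoginModule`, `Backend` and `setBackend` are hypothetical names, and wrapping the container Realm (or its LDAP lookup) behind `Backend` is an assumption.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example; Backend/setBackend are hypothetical and assumed to wrap what the container Realm checks against.
public class DelegatingLoginModule implements LoginModule {
    public interface Backend { Principal authenticate(String user, char[] password); }
    private static volatile Backend backend;   // assumed to be registered once at start-up
    public static void setBackend(Backend b) { backend = b; }
    private Subject subject;
    private CallbackHandler handler;
    private Principal pending, committed;      // phase 1 result, phase 2 result
    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        Backend b = backend;
        if (b == null || handler == null) throw new LoginException("module not configured");
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { name, pass }); }
        catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();        // a copy of the callback's buffer
        pass.clearPassword();
        try {   // fail closed: missing input or a null result is a failed login
            pending = (name.getName() == null || pw == null) ? null : b.authenticate(name.getName(), pw);
        } finally { if (pw != null) java.util.Arrays.fill(pw, '\0'); }
        if (pending == null) throw new FailedLoginException("authentication failed");
        return true;
    }
    @Override public boolean commit() {
        if (pending == null) return false;     // login() did not succeed in this module
        subject.getPrincipals().add(pending);
        committed = pending; pending = null;
        return true;
    }
    @Override public boolean abort() {
        boolean hadState = pending != null || committed != null;
        pending = null; logout();
        return hadState;                       // false tells JAAS this module should be ignored
    }
    @Override public boolean logout() {
        if (committed != null) subject.getPrincipals().remove(committed);
        committed = null; return true;
    }
}
```

The static `backend` field is only shared when the code calling `setBackend` and the JAAS runtime load this class through the same class loader; otherwise each side sees its own empty field.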

