tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bryan Field-Elliot" <>
Subject JAASRealm/LoginManager questions
Date Sun, 09 Feb 2003 22:48:11 GMT
We are building out a toolkit for distributed single sign-on, using (today) standards such
as SAML and Liberty. While the guts of this toolkit are mostly finished, we aren't actually
populating the Subject/Principals list, and we'd like to add features in that direction. I'm
admittedly quite new to JAAS, but I know enough to think that JAAS might be the right approach.

When a site is ready to request authentication, the SAML model (and our toolkit) like to redirect
the browser to another site, where first-level authentication occurs. Upon return from the
remote site, we get a signed login credential, which we validate, and ultimately hope to use
to populate the Subject/Principal.

We do all of our development on Tomcat, which we consider to be our reference platform.

The basic goal is, (in a standards-compliant way, likely to work on multiple vendors' Servlet
containers), handle authentication and populate the Subject.

My questions are:

1. Is JAAS the right way to go? I think it is. By using Catalina's JAASRealm, and building
our own LoginManager, I think we're on the right track. 

2. Can our LoginManager (fronted by Tomcat's JAASRealm) send redirects to the browser, and
somehow set up listeners for when the user eventually returns (could be a couple minutes,
and is certainly going to be on a different incoming HTTP request)? Again I'm new to JAAS,
but something in the Tomcat Javadocs alarms me that this may not be possible. From JAASCallbackHander:
Implementation of the JAAS CallbackHandler interface, used to negotiate delivery of the username
and credentials that were specified to our constructor. No interaction with the user is required
(or possible).

The last phrase ("No interaction with the user is...possible") seems to indicate that I might
be heading down a dead-end here.

3. Am I wrong that JAASRealm is the way to go? Maybe I need to drop down a layer and implement
a Catalina Realm directly, rather than use JAASRealm and implement a LoginManager?

Thanks very much,


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message