tomcat-users mailing list archives

From LERBSCHER Jean-Pierre <jean-pierre.lerbsc...@cofiroute.fr>
Subject RE : TR : [jaas integration between tomcat/weblogic]
Date Thu, 05 Aug 2004 16:16:18 GMT
Any responses?
Does somebody think that it could be a bug or like an improvement?
Thanks.

-----Original Message-----
From: LERBSCHER Jean-Pierre [mailto:jean-pierre.lerbscher@cofiroute.fr]
Sent: Tuesday 27 July 2004 19:07
To: 'tomcat-dev@jakarta.apache.org'
Subject: [jaas integration between tomcat/weblogic]

Hi,

I would like to make EJB calls from Tomcat to an EJB in Weblogic in a secure
environment (using j2ee roles). I configure a custom JAAS Realm that uses a
client-side LoginModule connecting to WLS
(weblogic.security.auth.login.UsernamePasswordLoginModule).

I put weblogic.jar into the common/lib directory and my login module classes
in common/classes.

I configure the webapp context like this:

      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="Sample"
             userClassNames="weblogic.security.principal.WLSUserImpl"
             roleClassNames="weblogic.security.principal.WLSGroupImpl"
             debug="99"/>

I grant all permissions (for test only) in Catalina.policy.

And I run Catalina with the -security option.

At this stage Tomcat uses the login module (and the weblogic authentication
provider) to authenticate the user.

Everything works fine.

The subject built by weblogic is used to create a GenericPrincipal used
internally by Tomcat.

My problem is that I need to use the weblogic security api to propagate
implicitly the subject when I call the ejb component with the security data
provided by the weblogic authentication provider (the subject).

First I try to run Tomcat with the security option and the permission, which
enables me to get the tomcat subject (for example like this

      javax.security.auth.Subject mySubject =
          javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());

) and call the weblogic security api with that subject.

However the Tomcat GenericPrincipal is not serializable and I get an
exception [java.io.NotSerializableException:
org.apache.catalina.realm.GenericPrincipal]...

Secondly I try to rebuild the weblogic subject with the subject generated by
javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());

I get a java.lang.SecurityException: [Security:090398]Invalid Subject:
principals=[my_username] exception generated by weblogic.

It seems obvious that there are problems of integration!

My suggestions are to keep a trace of the original subject (for example in
the session with a specific key) or in a class that is accessible to
application classes (and not dependent on the tomcat specific api).

Do you have any other suggestions?

Environment:

Tomcat 5.0.27 (full install), running on xp, java 1.4.2_02
WLS 8 sp2, running on w2k, java 1.4.2_02
(= both on same machine, same environment)

 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
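
The NotSerializableException reported in the message above can be reproduced without Tomcat or WebLogic, because javax.security.auth.Subject serializes its principal set along with itself. The following is an added example, not code from the original post or from either project; ContainerPrincipal and UserPrincipal are constructed stand-ins, not Tomcat or WebLogic classes. It reports which principal class prevents a Subject from being serialized:

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import javax.security.auth.Subject;

public class SubjectSerializationCheck {

    // Constructed stand-in for a container principal that is NOT Serializable.
    static final class ContainerPrincipal implements Principal {
        private final String name;
        ContainerPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed stand-in for a login-module principal that IS Serializable.
    static final class UserPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Returns null when the Subject serializes cleanly, otherwise the name of
    // the class the JVM refused to serialize.
    static String serializationBlocker(Subject subject) throws IOException {
        ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
        try {
            out.writeObject(subject);
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        } finally {
            out.close();
        }
    }

    public static void main(String[] args) throws IOException {
        Subject fromLoginModule = new Subject();
        fromLoginModule.getPrincipals().add(new UserPrincipal("my_username"));

        Subject fromContainer = new Subject();
        fromContainer.getPrincipals().add(new ContainerPrincipal("my_username"));

        System.out.println("login-module subject blocker: " + serializationBlocker(fromLoginModule));
        System.out.println("container subject blocker:    " + serializationBlocker(fromContainer));
    }
}
```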

