tomcat-users mailing list archives

From LERBSCHER Jean-Pierre <>
Subject RE : TR : [jaas integration between tomcat/weblogic]
Date Thu, 05 Aug 2004 16:16:18 GMT
Any responses?
Does somebody think that it could be a bug or like an improvement?

-----Original Message-----
From: LERBSCHER Jean-Pierre [] 
Sent: Tuesday, 27 July 2004 19:07
To: ''
Subject: [jaas integration between tomcat/weblogic]



I would like to make EJB calls from Tomcat to EJBs in Weblogic in a secure
environment (using j2ee roles). I configure a custom JAAS Realm that uses a
client-side LoginModule connecting to WLS.



I put weblogic.jar into common/lib directory and my login module classes in

I configure the webapp context like this:

      <Realm className="org.apache.catalina.realm.JAASRealm"





I grant all permissions (for test only) in Catalina.policy.

And I run Catalina with the -security option.


At this stage tomcat uses the login module (and the weblogic authentication
provider) to authenticate the user.


Everything works fine.


The subject built by weblogic is used to create a GenericPrincipal used
internally by Tomcat.


My problem is that I need to use the weblogic security api to implicitly
propagate the subject when I call the ejb component with the security data
provided by the weblogic authentication provider (the subject).


First, I try to run Tomcat with the security option and the permission,
which enables me to get the tomcat subject (for example like this: mySubject =
text()); ) and call the weblogic security api with that subject.


However the Tomcat GenericPrincipal is not serializable and I get an
exception [



Secondly I try to rebuild the weblogic subject with the subject generated

I get a java.lang.SecurityException: [Security:090398]Invalid Subject:
principals=[my_username] exception generated by weblogic.


It seems obvious that there are integration problems!


My suggestions are to keep a trace of the original subject (for example in
the session with a specific key) or in a class that is accessible to
application classes (and not dependent on tomcat specific api).


Do you have any other suggestions?




Tomcat 5.0.27 (full install), running on xp, java 1.4.2_02

WLS 8 sp2, running on w2k, java 1.4.2_02

(= both on same machine, same environment)

