tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "joe bob" <>
Subject kerberos,JAAS, and container managed security
Date Wed, 25 Jul 2007 22:54:14 GMT
     I would like to use kerberos in conjunction with container managed
security. I have configured a JAASRealm with Sun's kerberos LoginModule and
a basic scenario works fine. I.e, if a user accesses a protected URL, he is
challenged with a login screen. The user/password he enters is validated
against the kerberos system correctly.

We now have a requirement to honor kerberos password policies, for example
the "mandatory-password-change" flag. When set, the user gets a valid ticket
but all he can do is change his password. I tried doing this via my standard
configuration and the kerberos LoginModule throws an exception indicating
the user must change his password but the tomcat form authentication logic
seems to treat this as an invalid login and just redirects the user to the
error page with no way for the application to differentiate this situation.

Is it possible to honor kerberos password policies using JAAS and container
managed security? I have looked through the source and the answer appears
no. JAASRealm seems to catch various exceptions (e.g.
AccountExpiredException) but in the end just returns null to
FormAuthenticator as the authenticate() signature does not allow any checked
exceptions to be thrown and the FormAuthenticator implementation doesn't
seem to anticipate any runtime exceptions from this method.

I would much prefer to use container managed security for the usual reasons
but also to get (clustered) SSO support. Does anyone see something I missed
or have any ideas? Can I use the standard SSO valve with application managed
security somehow? Seems doubtful.

Kireet <>

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message