tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew R Feller" <>
Subject Web app classloader loading JAAS LoginModule instead of server
Date Mon, 12 Nov 2007 20:58:28 GMT
While developing a custom JAAS module to use Hibernate for users'
authorization profiles on a new application, we found that the Hibernate
login module was being initialized not by the server's classloader but
the webapp's classloader!  As we want to have different Realms declared
for each web application, we don't want to set a realm and security
constraints at the server level.


This issue came up while stepping through Tomcat's log.  Whenever the
application was being initialized, then its hibernate.cfg.xml was loaded
up from /WEB-INF/classes by the webappClassLoader.  Later on whenever
the protected resource was requested and the JAAS login module was
invoked, the login module was ALSO loaded by the webappClassLoader and
the hibernate.cfg.xml it requested was loaded from the
webappClassLoader's cache instead of searching for the one in



1.	Why is the webapp's classloader loading classes for the login
module?  Is this the intended behavior?
2.	How is it possible to make Tomcat initialize the login module
without the login module being declared for the entire server?





Andrew R Feller, Analyst

Subversion Administrator

University Information Systems

Louisiana State University

(office) 225.578.3737


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message