tomcat-users mailing list archives

From "Caldarale, Charles R" <>
Subject RE: JAAS authenticated user fails authorization check
Date Mon, 05 May 2008 18:11:44 GMT
> From: Robin Coe [] 
> Subject: RE: JAAS authenticated user fails authorization check

It appears that the problem is you haven't fully configured the JAAS
environment.  See below for details.

> I tested the implementation of isUserInRole() by wild-carding 
> the role, to force Tomcat to authenticate but not authorize:

It doesn't work that way.  A <role-name> of * means that authorization
is allowed for any of the listed <security-role>s, not that
authorization is ignored.

> As a side note, I wrote my own implementation of the login 
> process, using a servlet to hook into my login module, thus
> avoiding the declarative security. 

Why did you choose to reinvent the wheel here?  Use the declarative
security - it's much easier.

> <Context>
>         <Realm className="org.apache.catalina.realm.JAASRealm"
>            appName="landscape"

The appName is not some arbitrary value; it needs to point to the entry
in the file pointed to by the system
property (see below).

> The JAAS module is not based on a security policy file, I 
> wrote it to work from a database.

Not relevant to the discussion.  You still have to tell Tomcat's
JAASRealm what your LoginModule class name is via the file pointed to by
the system property.  For example,
here's ours:

The conf/security/tomcatLogin.config file contains:

TomcatLogin { required;

Have you done that?

 - Chuck
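
Added example, not part of the original message or of Tomcat's own code: a Python check that the `appName` of each JAASRealm in a context file names an entry in the JAAS login configuration file, which is the mismatch discussed above. The sample context and login config are constructed, and `com.example.auth.DbLoginModule` is a hypothetical class name.

```python
import re
import xml.etree.ElementTree as ET

JAAS_REALM = "org.apache.catalina.realm.JAASRealm"
# Quoted option values and Java-style comments, scanned left to right so a
# "//" inside a quoted value (e.g. a JDBC URL) is not mistaken for a comment.
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

def login_config_entries(text):
    """Parse a JAAS login config (the file named by the standard
    java.security.auth.login.config system property) into
    {entry name: [(LoginModule class, control flag), ...]}."""
    text = _SKIP.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", text)
    entries = {}
    for name, body in re.findall(r"([\w.$*-]+)\s*\{(.*?)\}\s*;", text, re.S):
        modules = []
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) >= 2:          # "<class> <flag> [options...]"
                modules.append((parts[0], parts[1].lower()))
        entries[name] = modules
    return entries

def check_realm(context_xml, login_config):
    """Return one finding per JAASRealm whose appName has no usable entry."""
    entries = login_config_entries(login_config)
    findings = []
    for realm in ET.fromstring(context_xml).iter("Realm"):
        if realm.get("className") != JAAS_REALM:
            continue
        app = realm.get("appName")
        if app is None:
            findings.append("JAASRealm has no appName attribute")
        elif app not in entries:
            findings.append(f"appName '{app}' has no entry; found {sorted(entries)}")
        elif not entries[app]:
            findings.append(f"entry '{app}' lists no LoginModule")
    return findings

# Constructed samples: appName and entry name are the ones quoted in the thread;
# the LoginModule class and its option are hypothetical.
SAMPLE_CONTEXT = """<Context>
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="landscape"/>
</Context>"""
SAMPLE_LOGIN_CONFIG = """/* constructed sample */
TomcatLogin {
    com.example.auth.DbLoginModule required
        jdbcUrl="jdbc:postgresql://db.example/users";   // value contains //
};"""

if __name__ == "__main__":
    for finding in check_realm(SAMPLE_CONTEXT, SAMPLE_LOGIN_CONFIG):
        print(finding)
```
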
