Subject: RE: JAAS authenticated user fails authorization check
Date: Mon, 5 May 2008 13:11:44 -0500
From: "Caldarale, Charles R"
To: "Tomcat Users List"

> From: Robin Coe [mailto:Robin.Coe@kaleidescape.com]
> Subject: RE: JAAS authenticated user fails authorization check

It appears that the problem is you haven't fully configured the JAAS environment. See below for details.

> I tested the implementation of isUserInRole() by wild-carding
> the role, to force Tomcat to authenticate but not authorize:

It doesn't work that way. A of * means that authorization is allowed for any of the listed s, not that authorization is ignored.

> As a side note, I wrote my own implementation of the login
> process, using a servlet to hook into my login module, thus
> avoiding the declarative security.

Why did you choose to reinvent the wheel here? Use the declarative security - it's much easier.

> > appName="landscape"

The appName is not some arbitrary value; it needs to point to the entry in the file pointed to by the java.security.auth.login.config system property (see below).

> The JAAS module is not based on a security policy file, I
> wrote it to work from a database.

Not relevant to the discussion. You still have to tell Tomcat's JAASRealm what your LoginModule class name is via the file pointed to by the java.security.auth.login.config system property.
For example, here's ours:

-Djava.security.auth.login.config=conf/security/tomcatLogin.config

The conf/security/tomcatLogin.config file contains:

TomcatLogin {
    com.unisys.os2200.security.TomcatLoginModule required;
};

Have you done that?

 - Chuck
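The mismatch Chuck is pointing at (a JAASRealm appName of "landscape" while the login config file only defines a "TomcatLogin" entry) can be checked outside Tomcat with the standard javax.security.auth.login.Configuration API. The program below is an added example, not code from this thread or from Tomcat: it writes a constructed login config file shaped like the one above (the module class name com.example.placeholder.DbLoginModule is a placeholder, since the JAAS parser only records the name and does not load the class), points java.security.auth.login.config at it exactly as the -D option would, and then asks the JVM which appNames actually resolve to LoginModule entries.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Checks whether a JAASRealm appName resolves to an entry in the file named by
 * java.security.auth.login.config. An appName that does not resolve means the
 * realm has no LoginModule to run, which surfaces as a failed login or, with a
 * home-grown login path, as an authenticated user with no usable roles.
 */
public class JaasConfigCheck {

    // Constructed sample config, same shape as the tomcatLogin.config above.
    // The module class is a placeholder; Configuration never instantiates it.
    static final String SAMPLE_CONFIG =
        "TomcatLogin {\n" +
        "    com.example.placeholder.DbLoginModule required;\n" +
        "};\n";

    /** True if appName maps to at least one LoginModule entry in the active config. */
    static boolean appNameIsConfigured(String appName) {
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(appName);
        return entries != null && entries.length > 0;
    }

    /** Describes the modules and control flags bound to appName, for diagnostics. */
    static String describe(String appName) {
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(appName);
        if (entries == null) {
            return appName + " -> NOT FOUND (no such entry in the login config file)";
        }
        StringBuilder sb = new StringBuilder(appName + " ->");
        for (AppConfigurationEntry e : entries) {
            sb.append(' ').append(e.getLoginModuleName())
              .append(' ').append(e.getControlFlag());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Path cfg = Files.createTempFile("tomcatLogin", ".config");
        Files.writeString(cfg, SAMPLE_CONFIG);

        // Equivalent to -Djava.security.auth.login.config=<path> on the JVM
        // command line. Must be set before the first getConfiguration() call,
        // because the default Configuration is loaded lazily on first use.
        System.setProperty("java.security.auth.login.config", cfg.toString());

        // "landscape" is the appName from the original post; "TomcatLogin" is
        // the entry the sample file actually defines.
        System.out.println(describe("landscape"));
        System.out.println(describe("TomcatLogin"));

        Files.delete(cfg);
    }
}
```

Run it with a JDK (Java 11 or later for Files.writeString) and the first line reports "landscape -> NOT FOUND" while the second lists the placeholder module with its REQUIRED flag; the fix in Tomcat is to make the realm's appName and the config entry name agree. Two related points worth keeping in mind when a JAAS user authenticates but isUserInRole() still fails: the JAASRealm attributes userClassNames and roleClassNames tell Tomcat which Principal classes returned by the LoginModule represent the user and which represent roles, and the roles must also be declared in the web application's security-role elements before an auth-constraint can grant them.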