tomcat-users mailing list archives

From Pid...@pidster.com>
Subject Re: How to configure Tomcat 6.0 with JAAS?
Date Mon, 11 May 2009 22:17:14 GMT
David Hoffer wrote:
> Update.
> 
> It looks like the problem is with the Tomcat Realm configuration.  If I move
> the jar that contains these custom classes to the Tomcat lib folder then it
> works!
> 
> However this is not a workable solution.  I can't deploy jars like this.
> How can I delay JAAS realm configuration to my web app?  After all what is
> the purpose of useContextClassLoader?  Ideally I would like to move the
> configuration out of server.xml to my web app so this is self-contained.
> 
> What is the right way to do this?

Configure the realm at the context level - i.e. in the
META-INF/context.xml of your WAR, or application directory.

p

> -Dave
> 
> On Mon, May 11, 2009 at 1:14 PM, David Hoffer <dhoffer6@gmail.com> wrote:
> 
>> No matter what I do...I always get an 'HTTP Status 403 - Access to the
>> requested resource has been denied error' displayed after authenticating in
>> Tomcat with JAAS.  Here is my configuration.
>>
>> Tomcat 6.0.x
>>
>> server.xml:
>> ...
>> <Host name="localhost"  appBase="webapps" unpackWARs="true"
>> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>>
>> <!-- JAAS config -->
>> <Realm className="org.apache.catalina.realm.JAASRealm"
>>     appName="CDF_TestApp"
>>     userClassNames="ipt.tas.security.login.TASUserPrincipal"
>>     roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
>>     useContextClassLoader="true"
>>     debug="99"/>
>>       </Host>
>>     </Engine>
>>   </Service>
>> </Server>
>>
>> Issues here...since TASUserPrincipal & TASGroupPrincipal are not available
>> yet (they are in my web app, which hasn't started), how can I delay configuration
>> until my web app has started? (Doubt this is the cause of the error, however.)
>>
>> My WebApp web.xml:
>>
>> <!--Test code to get JAAS to work-->
>>     <servlet>
>>         <servlet-name>StartupServlet</servlet-name>
>>         <servlet-class>
>>             com.issinc.cdf.servlet.StartupServlet
>>         </servlet-class>
>>         <load-on-startup>1</load-on-startup>
>>     </servlet>
>>     <security-constraint>
>>         <web-resource-collection>
>>             <web-resource-name>Test App</web-resource-name>
>>             <url-pattern>/*</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <role-name>members</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>     <security-role>
>>         <description>
>>         </description>
>>         <role-name>members</role-name>
>>     </security-role>
>>     <login-config>
>>         <auth-method>BASIC</auth-method>
>>         <realm-name>Test App Realm</realm-name>
>>     </login-config>
>>     <!--End JAAS code-->
>>
>> Note that StartupServlet configures JAASConfiguration to load my custom
>> LoginModule.
>>
>> When my web app starts I do get the authentication dialog and I enter my
>> login info.  I have debugged my custom LoginModule and login() and commit()
>> both succeed/return true for the user.  However when the app continues I get
>> the 403 error stated above.
>>
>> What am I doing wrong?  I don't understand if/how the role-name(s) specified
>> in the web.xml are validated at this point.  Do I have to tie my Subject
>> Principal to these roles somehow?  Or are these roles just used by the JAAS
>> logic after authentication is complete?  I will say that if I remove the
>> auth-constraint section then the login dialog is not even displayed.
>>
>> Can someone point me to my error?
>>
>> -Dave
>>
>>
> 
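
The context-level placement suggested in the reply, as an added example that is not part of the original message: the Realm element from the quoted server.xml moved into the WAR's META-INF/context.xml. Attribute values are copied from the quoted configuration; the debug attribute is left out of this sketch, and the JAAS login configuration entry named CDF_TestApp is assumed to be set up by the web app as the original post describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml inside the WAR (added example, not from the thread) -->
<Context>

    <!-- Same JAASRealm as in the quoted server.xml, now scoped to this web
         application only. A Realm nested in a Context applies to that
         application alone. -->
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="CDF_TestApp"
           userClassNames="ipt.tas.security.login.TASUserPrincipal"
           roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
           useContextClassLoader="true"/>
    <!-- useContextClassLoader="true" tells JAASRealm to load the LoginModule
         and the Principal classes through the context (web app) class loader,
         so the jar holding TASUserPrincipal and TASGroupPrincipal can stay in
         WEB-INF/lib. -->

</Context>
```

With the realm defined here, the `<Realm>` element inside `<Host>` in the quoted server.xml would be removed so that the application carries its own authentication configuration.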

