tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Hoffer <dhoff...@gmail.com>
Subject Re: How to configure Tomcat 6.0 with JAAS?
Date Mon, 11 May 2009 19:29:58 GMT
Update.

It looks like the problem is with the Tomcat Realm configuration.  If I move
the jar that contains these custom classes to the Tomcat lib folder then it
works!

However this is not a workable solution.  I can't deploy jars like this.
How can I delay JAAS realm configuration to my web app?  After all what is
the purpose of useContextClassLoader?  Ideally I would like to move the
configuration out of server.xml to my web app so this is self-contained.

What is the right way to do this?

-Dave

On Mon, May 11, 2009 at 1:14 PM, David Hoffer <dhoffer6@gmail.com> wrote:

> No matter what I do...I always get an 'HTTP Status 403 - Access to the
> requested resource has been denied error' displayed after authenticating in
> Tomcat with JAAS.  Here is my configuration.
>
> Tomcat 6.0.x
>
> server.xml:
> ...
> <Host name="localhost"  appBase="webapps" unpackWARs="true"
> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>
> <!-- JAAS config -->
> <Realm className="org.apache.catalina.realm.JAASRealm"
>     appName="CDF_TestApp"
>     userClassNames="ipt.tas.security.login.TASUserPrincipal"
>     roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
>     useContextClassLoader="true"
>     debug="99"/>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Issues here...since TASUserPrincipal & TASGroupPrincipal are not available
> yet (they are in my web app) hasn't started how can I delay configuration
> until my web app has started? (Doubt this is cause of error however).
>
> My WebApp web.xml:
>
> <!--Test code to get JAAS to work-->
>     <servlet>
>         <servlet-name>StartupServlet</servlet-name>
>         <servlet-class>
>             com.issinc.cdf.servlet.StartupServlet
>         </servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Test App</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>members</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <security-role>
>         <description>
>         </description>
>         <role-name>members</role-name>
>     </security-role>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>Test App Realm</realm-name>
>     </login-config>
>     <!--End JAAS code-->
>
> Note that StartupServlet configures JAASConfiguration to load my custom
> LoginModule.
>
> When my web app starts I do get the authentication dialog and I enter my
> login info.  I have debugged my custom LoginModule and login() and commit()
> both succeed/return true for the user.  However when the app continues I get
> the 403 error stated above.
>
> What am I doing wrong?  I don't understand if/how the role-name(s) specifed
> in the web.xml are validated at this point.  Do I have to tie my Subject
> Principal to these roles somehow?  Or are these roles just used by the JAAS
> logic after authenication is complete?  I will say that if I remove the
> auth-constraint section then the login dialog is not even displayed.
>
> Can someone point me to my error?
>
> -Dave
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message