tomcat-users mailing list archives

From David Hoffer <dhoff...@gmail.com>
Subject Re: How to configure Tomcat 6.0 with JAAS?
Date Tue, 12 May 2009 02:19:16 GMT
Okay, that sounds good; I'll try that.  Next newbie question... will this be
server agnostic?  I need to support Tomcat/JBoss/WebLogic.

-Dave

On Mon, May 11, 2009 at 4:17 PM, Pid <p@pidster.com> wrote:

> David Hoffer wrote:
> > Update.
> >
> > It looks like the problem is with the Tomcat Realm configuration.  If I move
> > the jar that contains these custom classes to the Tomcat lib folder then it
> > works!
> >
> > However this is not a workable solution.  I can't deploy jars like this.
> > How can I delay JAAS realm configuration to my web app?  After all what is
> > the purpose of useContextClassLoader?  Ideally I would like to move the
> > configuration out of server.xml to my web app so this is self-contained.
> >
> > What is the right way to do this?
>
> Configure the realm at the context level - i.e. in the
> META-INF/context.xml of your WAR, or application directory.
>
> p
>
> > -Dave
> >
> > On Mon, May 11, 2009 at 1:14 PM, David Hoffer <dhoffer6@gmail.com> wrote:
> >
> >> No matter what I do...I always get an 'HTTP Status 403 - Access to the
> >> requested resource has been denied error' displayed after authenticating in
> >> Tomcat with JAAS.  Here is my configuration.
> >>
> >> Tomcat 6.0.x
> >>
> >> server.xml:
> >> ...
> >> <Host name="localhost"  appBase="webapps" unpackWARs="true"
> >> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
> >>
> >> <!-- JAAS config -->
> >> <Realm className="org.apache.catalina.realm.JAASRealm"
> >>     appName="CDF_TestApp"
> >>     userClassNames="ipt.tas.security.login.TASUserPrincipal"
> >>     roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
> >>     useContextClassLoader="true"
> >>     debug="99"/>
> >>       </Host>
> >>     </Engine>
> >>   </Service>
> >> </Server>
> >>
> >> Issues here...since TASUserPrincipal & TASGroupPrincipal are not available
> >> yet (they are in my web app, which hasn't started), how can I delay configuration
> >> until my web app has started? (Doubt this is the cause of the error, however.)
> >>
> >> My WebApp web.xml:
> >>
> >> <!--Test code to get JAAS to work-->
> >>     <servlet>
> >>         <servlet-name>StartupServlet</servlet-name>
> >>         <servlet-class>
> >>             com.issinc.cdf.servlet.StartupServlet
> >>         </servlet-class>
> >>         <load-on-startup>1</load-on-startup>
> >>     </servlet>
> >>     <security-constraint>
> >>         <web-resource-collection>
> >>             <web-resource-name>Test App</web-resource-name>
> >>             <url-pattern>/*</url-pattern>
> >>         </web-resource-collection>
> >>         <auth-constraint>
> >>             <role-name>members</role-name>
> >>         </auth-constraint>
> >>     </security-constraint>
> >>     <security-role>
> >>         <description>
> >>         </description>
> >>         <role-name>members</role-name>
> >>     </security-role>
> >>     <login-config>
> >>         <auth-method>BASIC</auth-method>
> >>         <realm-name>Test App Realm</realm-name>
> >>     </login-config>
> >>     <!--End JAAS code-->
> >>
> >> Note that StartupServlet configures JAASConfiguration to load my custom
> >> LoginModule.
> >>
> >> When my web app starts I do get the authentication dialog and I enter my
> >> login info.  I have debugged my custom LoginModule and login() and commit()
> >> both succeed/return true for the user.  However when the app continues I get
> >> the 403 error stated above.
> >>
> >> What am I doing wrong?  I don't understand if/how the role-name(s) specified
> >> in the web.xml are validated at this point.  Do I have to tie my Subject
> >> Principal to these roles somehow?  Or are these roles just used by the JAAS
> >> logic after authentication is complete?  I will say that if I remove the
> >> auth-constraint section then the login dialog is not even displayed.
> >>
> >> Can someone point me to my error?
> >>
> >> -Dave
> >>
> >>
> >
>
>
>
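
Added example, not part of the original thread: the Realm from the quoted server.xml moved into the web application's own META-INF/context.xml, as Pid's reply suggests. The attribute values are copied from the quoted configuration (the debug attribute is left out); the file layout and comments are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml inside the WAR (added example, not from the thread).
     Replaces the <Realm> that the quoted server.xml nested under <Host>. -->
<Context>
  <!-- appName must match the entry name in the JAAS login configuration.
       useContextClassLoader="true" lets the realm load the principal
       classes from WEB-INF/lib or WEB-INF/classes. -->
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="CDF_TestApp"
         userClassNames="ipt.tas.security.login.TASUserPrincipal"
         roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
         useContextClassLoader="true"/>
  <!-- JAASRealm treats each Subject principal whose class is listed in
       roleClassNames as a role, named by getName(). For the quoted web.xml,
       the LoginModule therefore needs to add a TASGroupPrincipal whose
       name is "members". -->
</Context>
```

With the realm scoped to the context, the Realm element under Host in server.xml can be removed, so the custom principal classes no longer need to sit in the Tomcat lib folder.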
