From: "Antoine Brocard - Vertical*i S.A."
Date: Tue, 12 Oct 2004 11:00:30 +0200
To: Tomcat Developers List
Subject: Re: RE : The good way of making JAAS and Realm authentication use the same back-end authentication system?
Message-ID: <416B9D2E.8000002@verticali.com>

Yes, certainly for this specific case...
But from a more "philosophical" point of view, why do I have to do that? I mean, why isn't it provided as standard with Tomcat (it is not a criticism, it's only a question)? Does my code interest the Tomcat community?

LERBSCHER Jean-Pierre wrote:
> It seems that the simplest way is to write your own login module or try to
> use/configure/debug the existing JNDI login module.
> Regards,
>
> -----Original Message-----
> From: Antoine Brocard - Vertical*i S.A. [mailto:brocard@verticali.com]
> Sent: Tuesday, 12 October 2004 09:52
> To: tomcat-dev@jakarta.apache.org
> Subject: The good way of making JAAS and Realm authentication use the same
> back-end authentication system?
>
> Maybe this question should be in the User mailing list, but I think it
> could interest some Developers...
>
> The problem I had to solve is the following:
>
> My application needs J2EE container authentication AND JAAS (to
> authenticate requests coming from an application that doesn't support a
> standard authentication scheme, like BASIC or FORM). The back-end
> authentication system is an LDAP server. I would like both J2EE
> authentication and JAAS to access the same LDAP server.
>
> As a first try I set up the following configuration:
>
> Use the Tomcat JAASRealm for J2EE authentication.
> Use the JNDILoginModule as JAAS login module, to access the LDAP server.
>
> The problem was that the JNDILoginModule was known to have bugs, and I
> didn't succeed in making this configuration work.
>
> The other solution is to make JAAS use the current J2EE authentication;
> in other words, make the JAAS login module access the current Tomcat Realm
> and forward authentication requests to it. I looked for such a module,
> without success.
>
> I decided to write one myself, using the following hacks:
>
> In order to access the current Realm from inside a login module, I used
> JMX. I copied some code from the Tomcat sources. At this point I was able
> to get the current Realm, but I realized that the "authenticate" method
> wasn't manageable through JMX.
> To solve that, I decided to subclass the standard Tomcat Realms and to
> make them accessible through JMX by modifying the mbeans-descriptor.xml
> file. Finally it worked fine.
>
> The last problem I had was related to the location of .jar files. In order
> to make this work, I had to move the content of TOMCAT_HOME/server/lib
> into TOMCAT_HOME/common/lib. This is not very elegant and can lead to
> security issues in some cases. Moreover, clients are often reluctant to do
> such operations...
>
> My question(s) is(are) the following:
>
> 1) Is there a better/simpler procedure to make JAAS and J2EE container
> authentication use the same back-end mechanism? Maybe I missed a step
> somewhere...
>
> 1bis) If not, is there a simpler way of getting the current Realm from
> Java code, instead of the ugly JMX hack I used?
>
> 2) Why isn't there a "TomcatLogin" JAAS login module, like there is with
> Weblogic or Websphere? It seems that "JAAS asking Realm" is the "standard"
> way of doing it, not the "Realm asking JAAS" one used by Tomcat...
>
> Thanks in advance for your help
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
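The "JAAS asking Realm" design the original poster describes, as an added illustration that is not code from this thread or from Tomcat: a JAAS LoginModule that hands the collected username and password to a Tomcat Realm's authenticate method, so JAAS clients and BASIC/FORM users are checked against the same LDAP-backed Realm. It assumes the Realm instance is passed to the module through its JAAS options map under a hypothetical "realm" key (avoiding the JMX lookup), and uses the Realm.authenticate(String, String) signature of Tomcat 5.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.catalina.Realm;

/** JAAS login module that delegates credential checking to a Tomcat Realm. */
public class RealmDelegatingLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Realm realm;
    private Principal principal;   // set once the Realm accepts the credentials

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // Assumption (hypothetical key): the deploying code places the container's
        // Realm object in the options map instead of locating it through JMX.
        this.realm = (Realm) options.get("realm");
        if (this.realm == null) throw new IllegalStateException("no Realm supplied");
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (Exception e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();
        try {
            // Same check the container applies for BASIC/FORM, so one back-end policy.
            principal = realm.authenticate(name.getName(), pw == null ? null : new String(pw));
        } finally {
            pass.clearPassword();   // do not keep the cleartext password around
        }
        if (principal == null) throw new FailedLoginException("invalid username or password");
        return true;
    }

    public boolean commit() { if (principal != null) subject.getPrincipals().add(principal); return principal != null; }
    public boolean abort()  { principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

Because the Realm is reached through its public Java interface rather than an MBean operation, nothing needs to be exposed in mbeans-descriptor.xml for this to work.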