8 Replies Latest reply on Sep 18, 2002 12:46 PM by dediana

    Tomcat + JBoss + JAAS

    dediana

      Hi all,

      We are trying to setup a technical architecture where the WebContainer (Catalina) and the EJB container (JBoss) are separated. So far, we have been successful in setting the
      connection between a servlet and an EJB from 2 different servers. Now, we want to setup a 'secure' connection, or basically define 'users/roles', so only authenticated servlets could connect to our EJBs.

      Another requirement is that we don't want to setup Principals/Roles programmatically on the servlets. So, we are trying to use a pre-defined JAASRealm inside the Webapp context.

      Is there any documentation/HOW-TO on how to do it? Did
      anybody successfully connect Tomcat+JBoss using JAAS?

      We posted this message on the tomcat-user list but haven't got any responses yet.

      Thanks

      Dediana

        • 1. Re: Tomcat + JBoss + JAAS
          kenneth

          The HOW-TO for JBoss JAAS configuration can be found here:

          http://www.jboss.org/online-manual/HTML/ch11s78.html

          If you are concerned about the security of the RMI calls between your servlets and the EJBs, a thread you may find interesting is here:

          http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

          • 2. Re: Tomcat + JBoss + JAAS
            dediana

            Thanks for answering me, but this article doesn't solve the problem because I need to have "security unaware" applications. In the article, both the client app and the servlet make calls to JAAS (through LoginContext). I want the servlet container (Tomcat) to be responsible for calls to JAAS, so applications can be written without knowing anything about the EJB container (JBoss) security and JAAS. And all this has to run with the containers in separate JVMs (probably on separate machines).
            Any clue on how to do it?

            Thanks

            Dediana

            • 3. Re: Tomcat + JBoss + JAAS
              seanx

              I was thinking about doing container-container authentication too. One solution I have in mind is to develop a security interceptor which uses JAAS to provide authentication. I have not found time to implement it. It will work as long as you can obtain authentication info from the client side (either a standalone program or a servlet container).

              Let me know what you think.

              • 4. Re: Tomcat + JBoss + JAAS
                kenneth

                Dediana

                OK, I now understand what you are trying to do. I'm afraid I haven't done it myself from Tomcat - JBoss, but I did do it in Borland's Enterprise Server which uses a Tomcat derivative.

                This involved setting up a BSSRealm in the tomcat web.xml file, which referred to the Security Realm understood by the container. For JBoss I would imagine this involves setting up a realm in JBoss's auth.conf, referenced from the jboss.xml file in the EJB jar. Unfortunately, I don't know if the BSSRealm idea is Borland specific. In the end we had to ditch BES because the 5.0 security architecture was so flaky!

                If this doesn't work, I would advise looking at Tomcat's JNDI realm, as JBoss looks up the security realm in the JNDI java:/jaas/MyRealm style. More info on that can be found here:

                http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html

                Sorry this is a bit vague, but hope it sets you on the right track.

                Regards
                Kenneth

                • 5. Re: Tomcat + JBoss + JAAS
                  dediana

                  SeanX: I am avoiding rewriting anything that isn't pluggable. I would consider rewriting classes that are configurable in JBoss via MBeans, but not the SecurityInterceptor. My main reason for this is to avoid compatibility problems with JBoss' future versions. But if this is the only way, I will try it.

                  kenneth: I read the help about Borland's approach (at http://info.borland.com/techpubs/books/bes/htmls/DevelopersGuide5/DevelopersGuide/WebService.html) and that is pretty much what I'd like to do. But Tomcat doesn't have any BSSRealm to use (and I didn't find any information about how it works so I could write one). The other approach you suggested (use a JNDIRealm) isn't possible
                  here because this realm is used to authenticate against an LDAP server.

                  What I'm trying now is to make a secured webapp use Tomcat's JAASRealm that calls JBoss' ClientLoginModule. Both sides work fine separately (I can authenticate a simple application in JBoss and I can authenticate a user using JAASRealm and another LoginModule in Tomcat), but they don't do it together. Credentials never get to JBoss (it doesn't permit access to EJBs because the principal is always null).

                  Thanks for all the help and please keep with the suggestions.

                  Dediana

                  • 6. Re: Tomcat + JBoss + JAAS
                    dediana

                    I think I got something. Basically, there are two solutions working.
                    The first uses JAASRealm and 2 LoginModules (one to authenticate in Tomcat and the ClientLoginModule to pass username and credentials to JBoss). This one can be used if both the web app and the EJBs need authentication.
                    The other solution is to write a Valve that simply passes the information to JBoss using the ClientLoginModule. On every request the code inside the Valve's invoke method is executed.
                    The JAASRealm or the Valve is nested in the Context.

                    Does anyone see any problem on this? If so, please let me know.

                    Thanks,
                    Dediana
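The first solution described above, written out as an added example (this is not code from the thread or from the JBoss or Tomcat projects): a Tomcat-side JAAS LoginModule that authenticates the web user and then places the verified name and password into the JAAS shared state, so that `org.jboss.security.ClientLoginModule`, stacked after it with `password-stacking="useFirstPass"`, forwards the same identity to JBoss. Assumptions: the shared-state keys `javax.security.auth.login.name` / `javax.security.auth.login.password` and the `password-stacking` option behave as documented for JBoss 3.x (check against your JBoss version); the package `example.auth`, the principal classes and the in-memory user table are constructed for the example.

```java
// Added example (not from this thread). Tomcat-side LoginModule that
// authenticates a web user and hands the credentials to a stacked
// org.jboss.security.ClientLoginModule through the JAAS shared state.
package example.auth;

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class WebUsersLoginModule implements LoginModule {
    // Constructed sample data. A real module would consult tomcat-users.xml,
    // a database or LDAP and would store password hashes, not clear text.
    private static final Map USERS = new HashMap();
    private static final Map ROLES = new HashMap();
    static {
        USERS.put("alice", "s3cret".toCharArray());
        ROLES.put("alice", "EjbUser");
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map sharedState;
    private String user;
    private char[] password;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = sharedState;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });   // JAASRealm supplies the form values
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        user = nc.getName();
        password = pc.getPassword();                   // getPassword() returns a copy
        pc.clearPassword();
        char[] expected = (char[]) USERS.get(user);
        if (expected == null || !Arrays.equals(expected, password)) {
            // Same message for unknown user and wrong password: no user enumeration.
            throw new LoginException("Authentication failed");
        }
        // Keys read by ClientLoginModule when password-stacking=useFirstPass
        // (assumed from JBoss 3.x documentation). A copy is stored so that
        // logout() below cannot wipe the credential JBoss still holds.
        sharedState.put("javax.security.auth.login.name", user);
        sharedState.put("javax.security.auth.login.password", (char[]) password.clone());
        succeeded = true;
        return true;
    }

    public boolean commit() throws LoginException {
        if (!succeeded) return false;
        // JAASRealm maps these by class name (userClassNames / roleClassNames).
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal((String) ROLES.get(user)));
        return true;
    }

    public boolean abort() throws LoginException { cleanup(); return true; }
    public boolean logout() throws LoginException { cleanup(); return true; }

    private void cleanup() {
        if (password != null) Arrays.fill(password, '\0');
        user = null; password = null; succeeded = false;
    }
}

// Constructed principal types; Tomcat's JAASRealm tells users from roles by class name.
class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
```

To wire it up, list both modules under one application name in the JAAS login configuration Tomcat is started with (`-Djava.security.auth.login.config=...`), for example `secure-webapp { example.auth.WebUsersLoginModule required; org.jboss.security.ClientLoginModule required password-stacking="useFirstPass"; };`, and point the JAASRealm nested in the Context at it with `appName="secure-webapp"`, `userClassNames="example.auth.UserPrincipal"` and `roleClassNames="example.auth.RolePrincipal"`. Because a servlet container reuses worker threads, the ClientLoginModule must be told to keep the principal/credential association per thread (JBoss 3.x documents a `multi-threaded` option for this; verify the name for your version), otherwise one request can run under the identity that a previous request on the same thread left behind.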
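The second solution described above, a Valve, as an added example (again not code from the thread or from either project): a Tomcat 4 Valve nested in the Context that logs a fixed container identity into JBoss's ClientLoginModule before every request and logs it out afterwards, so the servlets themselves stay security unaware. Assumptions: the Tomcat 4 Valve API (`org.apache.catalina.valves.ValveBase`, `invoke(Request, Response, ValveContext)`, `ValveContext.invokeNext`) as in the 4.0/4.1 sources; the JAAS application name `jboss-client` and the class/attribute names are invented for the example.

```java
// Added example (not from this thread). Tomcat 4 Valve that establishes a
// container identity with JBoss's ClientLoginModule around each request.
package example.auth;

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.catalina.valves.ValveBase;

public class JBossIdentityValve extends ValveBase {
    // Entry in Tomcat's login configuration that lists only
    // org.jboss.security.ClientLoginModule (assumed name).
    private String appName = "jboss-client";
    private String username;
    private String password;

    // Setters let server.xml attributes (appName, username, password) be injected.
    public void setAppName(String appName) { this.appName = appName; }
    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    public String getInfo() { return "example.auth.JBossIdentityValve/1.0"; }

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {
        LoginContext lc;
        try {
            lc = new LoginContext(appName, new FixedHandler(username, password));
            lc.login();   // ClientLoginModule binds principal + credential for this thread
        } catch (LoginException e) {
            // Fail closed: no EJB call may proceed without a bound identity.
            throw new ServletException("JBoss client login failed", e);
        }
        try {
            context.invokeNext(request, response);
        } finally {
            // Always clear the association: the worker thread serves the next
            // request, which must not inherit this identity.
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }

    // Answers the login module's callbacks with the configured identity.
    private static final class FixedHandler implements CallbackHandler {
        private final String name;
        private final char[] pass;
        FixedHandler(String name, String pass) {
            this.name = name;
            this.pass = pass == null ? new char[0] : pass.toCharArray();
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    ((PasswordCallback) callbacks[i]).setPassword(pass);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
}
```

Declared in server.xml as `<Valve className="example.auth.JBossIdentityValve" username="webtier" password="..."/>` inside the `<Context>`, with `jboss-client { org.jboss.security.ClientLoginModule required; };` in Tomcat's login configuration. The trade-off a practitioner should weigh: with this Valve every EJB call arrives at JBoss as the single `webtier` principal, so JBoss can authorize the web tier as a whole but not individual web users, and the shared credential sits in server.xml and must be protected accordingly. The two-LoginModule approach keeps the real user's identity end to end and is the better fit when the EJBs themselves need per-user authorization.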
