6 Replies Latest reply on Apr 14, 2005 11:09 AM by legga

    JAAS on Tomcat 5 & Jboss 4

    legga

      Hi all,
we integrate two formerly independent systems - a web application on Tomcat 5 and application logic on JBoss 4 (adding a web interface to already existing business logic).
Each of these systems uses JAAS to determine access to web pages and to EJB methods.
      Both systems are deployed in different web/application archives on different servers over network and both use the same database to retrieve user/role information.

As I understand, the remote EJB method invocation done from Tomcat will not be JAAS-authenticated for JBoss, even if the session is JAAS-authenticated on Tomcat.
      What we want is to authenticate the user once on the web-layer so that the privileges will be still valid for EJB which we call.

      Is there a common solution to this authorization issue?

        • 1. Re: JAAS on Tomcat 5 & Jboss 4
          starksm64

You need to add a security association valve that propagates the web container security identity to the ejb layer as is done with the bundled jboss/tomcat version.

          • 2. Re: JAAS on Tomcat 5 & Jboss 4
            legga


            "scott.stark@jboss.org" wrote:
You need to add a security association valve that propagates the web container security identity to the ejb layer as is done with the bundled jboss/tomcat version.


            Thank You Scott, I'll try that!

            • 3. Re: JAAS on Tomcat 5 & Jboss 4
              legga

Do I understand right that I need an implementation of the Valve interface running as a valve on Tomcat, and for every request that has not been authenticated yet, it should connect to JBoss, perform the authentication and populate the local subject with principals received remotely from JBoss?

              • 4. Re: JAAS on Tomcat 5 & Jboss 4
                bocio


                "Legga" wrote:
Do I understand right that I need an implementation of the Valve interface running as a valve on Tomcat, and for every request that has not been authenticated yet, it should connect to JBoss, perform the authentication and populate the local subject with principals received remotely from JBoss?


I'm a JAAS newbie but, if I understood well, the "valve" Scott is speaking about is the ClientLoginModule shipped with JBoss. This login module does not perform authentication but merely passes to the EJB layer the credentials coming from elsewhere (the web layer).
                Look here:

                http://www.jboss.org/wiki/Wiki.jsp?page=ClientLoginModule

                Scott wrote a JAAS howto which explains nearly everything (I still have a lot of question):

                http://sourceforge.net/docman/display_doc.php?docid=18240&group_id=22866

So for example you configure Tomcat with form login authentication and you pass this info to the server side, where you can perform the server authentication against a DB or LDAP. Then the ClientLoginModule acts as a valve...

                Bye

                --
                Davide

                • 5. Re: JAAS on Tomcat 5 & Jboss 4
                  starksm64


Do I understand right that I need an implementation of the Valve interface running as a valve on Tomcat, and for every request that has not been authenticated yet, it should connect to JBoss, perform the authentication and populate the local subject with principals received remotely from JBoss?


No. You have to establish the caller identity that is going to be authenticated as part of the EJB call by the JBoss server. See the JAAS Howto or chapter 8 of the admin/devel guide for how security integrates. The ClientLoginModule referenced by bocio is the standard way to propagate the security identity to the JBoss EJB transport layer. If you are not obtaining the security identity from Tomcat then you don't need a Valve implementation. You can use a standard servlet filter. See the JaasLoginFilter in the JAAS Howto.


                  • 6. Re: JAAS on Tomcat 5 & Jboss 4
                    legga

Thank you, I thought about it, but in this case (I have BASIC authentication on Tomcat) I have to supply my LoginContext with a callback object which, in turn, supplies the system with the login and password.
How shall I get the login and password from Tomcat? It prompts the user by itself and then creates the user's identity and stores it internally, if I'm not mistaken...
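
The following is an added example, written for this page; it is not code from the thread, from the JBoss JAAS Howto, or from the JaasLoginFilter Scott refers to. It addresses the last question above for the BASIC-auth case: with BASIC authentication the browser resends the `Authorization: Basic base64(user:password)` header on every request, so a servlet filter that runs after Tomcat's authenticator can recover exactly the user name and password Tomcat just verified, and use them to log into a client-side JAAS context backed by `org.jboss.security.ClientLoginModule`, which binds that identity to the current thread for the outgoing EJB call without authenticating anything itself (the JBoss server re-authenticates on its side). Assumptions not stated in the thread: the JAAS configuration entry is named `client-login` and maps to `ClientLoginModule`, the Tomcat-side code runs on Java 8 or later (for `java.util.Base64`), and the filter is mapped only to URLs covered by a `security-constraint` so Tomcat has already challenged the client before the filter sees the request.

```java
// Added example: not from the thread or from the JBoss JAAS Howto.
// Propagates BASIC-auth credentials already verified by Tomcat 5 into JBoss's
// client-side JAAS association so the remote EJB call runs as that user.
// Assumed (not in the thread): a JAAS entry named "client-login" that uses
// org.jboss.security.ClientLoginModule; Java 8+ for java.util.Base64.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthClientLoginFilter implements Filter {
    private String contextName = "client-login"; // assumed JAAS entry name

    public void init(FilterConfig config) {
        String name = config.getInitParameter("loginContextName");
        if (name != null) contextName = name;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Tomcat's authenticator valve runs before filters, so getUserPrincipal() is
        // non-null only if BASIC auth already succeeded. Fail closed otherwise: never
        // forward credentials that Tomcat has not checked.
        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        if (request.getUserPrincipal() == null || creds == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The header must carry the same user Tomcat authenticated, not a swapped one.
        if (!creds[0].equals(request.getUserPrincipal().getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        LoginContext lc;
        try {
            lc = new LoginContext(contextName,
                    new StaticCallbackHandler(creds[0], creds[1].toCharArray()));
            lc.login(); // ClientLoginModule only records the identity for this thread
        } catch (LoginException e) {
            throw new ServletException("client-login association failed", e);
        }
        try {
            chain.doFilter(request, response); // EJB calls made here carry creds[0]
        } finally {
            // Tomcat reuses request threads; without logout a stale identity would
            // leak into the next request served by this thread.
            try { lc.logout(); } catch (LoginException ignored) { }
        }
    }

    public void destroy() { }

    /** Returns {user, password} from "Basic base64(user:password)", or null if absent or malformed. */
    static String[] parseBasicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.ISO_8859_1);
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 1) return null; // no separator or empty user name
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Answers the NameCallback/PasswordCallback that ClientLoginModule issues. */
    static final class StaticCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        StaticCallbackHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
```

The filter is registered in `web.xml` with a `<filter-mapping>` covering the same URL patterns as the `security-constraint`, and the Tomcat JVM is started with `-Djava.security.auth.login.config` pointing at a JAAS file containing an entry of the assumed form `client-login { org.jboss.security.ClientLoginModule required; };`. Two caveats worth stating: this only works because BASIC auth repeats the clear password on every request (so it should run over TLS), and it does not carry over to FORM login, where Tomcat consumes the password once at login time and the credentials would instead have to be captured and stored in the session at that point.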