3 Replies Latest reply on Mar 5, 2008 6:57 AM by rsanka

    Tomcat 5.5 login module compatibility?

    jptalberg

      We are currently running JBoss AS 4.2.1 and having difficulty configuring the login-config.xml to use a login module that was written for Tomcat 5.5.

      In particular, the authentication aspect seems to be working. It only lets valid usernames/passwords through as we expect from our login module. However, our web application is not able to retrieve our custom principal object out of the request; instead we get an org.jboss.security.SimplePrincipal object.

      We don't have direct access to the source code for the login module code. Should AS 4.2.1 (default all configuration) be able to use a Tomcat 5.5 login module without modification?

      I have seen http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith which seems to state that the custom principal must have a constructor with a string username, or be installed under the Subject using a java.security.acl.Group named "CallerPrincipal". I don't think our custom login module does either of these, but I could be wrong as the login-module is not under our control.

      In our login-conf.xml we are specifying the following module-options for our custom login-module: appName, principalClass, userClassNames, roleClassNames. I would provide the files but they are on a non-accessible network.

      Any help in this matter would greatly be appreciated!

      Also, is there any way to turn up more debugging in the login framework?

      Thanks,
      Jeff
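
The second condition mentioned in the post above (a java.security.acl.Group named "CallerPrincipal" under the Subject) can be met without touching a module's source by wrapping it. This is an added example, not part of the original thread and not JBoss or vendor code; the class name, the "delegateClass" option and the reading of "principalClass" as the custom principal's class name are assumptions.

```java
import java.security.Principal;
import java.security.acl.Group; // exists up to JDK 13, removed in JDK 14
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical wrapper: delegates to the unmodified module, then publishes its principal as the caller.
public class CallerPrincipalWrapper implements LoginModule {
    private LoginModule delegate;
    private Subject subject;
    private Class<?> principalType;
    private Group callerGroup;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        try { // "delegateClass" is an assumed option; "principalClass" is taken as the custom principal class
            delegate = (LoginModule) Class.forName((String) opts.get("delegateClass")).newInstance();
            principalType = Class.forName((String) opts.get("principalClass"));
        } catch (Exception e) { throw new IllegalStateException("bad module options", e); }
        delegate.initialize(s, h, shared, opts); // the wrapped module sees the same options
    }
    public boolean login() throws LoginException { return delegate.login(); }
    public boolean commit() throws LoginException {
        if (!delegate.commit()) return false;
        for (Principal p : subject.getPrincipals()) {
            if (principalType.isInstance(p)) {
                // The Group name "CallerPrincipal" is the one quoted from the wiki page.
                callerGroup = new NamedGroup("CallerPrincipal", p);
                subject.getPrincipals().add(callerGroup);
                return true; // return at once: the set was modified during iteration
            }
        }
        // Fail closed if the wrapped module never put its principal on the Subject.
        throw new LoginException("delegate added no " + principalType.getName());
    }
    public boolean abort() throws LoginException { return delegate.abort(); }
    public boolean logout() throws LoginException {
        if (callerGroup != null) subject.getPrincipals().remove(callerGroup);
        return delegate.logout();
    }
    // Minimal Group implementation so the example needs no JBoss classes.
    static final class NamedGroup implements Group {
        private final String name;
        private final Set<Principal> members = new LinkedHashSet<Principal>();
        NamedGroup(String name, Principal first) { this.name = name; members.add(first); }
        public String getName() { return name; }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }
}
```

The wrapper only helps when the wrapped module itself adds the custom principal to the Subject; whether the server then returns it from request.getUserPrincipal() has to be checked on the target installation.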

        • 1. Re: Tomcat 5.5 login module compatibility?
          barramundi

          You can enable debug. Refer to question 4
          http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

          The last time I messed with a custom principal, I ended up having to "extend" SimplePrincipal to be compliant.

          Worst case, you can always decompile your current module to verify your suspicions.

          • 2. Re: Tomcat 5.5 login module compatibility?
            jptalberg

            Thanks for the pointer on how to enable debug.

            We actually were in the process of decompiling the byte code in the jars already.

            This is what we've found. The libraries are definitely geared towards Tomcat 5.5. They implement a custom LoginModule, but they also rely on a custom JAASRealm which extends org.apache.catalina.realm.RealmBase. Further, the custom principal they are creating from their Realm extends org.apache.catalina.realm.GenericPrincipal.

            Is there any way to configure the default AS 4.2.1 to use this Tomcat 5.5 module/realm without requiring modification to the source code?
            Our big dilemma is that the LoginModule and Realm are outside our control; and further, there is a development jar and a production jar which have essentially the same configurations but different behavior -- so us modifying the development one and testing with it will not necessarily help us be ready for production. We'd much rather figure out how to configure the security without needing modification to security modules we are being provided.

            We have been able to configure the login module, and it seems to be working. But we aren't sure how to configure in the Realm, or if you even can. Ultimately what we need is to be able to get the Custom Principal object back from request.getUserPrincipal().

            Thanks for your help!

            Jeff

            • 3. Re: Tomcat 5.5 login module compatibility?
              rsanka

              I am facing a similar problem.
              Per the instructions in http://wiki.jboss.org/wiki/Wiki.jsp?page=UsingCustomPrincpalsWith, I set up the login module that extends from UsernamePasswordLoginModule and configured it in the login-config.xml (with the principalClass option set to point to my custom principal).

              request.getUserPrincipal returns my custom principal but
              ejbContext.getUserPrincipal returns a SimplePrincipal.

              What am I missing? Any help will be greatly appreciated.

              Side note:
              I am debugging into the JBoss source code, but I am having to use the 4.2.1 source code because I am unable to locate the security source in the 5.0.0-beta3 or beta4 source code (for jbosssx.jar).