3 Replies Latest reply on Mar 3, 2004 5:06 AM by arunyeshi2000

    Tomcat Authentication 3.2.2

    danl_thompson
    danl_thompson Oct 28, 2003 12:20 PM

      The above clearly either doesn't work or isn't implemented in the Embedded Tomcat in JBoss 3.2.2

      Any attempt to use FORM or BASIC authentication in web.xml produces warning during initialization: Unable to invoke setDelegate on class loader...

      Any combination of username/password will authenticate regardless. And any isUserInRole willl return true.

      All example code seems to be geared to implementing custom JAAS in EJBs, rather than embedded Web Container.

      Furthermore the only setDelegate method defined in the entire JBoss codebase is in the WebCtxLoader class, while the NoSuchMethodException is thrown on its inner class, ENCLoader from within an event listener that calls contextInit.

      While all this seems quite wacky I'm sure I'm just looking at it wrong, since Basic and Forms based Auth must be implemented as part of the J2EE spec.

      HELP!!!!

      dt






      Any guidance would be appreicated.

      dt

      • 2047 Views
      • Tags:
        • 1. Re: Tomcat Authentication 3.2.2
          danl_thompson
          danl_thompson Oct 28, 2003 7:37 PM (in response to danl_thompson)

          OK, took 2 days, but I can almost make it work. (BTW, this stuff works right out of the box on any decent J2EE server. Only JBoss makes it a real challenge with their out-of-date, cryptic documenation. But we do like a challenge...)

          The trick is to add the following tag to the jboss-web.xml

          <security-domain>java:/jaas/other</security-domain>

          And then adding users.properties and roles.properties to the base directory of your classes at WEB-INF/classes. These are described in the source code, and there are sample files in the deployment.

          The jaas/other security domain is defined in the login-conf.xml and tells jboss to use the username password in these properties files.

          I learned all this by downloading the JBoss source, and adding log statements until I could see what was really going on.

          I'm not quite there yet however. The roles.properties file doesn't seem to do the job. Even though I'm getting authenticated, the role is not rolling up to the security constraint in the web.xml...

          More tomorrow...

          dt

            • Actions
          • 2. Re: Tomcat Authentication 3.2.2
            danl_thompson
            danl_thompson Nov 8, 2003 6:14 AM (in response to danl_thompson)

            Sorry about the crack about the out-of-date / cryptic documentation. On the plus side at least there is not much of it.

            Turning on basic authentication suitable for a simple dev environment is quite easy. See previous post, and the users.properties and roles.properties must be in the classes directory under WEB-INF.

            dt

              • Actions
            • 3. Re: Tomcat Authentication 3.2.2
              arunyeshi2000
              arunyeshi2000 Mar 3, 2004 5:06 AM (in response to danl_thompson)

              Hi,

              Where to put my custom defined DatabaseRealm class. The class name is com.rex.DIPDatabaseRealm. In this class i m returning my custom defined Principal. In which Jboss configuration file should i mention this ? and where to put these classes.

              When I tried this in standalone Tomcat, it was working fine when i put the CustomPrincipal class in tomcat/server/classes directory.

              Thanks
              Arun

                • Actions