2 Replies Latest reply on Dec 4, 2001 8:36 PM by Adam Young

    Catalina Realms & JBoss 2.4.3

    Curt Johnson Newbie

      This is a cross post from the security forum where I haven't gotten any response....

      First I posted....

      I'm trying to figure out how to integrate Catalina Realms with JBoss. I want to have servlets/JSPs that use BASIC authentication. I have been unsuccessful with using the MemoryRealm from Catalina with the Manager web app that ships with Catalina.

      This should use the $CATALINA_HOME/conf/tomcat-users.xml file for authentication of users and roles. I have not changed anything in the tomcat configuration, just created a war file from the $CATALINA_HOME/wepapps/manager directory and successfully deployed it in $JBOSS_HOME/jboss/deploy. It works fine, but does not authenticate before allowing access to the manager application. I would ultimately like to use JNDI with LDAP for BASIC and FORM authentication. I am worried that I may need to have a JNDI Realm for Tomcat and a JAAS Module for Jboss in order to do this.

      Does anyone have any information on how to make these pieces work together? Should I write a custom Realm module for Catalina that passes authentication to JBossSX? Is there a JBossSX module I can use that will intercept BASIC authentication from Catalina?
      I'm pretty confused on how this works... If anyone knows where any docs describing how Catalina and JBoss are integrated and goes into service details that might point me in the right direction, I'd sure appreciate it.

      Then after playing around some more I replied to myself:

      OK... I think I'm almost there.

      I added the jboss-web.xml to the manager.war in WEB-INF, it contains:
      <?xml version="1.0"?>
      <jboss-web>
      <security-domain>java:/jaas/manager</security-domain>
      </jboss-web>

      auth.conf contains
      manager {
      org.jboss.security.auth.spi.UsersRolesLoginModule required
      unauthenticatedIdentity="nobody";
      };

      I placed a users.properties and roles.properties in $JBOSS_HOME/jboss/conf/catalina with the contents of

      users.properties:
      admin=admin

      roles.properties:
      admin=manager

      The web.xml for the manager.war is unchanged from the distro, the security-constraint and login-config look like:
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <!-- NOTE: This role is not present in the default users file -->
      <role-name>manager</role-name>
      </auth-constraint>
      </security-constraint>

      <!-- Define the Login Configuration for this Application -->
      <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Tomcat Manager Application</realm-name>
      </login-config>

      I'm now getting a 403 whenever I connect to http://localhost:8080/manager yet I should be getting a BASIC auth prompt from the server. Can anyone tell me where I'm getting this wrong?


      TIA

        • 1. Re: Catalina Realms & JBoss 2.4.3
          Ove Ranheim Novice

          I'm using JBoss 2.4.4 and Catalina 4.0.1.

          I changed the auth.conf file to;

          manager {
          org.jboss.security.auth.spi.UsersRolesLoginModule required
          //unauthenticatedIdentity="nobody"
          ;
          };

          When trying to open localhost:8080/manager the auth-prompt shows up. After successfull loggon (admin/admin) I receive this error:

          [21:14:02,386,AutoDeployer] Auto deploy of file:/D:/JBoss/jboss/deploy/manager.ear
          [21:14:02,386,J2eeDeployer] Deploy J2EE application: file:/D:/JBoss/jboss/deploy/manager.ear
          [21:14:02,396,J2eeDeployer] Create application manager.ear
          [21:14:02,406,J2eeDeployer] inflate and install WEB module manager.war
          [21:14:02,426,ContainerFactory] Deploying:file:/D:/JBoss/jboss/tmp/deploy/Default/manager.ear
          [21:14:02,446,ContainerFactory] Deployed application: file:/D:/JBoss/jboss/tmp/deploy/Default/manager.ear
          [21:14:02,446,J2eeDeployer] Starting module manager.war
          [21:14:02,456,EmbeddedCatalinaServiceSX] deploy, ctxPath=/manager, warUrl=file:/D:/JBoss/jboss/tmp/deploy/Default/manager.ear/web1017/
          [21:14:02,466,EmbeddedCatalinaServiceSX] WebappLoader[/manager]: Deploying class repositories to work directory D:\JBoss\catalina\work\localhost\manager
          [21:14:02,476,EmbeddedCatalinaServiceSX] StandardManager[/manager]: Seeding random number generator class java.security.SecureRandom
          [21:14:02,486,EmbeddedCatalinaServiceSX] StandardManager[/manager]: Seeding of random number generator has been completed
          [21:14:02,586,EmbeddedCatalinaServiceSX] ContextConfig[/manager]: Added certificates -> request attribute Valve
          [21:14:02,596,EmbeddedCatalinaServiceSX] ContextConfig[/manager]: Configured an authenticator for method BASIC
          [21:14:02,596,EmbeddedCatalinaServiceSX] Context.lifecycleEvent, event=org.apache.catalina.LifecycleEvent[source=StandardEngine[null].StandardHost[localhost].StandardContext[/manager]]
          [21:14:02,626,EmbeddedCatalinaServiceSX] AbstractWebContainer.parseWebAppDescriptors, Begin
          [21:14:02,626,EmbeddedCatalinaServiceSX] Linking java:comp/UserTransaction to JNDI name: UserTransaction
          [21:14:02,626,EmbeddedCatalinaServiceSX] addEnvEntries
          [21:14:02,626,EmbeddedCatalinaServiceSX] linkResourceEnvRefs
          [21:14:02,626,EmbeddedCatalinaServiceSX] linkResourceRefs
          [21:14:02,626,EmbeddedCatalinaServiceSX] linkEjbRefs
          [21:14:02,626,EmbeddedCatalinaServiceSX] linkSecurityDomain
          [21:14:02,626,EmbeddedCatalinaServiceSX] Linking security/securityMgr to JNDI name: java:/jaas/manager
          [21:14:02,626,EmbeddedCatalinaServiceSX] AbstractWebContainer.parseWebAppDescriptors, End
          [21:14:02,626,EmbeddedCatalinaServiceSX] StandardWrapper[/manager:default]: Loading container servlet default
          [21:14:02,636,EmbeddedCatalinaServiceSX] default: init
          [21:14:02,636,EmbeddedCatalinaServiceSX] StandardWrapper[/manager:invoker]: Loading container servlet invoker
          [21:14:02,646,EmbeddedCatalinaServiceSX] invoker: init
          [21:14:02,646,EmbeddedCatalinaServiceSX] jsp: init
          [21:14:02,686,EmbeddedCatalinaServiceSX] Initialized: {WebApplication: /D:/JBoss/jboss/tmp/deploy/Default/manager.ear/web1017/, URL: file:/D:/JBoss/jboss/tmp/deploy/Default/manager.ear/web1017/, classLoader: java.net.FactoryURLClassLoader@101d01:1056001}
          [21:14:02,686,J2eeDeployer] J2EE application: file:/D:/JBoss/jboss/deploy/manager.ear is deployed.
          [21:14:14,864,EmbeddedCatalinaServiceSX] StandardWrapper[/manager:Manager]: Loading container servlet Manager
          [21:14:14,864,EmbeddedCatalinaServiceSX] StandardWrapperValve[Manager]: Allocate exception for servlet Manager
          javax.servlet.ServletException: Error allocating a servlet instance
          at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:619)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:201)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:518)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
          at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
          at java.lang.Thread.run(Thread.java:484)
          [21:14:14,894,EmbeddedCatalinaServiceSX] ----- Root Cause -----
          java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.ManagerServlet is privileged and cannot be loaded by this web application
          at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:836)
          at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:615)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:201)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:518)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
          at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
          at java.lang.Thread.run(Thread.java:484)
          [21:14:27,432,UsersRolesLoginModule] Bad password for username=null
          [21:14:30,536,EmbeddedCatalinaServiceSX] StandardWrapper[/manager:Manager]: Loading container servlet Manager
          [21:14:30,536,EmbeddedCatalinaServiceSX] StandardWrapperValve[Manager]: Allocate exception for servlet Manager
          javax.servlet.ServletException: Error allocating a servlet instance
          at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:619)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:201)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:518)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
          at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
          at java.lang.Thread.run(Thread.java:484)
          [21:14:30,566,EmbeddedCatalinaServiceSX] ----- Root Cause -----
          java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.ManagerServlet is privileged and cannot be loaded by this web application
          at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:836)
          at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:615)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:201)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:518)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2344)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:163)
          at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
          at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
          at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
          at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1011)
          at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1106)
          at java.lang.Thread.run(Thread.java:484)



          Ove :)

          • 2. Re: Catalina Realms & JBoss 2.4.3
            Adam Young Newbie

            I've just started playing with this. YMMV

            I got basic tomcat authentication working, first by using the sample app (localhost:8080/admin) and adding in a entry to tomcat-users.xml that had the admin permission. See if you can get that far.I used a tomcat download without jboss to start.

            Next, I followed the steps to do basic authentication against the database, with the difference that I used the postgresql driver. I had to remove the default authenctication entry from server.xml to make it work, or it tried to authenticate against both.

            Third I changed the setup to use my apps tables. I had to make a view to get the roles table formated correctly, but evetually it worked.


            Here is the server.xml portion:




            Then it dawned on me. Standard authentication is saved in the URL. I wanted permissions to time out with the session. So I looked into form based security. THe Tomcat docs for these are pretty good, and I was able to get it working by changing just the web.xml. This last part was acutally done under tomcat 2 due to the need to get it working with my curent app.

            I've noticed in the JBoss code that there is an authentication against a DB that is available (look in the docs under JAAS). So you should use the two custom login mechanisms to authenticate against the same set of DB tables. You are bascially going to need this anyway, as I am sure some part of your UI will be different based on roles, and some portion of your EJB code as well.