3 Replies Latest reply on Sep 29, 2005 6:24 AM by Maarten Winkels

    Tomcat JAASRealm configuration

    Maarten Winkels Newbie

      Hello,

      I would like to use a custom principal within Tomcat security. I use tomcat embedded in JBoss. Tomcat (in this situation) by default uses a JAASRealm to do authentication and authorization. I use a configured LoginConfig, that creates and authenticates the custom principal and subject correctly.

      The problem begins when the constructed custm principal is returned to the JAASRealm: The JAASRealm iterates over all returned principal to check for a principal with the correct class name (as specified in UserClassNames property). This property is not set.

      How can I configure this property of the JAASRealm? I can find this object as an MBean in the JMX-console (jboss.web:type=Realm), but when I try to change the property there, I get an "NoSuchMethodException: org.apache.catalina.realm.JAASRealm.setModelerType(java.lang.String)", which happens to be a field on the same form. Browsing through the JBoss/Tomcat config files (jboss-service.xml/server.xml) I do not see a JAASRealm object or MBean configures anywhere.

      Is it oke to add a config element to the server.xml, possibly overriding the default realm settings?

      Any help is appreciated!

      -Maarten Winkels

        • 1. Re: Tomcat JAASRealm configuration
          Maarten Winkels Newbie

          Hello,

          I tried the following:

          Added to JBoss /deploy/jbossweb-tomcat55.sar/server.xml

          <Realm
           className="org.apache.catalina.realm.JAASRealm"
           appName="jboss.web"
           userClassNames="myPrincipal"
           roleClassNames="org.jboss.security.SimpleGroup"/>


          In myWebApp /WEB-INF/web.xml

          <security-constraint>
           <web-resource-collection>
           <web-resource-name>Whole site</web-resource-name>
           <url-pattern>/*</url-pattern>
           </web-resource-collection>
           <auth-constraint>
           <role-name>*</role-name>
           </auth-constraint>
          </security-constraint>
          
          <login-config>
           <auth-method>BASIC</auth-method>
           <realm-name>mySecurityDomain</realm-name>
          </login-config>


          In myWebApp jboss.xml

          <security-domain>java:/jaas/mySecurityDomain</security-domain>


          In JBoss /conf/login-xonfig.xml

          <application-policy name="jboss.web">
           <authentication>
           <login-module code="myPrincipalCreatingLoginModule" flag="required"/>
           <login-module code="org.jboss.security.ClientLoginModule" flag="required">
           <module-option name="password-stacking">useFirstPass</module-option>
           <module-option name="multi-threaded">true</module-option>
           </login-module>
           <login-module code="myAuthenticatingLoginModule" flag="required"/>
           </authentication>
          </application-policy>


          Now I can login to the web app, my custom principal is created and authenticated by the (custom) login module and propagated to the ejb layer. Great!

          Here come the problems:

          1) Every HTTP request creates a new Principal. The principal is not stored/cached in the session.
          2) I cannot switch to form authentication (this doesn't seem to work, is this a known tomcat/jboss bug?)
          3) I cannot specify a role in the auth-constraint. The JAASRealm seems not to understand the SimpleGroup. The name is not recognised.

          Has anybody experienced these problems before? Am I missing something?

          Thanks in advance!

          -Maarten Winkels

          • 2. Re: Tomcat JAASRealm configuration
            Maarten Winkels Newbie

            When I switch to FORM authentication using:

            <login-config>
             <auth-method>FORM</auth-method>
             <realm-name>mySecurityDomain</realm-name>
             <form-login-config>
             <form-login-page>/login.jsp</form-login-page>
             <form-error-page>/authorization-error.jsp</form-error-page>
             </form-login-config>
            </login-config>


            The principal is not propagated to the EJB layer. The authorization is performed correctly, but when invoking a method on an EJB a security exception is thrown.

            Any help is greatly appreciated.

            -Maarten Winkels

            • 3. Re: Tomcat JAASRealm configuration
              Maarten Winkels Newbie

              I think I have found why the principal is not propagated. The SessionAssociationValve, that is supposed to propagate the principal from the Web tier to the EJB tier checks the type of the principal and only sets it on the security association if the principal is a JBossGenericPrincipal. This is a package privat type in the tomcat55-service.jar, the tomcat adaptor that JBoss uses.