4 Replies Latest reply on Mar 3, 2002 2:52 PM by Roger

    Authenticating with Tomcat and JBoss

    Sergei Batiuk Newbie

      Hi all,

      I need to authenticate with Tomcat, and than pass security credentials to JBoss. How do I achieve this? is there an integrated solution, so that I didn't have to write one security module for Tomcat, and another for JBoss?

      Sincerely,
      Sergei Batiuk.

        • 1. Re: Authenticating with Tomcat and JBoss
          Jeffrey Wescott Newbie

          Using JBoss-2.4.4 and Tomcat-4.0.1 integrated, with the default configuration, as long as you set up your auth.conf properly and have a working JBoss server-side login module, JBoss sets up the embedded tomcat with a JBossRealm that passes the credentials on through. Works like a charm!

          • 2. Re: Authenticating with Tomcat and JBoss
            Roger Newbie

            How do you set up auth.conf "correctly"?
            And can the JBoss supplied UsersRolesLoginModule be used?

            Thanks
            Roger

            • 3. Re: Authenticating with Tomcat and JBoss
              Farid Bellameche Newbie

              Hi,

              I use JBoss 2.4.4 with tomcat 4.0.

              I have a webapp configured like this :

              <web-app>

              <servlet-name>addEmploye</servlet-name>
              <servlet-class>com.xtierdev.formation.controler.AjouterEmployeServlet</servlet-class>


              <servlet-name>employeDetail</servlet-name>
              <servlet-class>com.xtierdev.formation.controler.AfficherDetailEmployeServlet</servlet-class>


              <servlet-name>listEmploye</servlet-name>
              <servlet-class>com.xtierdev.formation.controler.GererListeEmployesServlet</servlet-class>

              <servlet-mapping>
              <servlet-name>addEmploye</servlet-name>
              <url-pattern>/addEmploye</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
              <servlet-name>employeDetail</servlet-name>
              <url-pattern>/employeDetail</url-pattern>
              </servlet-mapping>
              <servlet-mapping>
              <servlet-name>listEmploye</servlet-name>
              <url-pattern>/listEmploye</url-pattern>
              </servlet-mapping>
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Collection1</web-resource-name>
              Protected area
              <url-pattern>/employeDetail</url-pattern>
              <url-pattern>/listEmploye</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              Domain Users
              <role-name>Domain Users</role-name>
              </auth-constraint>
              <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <security-constraint>
              <web-resource-collection>
              <web-resource-name>Collection2</web-resource-name>
              <url-pattern>/addEmploye</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              Domain Users
              <role-name>Domain Users</role-name>
              </auth-constraint>
              <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>server-login</realm-name>
              </login-config>
              <security-role>
              Domain Users
              <role-name>Domain Users</role-name>
              </security-role>
              </web-app>

              and a file standardjboss.xml beginning like this :


              <security-domain>java:/jaas/server-login</security-domain>
              ...

              and and server auth.conf file like this :

              // Put login modules providing authentication and realm mappings
              // for security domains.


              simple {
              // Very simple login module:
              // any user name is accepted.
              // password should either coincide with user name or be null,
              // all users have role "guest",
              // users with non-null password also have role "user"
              org.jboss.security.auth.spi.SimpleServerLoginModule required;
              };

              // Used by clients within the application server VM such as
              // mbeans and servlets that access EJBs.
              client-login {
              org.jboss.security.ClientLoginModule required;
              };

              // The default server login module
              other {
              // A simple server login module, which can be used when the number
              // of users is relatively small. It uses two properties files:
              // users.properties, which holds users (key) and their password (value).
              // roles.properties, which holds users (key) and a comma-separated list of their roles (value).
              // The unauthenticatedIdentity property defines the name of the principal
              // that will be used when a null username and password are presented as is
              // the case for an unuathenticated web client or MDB. If you want to
              // allow such users to be authenticated add the property, e.g.,
              // unauthenticatedIdentity="nobody"
              org.jboss.security.auth.spi.UsersRolesLoginModule required
              ;

              };
              server-login
              {
              com.myriap.security.jaas.loginmodule.NtServerLoginModule required
              ntDomainName="myriap"
              unauthenticatedIdentity="jms"
              ;
              };

              a client auth.conf like this :

              server-login
              {
              // Put your login modules that work without jBoss here

              // jBoss LoginModule
              org.jboss.security.ClientLoginModule required;

              // Put your login modules that need jBoss here
              };


              When I deploy my webapp and use it no authentication dialog appear when accessing the protected areas of my webapp. Wath's wrong with this deployement ?

              Thank's a lot.

              Farid

              • 4. Re: Authenticating with Tomcat and JBoss
                Roger Newbie

                I think the problem is that you are using BASIC login and this does not work with Tomcat 4.0.1, as I understand the documentation. You need to use FORM based login instead.

                Roger