8 Replies Latest reply on Sep 18, 2002 12:46 PM by Mauricio De Diana

    Tomcat + JBoss + JAAS

    Mauricio De Diana Newbie

      Hi all,

      We are trying to setup a technical architecture where the WebContainer (Catalina) and the EJB container (JBoss) are separated. So far, we have been successful in setting the
      connection between a servlet and an EJB from 2 different servers. Now, we want to setup a 'secure' connection, or basically define 'users/roles', so only authenticated servlets could connect to our EJBs.

      Another requirement is that we don't want to setup Principals/Roles programmatically on the servlets. So, we are trying to use a pre-defined JAASRealm inside the Webapp context.

      Is there any documentation/HOW-TO on how to do it? Did
      anybody sucessfully connected Tomcat+JBoss using JAAS ?

      We posted this message on tomcat-user list but haven´t got any responses yet.

      Thanks

      Dediana

        • 1. Re: Tomcat + JBoss + JAAS
          Kenneth Roper Newbie

          The HOW-TO for JBoss JAAS configuration can be found here:

          http://www.jboss.org/online-manual/HTML/ch11s78.html

          If you are concerned about the security of the RMI calls between your sevlets and the EJBs, a thread you may find interesting is here:

          http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/

          • 2. Re: Tomcat + JBoss + JAAS
            Mauricio De Diana Newbie

            Thanks for answering me, but this article doesn´t solve the problem because I need to have "security unaware" applications. In the article, both client app and servlet make calls to JAAS (through LoginContext). I want the servlet container (Tomcat) to be responsible for calls to JAAS, so applications can be written without knowing anything about the EJB container (JBoss) security and JAAS. And all this have to be running the containers in separated JVMs (probably in separated machines).
            Any clue on how to do it?

            Thanks

            Dediana

            • 3. Re: Tomcat + JBoss + JAAS
              seanxu Newbie

              I was thinking about doing container-container authentication too. One solution I have in mind is to develope a security interceptor which uses JAAS to provide authentication. I have not find time to implement it. It will work as long as you can obtain authentication info from client side(either a standlone program or a servlet container).

              Let me know what you think.

              • 4. Re: Tomcat + JBoss + JAAS
                Kenneth Roper Newbie

                Dediana

                OK, I now understand what you are trying to do. I'm afraid I haven't done it myself from Tomcat - JBoss, but I did do it in Borland's Enterprise Server which uses a Tomcat derivative.

                This involved setting up a BSSRealm in the tomcat web.xml file, which referred to the Security Realm understood by the container. For JBoss I would imagine this involves setting up a realm in JBoss's auth.conf, referenced from the jboss.xml file in the EJB jar. Unfortunately, I don't know if the BSSRealm idea is Borland specific. In the end we had to ditch BES because the 5.0 security architecture was so flaky!

                If this doesn't work, I would advise looking at Tomcat's JNDI realm, as JBoss looks up the security realm in the JNDI java:/jaas/MyRealm style. More info on that can be found here:

                http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html

                Sorry this is a bit vague, but hope it sets you on the right track.

                Regards
                Kenneth

                • 5. Re: Tomcat + JBoss + JAAS
                  Mauricio De Diana Newbie

                  SeanX: I am avoiding rewriting anything that isn´t pluggable. Then I would consider rewrite classes that is configurable in JBoss via MBeans, but not the SecurityInterceptor. My main reason to do this is to avoid compatibility problems with JBoss´ future versions. But if this is the only way, I will try it.

                  kenneth: I read the help about Borland´s approach (at http://info.borland.com/techpubs/books/bes/htmls/DevelopersGuide5/DevelopersGuide/WebService.html) and that is pretty much what I´d like to do. But Tomcat doesn´t have any BSSRealm to use (and I didn´t find any information about how it works so I can write one). The other approach you suggested (use a JNDIRealm) isn´t possible
                  here because this realm is used to authenticate in an LDAP server.

                  What I´m trying now is to make a secured webapp use a Tomcat´s JAASRealm that calls JBoss´ ClientLoginModule. Both sides work fine separately (I can authenticate a simple application in JBoss and I can authenticate a user using JAASRealm and other LoginModule in Tomcat), but they don´t do it together. Credentials never get to JBoss (it doesn´t permit access to EJBs because principal is always null).

                  Thanks for all the help and please keep with the suggestions.

                  Dediana

                  • 6. Re: Tomcat + JBoss + JAAS
                    Mauricio De Diana Newbie

                    I think I got something. Basically, there´s two solutions working.
                    The first uses JAASRealm and 2 LoginModules (one to authenticate in Tomcat and the ClientLoginModule to pass username and credentials to JBoss). This one can be used if both web app and EJBs need authentication.
                    The other solution is to write a Valve that simply pass the information to JBoss using the ClientLoginModule. On every request the code inside Valve invoke method is executed.
                    The JAASRealm or the Valve is nested in Context.

                    Does anyone see any problem on this? If so, please let me know.

                    Thanks,
                    Dediana

                    • 7. Re: Tomcat + JBoss + JAAS
                      Mauricio De Diana Newbie

                      I think I got something. Basically, there´s two solutions working.
                      The first uses JAASRealm and 2 LoginModules (one to authenticate in Tomcat and the ClientLoginModule to pass username and credentials to JBoss). This one can be used if both web app and EJBs need aunthentication.
                      The other solution is to write a Valve that simply pass the information to JBoss using the ClientLoginModule. On every request the code inside Valve invoke method is executed.
                      The JAASRealm or the Valve is nested in Context.

                      Does anyone see any problem on this? If so, please let me know.

                      Thanks,
                      Dediana

                      • 8. Re: Tomcat + JBoss + JAAS
                        Mauricio De Diana Newbie

                        I think I got something. Basically, there´s two solutions working.
                        The first uses JAASRealm and 2 LoginModules (one to authenticate in Tomcat and the ClientLoginModule to pass username and credentials to JBoss). This one can be used if both web app and EJBs need authentication.
                        The other solution is to write a Valve that simply pass the information to JBoss using the ClientLoginModule. On every request the code inside Valve invoke method is executed.
                        The JAASRealm or the Valve is nested in Context.

                        Does anyone see any problem on this? If so, please let me know.

                        Thanks,
                        Dediana