4 Replies Latest reply on Feb 10, 2003 6:58 PM by Peter Kelley

    JAAS from Remote Tomcat

    Peter Kelley Newbie

      I need to accss JBoss from a Tomcat server running in a seperate JVM. I am using the JAAS realm in Tomcat to log in to JBoss on the web application form login and this is working. I then cache the Subject obtained from the JAAS login.

      I have written a Tomcat valve to get the cached subject based on the identity of the user. I use Subject.doAs() to invoke the rest of the JSP code with the identity of the cached subject.

      The problem is that JBoss is always using the identity of the user that last logged in and not the user that owns the Tomcat session. I have run the Tomcat code in the debugger and the correct subject is being retrieved from the cache and used on the DoAs call.

      How does JBoss tell which user is logged in and what do I need to do on the client side to change my identity ?

      Peter Kelley
      Moveit Pty Ltd

        • 1. Re: JAAS from Remote Tomcat
          J. Wolfgang Kaltz Novice

          Before calling JBoss you need to explicitly do the JBoss client side authentication, ClientLoginModule I think it's called. This will set the correct user for the call.

          Since calls from different users will go through the same servlet, you will need to do this for every new request.

          • 2. Re: JAAS from Remote Tomcat
            Cristian Golumbovici Newbie

            You'll also have to remember that client-side login is handled per thread, not per application, nor per user, nor per Subject.

            I.e., the correct way is to do the client-side login dance once per HTTP request. Preferrably, right at the beginning. You can (and of course should) cache the user login data, not the principal, but you'll have to tell it to JBoss again for each thread anyway.

            If you want to get technical, from what I can tell, client-side login really doesn't do much. Although it may seem that you've logged in and everything, at that point you're _not_ really logged into anything, and your Subject or Principal(s) aren't even worth the bits they're printed on. What client-side login really does is just attach the user name and password to the Thread. (Well, to a ThreadLocal, but same idea.)

            The actual authentication will happen on the server, the first time you call an EJB. (And in fact, _every_ time you call an EJB.) When a RMI/IIOP call happens, the RMI implementation looks into the ThreadLocal, and automatically bundles that name and password, if they exist, with the actual EJB call parameters. On the server side, JBoss extracts these extra parameters from the call, and calls the actual (server-side) login module to validate them and obtain an actual Subject and Principal. (These are _not_ the same Subject and Principal as the bogus ones you got when "logging in" client-side.) It's these, not the client-side ones, that will be used for the "declarative security" part and passed to the EJB's as part of the EJBContext.

            • 3. Re: JAAS from Remote Tomcat
              Peter Kelley Newbie

              OK, this now makes some sort of sense but now I have another problem. What I am doing is using the same login module I use on JBoss to provide user authentication and authorization on Tomcat. This module consumes some CPU time so I don't want to do this login on each request, once is enough. On the other hand I DO want to do the client login module on each request. Since I only have one auth.conf can you suggest a way to do this ?

              • 4. Re: JAAS from Remote Tomcat
                Peter Kelley Newbie

                Never mind, of course this is a standard JAAS thing to be able to have multiple login configurations in the auth.conf and be able to refer to them by name.