6 Replies Latest reply on Apr 14, 2005 11:09 AM by Oleg Timoshenko

    JAAS on Tomcat 5 & Jboss 4

    Oleg Timoshenko Newbie

      Hi all,
      we integrate two formerly independent systems - web application on Tomcat 5 and application logic on JBoss 4 (adding web-interface to allready existing business logic).
      Each of these systems use JAAS to determine access to web pages and to EJB methods.
      Both systems are deployed in different web/application archives on different servers over network and both use the same database to retrieve user/role information.

      As I understand, the remote EJB's method invocation done from Tomcat will not be JAAS-authenticated for JBoss, even if the session is JAAS-authenticated on Tomcat.
      What we want is to authenticate the user once on the web-layer so that the privileges will be still valid for EJB which we call.

      Is there a common solution to this authorization issue?

        • 1. Re: JAAS on Tomcat 5 & Jboss 4
          Scott Stark Master

          You need to add a security association valve that propgates the web container security identity to the ejb layer as is done with the bundled jboss/tomcat version.

          • 2. Re: JAAS on Tomcat 5 & Jboss 4
            Oleg Timoshenko Newbie

             

            "scott.stark@jboss.org" wrote:
            You need to add a security association valve that propgates the web container security identity to the ejb layer as is done with the bundled jboss/tomcat version.


            Thank You Scott, I'll try that!

            • 3. Re: JAAS on Tomcat 5 & Jboss 4
              Oleg Timoshenko Newbie

              Do I understand right that I need an implementation of Valve interface running as a valve on Tomcat and for every request that has not been authenticated yet, it should connect to JBoss, perform the authentication and populate local subkect with principals received remotely from JBoss?

              • 4. Re: JAAS on Tomcat 5 & Jboss 4
                Davide De Benedictis Newbie

                 

                "Legga" wrote:
                Do I understand right that I need an implementation of Valve interface running as a valve on Tomcat and for every request that has not been authenticated yet, it should connect to JBoss, perform the authentication and populate local subkect with principals received remotely from JBoss?


                I'm a jaas newbie but, If I understodd well the "valve" scott is speaking about is the ClientLoginModule shipped with JBoss. This login module do not perform authentication but merely pass to the ejb layer the credential coming from elsewhere (web layer).
                Look here:

                http://www.jboss.org/wiki/Wiki.jsp?page=ClientLoginModule

                Scott wrote a JAAS howto which explains nearly everything (I still have a lot of question):

                http://sourceforge.net/docman/display_doc.php?docid=18240&group_id=22866

                So for example you configure tomcat whit a form login authentication and you pass these info on the server side where you can perform the server authentication on db or ldap. Then the ClientLoginModule acts as a valve...

                Bye

                --
                Davide
                [/url]

                • 5. Re: JAAS on Tomcat 5 & Jboss 4
                  Scott Stark Master

                   

                  Do I understand right that I need an implementation of Valve interface running as a valve on Tomcat and for every request that has not been authenticated yet, it should connect to JBoss, perform the authentication and populate local subkect with principals received remotely from JBoss?


                  No. You have to establish the caller identity that is going to be authenticated as part of the ejb call by the jboss server. See the JAAS Howto or chap 8 of the admin/devel guide for how security integrates. The ClientLoginModule referenced by bocio is the standard way to propagate the security identity to the jboss ejb transport layer. If you are not obtaining the security identity from tomcat then you don't need a Valve implementation. You can use a standard servlet filter. See the JaasLoginFilter in the JAAS Howto.


                  • 6. Re: JAAS on Tomcat 5 & Jboss 4
                    Oleg Timoshenko Newbie

                    Thank you, I thought about it, but in this case (I have BASIC authentication on Tomcat) I have to supply my LoginContext with a callback object which, in turn, supplies the system with login and password.
                    How shall I get the login and password from Tomcat? It prompts the user by itself and then creates user's identity and stores internally, if I'm not mistaken...