0 Replies Latest reply on Dec 13, 2008 7:31 AM by carcophan

    Using JAAS Authentication with JBOSS and Tomcat on different

    carcophan Newbie

      Hi,

      I am developing a Struts Webapp for a Team thats working on an EJB 2
      Enterprise Application using JBoss 4.0.3 and JAAS.
      The EJB Application is very large and takes long to deploy and start
      JBoss so I was wondering if it is possible to use a standalone Tomcat
      for developing the Webapp which connects to the services provided by
      the EJB application running on JBoss, without having to deploy it into
      the embedded Tomcat in JBoss. This would make testing and developing a
      lot more efficient.

      I've managed to deploy my webapp on a standalone Tomcat. The problem
      however is logging in and getting an authenticated session.
      When testing my webapp with the EAR in the same JBOSS everything works
      well, but how do I tell the standalone Tomcat to use the JAAS Security
      thats been configured for the EAR in JBoss?
      As you can see I'm pretty clueless about Java Security, EJBs and JBOSS
      Application Server.

      The way authentication is configured at the moment (when deploying the
      .ear and .war into the same JBOSS) is by having a jboss-web.xml inside
      my war archive with the following settings:

      <jboss-web>
       <security-domain>java:/jaas/ejb-app</security-domain>
      </jboss-web>


      I assume it looks up the settings in the login-config.xml with the
      following settings, which tells it where to get the user credentials
      from:

      <application-policy name = "ejb-app">
       <authentication>
       <login-module code =
      "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag =
      "required">
       <module-option name="dsJndiName">java:/ejbappDS</module-option>
       <module-option name="principalsQuery">SELECT PASSWORD FROM USERS
      WHERE LOGINNAME = ? AND INVALID = 0</module-option>
       <module-option name="rolesQuery">SELECT Role,'Roles' FROM USERS as
      u,USERSROLES as r WHERE u.id=r.refuserid and u.LOGINNAME =
      ?</module-option>
       <module-option name="hashCharset">ISO-8859-1</module-option>
       <module-option name="hashAlgorithm">MD5</module-option>
       <module-option name="hashEncoding">BASE64</module-option>
       <!-- module-option name = "unauthenticatedIdentity">nobody</module-option -->
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       </login-module>
       </authentication>
       </application-policy>


      However the login-config.xml and jboss-web.xml seem to be specific to
      jboss and not compatable with a tomcat-standalone. What do I need to
      the the login and authentication working on a standalone Tomcat?

      I would really be gratefull for any help on this matter.

      THX!

      Joe.