3 Replies Latest reply on Mar 3, 2004 5:06 AM by arunyeshi2000

    Tomcat Authentication 3.2.2

    Dan Thompson Newbie

      The above clearly either doesn't work or isn't implemented in the Embedded Tomcat in JBoss 3.2.2

      Any attempt to use FORM or BASIC authentication in web.xml produces a warning during initialization: Unable to invoke setDelegate on class loader...

      Any combination of username/password will authenticate regardless. And any isUserInRole will return true.

      All example code seems to be geared to implementing custom JAAS in EJBs, rather than embedded Web Container.

      Furthermore the only setDelegate method defined in the entire JBoss codebase is in the WebCtxLoader class, while the NoSuchMethodException is thrown on its inner class, ENCLoader from within an event listener that calls contextInit.

      While all this seems quite wacky I'm sure I'm just looking at it wrong, since Basic and Forms based Auth must be implemented as part of the J2EE spec.



      Any guidance would be appreciated.


        • 1. Re: Tomcat Authentication 3.2.2
          Dan Thompson Newbie

          OK, took 2 days, but I can almost make it work. (BTW, this stuff works right out of the box on any decent J2EE server. Only JBoss makes it a real challenge with their out-of-date, cryptic documentation. But we do like a challenge...)

          The trick is to add the following tag to the jboss-web.xml


          And then adding users.properties and roles.properties to the base directory of your classes at WEB-INF/classes. These are described in the source code, and there are sample files in the deployment.

          The jaas/other security domain is defined in the login-conf.xml and tells jboss to use the username password in these properties files.

          I learned all this by downloading the JBoss source, and adding log statements until I could see what was really going on.

          I'm not quite there yet however. The roles.properties file doesn't seem to do the job. Even though I'm getting authenticated, the role is not rolling up to the security constraint in the web.xml...

          More tomorrow...


          • 2. Re: Tomcat Authentication 3.2.2
            Dan Thompson Newbie

            Sorry about the crack about the out-of-date / cryptic documentation. On the plus side at least there is not much of it.

            Turning on basic authentication suitable for a simple dev environment is quite easy. See previous post, and the users.properties and roles.properties must be in the classes directory under WEB-INF.
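
For the symptom in reply 1 (the login succeeds but the role does not satisfy the security constraint in web.xml), one thing worth ruling out is a name mismatch between the three files. The following checker is an added example, not part of the thread or of JBoss; it assumes users.properties holds `user=password` lines and roles.properties holds `user=role1,role2` lines, and its sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
USERS = "# user=password (assumed format)\ndan=secret\nguest=guest\n"
ROLES = "# user=role1,role2 (assumed format)\ndan=admin\nghost=viewer\n"

def parse_props(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def constraint_roles(web_xml):
    """Role names inside <auth-constraint> elements, ignoring XML namespaces."""
    roles = set()
    for el in ET.fromstring(web_xml).iter():
        if el.tag.split("}")[-1] == "auth-constraint":
            roles.update((c.text or "").strip() for c in el
                         if c.tag.split("}")[-1] == "role-name")
    return roles

def check(web_xml, users_text, roles_text):
    """Cross-check the files; role names are compared case-sensitively."""
    users = parse_props(users_text)
    user_roles = {u: {r.strip() for r in v.split(",") if r.strip()}
                  for u, v in parse_props(roles_text).items()}
    required = constraint_roles(web_xml)
    granted = set().union(*user_roles.values())
    return {
        "users_without_roles": sorted(u for u in users if not user_roles.get(u)),
        "roles_for_unknown_users": sorted(u for u in user_roles if u not in users),
        # "*" in an auth-constraint means any role, so it is never "unheld".
        "constraint_roles_nobody_holds": sorted(required - granted - {"*"}),
        "granted_roles_not_in_constraints": sorted(granted - required),
    }

if __name__ == "__main__":
    for finding, names in check(WEB_XML, USERS, ROLES).items():
        print(f"{finding}: {names}")
```

On the sample, `Admin` in web.xml is held by nobody because roles.properties grants `admin`, which is the kind of mismatch that leaves a user authenticated but unauthorized.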


            • 3. Re: Tomcat Authentication 3.2.2
              arunyeshi2000 Newbie


              Where do I put my custom-defined DatabaseRealm class? The class name is com.rex.DIPDatabaseRealm. In this class I am returning my custom-defined Principal. In which JBoss configuration file should I mention this, and where do I put these classes?

              When I tried this in standalone Tomcat, it was working fine when I put the CustomPrincipal class in the tomcat/server/classes directory.