Posted to users@tomcat.apache.org by John Gentilin <ge...@eyecatching.com> on 2002/07/26 23:14:52 UTC

Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment

In a Servlet design I am working on, I want to implement a security
policy where the Servlet mechanism knows if the user is allowed and
what roles they are allowed to operate in, but falls back to the native
O/S to validate the user's password. The JAAS interface seems like the
perfect mechanism, using the NT Login mechanism along with a Login
manager that I would implement.

The question I have is, can JAAS be implemented in a Servlet
environment? It appears that the classes need to be present at JVM boot
time and not in the WEB-INF/lib directory (an issue with 1.3 JVMs), and
there is an apparent platform issue with providing policy files, i.e. the
need to load the .java2.policy from the user home directory, which has
little context in a servlet environment. It seems like I can get it to
work, but it would require a lot of tweaking of the System JVM and Tomcat
installation and is not something that is generically available at an ISP.

Any suggestions would be greatly appreciated.

Thanks in advance
John G





--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment

Posted by John Gentilin <ge...@eyecatching.com>.
I can get JAAS working as a Servlet just fine under Tomcat when I configure
Tomcat with a static classpath under the JBuilder environment. When I take
that same code and run Tomcat in stand-alone mode, the LoginModule (a JAAS
class) cannot find any of the LoginModules defined in the configuration. I
have tried both including the JAAS JAR in my project and in the jre/lib/ext
directory.

If I only include the jaas.jar in my WAR file, the class
javax.security.auth.SubjectDomainCombiner cannot be found.

If I put the jaas.jar in my WAR and in the jre/lib/ext directory, then I
can't locate any of my login modules.

This all happens in the LoginContext.login member function.

Regards
John G

Will Hartung wrote:

> From: "John Gentilin" <ge...@eyecatching.com>
> Sent: Friday, July 26, 2002 2:14 PM
> Subject: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment

--
--------------------------------------
John Gentilin
Eye Catching Solutions Inc.
18314 Carlwyn Drive
Castro Valley CA 94546

    Contact Info
gentijo@eyecatching.com
Ca Office 1-510-881-4821
NJ Office 1-732-422-4917






Re: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment

Posted by Will Hartung <wi...@msoft.com>.
From: "John Gentilin" <ge...@eyecatching.com>
Sent: Friday, July 26, 2002 2:14 PM
Subject: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment


> In a Servlet design I am working on, I want to implement a security
> policy where the Servlet mechanism knows if the user is allowed and
> what roles they are allowed to operate in, but falls back to the native
> O/S to validate the user's password. The JAAS interface seems like the
> perfect mechanism, using the NT Login mechanism along with a Login
> manager that I would implement.
>
> The question I have is, can JAAS be implemented in a Servlet
> environment?

Mind you, this is after taking a good, solid 5 minutes to glance at the JAAS
docs at Sun, so I'm sure you've been through this already.

It was not clear that the classes have to be anywhere but available to the
ClassLoader (as prepared by Tomcat), versus having to be in the System
classpath at JVM start, but that may be covered someplace else in Java
Security.

However, everything else looks reasonably straightforward...

For example, the Login Configuration is "simply" an abstract class that can
be reimplemented so that your servlet can populate it appropriately, rather
than relying on files. The LoginContext interacts with the
LoginConfiguration, so that should give you quite a bit of control over the
environment, though not necessarily "Out Of The Jar". You may have to do
some work yourself in this case.

For authorization, it appears to want a policy file. And it appears to be
getting the file from a system property. I don't see any obvious reason why
you should be able to create your own policy file, and then set that system
property to your file before any appropriate calls are made.

Anyway, I don't know the answers to your questions directly, as I'm not a
Java Security person, and I've never encountered JAAS before now, but I bet
you can adopt an "embrace and extend" technique to get the framework to work
for you, it just may not work correctly out of the box.

And, of course, if for some reason the classes are needed by the core JVM,
then you may have other issues.

With 1.4 it won't be an issue at all, as it's built in. With 1.3 you may
have to convince an ISP to install it as an extension.

Anyway, food for thought. Love to hear how it turns out.

Best Regards,

Will Hartung
(willh@msoft.com)




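Will's suggestion above, that the login Configuration is an abstract class a servlet can subclass and populate itself instead of relying on a file, and John's wish later in this thread to load the configuration from a resource stream packaged in the WAR, as one added example. It is not code from the thread or from Tomcat: the class ResourceConfiguration, its properties format, the com.example.auth package and the module names in the comment are this example's own assumptions, and it is written against the J2SE 1.4 collections API (raw types, no generics) to match the JVMs under discussion.

```java
package com.example.auth;

import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/**
 * A JAAS login Configuration built in code from a properties resource shipped
 * inside the WAR, instead of the ~/.java.login.config file. The properties
 * format is this example's own (hypothetical):
 *
 *   # <appName>.<order> = <LoginModule class> <control flag> [option=value ...]
 *   DemoApp.1 = com.example.auth.DemoLoginModule required
 *   DemoApp.2 = com.example.auth.AuditLoginModule optional debug=true
 */
public final class ResourceConfiguration extends Configuration {

    private final Map entries = new HashMap();   // appName -> AppConfigurationEntry[]

    public ResourceConfiguration(Properties props) {
        Map ordered = new HashMap();              // appName -> TreeMap(order -> entry)
        for (Iterator it = props.keySet().iterator(); it.hasNext();) {
            String key = (String) it.next();
            int dot = key.lastIndexOf('.');
            if (dot < 1) throw new IllegalArgumentException("bad key: " + key);
            String app = key.substring(0, dot);
            Integer order = Integer.valueOf(key.substring(dot + 1));
            TreeMap byOrder = (TreeMap) ordered.get(app);
            if (byOrder == null) ordered.put(app, byOrder = new TreeMap());
            byOrder.put(order, parseEntry(props.getProperty(key)));
        }
        for (Iterator it = ordered.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            Collection stack = ((TreeMap) e.getValue()).values();
            entries.put(e.getKey(), stack.toArray(new AppConfigurationEntry[stack.size()]));
        }
    }

    /** "<class> <flag> [k=v ...]"; an unknown flag is an error, never silently OPTIONAL. */
    private static AppConfigurationEntry parseEntry(String spec) {
        StringTokenizer st = new StringTokenizer(spec);
        String module = st.nextToken();
        LoginModuleControlFlag flag = flagOf(st.nextToken());
        Map options = new HashMap();
        while (st.hasMoreTokens()) {
            String kv = st.nextToken();
            int eq = kv.indexOf('=');
            options.put(eq < 0 ? kv : kv.substring(0, eq), eq < 0 ? "" : kv.substring(eq + 1));
        }
        return new AppConfigurationEntry(module, flag, options);
    }

    private static LoginModuleControlFlag flagOf(String s) {
        s = s.toLowerCase();
        if (s.equals("required"))   return LoginModuleControlFlag.REQUIRED;
        if (s.equals("requisite"))  return LoginModuleControlFlag.REQUISITE;
        if (s.equals("sufficient")) return LoginModuleControlFlag.SUFFICIENT;
        if (s.equals("optional"))   return LoginModuleControlFlag.OPTIONAL;
        throw new IllegalArgumentException("unknown control flag: " + s);
    }

    /** Returns a copy so a caller cannot alter the module stack other callers see. */
    public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
        AppConfigurationEntry[] e = (AppConfigurationEntry[]) entries.get(appName);
        return e == null ? null : (AppConfigurationEntry[]) e.clone();
    }

    public void refresh() {
        // Nothing to reload: the configuration is immutable once built.
    }

    /**
     * Install process-wide, e.g. from ServletContextListener.contextInitialized():
     *   installFrom(servletContext.getResourceAsStream("/WEB-INF/jaas.properties"));
     * Needs AuthPermission("setLoginConfiguration") when a SecurityManager is active.
     */
    public static void installFrom(InputStream in) throws IOException {
        if (in == null) throw new IOException("login configuration resource not found");
        Properties props = new Properties();
        try { props.load(in); } finally { in.close(); }
        Configuration.setConfiguration(new ResourceConfiguration(props));
    }
}
```

Configuration.setConfiguration replaces the login configuration for the whole JVM, not for one webapp. On a shared Tomcat, any webapp that is allowed to call it (every webapp, unless Tomcat runs with a SecurityManager and catalina.policy withholds AuthPermission("setLoginConfiguration")) can swap in a login configuration for all the other webapps in that JVM. On the ISP-hosted installation John describes it is therefore safer to let the container own the configuration, through -Djava.security.auth.login.config and a Realm, than to have a webapp install it.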


Re: Tomcat 4.1.x JAASRealm Implementation

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 9 Aug 2002, James Krygowski wrote:

> Date: Fri, 9 Aug 2002 14:39:57 -0400
> From: James Krygowski <ja...@shaws.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Tomcat 4.1.x JAASRealm Implementation
>
> Hey All (Craig particularly)-
>
> Going through the code that exists in 4.1.8, I noticed that in the JAASRealm
> comments, Craig makes mention of using classes implementing the Principal
> interface to represent Users and Roles.  This sounds like a good approach
> given the vagueness surrounding the JAAS implementation once you get into
> implementing it.  In the JAASRealm class, there are setters for configuring
> the JAASRealm with the names of Principal classes that contain Users and
> Roles.  After running a "Find Usages" with IDEA, I wasn't able to find any
> code which references these methods.  So, how does the JAASRealm find out
> what classes contain users vs. roles?  Is there some kind of magic going on
> with the realm config node in server.xml?  I'd like to start using JAAS on
> Tomcat since we currently use JAAS for our JRun servers and converting the
> existing LoginModules won't be too much of a pain.
>

As you've undoubtedly discovered, the JAAS spec doesn't provide any
guidance for figuring out which Principal is which in the Subject that
gets returned.  Looking inside some of the existing implementations (such
as the one that can access an NT domain), this was being done by hard
coded instanceof checks on particular Principal subclasses.

So, to generalize this a little, JAASRealm lets you declare the fully
qualified class names of classes that represent your roles (in the
"roleClasses" property).  You can see it used in the createPrincipal()
method inside JAASRealm, where it is checking the classname of each
returned Principal against the list of class names you provided.  When it
finds a match, it assumes that principal.getName() on that Principal will
return the role name that has been authorized for this user.

The "userClasses" property serves a similar purpose for saying which
classes actually represent the user.

NOTE:  The implementation classes themselves need to be visible to
Catalina's internal class loaders for all of this to work.  The simplest
thing to do is put them in a JAR file in $CATALINA_HOME/server/lib, or as
unpacked classes under $CATALINA_HOME/server/classes.

NOTE:  You won't see any direct references to the setRoleClasses() or
setUserClasses() methods.  The code that parses server.xml (the Digester
module) has magic code (well, it's actually separately available in
commons-beanutils :-) in it that matches up attributes in the XML
elements to the corresponding property setters in the class.  So, you
configure one of these beasts like this:

  <Realm className="org.apache.catalina.realm.JAASRealm"
       roleClasses="com.foo.MyFirstRole,com.bar.MySecondRole"
              ... />

and the setter gets called for you via Java's introspection and
reflection capabilities.


Craig


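Craig's description of how JAASRealm picks the user and the roles out of the returned Subject by comparing Principal class names, as an added example: a LoginModule together with the two Principal classes it places into the Subject, written to be driven by JAASRealm. This is neither Tomcat's code nor code posted in the thread. The com.example.auth package, the class names, the DemoApp entry name, the in-memory credential table and the deployment sketch in the header comment are this example's assumptions, and it uses the J2SE 1.4 collections API (raw types, no generics) to match the JVMs under discussion. Craig writes the attributes as roleClasses and userClasses; the Tomcat 4.1 realm documentation lists them as userClassNames and roleClassNames, so check the JAASRealm source of the release you run before copying the server.xml fragment.

```java
package com.example.auth;

import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Wiring this example assumes (hypothetical names):
 *   jaas.config, passed with -Djava.security.auth.login.config=/path/jaas.config:
 *     DemoApp { com.example.auth.DemoLoginModule required; };
 *   server.xml (attribute names as in the Tomcat 4.1 realm documentation):
 *     <Realm className="org.apache.catalina.realm.JAASRealm" appName="DemoApp"
 *            userClassNames="com.example.auth.UserPrincipal"
 *            roleClassNames="com.example.auth.RolePrincipal"/>
 * All three classes go in a JAR under $CATALINA_HOME/server/lib so that Catalina's
 * own class loader, not only one webapp's, can see them.
 */

/** Names the authenticated user; its class is the one listed in userClassNames. */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** One per granted role; getName() is matched against <role-name> in web.xml. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

public class DemoLoginModule implements LoginModule {
    // Constructed in-memory credentials for the example only; a real module would
    // defer the password check to the OS or a directory and hold no cleartext.
    private static final Map PASSWORDS = new HashMap();
    private static final Map ROLES = new HashMap();
    static {
        PASSWORDS.put("alice", "correct-horse".toCharArray());
        ROLES.put("alice", new String[] { "manager", "employee" });
        PASSWORDS.put("bob", "battery-staple".toCharArray());
        ROLES.put("bob", new String[] { "employee" });
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;                        // set only after a successful login()
    private final Set added = new HashSet();    // Principals this module put into the Subject

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase one. JAASRealm's handler answers exactly a NameCallback and a PasswordCallback.
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (Exception e) {                 // IOException or UnsupportedCallbackException
            throw new LoginException(e.toString());
        }
        char[] supplied = passCb.getPassword(); // a copy; zeroed in finally
        passCb.clearPassword();
        try {
            char[] expected = (char[]) PASSWORDS.get(nameCb.getName());
            if (supplied == null || expected == null || !constantTimeEquals(supplied, expected)) {
                throw new FailedLoginException("bad user name or password");
            }
        } finally {
            if (supplied != null) Arrays.fill(supplied, '\0');
        }
        user = nameCb.getName();
        return true;
    }

    // Phase two. Principals reach the Subject only here, so an abort() triggered by
    // another module in the stack never leaves a half-populated Subject behind.
    public boolean commit() throws LoginException {
        if (user == null) return false;
        added.add(new UserPrincipal(user));
        String[] roles = (String[]) ROLES.get(user);
        for (int i = 0; i < roles.length; i++) added.add(new RolePrincipal(roles[i]));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() throws LoginException { user = null; added.clear(); return true; }

    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(added);
        return abort();
    }

    // Compares every character so timing does not reveal where the first mismatch is.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Everything JAASRealm learns about the user comes from the Principals in the Subject, so list under roleClassNames only classes whose getName() you intend to be matched against <role-name> entries in web.xml. A generic Principal class whose name is the login name must not appear in that list, or a user who registers as "manager" is granted the manager role. Keeping the user and the roles in two distinct classes, as above, is what makes the class-name check Craig describes meaningful.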


Tomcat 4.1.x JAASRealm Implementation

Posted by James Krygowski <ja...@shaws.com>.
Hey All (Craig particularly)-

Going through the code that exists in 4.1.8, I noticed that in the JAASRealm
comments, Craig makes mention of using classes implementing the Principal
interface to represent Users and Roles.  This sounds like a good approach
given the vagueness surrounding the JAAS implementation once you get into
implementing it.  In the JAASRealm class, there are setters for configuring
the JAASRealm with the names of Principal classes that contain Users and
Roles.  After running a "Find Usages" with IDEA, I wasn't able to find any
code which references these methods.  So, how does the JAASRealm find out
what classes contain users vs. roles?  Is there some kind of magic going on
with the realm config node in server.xml?  I'd like to start using JAAS on
Tomcat since we currently use JAAS for our JRun servers and converting the
existing LoginModules won't be too much of a pain.

jk




Re: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment

Posted by John Gentilin <ge...@eyecatching.com>.
If you use the JNDI Realm, besides understanding how realms work, it
really steps up the complexity of getting a JNDI Server up and running
also. My goal here is to have a simple webapp that I can just drop into
a standard Tomcat installation.

I have the JAAS Hello World working in a servlet now. It's really crufty,
since the servlet prompts on STDOUT and accepts the response on STDIN.
Two issues I still need to work out are: making a complete server
(currently I am debugging in the JBuilder environment, which gives you a
non-standard system classpath), and the version of JAAS (Sun 1.0) I am
using will only load a login configuration file from
USER_HOME/.java.login.config. I would rather have it loaded from a
resource stream so it can be packaged in my WAR file.

I will post the results.

Regards
John G

Andrew Conrad wrote:








RE: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment

Posted by Andrew Conrad <an...@msn.com>.
I'm not positive if you can make an NT Login, but TC 4.1.x has a
JAASRealm class which extends the Realm class.

I didn't see any docs except the source.  You probably want to get
familiar with Realms first, then tackle JAASRealm.  As a side note, if
you are using Active Directory, you could use JNDIRealm and connect
through LDAP to AD.


If you get JAAS to work, post it so we all can learn.


- Andrew

> -----Original Message-----
> From: John Gentilin [mailto:gentijo@eyecatching.com] 
> Sent: Friday, July 26, 2002 5:15 PM
> To: Apache TomCat Project
> Subject: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment