Posted to users@tomcat.apache.org by Jukka Männistö <ju...@gmail.com> on 2005/05/23 11:06:59 UTC
Tomcat and JAASRealm
Hello :)
(this is my very first post to any mailing-list)
I've been trying to get Tomcat and its JAASRealm to work for maybe
four weeks now.
Even though the JAAS authentication succeeds, Tomcat does not pass me
through to the protected web-app, but says HTTP 403 instead!
I read somewhere that the JAASRealm implementations in Tomcat versions
under 5.0.30 were somehow broken, but right now I'm using the latest
version (5.5.9 + 1.4 compatibility pack), so that shouldn't be a
problem.
I've tried fiddling with how and what Principals are added to the
Subject and so on... I've tried everything I've thought of and more...
Could someone please offer some suggestions on this? :)
Here's the JAASRealm configuration from server.xml:
______________________________________________
<Realm className="org.apache.catalina.realm.JAASRealm"
       appName="OutlookProxy"
       userClassNames="org.apache.catalina.realm.GenericPrincipal"
       roleClassNames="org.apache.catalina.realm.GenericPrincipal"
       debug="99"/>
______________________________________________
Here's a snippet of my web.xml:
______________________________________________
<security-constraint>
    <web-resource-collection>
        <web-resource-name>OutlookProxy</web-resource-name>
        <url-pattern>/exchange/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>outlook-role</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Web-app</realm-name>
</login-config>
______________________________________________
The JAAS configuration for "OutlookProxy" contains one LoginModule.
There's a user in tomcat-users.xml that has been associated with the
aforementioned role ("outlook-role").
The LoginModule class is in a jar file, under tomcat/server/lib.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Tomcat and JAASRealm
Posted by Jeroen Kransen <to...@jeroen.kransen.nl>.
Hello Jukka,
Jukka Männistö wrote:
>Hello :)
>
>
>(this is my very first post to any mailing-list)
>
>
Hope it will be a positive experience :-)
>I've been trying to get Tomcat and its JAASRealm to work for maybe
>four weeks now.
>
>Even though the JAAS authentication succeeds, Tomcat does not pass me
>through to the protected web-app, but says HTTP 403 instead!
>
>
403 means that authentication passed but authorization failed. In other
words, the user logged in all right, but does not possess the role
required to enter the webapp (in your case "outlook-role"), or at least
Tomcat can't determine that he does.
>I've tried fiddling with how and what Principals are added to the
>Subject and so on... I've tried everything I've thought of and more...
>
>
Make sure that you add Principals not only for the user, but also for
the role(s). I think if you didn't add the roles, that would explain the
above 403 error.
>______________________________________________
><Realm className="org.apache.catalina.realm.JAASRealm"
> appName="OutlookProxy"
> userClassNames="org.apache.catalina.realm.GenericPrincipal"
> roleClassNames="org.apache.catalina.realm.GenericPrincipal"
> debug="99"/>
>______________________________________________
>
>
>
I think you need to make a distinction between user and role Principals,
like UserPrincipal where the getName() returns the user name and a
RolePrincipal that returns "outlook-role" in getName(). Both Principals
need to be added in your LoginModule. Also, the first added Principal
has to be the user, and the next one(s) the role(s). I found this in the
Tomcat docs
(http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm):
"Although not specified in JAAS, you should create separate classes to
distinguish between users and roles...." and
"Regardless, the first Principal returned is /always/ treated as the
user Principal."
>Here's a snippet of my web.xml:
>______________________________________________
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>OutlookProxy</web-resource-name>
> <url-pattern>/exchange/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
>
> </web-resource-collection>
>
> <auth-constraint>
> <role-name>outlook-role</role-name>
> </auth-constraint>
>
> </security-constraint>
>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Protected Web-app</realm-name>
> </login-config>
>
>______________________________________________
>
>
>
You might want to add a
    <security-role>
        <role-name>outlook-role</role-name>
    </security-role>
directly below the </login-config>, though I don't think that will make
the difference.
>There's a user in tomcat-users.xml that has been associated with the
>aforementioned role ("outlook-role").
>
>
Now I'm quite sure you don't need this file at all. If Tomcat keeps
looking at this file, it means you're using MemoryRealm instead of
JAASRealm. Unless you use JAAS to access this file, but then you
probably wouldn't want to use JAAS in the first place. I assume you get
the user/role data from elsewhere, like from a database. If I am right,
better remove this file (or at least remove the users/roles that you're
testing) to avoid confusion.
Hope this helps. Please let me know either way, I'm also into JAAS
lately :-)
Regards, Jeroen
Re: Tomcat and JAASRealm
Posted by Jukka Uusisalo <ju...@dnainternet.net>.
Jukka Männistö wrote:
> Hello :)
>
>
> (this is my very first post to any mailing-list)
>
>
> I've been trying to get Tomcat and its JAASRealm to work for maybe
> four weeks now.
>
> Even though the JAAS authentication succeeds, Tomcat does not pass me
> through to the protected web-app, but says HTTP 403 instead!
>
> I read somewhere that the JAASRealm implementations in Tomcat versions
> under 5.0.30 were somehow broken, but right now I'm using the latest
> version (5.5.9 + 1.4 compatibility pack), so that shouldn't be a
> problem.
>
> I've tried fiddling with how and what Principals are added to the
> Subject and so on... I've tried everything I've thought of and more...
>
> Could someone please offer some suggestions on this? :)
>
>
Hi,
My best guess is that the 403 is due to trying to map roles in the
tomcat-users.xml file. If you put some role, which comes directly
from the LoginModule, into the web.xml security-constraint, I am pretty
sure this will work.
- Jukka -
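Both replies above point at the same cause: the roles Tomcat checks against <auth-constraint> have to come out of the LoginModule as Principals on the Subject, with the user Principal added first and the role Principals distinguishable from it, not from a role mapping in tomcat-users.xml. The following is an added example, not code from this thread or from Tomcat, of a LoginModule written that way, with the matching JAAS login configuration entry and Realm element shown in a comment. The package example.jaas, the class names, the sample user name and password, the in-memory credential store and the file paths are assumptions; the appName "OutlookProxy" and the role "outlook-role" come from the thread.

```java
// Added example (not from the thread or Tomcat): a JAAS LoginModule for
// Tomcat 5.5's JAASRealm that adds one UserPrincipal, then one RolePrincipal
// per role. Wiring, with assumed paths:
//
//   JAAS login configuration, e.g. $CATALINA_HOME/conf/jaas.config, selected via
//   -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config in JAVA_OPTS:
//     OutlookProxy {
//         example.jaas.OutlookProxyLoginModule required;
//     };
//
//   server.xml (user and role classes are now distinguishable):
//     <Realm className="org.apache.catalina.realm.JAASRealm"
//            appName="OutlookProxy"
//            userClassNames="example.jaas.UserPrincipal"
//            roleClassNames="example.jaas.RolePrincipal"/>
package example.jaas;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Identifies the authenticated user; getName() is the user name. */
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}

/** One role held by the user; getName() is what web.xml's <role-name> is matched against. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}

public class OutlookProxyLoginModule implements LoginModule {
    // Constructed sample store: user name -> { password, role, role, ... }.
    // A real module would query a database or directory and compare password
    // hashes, not clear text.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("jukka", new String[] { "secret", "outlook-role" }); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private List<String> roles = new ArrayList<String>();
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: verify the credentials Tomcat hands over; the Subject is not touched yet. */
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        String[] record = USERS.get(nc.getName());
        char[] given = pc.getPassword();
        pc.clearPassword();
        // Constant-time compare so response timing does not reveal how far the match got.
        if (record == null || given == null || !constantTimeEquals(record[0].toCharArray(), given)) {
            throw new FailedLoginException("bad user name or password");
        }
        user = nc.getName();
        roles = Arrays.asList(record).subList(1, record.length);
        succeeded = true;
        return true;
    }

    /** Phase 2: populate the Subject. User first: JAASRealm treats the first Principal as the user. */
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        for (String role : roles) subject.getPrincipals().add(new RolePrincipal(role));
        return true;
    }

    public boolean abort() { user = null; roles = new ArrayList<String>(); succeeded = false; return true; }

    public boolean logout() {
        for (Iterator<Principal> it = subject.getPrincipals().iterator(); it.hasNext();) {
            Principal p = it.next();
            if (p instanceof UserPrincipal || p instanceof RolePrincipal) it.remove();
        }
        return abort();
    }

    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With the user and role Principals in separate classes, JAASRealm can sort the Subject's Principals using userClassNames and roleClassNames; with both attributes naming the same class, as in the posted Realm element, it has no way to tell a role from a user, which is the point the Tomcat documentation quoted above is making. Nothing in tomcat-users.xml is consulted once the Realm is a JAASRealm, so "outlook-role" has to be added by the module itself.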