Posted to users@tomcat.apache.org by Denis Cossutta <de...@gmail.com> on 2008/02/18 16:14:29 UTC

JAAS Principal propagation from Tomcat to JBoss

I have the following situation (I try to simplify it):

   1. I have a standalone Apache Tomcat server (5.5.26), on which is
   running a web application:


   - A Welcome JSP page (Welcome.jsp) and 2 Servlets: CalculatorServlet
   and MyProtectedServlet
   - The CalculatorServlet servlet has to access remotely a stateless
   session bean on a JBoss application server:

            import java.util.Properties;
            import javax.naming.Context;
            import javax.naming.InitialContext;

            // JNDI lookup of the remote stateless bean on the JBoss server
            Properties env = new Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.URL_PKG_PREFIXES, "org.jnp.interfaces");
            env.put(Context.PROVIDER_URL, "localhost:1099");
            Context c = new InitialContext(env);
            // lookup() returns Object, so the remote proxy has to be cast to the remote interface
            MyCalculatorRemote calculator = (MyCalculatorRemote) c.lookup("MyCalculatorBean/remote");
            int result = calculator.sum(a, b);

   2. I have a standalone JBoss server (version 4.2.2), on which is
   running an EJB3 application


   - A Stateless session bean (MyCalculatorBean), which exposes a sum(int
   a, int b) method through the remote interface:

         import javax.annotation.security.RolesAllowed;
         import javax.ejb.Stateless;
         import org.jboss.annotation.security.SecurityDomain;

         @Stateless
         @SecurityDomain("MyRealm")   // bean is secured by the JBoss security domain below
         public class MyCalculatorBean implements MyCalculatorRemote {

                 @RolesAllowed("math")   // only authenticated callers with the "math" role
                 public Integer sum(int a, int b) {
                         return a + b;
                 }
         }

   - The Session bean is defined under the jboss security domain called
   "MyRealm", which is defined in the jboss login-config.xml and in fact
   uses a MySql database for authentication and authorization:

             <application-policy name="MyRealm">
                <authentication>
                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                         <module-option name="debug">true</module-option>
                         <module-option name="dsJndiName">java:/MysqlDS</module-option>
                         <module-option name="principalsQuery">SELECT PASSWORD FROM USERS WHERE EMAIL=?</module-option>
                         <module-option name="rolesQuery">SELECT ROLE, 'Roles' FROM ROLES WHERE EMAIL=?</module-option>
                    </login-module>
                </authentication>
             </application-policy>

   - The method sum(int a, int b) of the Session bean can be called only
   by authenticated users with "math" role:

                 @RolesAllowed("math")
                 public Integer sum(int a, int b) {
                           return a + b;
                  }

Since the Session bean is secured with the JBoss security mechanism, which is
based on JAAS, to access the bean I have to set up JAAS authentication on the
web application (single sign-on authentication):

   - I defined a JAASRealm in the Tomcat server.xml

         <Context path="/MyWebApplication" docBase="/MyWebApplication">

                  <Resource name="jdbc/MyDB" auth="Container" type="javax.sql.DataSource"
                      maxActive="100" maxIdle="30" maxWait="10000"
                      username="root" password="admin" driverClassName="org.gjt.mm.mysql.Driver"
                      url="jdbc:mysql://localhost/mydb?autoReconnect=true"/>

                  <Realm className="org.apache.catalina.realm.JAASRealm"
                      appName="MyRealm"
                      userClassNames="org.jboss.security.SimplePrincipal"
                      roleClassNames="org.jboss.security.SimpleGroup"
                      debug="99"/>

         </Context>

   - I defined a login.config file to be used by the JAASRealm; the file
   defines the login module to be used for JAAS authentication, and I chose
   to use the JBoss DatabaseServerLoginModule (I imported the JBoss security
   library into the Tomcat common/lib folder):

                MyRealm {
                      org.jboss.security.auth.spi.DatabaseServerLoginModule sufficient
                      debug="true"
                      dsJndiName="java:comp/env/jdbc/MyDB"
                      principalsQuery="select password from users where email=?"
                      rolesQuery="select role, 'Roles' from roles where email=?";
                };


   - I set up Tomcat to specify the location of the login.config file,
   changing the catalina.bat script:

             set JAVA_OPTS=%JAVA_OPTS% -Djava.security.auth.login.config==%CATALINA_HOME%/conf/login.config

   - I set up the web.xml of my web application to define the login
   configuration and the security constraints as follows:

    <security-constraint>
        <display-name>Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Proteced Servlet</web-resource-name>
            <description/>
            <url-pattern>/MyProtectedServlet</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Auth</description>
            <role-name>math</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MyRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>Math role</description>
        <role-name>math</role-name>
    </security-role>

   - I defined finally the login.jsp page as required for jaas
   authentication:

<html>
    <head>
    <title>Login Page</title>
    </head>
    <body>
    <!-- j_security_check, j_username and j_password are the names FORM authentication expects -->
    <form action='j_security_check' name="loginForm" method="POST">
    <table border="0" cellspacing="5">
    <tr>
        <th align="right">Username:</th>
        <td align="left"><input type="text" name="j_username" id="username"></td>
    </tr>
    <tr>
        <th align="right">Password:</th>
        <td align="left"><input type="password" name="j_password" id="password"></td>
    </tr>
    <tr>
        <td align="right"><input type="submit" value="Log In"></td>
        <td align="left"><input type="reset"></td>
    </tr>
    </table>
    </form>
    </body>
</html>

Now, the flow is the following one:

   - I access the web application root (http://localhost:8081/MyWebApplication)
   through the web browser and it displays the Welcome page (Welcome.jsp)
   - I click on a link on the Welcome page to the MyProtectedServlet
   - Since the MyProtectedServlet is a protected resource I'm redirected
   to the login page
   - I enter my credentials in the login page form and submit
   - the browser displays the MyProtectedServlet which has a link to the
   MyServlet servlet
   - Clicking on the link, I'm redirected to MyServlet, which calls the
   remote session bean (passing automatically the Principal of the logged-in
   user, which is supposed to be stored in the HttpServletRequest) and the
   result of the call is displayed on the page

Unfortunately I have the following issue trying to accomplish this process:

   - When submitting my credentials through the login page, I'm
   authenticated correctly (I'm not redirected to the error.jsp page) and
   redirected to MyProtectedServlet. Then I tried to access the MyServlet servlet
   after the authentication (i.e. first I try to access the
   MyProtectedServlet, then I get the login page, then I submit the
   credentials, then I'm redirected to MyProtectedServlet and finally I access
   the MyServlet servlet). Doing some debugging I discovered that just before
   calling the remote session bean method, the principal of the logged-in user
   is stored in the HttpServletRequest (request.getUserPrincipal). But
   when it performs the remote call I get an EJBAccessException saying "No
   matching username found in principals" and I discovered the reason for this
   problem is that on the JBoss side the Principal name (username) is null. This
   means that the Principal is not propagated to the JBoss context through the
   request



Does anyone have any idea why I have these problems and how to solve them,
because I'm really blocked. Thank you in advance for any suggestion
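As an added illustration (not code from the post, and not Tomcat's or JBoss's own implementation): the JAAS flow that the login.config entry above configures, written against the plain JDK so it runs without JBoss, Tomcat or a database. The in-memory user table, the Named principal class, the InMemoryLoginModule standing in for DatabaseServerLoginModule, and the ThreadLocal CALLER context standing in for whatever client-side security context a remote EJB proxy consults are all assumptions of this example. It shows the core of the symptom described in the post: the Subject that the web-tier login produces is a separate object from the context the remote call reads, so the callee sees a null caller until the caller code explicitly hands the identity over, and clears it again afterwards so a pooled request thread does not keep a stale identity.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasPropagationDemo {

    // Constructed sample data standing in for the USERS and ROLES tables queried in the post.
    static final Map<String, String> PASSWORDS = Map.of("alice@example.org", "s3cret");
    static final Map<String, String> ROLES = Map.of("alice@example.org", "math");

    // Plain principal (assumption); the JBoss SimplePrincipal/SimpleGroup named on the page are not used.
    static final class Named implements Principal {
        final String kind, name;
        Named(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        public String toString() { return kind + ":" + name; }
    }

    // Stand-in for DatabaseServerLoginModule: same callbacks, lookup against the in-memory maps.
    public static class InMemoryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("email: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.getMessage());
            }
            String expected = PASSWORDS.get(nc.getName());   // the principalsQuery equivalent
            char[] given = pc.getPassword();
            boolean ok = expected != null && given != null && expected.equals(new String(given));
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("no matching username/password");
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new Named("user", user));
            subject.getPrincipals().add(new Named("role", ROLES.get(user)));   // the rolesQuery equivalent
            return true;
        }

        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Programmatic equivalent of the page's login.config entry: MyRealm { <module> sufficient ...; };
    static Configuration myRealmConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"MyRealm".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        InMemoryLoginModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, Collections.emptyMap()) };
            }
        };
    }

    // What the JAASRealm does at form login: run the JAAS login and keep the resulting Subject.
    static Subject webTierLogin(String email, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(email);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("MyRealm", new Subject(), handler, myRealmConfig());
        lc.login();
        return lc.getSubject();
    }

    // Hypothetical client-side security context that a remote proxy would read (assumption, not JBoss code).
    static final ThreadLocal<Principal> CALLER = new ThreadLocal<>();

    // Stand-in for the remote sum() call: the callee only knows what the client context carries.
    static String callerNameSeenByBean() {
        Principal p = CALLER.get();
        return p == null ? null : p.getName();
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = webTierLogin("alice@example.org", "s3cret".toCharArray());
        System.out.println("Subject after web-tier login: " + subject.getPrincipals());

        // Nothing copied the web-tier identity into the client context: the "username is null" symptom.
        System.out.println("bean sees caller: " + callerNameSeenByBean());

        // The caller has to hand the identity over explicitly before the remote call, and remove it after.
        Principal user = subject.getPrincipals().stream()
                .filter(p -> p instanceof Named && ((Named) p).kind.equals("user")).findFirst().orElseThrow();
        CALLER.set(user);
        try {
            System.out.println("bean sees caller: " + callerNameSeenByBean());
        } finally {
            CALLER.remove();   // never leave an identity behind on a pooled request thread
        }
    }
}
```

Compile and run with a current JDK (Map.of needs Java 9 or later); no JBoss or Tomcat jars are required. The first "bean sees caller" line prints null, the second prints alice@example.org.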

Re: What version of Tomcat??

Posted by David Smith <dn...@cornell.edu>.
Hi Mike.

First, could you fix your system time?  Your email came through w/ a 
time stamp of 5/11/2004, 11:04am.  Unless you've found a really cool 
time machine somewhere and can send email into the future, this is just 
slightly annoying to me.

Regarding your question, if your effort is to eliminate bugs in the 
tomcat server, moving to the most recent available 5.5.x tomcat is 
probably the best advice.  Tomcat 6 isn't a huge change, but there is 
some refactoring and folder layout changes that might introduce issues 
rather than eliminate them.  Plus I suspect there is not a compatibility 
package for tomcat 6 like there was for tomcat 5 or 5.5.  You'd have to 
upgrade your Java version to run tomcat 6.

--David

Michael McQuade wrote:
> Hi Folks....
>
> Sorry I'm not very knowledgeable about technical aspects of Tomcat.....  I
> am having some problems with an application I am running acting rather
> weird.....  So what I want to do is download a newer version of Tomcat to
> try and rule out some possibilities.....
> Currently I am running the following....
>
> Tomcat version 5.0.28
> Java SDK Standard Edition Version 1.4.2
> Java 2 runtime environment
>
> To go to Tomcat 6.xx, can someone please tell me what I need to download...
>
> Binary Distributions Core  ZIP ???  I assume, for a windows environment
>
> Where I get confused is the Catalina stuff, or any other small pieces I need
> to add to it......  What version of Java do I need to grab....
>
> This is a Paste....
>
> "Tomcat 6.0 is designed to run on JSE 5.0 and later.
>
> In addition, Tomcat 6.0 uses the Eclipse JDT Java compiler for compiling
> JSP pages.  This means you no longer need to have the complete
> Java Development Kit (JDK) to run Tomcat, but a Java Runtime Environment
> (JRE) is sufficient.  The Eclipse JDT Java compiler is bundled with the
> binary Tomcat distributions.  Tomcat can also be configured to use the
> compiler from the JDK to compile JSPs, or any other Java compiler supported
> by Apache Ant. "
>
> So can I remove the Java SDK environment from my server and just download a
> a new JRE version 5????   Anyone got this link????
>
> I'm sorry for being so inept at this, I'm working on improving....
>
> Thank-you to anyone who can answer this for me....
>
> Mike
>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org