Posted to users@tomcat.apache.org by joe bob <kr...@gmail.com> on 2007/07/26 00:54:14 UTC

kerberos, JAAS, and container managed security

Hi,
     I would like to use kerberos in conjunction with container managed
security. I have configured a JAASRealm with Sun's kerberos LoginModule and
a basic scenario works fine. I.e., if a user accesses a protected URL, he is
challenged with a login screen. The user/password he enters is validated
against the kerberos system correctly.

We now have a requirement to honor kerberos password policies, for example
the "mandatory-password-change" flag. When set, the user gets a valid ticket
but all he can do is change his password. I tried doing this via my standard
configuration and the kerberos LoginModule throws an exception indicating
the user must change his password but the tomcat form authentication logic
seems to treat this as an invalid login and just redirects the user to the
error page with no way for the application to differentiate this situation.

Is it possible to honor kerberos password policies using JAAS and container
managed security? I have looked through the source and the answer appears
no. JAASRealm seems to catch various exceptions (e.g.
AccountExpiredException) but in the end just returns null to
FormAuthenticator as the authenticate() signature does not allow any checked
exceptions to be thrown and the FormAuthenticator implementation doesn't
seem to anticipate any runtime exceptions from this method.

I would much prefer to use container managed security for the usual reasons
but also to get (clustered) SSO support. Does anyone see something I missed
or have any ideas? Can I use the standard SSO valve with application managed
security somehow? Seems doubtful.

Thanks.
Kireet <us...@tom>
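The distinction the post is asking the container to surface is one that plain JAAS already makes at the exception level: a LoginModule can throw FailedLoginException for bad credentials and CredentialExpiredException for a valid password that policy says must be changed, and a caller of LoginContext.login() can tell the two apart. The following is an added example, not code from this thread or from Tomcat, and it assumes a constructed stand-in module (DemoKrbModule, with a hard-coded user table and a "must change password" flag) in place of a real Kerberos LoginModule; what Sun's Krb5LoginModule actually throws for such a principal is not shown on the page. It is self-contained (programmatic Configuration, no jaas.conf, no KDC) and runs on Java 11 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class PasswordPolicyDemo {

    // Constructed user table (hypothetical): name -> {password, mustChangePassword}
    static final Map<String, String[]> USERS = Map.of(
            "alice", new String[] {"s3cret", "false"},
            "bob",   new String[] {"hunter2", "true"});

    // Outcomes a caller can act on; a bare "null from authenticate()" carries none of this.
    enum Outcome { OK, BAD_CREDENTIALS, MUST_CHANGE_PASSWORD, OTHER_FAILURE }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Constructed stand-in for a Kerberos LoginModule; it never contacts a KDC. */
    public static class DemoKrbModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String[] rec = USERS.get(nc.getName());
            if (rec == null || !rec[0].equals(new String(pc.getPassword()))) {
                throw new FailedLoginException("bad credentials");       // wrong user or password
            }
            if (Boolean.parseBoolean(rec[1])) {
                // Credentials were accepted, but policy demands a change: a distinct JAAS type.
                throw new CredentialExpiredException("password must be changed");
            }
            user = nc.getName();
            pc.clearPassword();
            return true;
        }

        public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new SimplePrincipal(user));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    // Programmatic equivalent of a one-entry jaas.conf pointing at the demo module.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(DemoKrbModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())
            };
        }
    };

    /** Maps the JAAS exception type to an outcome the application can branch on. */
    static Outcome authenticate(String user, char[] password) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            new LoginContext("Demo", new Subject(), h, CONFIG).login();
            return Outcome.OK;
        } catch (CredentialExpiredException e) {
            return Outcome.MUST_CHANGE_PASSWORD;   // send to a change-password page, not the error page
        } catch (FailedLoginException e) {
            return Outcome.BAD_CREDENTIALS;
        } catch (LoginException e) {
            return Outcome.OTHER_FAILURE;
        }
    }

    public static void main(String[] args) {
        System.out.println("alice/s3cret  -> " + authenticate("alice", "s3cret".toCharArray()));
        System.out.println("alice/wrong   -> " + authenticate("alice", "wrong".toCharArray()));
        System.out.println("bob/hunter2   -> " + authenticate("bob", "hunter2".toCharArray()));
    }
}
```

The point of the example is the catch order in authenticate(): CredentialExpiredException and FailedLoginException are siblings under LoginException, so each can be handled separately before the generic case, and a password-change-required login can be routed somewhere other than the failure page. A realm whose authenticate() contract is "Principal or null" has to discard that type information, which is exactly the gap the post describes.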

Re: kerberos, JAAS, and container managed security

Posted by hanasaki <ha...@hanaden.com>.
Take a look at CAS.  It has the added value of:
- keeps passwords away from your container and its applications
- gives SSO !
- integrates well behind apache for a balancer and other mod_*
- works with other languages
- existing application integration

I have used it with success and replaced an expensive commercial
proprietary application for SSO with it.

http://www.ja-sig.org/products/cas/

email me off line if you need a hand with this.

- hanasaki-tomcatuser20070728@hanaden.com

joe bob wrote:
> Hi,
>     I would like to use kerberos in conjunction with container managed
> security. I have configured a JAASRealm with Sun's kerberos LoginModule and
> a basic scenario works fine. I.e., if a user accesses a protected URL, he is
> challenged with a login screen. The user/password he enters is validated
> against the kerberos system correctly.
> 
> We now have a requirement to honor kerberos password policies, for example
> the "mandatory-password-change" flag. When set, the user gets a valid ticket
> but all he can do is change his password. I tried doing this via my standard
> configuration and the kerberos LoginModule throws an exception indicating
> the user must change his password but the tomcat form authentication logic
> seems to treat this as an invalid login and just redirects the user to the
> error page with no way for the application to differentiate this situation.
> 
> Is it possible to honor kerberos password policies using JAAS and container
> managed security? I have looked through the source and the answer appears
> no. JAASRealm seems to catch various exceptions (e.g.
> AccountExpiredException) but in the end just returns null to
> FormAuthenticator as the authenticate() signature does not allow any checked
> exceptions to be thrown and the FormAuthenticator implementation doesn't
> seem to anticipate any runtime exceptions from this method.
> 
> I would much prefer to use container managed security for the usual reasons
> but also to get (clustered) SSO support. Does anyone see something I missed
> or have any ideas? Can I use the standard SSO valve with application managed
> security somehow? Seems doubtful.
> 
> Thanks.
> Kireet <us...@tom>
> 
