Posted to dev@tomcat.apache.org by Antony Bowesman <ad...@teamware.com> on 2001/03/14 15:03:55 UTC

Plugging realms and JAAS into Tomcat 3.2

Hi,

I am trying to find out if it is possible to plug one's own proprietary
user realm into Tomcat 3.2.  I have JAAS login modules that authenticate
against this user realm and populate the JAAS Subject with principals
(user names, groups, roles).  However, I need to get this JAAS created
security context into the Web container's security context, so that, for
example, IsUserInRole() can be used to determine Roles from the original
user realm and any calls to EJB container will get the security context.

Rgds
Antony

-- 
Antony Bowesman
Teamware Group 
adb@teamware.com
tel: +358 9 5128 2562
fax: +358 9 5128 2705

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org


Re: Plugging realms and JAAS into Tomcat 3.2

Posted by Antony Bowesman <ad...@teamware.com>.
Hi Costin,

Thanks for your comments.  The whole security picture is somewhat
confusing and contradictory with regard to J2EE, JAAS and JDK1.4 and I
am trying to make sense of the various states of progress of security
implementations of the differing components.

We might be interested in doing something with either 3.2 or 3.3;
however, we have quite a sophisticated user realm and the problem is how
we can map the group and roles used in our realm into the security
context used in Web and EJB Containers. getCallerPrincipal and
getUserPrincipal only support a single Principal, does this mean we must
wrap a JAAS Subject in a Principal?

These Principals need to be available in Web, EJB (we also have an 'ORB
Container' implementation) and so they need to be propagated over RMI.

Is there any way to get the JAAS Subject into the container's context so
that it can be passed in the context to EJB?

I must admit my knowledge is a bit thin but how does the security
context get passed to EJB when a call is made RMI/IIOP from a servlet in
the web container?

As for Roles... Are the roles that can be populated into Tomcat passed
to EJB (or others) and how do these Roles relate to the
EJBContext.isCallerInRole() method?  Are they the same roles or is there
some mapping that tomcat does or are they even passed at all?  Are the
roles populated intended to be Web Container deployment descriptor
roles?

Rgds
Antony
-- 
Antony Bowesman
Teamware Group 
adb@teamware.com
tel: +358 9 5128 2562
fax: +358 9 5128 2705

> Hi Antony,
> 
> Normally 3.2 is frozen, and only bug fixes should go in.
> 
> But the good news is that for what you want, only a simple
> add-on module is needed ( and if it's available before 3.2
> is final, we can probably include it in package - if not
> it'll be a separate download ).
> 
> It should be reasonably easy -  all you need to do is implement
> a module, with setters for all properties that you need for 
> configuration, using the Simple or JDBC authenticators as a
> template.
> 
> In 3.2 you'll need to implement authorize() and authenticate()
> hooks.
> 
> Tomcat 3.x doesn't care how the authentication is done - it
> just calls the authentication chain and if a module returns
> OK and sets the roles then everything is ok. ( same model as
> in Apache/IIS/NES )
> 
> In 3.3 the auth code has been cleaned and reorganized, but
> it works in the same way.
> 
> Please let me know if you need any help ( Nacho is probably a
> better source :-), it would be a great contribution.
> 
> Costin
> 
> On Wed, 14 Mar 2001, Antony Bowesman wrote:
> 
> > Hi,
> >
> > I am trying to find out if it is possible to plug one's own proprietary
> > user realm into Tomcat 3.2.  I have JAAS login modules that authenticate
> > against this user realm and populate the JAAS Subject with principals
> > (user names, groups, roles).  However, I need to get this JAAS created
> > security context into the Web container's security context, so that, for
> > example, IsUserInRole() can be used to determine Roles from the original
> > user realm and any calls to EJB container will get the security context.
> >
> > Rgds
> > Antony
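
The question above about wrapping a JAAS Subject in a single Principal, worked through as an added example (not code from the thread's participants or from Tomcat). `SubjectPrincipal`, `UserPrincipal` and `RolePrincipal` are hypothetical names; only the JDK's `javax.security.auth.Subject` and `java.security.Principal` are real API, and the nested records assume Java 16 or later.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

// Added example: every type declared here is hypothetical, not Tomcat or J2EE API.
public final class SubjectPrincipal implements Principal, Serializable {

    // Principal types a login module is assumed to add to the Subject.
    public record UserPrincipal(String name) implements Principal, Serializable {
        public String getName() { return name; }
    }
    public record RolePrincipal(String name) implements Principal, Serializable {
        public String getName() { return name; }
    }

    private final Subject subject;
    private final String userName;

    public SubjectPrincipal(Subject subject) {
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        if (users.size() != 1) {
            // Fail closed: an anonymous or ambiguous Subject gets no identity.
            throw new IllegalArgumentException("expected exactly one UserPrincipal");
        }
        this.subject = subject;
        this.userName = users.iterator().next().getName();
    }

    // The single name a getUserPrincipal()-style API would expose.
    @Override public String getName() { return userName; }

    // The full Subject travels with the wrapper, e.g. across a serialized call.
    public Subject getSubject() { return subject; }

    // Role check that a container-side isUserInRole() could delegate to.
    public boolean isInRole(String role) {
        return subject.getPrincipals(RolePrincipal.class)
                      .contains(new RolePrincipal(role));
    }

    public static void main(String[] args) {
        Subject s = new Subject();                  // constructed sample data
        s.getPrincipals().add(new UserPrincipal("alice"));
        s.getPrincipals().add(new RolePrincipal("admin"));
        s.setReadOnly();                            // no roles can be added later
        SubjectPrincipal p = new SubjectPrincipal(s);
        System.out.println(p.getName() + " admin=" + p.isInRole("admin")
                + " auditor=" + p.isInRole("auditor"));
    }
}
```

Marking the Subject read-only before wrapping it keeps code that later receives the wrapper from adding role principals to it.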

Re: Plugging realms and JAAS into Tomcat 3.2

Posted by cm...@yahoo.com.
Hi Antony,

Normally 3.2 is frozen, and only bug fixes should go in.

But the good news is that for what you want, only a simple add-on module
is needed ( and if it's available before 3.2 is final, we can probably
include it in package - if not it'll be a separate download ).

It should be reasonably easy -  all you need to do is implement a module, 
with setters for all properties that you need for configuration, using the 
Simple or JDBC authenticators as a template. 

In 3.2 you'll need to implement authorize() and authenticate() hooks.

Tomcat 3.x doesn't care how the authentication is done - it just calls the 
authentication chain and if a module returns OK and sets the roles then
everything is ok. ( same model as in Apache/IIS/NES )

In 3.3 the auth code has been cleaned and reorganized, but it works in the
same way.

Please let me know if you need any help ( Nacho is probably a better
source :-), it would be a great contribution.

Costin

On Wed, 14 Mar 2001, Antony Bowesman wrote:

> Hi,
> 
> I am trying to find out if it is possible to plug one's own proprietary
> user realm into Tomcat 3.2.  I have JAAS login modules that authenticate
> against this user realm and populate the JAAS Subject with principals
> (user names, groups, roles).  However, I need to get this JAAS created
> security context into the Web container's security context, so that, for
> example, IsUserInRole() can be used to determine Roles from the original
> user realm and any calls to EJB container will get the security context.
> 
> Rgds
> Antony
> 
> 

