Posted to dev@tomcat.apache.org by Michael Vorburger <vo...@verticali.com> on 2004/10/13 18:29:13 UTC

Authenticate against realm in web app: JAAS TomcatRealmProxyLoginModule? (WAS: The good way of making JAAS and Realm authentication use the same back-end authentication system?)

Hi,

How do you authenticate uid/pwd against a Tomcat realm, from within a 
web application?

We have a half-baked JMX-based solution; but it is not satisfactory 
because we would have to move JARs around because of classloader issues. 
Whether the code in the web app does this authentication JAAS-based or 
another way is somewhat irrelevant, although JAAS would seem natural. 
The main problem really is: How to find the "current" Tomcat Realm, from 
within a custom written (easy; done) JAAS LoginModule?  If others agree 
that this would be nice to have, how can we get something like a 
TomcatRealmProxyLoginModule into Tomcat?

More background below, if interested.

Thanks a lot,
Michael

===
Background: On e.g. WebLogic or WebSphere, we can use the JAAS API to 
authenticate uid/pwd from within a web application, because they both 
have built-in JAAS LoginModule implementations which "forward" to 
whatever they call a realm.  This is sometimes very useful. (For BEA 
there is a weblogic.security.auth.login.UsernamePasswordLoginModule; for 
WebSphere simply using "ClientContainer" as Application/LoginModuleName 
when constructing the LoginContext does the trick, it uses their 
com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.)

On Tomcat, we have not found a clean way to authenticate uid/pwd against 
a Tomcat realm, from within a web application; unless we miss the 
obvious?  This is an alternative use of JAAS, different from the 
JAASRealm included with Tomcat, it's sort of "opposite", makes sense?

In fact, Tomcat does include one class that may be conceptually vaguely 
similar to what I am trying to achieve: The JAASMemoryLoginModule... 
what we are looking for is help for a cleaner and more generic 
re-implementation of the same idea, so that it works e.g. on top of a 
JNDIRealm too, or indeed any maybe custom-written Tomcat Realm.

A few words on why we'd like to get this "Access Tomcat Realm through 
JAAS API from app" JAASMemoryLoginModule-like approach working, instead 
of the JAASRealm-based one: To e.g. use the JAASRealm with a simple text 
file, I had to patch com.tagish.auth.FileLogin to be able to use it with 
Tomcat; to simply do what MemoryRealm already does.  To use this with 
LDAP is a mess as there doesn't seem to be a working JAAS LDAP LoginModule 
(the JNDI-based one included with JDK doesn't work too well, see also 
earlier posts on this list) - what really works is your Tomcat 
JNDIRealm.  This is why the interest in this approach.  Now, granted, I 
could write a JAAS LoginModule copy/pasting the code from Tomcat 
JNDIRealm, and then use the JAASRealm... but... agreed "the other way 
around" would be nicer? Also easier for deployment; people are used to 
realms, but confused by JAAS.

If people on this list think that this "other way around" is not the way 
to go for some reason (despite e.g. WebLogic or WebSphere doing it like 
that; haven't looked at JAAS in JBoss yet, anybody?) please do respond, too.


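An added sketch of the proxy LoginModule idea described in the post (not part of the original message and not Tomcat code): a JAAS module that collects uid/pwd through callbacks and forwards them to a realm. `RealmProxyLoginModule`, `RealmAuthenticator` and the static `realm` field are hypothetical names; the static field is an assumption standing in for the realm lookup that the post leaves open.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RealmProxyLoginModule implements LoginModule {
    /** Hypothetical stand-in mirroring Realm.authenticate(String, String); null = rejected. */
    public interface RealmAuthenticator { Principal authenticate(String user, String credentials); }
    /** Assumption: the container publishes its realm here; the post leaves this lookup open. */
    public static volatile RealmAuthenticator realm;

    private Subject subject;
    private CallbackHandler handler;
    private Principal authenticated;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    public boolean login() throws LoginException {
        RealmAuthenticator target = realm;
        // Fail closed: without a realm or a way to ask for credentials, nobody logs in.
        if (target == null || handler == null) throw new LoginException("realm or handler missing");
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pwd = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pwd });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] secret = pwd.getPassword();   // copy of the password; wiped below
        pwd.clearPassword();
        if (name.getName() == null || secret == null) throw new FailedLoginException("missing credentials");
        try {   // the realm API takes a String, so one immutable copy is unavoidable
            authenticated = target.authenticate(name.getName(), new String(secret));
        } finally {
            Arrays.fill(secret, '\0');
        }
        if (authenticated == null) throw new FailedLoginException("realm rejected credentials");
        return true;
    }
    public boolean commit() {   // publish the principal only once the overall login succeeded
        if (authenticated != null) subject.getPrincipals().add(authenticated);
        return authenticated != null;
    }
    public boolean abort() { authenticated = null; return true; }
    public boolean logout() {
        if (authenticated != null) subject.getPrincipals().remove(authenticated);
        return abort();
    }
}
```

Application code would reach it through the standard JAAS entry point, `new LoginContext(entryName, callbackHandler).login()`, with the module listed under that entry name in the JAAS configuration.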