Posted to dev@tomcat.apache.org by Michael Vorburger <vo...@verticali.com> on 2004/10/13 18:29:13 UTC
Authenticate against realm in web app: JAAS TomcatRealmProxyLoginModule?
(WAS: The good way of making JAAS and Realm authentication use the same back-end
authentication system?)
Hi,
How do you authenticate uid/pwd against a Tomcat realm, from within a
web application?
We have a half-baked JMX-based solution; but it is not satisfactory
because we would have to move JARs around because of classloader issues.
Whether the code in the web app does this authentication JAAS-based or
another way is somewhat irrelevant, although JAAS would seem natural.
The main problem really is: How to find the "current" Tomcat Realm, from
within a custom written (easy; done) JAAS LoginModule? If others agree
that this would be nice to have, how can we get something like a
TomcatRealmProxyLoginModule into Tomcat?
More background below, if interested.
Thanks a lot,
Michael
===
Background: On e.g. WebLogic or WebSphere, we can use the JAAS API to
authenticate uid/pwd from within a web application, because they both
have built-in JAAS LoginModule implementations which "forward" to
whatever they call a realm. This is sometimes very useful. (For BEA
there is a weblogic.security.auth.login.UsernamePasswordLoginModule; for
WebSphere simply using "ClientContainer" as Application/LoginModuleName
when constructing the LoginContext does the trick, it uses their
com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.)
On Tomcat, we have not found a clean way to authenticate uid/pwd against
a Tomcat realm, from within a web application; unless we miss the
obvious? This is an alternative use of JAAS, different from the
JAASRealm included with Tomcat, it's sort of "opposite", makes sense?
In fact, Tomcat does include one class that may be conceptually vaguely
similar to what I am trying to achieve: The JAASMemoryLoginModule...
what we are looking for is help for a cleaner and more generic
re-implementation of the same idea, so that it works e.g. on top of a
JNDIRealm too, or indeed any maybe custom-written Tomcat Realm.
A few words on why we'd like to get this "Access Tomcat Realm through
JAAS API from app" JAASMemoryLoginModule-like approach working, instead
of the JAASRealm-based one: To e.g. use the JAASRealm with a simple text
file, I had to patch com.tagish.auth.FileLogin to be able to use it with
Tomcat; to simply do what MemoryRealm already does. To use this with
LDAP is a mess as there doesn't seem to be a working JAAS LDAP LoginModule
(the JNDI-based one included with JDK doesn't work too well, see also
earlier posts on this list) - what really works is your Tomcat
JNDIRealm. This is why the interest in this approach. Now, granted, I
could write a JAAS LoginModule copy/pasting the code from Tomcat
JNDIRealm, and then use the JAASRealm... but... agreed "the other way
around" would be nicer? Also easier for deployment; people are used to
realms, but confused with JAAS.
If people on this list think that this "other way around" is not the way
to go for some reason (despite e.g. WebLogic or WebSphere doing it like
that; haven't looked at JAAS in JBoss yet, anybody?) please do respond, too.
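A sketch of the realm-proxy LoginModule the message above asks for, added here as an example; it is not part of the original post and not Tomcat code. The RealmAuthenticator interface and the static realm field are hypothetical stand-ins for the unresolved "find the current Realm" step; the interface mirrors the authenticate(String, String) method of org.apache.catalina.Realm.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RealmProxyLoginModule implements LoginModule {
    // Hypothetical seam mirroring Realm.authenticate(String, String); not a Tomcat type.
    public interface RealmAuthenticator { Principal authenticate(String user, String credentials); }
    // Assumption: something in the container publishes the realm here; locating it is the open question.
    public static volatile RealmAuthenticator realm;

    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;   // set only after the realm accepted the credentials

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s;
        handler = h;
    }

    public boolean login() throws LoginException {
        RealmAuthenticator r = realm;
        if (handler == null || r == null) throw new LoginException("no callback handler or realm configured");
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        char[] pw = pass.getPassword();   // getPassword() returns a copy
        pass.clearPassword();
        if (name.getName() == null || pw == null) throw new FailedLoginException("missing credentials");
        try {
            principal = r.authenticate(name.getName(), new String(pw));
        } finally {
            Arrays.fill(pw, '\0');        // wipe our copy whether or not the realm call succeeded
        }
        // One message for unknown user and wrong password, so callers cannot tell them apart.
        if (principal == null) throw new FailedLoginException("authentication failed");
        return true;
    }

    // The Subject is only modified in commit(), after every configured module has succeeded.
    public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
    public boolean abort() { if (principal == null) return false; logout(); return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

A web application would name this class in its JAAS configuration and call LoginContext.login() with a CallbackHandler that supplies the uid/pwd.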