Posted to users@tomcat.apache.org by Andrew R Feller <af...@lsu.edu> on 2007/11/12 21:58:28 UTC

Web app classloader loading JAAS LoginModule instead of server

While developing a custom JAAS module to use Hibernate for users'
authorization profiles on a new application, we found that the Hibernate
login module was being initialized not by the server's classloader but
the webapp's classloader!  As we want to have different Realms declared
for each web application, we don't want to set a realm and security
constraints at the server level.

 

This issue came up while stepping through Tomcat's log.  Whenever the
application was being initialized, then its hibernate.cfg.xml was loaded
up from /WEB-INF/classes by the webappClassLoader.  Later on whenever
the protected resource was requested and the JAAS login module was
invoked, the login module was ALSO loaded by the webappClassLoader and
the hibernate.cfg.xml it requested was loaded from the
webappClassLoader's cache instead of searching for the one in
server/classes.

 

Questions:

1.	Why is the webapp's classloader loading classes for the login
module?  Is this the intended behavior?
2.	How is it possible to make Tomcat initialize the login module
without the login module being declared for the entire server?

 

Sincerely,

Andrew

 

Andrew R Feller, Analyst

Subversion Administrator

University Information Systems

Louisiana State University

afelle1@lsu.edu

(office) 225.578.3737

 


Re: Web app classloader loading JAAS LoginModule instead of server

Posted by david delbecq <de...@oma.be>.
If your problem is that a webapp using hibernate loaded its 
configuration from webappclassloader and then stored the hibernate 
loaded configuration in hibernate at common/ level, the problem is 
probably that you have put hibernate in common classloader (so common 
configuration, first webapp to configure it wins) instead of server 
level (that is, not reachable by webapps).

Putting your hibernate realm stuff in server/lib should make it 
invisible to webapps and then not influenceable by webapps.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Web app classloader loading JAAS LoginModule instead of server

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Andrew R Feller [mailto:afelle1@lsu.edu] 
> Subject: Web app classloader loading JAAS LoginModule instead 
> of server
> 
> we found that the Hibernate login module was being initialized 
> not by the server's classloader but the webapp's classloader!
> As we want to have different Realms declared for each web
> application, we don't want to set a realm and security
> constraints at the server level.

I'm confused; since you want different Realms for each webapp, isn't the
above observed behavior also the desired behavior?

> Whenever the application was being initialized, then its 
> hibernate.cfg.xml was loaded up from /WEB-INF/classes by
> the webappClassLoader.  Later on whenever the protected
> resource was requested and the JAAS login module was invoked,
> the login module was ALSO loaded by the webappClassLoader

So the same login module was loaded by the same classloader twice?  Or
is there an error in the above statement?

> the hibernate.cfg.xml it requested was loaded from the
> webappClassLoader's cache instead of searching for the
> one in server/classes.

Since you want separate Realms for each webapp, isn't the above what you
want?

> 1.	Why is the webapp's classloader loading classes for the login
> module?  Is this the intended behavior?

Depends on where your <Realm> is declared.  Take a look at:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Configuring%20a%20Realm

> 2.	How is it possible to make Tomcat initialize the login module
> without the login module being declared for the entire server?

Again, see the above link.  From your description, it looks like you've
already achieved what you want.

 - Chuck
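
As an added illustration (not part of the original thread and not configuration posted by any participant): a per-webapp JAASRealm declared in the application's META-INF/context.xml, showing the `useContextClassLoader` attribute that decides whether the LoginModule is loaded through the webapp classloader (the default) or the container's classloader. The `appName` value and the principal class names are hypothetical placeholders.

```xml
<!-- META-INF/context.xml of one web application (constructed example).
     A Realm nested in <Context> applies to this webapp only; a Realm
     nested in <Engine> or <Host> in server.xml applies more widely. -->
<Context>

  <!-- Variant A, the default: useContextClassLoader="true".
       JAASRealm resolves the LoginModule and Principal classes through
       the webapp classloader. The module therefore sees resources under
       WEB-INF/classes (for example the application's hibernate.cfg.xml),
       and the authentication code is whatever the webapp itself ships.

  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="ExampleApp"
         userClassNames="com.example.auth.UserPrincipal"
         roleClassNames="com.example.auth.RolePrincipal"
         useContextClassLoader="true"/>
  -->

  <!-- Variant B: useContextClassLoader="false".
       JAASRealm resolves the same classes through the container's
       classloader instead. The LoginModule, its Principal classes and
       the libraries it needs must then be installed at server level,
       where webapps cannot see or replace them, and the module reads
       the configuration visible to that loader rather than the copy
       in WEB-INF/classes. The Realm is still scoped to this webapp
       because it is declared inside this <Context>. -->
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="ExampleApp"
         userClassNames="com.example.auth.UserPrincipal"
         roleClassNames="com.example.auth.RolePrincipal"
         useContextClassLoader="false"/>

  <!-- appName selects an entry in the JVM-wide JAAS login configuration
       file named by the java.security.auth.login.config system property.
       Giving each webapp its own appName keeps per-application login
       module stacks separate in either variant. -->
</Context>
```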

