Posted to user@struts.apache.org by Wendy Smoak <ja...@wendysmoak.com> on 2005/08/13 00:22:24 UTC
[OT] Tomcat, JAAS and Kerberos
As I mentioned earlier today, we've licensed a (Struts-based, so I'm not
*entirely* off topic) third-party webapp that comes pre-configured to do
LDAP authentication. We, of course, do not have LDAP. We have Kerberos.
Easy enough, I thought... surely there's a KerberosRealm I can configure and
plug in. Apparently not.
I can successfully authenticate with Kerberos at the command line using the
code in the tutorial:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html
I cannot, however, figure out what I'm supposed to do to fit that part into
the Catalina JAASRealm, as described here:
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JAASRealm
The first thing it says is "Write your own LoginModule". (Frightening...
*I* have to talk to the Kerberos service?) But there's already
com.sun.security.auth.module.Krb5LoginModule which is used in the tutorial,
so maybe not. I have that in $CATALINA_HOME/conf/jaas.config with JAVA_OPTS
set properly.
And that's about as far as I can get. When I go to configure server.xml, it
wants class names for users and roles:
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="JaasSample"
userClassNames="???"
roleClassNames="???"
debug="99"/>
Even if I write a couple of classes and fill in the blanks, I don't see
what's ever going to instantiate them.
What am I missing? This can't be as hard as I'm making it.
Thanks,
Wendy Smoak
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: [OT] Tomcat, JAAS and Kerberos
Posted by Wendy Smoak <ja...@wendysmoak.com>.
From: "netsql" <ne...@roomity.com>
> JAAS I think acts a bit like a filter, it just gets called. In your
> web.xml you tell it what url you want secured and somehow map how the
> users see it. Bea site has a good doc on web.xml.
I'm okay with web.xml, it's configuring the Realm that I'm stuck on--
actually, writing a LoginModule. And I have been wandering around the JAAS
tutorials and the Catalina source code for way too long now. I think I also
took an accidental side trip into 'JAAS Authorization' which I _don't_
need-- just Authentication.
This tutorial might be the key, we'll see...
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/AcnAndAzn.html
> (or just go JDBC realms... map JDBC to LDAP :-)
If I had JDBC and/or LDAP, I would be done by now. One day I will work
somewhere that has normal systems...
Thanks,
Wendy
Re: [OT] Tomcat, JAAS and Kerberos
Posted by netsql <ne...@roomity.com>.
1st answer is I dunno.
But...
JAAS I think acts a bit like a filter, it just gets called. In your
web.xml you tell it what url you want secured and somehow map how the
users see it. Bea site has a good doc on web.xml.
So I assume that when you get to the secure url, those classes fire and
see who the user is.
(or just go JDBC realms... map JDBC to LDAP :-)
.V
Wendy Smoak wrote:
>
> Even if I write a couple of classes and fill in the blanks, I don't see
> what's ever going to instantiate them.
>
> What am I missing? This can't be as hard as I'm making it.
>
> Thanks,
> Wendy Smoak
Re: [OT] Tomcat, JAAS and Kerberos
Posted by Wendy Smoak <ja...@wendysmoak.com>.
From: "Adam Hardy" <ah...@cyberspaceroad.com>
> Yes that's more or less what I did when writing a JBoss login module.
> Unfortunately the JBoss stuff was really still in beta and I had to do a
> fair amount of debugging to work out how to make it work.
Same here... after hours spent with JSwat stepping through the Catalina
source code, I came up with three examples of Kerberos authentication with
Tomcat's JAASRealm:
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatJspExamples
I ended up going with a custom Realm that does nothing more than extend
JAASRealm and override the 'authenticate' method. I have to construct a new
GenericPrincipal with the roles that I need, since they don't come from
Kerberos.
--
Wendy Smoak
Re: [OT] Tomcat, JAAS and Kerberos
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Wendy Smoak on 16/08/05 17:26, wrote:
>> The User and Role classes are more or less simple DTOs, one User object
>> for the user and x Role objects for each role the User is in.
>
>
> This is where I'm stuck. Right now I'm playing with extending
> Krb5LoginModule, just wrapping it and passing through all the method calls
> except 'commit' where I'll need to add more Principals (Users & Roles) to
> the Subject. I think. It made sense yesterday... Does that sound
> remotely correct?
Yes that's more or less what I did when writing a JBoss login module.
Unfortunately the JBoss stuff was really still in beta and I had to do a
fair amount of debugging to work out how to make it work.
Good luck
Adam
Re: [OT] Tomcat, JAAS and Kerberos
Posted by Wendy Smoak <ja...@wendysmoak.com>.
From: "Adam Hardy" <ah...@cyberspaceroad.com>
> if you set up tomcat to use the JAAS realm, then tomcat will set up a
> LoginContext, which is what you configure by pointing it to your
> LoginModule(s).
>
> You either code your LoginModule or perhaps use the Sun one you mention
> (if the code does what it's meant to), you just need to configure it with
> the right options.
Thanks! I finally managed to get the Tomcat 5.0 'jsp-examples' webapp to
use Kerberos for authentication:
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatJspExamples
It's very much a hack-- in my environment, Sun's LoginModule only comes back
with a single KerberosPrincipal, so I had to add user@<krb realm> as a
'role' in the webapp's web.xml to allow access.
> The User and Role classes are more or less simple DTOs, one User object
> for the user and x Role objects for each role the User is in.
This is where I'm stuck. Right now I'm playing with extending
Krb5LoginModule, just wrapping it and passing through all the method calls
except 'commit' where I'll need to add more Principals (Users & Roles) to
the Subject. I think. It made sense yesterday... Does that sound remotely
correct?
> Getting the classes all in the classpath is obviously important, and
> depending on how tomcat does it, you might need to jar them up separately
> from your app and put them in the internal tomcat lib dir.
Interesting note... on
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JAASRealm
the 'useContextClassLoader' attribute seems to work *backwards*. If you set
it to true... Tomcat will not find a LoginModule implementation in
WEB-INF/lib, you have to put it in /server/lib. I think the attribute name
should really be 'useContainerClassLoader'. (This only applies to your own
LoginModule implementation-- it can find Sun's Krb5LoginModule regardless.)
I *still* cannot believe no one else has done this yet. If they have,
Google doesn't know about it. I can't even find a commercial
implementation.
--
Wendy Smoak
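The approach described in this message (wrap Krb5LoginModule, pass every phase through, and add User and Role principals to the Subject in commit), written out as an added illustration; this is not Wendy's code and not taken from the wiki page she links. The UserPrincipal/RolePrincipal class names, the default package, and the "roles" module option are assumptions for the example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.module.Krb5LoginModule;

// Marker principals, named in server.xml as userClassNames="UserPrincipal" roleClassNames="RolePrincipal"
final class UserPrincipal implements Principal {
    private final String name; UserPrincipal(String n) { name = n; }
    public String getName() { return name; }
}
final class RolePrincipal implements Principal {
    private final String name; RolePrincipal(String n) { name = n; }
    public String getName() { return name; }
}

// Wraps Sun's Krb5LoginModule: every phase passes through, but commit() also adds a
// UserPrincipal and RolePrincipals to the Subject once Kerberos has succeeded.
public class Krb5RoleLoginModule implements LoginModule {
    private final Krb5LoginModule delegate = new Krb5LoginModule();
    private Subject subject;
    private Map<String, ?> options;
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.options = options;
        delegate.initialize(subject, handler, sharedState, options);
    }
    public boolean login()  throws LoginException { return delegate.login(); }
    public boolean abort()  throws LoginException { return delegate.abort(); }
    public boolean logout() throws LoginException { return delegate.logout(); }
    public boolean commit() throws LoginException {
        if (!delegate.commit()) return false;        // Kerberos authentication failed
        // Krb5LoginModule leaves a single KerberosPrincipal ("user@REALM") in the Subject
        Set<KerberosPrincipal> kps = subject.getPrincipals(KerberosPrincipal.class);
        if (kps.isEmpty()) throw new LoginException("no KerberosPrincipal after commit");
        subject.getPrincipals().add(new UserPrincipal(kps.iterator().next().getName()));
        // Roles do not come from Kerberos; this example reads a hypothetical "roles"
        // option from jaas.config (e.g. roles="tomcat,manager"); swap in your own lookup
        Object roles = options.get("roles");
        if (roles != null)
            for (String r : roles.toString().split(","))
                subject.getPrincipals().add(new RolePrincipal(r.trim()));
        return true;
    }
}
```

The jaas.config entry then names Krb5RoleLoginModule in place of Krb5LoginModule, and, per the class loader note in the message above, the jar has to sit where the JAASRealm's loader can see it.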
Re: [OT] Tomcat, JAAS and Kerberos
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
Hi Wendy,
if you set up tomcat to use the JAAS realm, then tomcat will set up a
LoginContext, which is what you configure by pointing it to your
LoginModule(s).
You either code your LoginModule or perhaps use the Sun one you mention
(if the code does what it's meant to), you just need to configure it
with the right options.
The User and Role classes are more or less simple DTOs, one User object
for the user and x Role objects for each role the User is in.
Getting the classes all in the classpath is obviously important, and
depending on how tomcat does it, you might need to jar them up
separately from your app and put them in the internal tomcat lib dir.
HTH
Adam
C.F. Scheidecker Antunes on 13/08/05 00:54, wrote:
> Wendy,
>
> Check out this article on JAAS with LDAP. I am sure that it might not be
> as hard to use Kerberos. I've seen an example of the userClassNames and
> roleClassNames somewhere this week. Let me see if I find it and I will
> forward it to you.
>
> The article on JAAS is at:
> http://www.theserverside.com/articles/article.tss?l=Pramati-JAAS
>
Re: [OT] Tomcat, JAAS and Kerberos
Posted by "C.F. Scheidecker Antunes" <na...@antunes.eti.br>.
Wendy,
Check out this article on JAAS with LDAP. I am sure that it might not be
as hard to use Kerberos. I've seen an example of the userClassNames and
roleClassNames somewhere this week. Let me see if I find it and I will
forward it to you.
The article on JAAS is at:
http://www.theserverside.com/articles/article.tss?l=Pramati-JAAS