Posted to users@tomcat.apache.org by "P. Douglas Reeder" <re...@osu.edu> on 2006/09/15 20:26:09 UTC

JAASRealm, Kerberos, and Open Directory

I'd like to set up a Realm which gets its authentication information
using Kerberos, specifically Open Directory running under OS X Server
10.3.9.  For initial testing, I'm running Tomcat 5.5.7 on the same
machine (the copy that comes with NetBeans 4.1), and setting
CATALINA_BASE to a directory of mine.  I can run Tomcat fine from my
CATALINA_BASE, and configuration changes are being seen by Tomcat.
The JAAS Kerberos example
(http://java.sun.com/j2se/1.5.0/docs/guids/security/jgss/tutorials/AcnONly.html)
is able to authorize against my Open Directory server
with no problems.

After reading the Tomcat docs, _Tomcat: The Definitive Guide_, and  
Wendy Smoak's examples at  
http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberosConfigOnly, I  
configured a Realm in server.xml as follows:

       <Realm className="org.apache.catalina.realm.JAASRealm"
              userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
              roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
              useContextClassLoader="true"
              debug="99"
       />

I created .java.login.config in my home directory:

Tomcat {
     com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

My script to start Tomcat is:

#! /bin/bash

export JAVA_HOME=/Library/Java/Home

export CATALINA_HOME=/Applications/NetBeans4.1.app/Contents/Resources/NetBeans/enterprise1/jakarta-tomcat-5.5.7

export CATALINA_BASE=$PWD

# Quoted so that all three -D options end up in JAVA_OPTS
export JAVA_OPTS="-Djava.security.krb5.realm=TONKUNST.SOM.OHIO-STATE.EDU \
-Djava.security.krb5.kdc=tonkunst.som.ohio-state.edu \
-Djava.security.auth.login.config=$HOME/.java.login.config"

"$CATALINA_HOME/bin/startup.sh"


Tomcat comes up without any errors, but whenever I try to access any  
servlet that requires authentication, the following error shows up in  
Tomcat's output:

javax.security.auth.login.LoginException: No LoginModules configured for Catalina

Although the browser puts up a password entry dialog, entering a valid  
username/password combination just results in the dialog coming back,  
signalling a failed authorization.

I get the same results when I try moving .java.login.config to
CATALINA_HOME/conf and updating java.security.auth.login.config in the
login script accordingly.  (If I misspell the file name in setting
java.security.auth.login.config, Tomcat complains about the missing
file, so I know it's finding the .java.login.conf file.)



Doug Reeder
Cognitive & Systematic Musicology Lab
OSU School of Music


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
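
An added example, not part of the original post: a check that lists the entry names defined in a JAAS login configuration file and compares them with the application name quoted in a LoginException like the one above. The sample inputs are constructed from the post, the function names are hypothetical, and the parser assumes only the basic `Name { module flag option=value; };` syntax (no quoted values containing spaces or semicolons).

```python
import re

# Constructed sample inputs mirroring the post: the login config defines an
# entry named "Tomcat", while the exception asks for "Catalina".
LOGIN_CONFIG = """
Tomcat {
     com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
"""
ERROR_LINE = ("javax.security.auth.login.LoginException: "
              "No LoginModules configured for Catalina")

FLAGS = {"required", "requisite", "sufficient", "optional"}


def parse_login_config(text):
    """Return {entry_name: [(module_class, flag, {option: value}), ...]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(?m)^\s*//.*$", "", text)            # whole-line comments
    entries = {}
    for name, body in re.findall(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        modules = []
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            parts = stmt.split()
            if len(parts) < 2 or parts[1].lower() not in FLAGS:
                raise ValueError(f"bad module line in entry {name!r}: {stmt!r}")
            opts = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
            opts = {k: v.strip('"') for k, v in opts.items()}
            modules.append((parts[0], parts[1].lower(), opts))
        entries[name] = modules
    return entries


def requested_app_name(error_line):
    """Extract the entry name JAAS was asked for from the exception text."""
    m = re.search(r"No LoginModules configured for (\S+)", error_line)
    return m.group(1) if m else None


def diagnose(config_text, error_line):
    """Return (requested_name, defined_names, found) as a mismatch check."""
    entries = parse_login_config(config_text)
    wanted = requested_app_name(error_line)
    return wanted, sorted(entries), wanted in entries


if __name__ == "__main__":
    wanted, defined, found = diagnose(LOGIN_CONFIG, ERROR_LINE)
    print(f"requested entry: {wanted}; defined entries: {defined}; match: {found}")
```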


Re: JAASRealm, Kerberos, and Open Directory

Posted by Wendy Smoak <ws...@gmail.com>.
On 9/15/06, P. Douglas Reeder <re...@osu.edu> wrote:
> I'd like to set up a Realm which gets its authentication information
> using Kerberos, specifically Open Directory running under OS X Server
> 10.3.9.
...
> After reading the Tomcat docs, _Tomcat: The Definitive Guide_, and
> Wendy Smoak's examples at
> http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberosConfigOnly, I
> configured a Realm in server.xml as follows:

This example sounds closer to what you're trying to do:

  http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatJAASRealm

The one you linked to is the "do the simplest thing that can possibly
work" version, and does not involve a custom Realm.

HTH,
-- 
Wendy
