Posted to dev@tomcat.apache.org by LERBSCHER Jean-Pierre <je...@cofiroute.fr> on 2004/07/27 19:07:17 UTC
[jaas integration between tomcat/weblogic]
Hi,
I would like to make EJB calls from Tomcat to EJBs in Weblogic in a secure
environment (using J2EE roles). I
configured a custom JAAS Realm that uses a client-side LoginModule connecting
to WLS
(weblogic.security.auth.login.UsernamePasswordLoginModule).
I put weblogic.jar into the common/lib directory and my login module classes in
common/classes.
I configured the webapp context like this:
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="Sample"
userClassNames="weblogic.security.principal.WLSUserImpl"
roleClassNames="weblogic.security.principal.WLSGroupImpl"
debug="99"/>
I granted all permissions (for test only) in Catalina.policy.
And I run Catalina with the -security option.
At this stage Tomcat uses the login module (and the weblogic authentication
provider) to authenticate the user.
Everything works fine.
The Subject built by weblogic is used to create a GenericPrincipal used
internally by Tomcat.
My problem is that I need to use the weblogic security API to propagate
the subject implicitly when I call the EJB component with the security data
provided by the weblogic authentication provider (the subject).
First I tried to run Tomcat with the security option and the permission,
which enables me to get the Tomcat subject (for example like this:
javax.security.auth.Subject mySubject = javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());
) and call the weblogic security API with that subject.
However the Tomcat GenericPrincipal is not serializable and I get an
exception [java.io.NotSerializableException:
org.apache.catalina.realm.GenericPrincipal]...
Secondly I tried to rebuild the weblogic subject from the subject generated
by
javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());
I get a java.lang.SecurityException: [Security:090398]Invalid Subject:
principals=[my_username] exception generated by weblogic.
It seems obvious that there are integration problems!
My suggestions are to keep a trace of the original subject (for example in the
session with a specific key) or in a class that is accessible to
application classes (and not dependent on the Tomcat-specific API).
Do you have any other suggestions?
Environment:
Tomcat 5.0.27 (full install), running on xp, java 1.4.2_02
WLS 8 sp2, running on w2k, java 1.4.2_02
(= both on same machine, same environment)
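One way to implement the second suggestion above (a class, not tied to the Tomcat API, that keeps the original Subject), as an added example that is not code from the original post or from either product: a delegating JAAS LoginModule, placed in common/classes beside the existing login module, that wraps the WLS login module and records the Subject the delegate built so the web application can copy it into the session on the same request. The "delegate" option name and the assumption that Tomcat runs the JAAS login on the request thread that serves the authenticated request are mine, not documented behaviour.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* Wraps the real login module and keeps the Subject it produced reachable
   from application code. Java 1.4 style (no generics) to match the environment. */
public class RecordingLoginModule implements LoginModule {

    /* Holder readable by the webapp (same class loader via common/classes). Thread-local,
       so the value is only visible on the request thread that ran the login (assumption). */
    public static final class Holder {
        private static final ThreadLocal CURRENT = new ThreadLocal();
        public static Subject get() { return (Subject) CURRENT.get(); }
        /* Pooled threads serve later requests: always clear after copying to the session. */
        public static void clear() { CURRENT.set(null); }
    }

    private LoginModule delegate;
    private Subject subject;

    public void initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options) {
        this.subject = subject;
        // Hypothetical "delegate" option in the JAAS config names the real module,
        // e.g. weblogic.security.auth.login.UsernamePasswordLoginModule.
        String cls = (String) options.get("delegate");
        try {
            delegate = (LoginModule) Class.forName(cls).newInstance();
        } catch (Exception e) {
            throw new IllegalArgumentException("cannot load delegate login module: " + cls);
        }
        // Same Subject, handler, shared state and options are passed through unchanged.
        delegate.initialize(subject, handler, sharedState, options);
    }

    public boolean login() throws LoginException { return delegate.login(); }

    public boolean commit() throws LoginException {
        boolean ok = delegate.commit();
        // Record the Subject exactly as the delegate populated it (WLS principals intact),
        // before Tomcat maps it to its own non-serializable GenericPrincipal.
        if (ok) Holder.CURRENT.set(subject);
        return ok;
    }

    public boolean abort() throws LoginException { Holder.clear(); return delegate.abort(); }

    public boolean logout() throws LoginException { Holder.clear(); return delegate.logout(); }
}
```

A servlet filter on the protected URLs would then read RecordingLoginModule.Holder.get(), store it in the HttpSession under a fixed key, and call Holder.clear() in a finally block, so later requests use the session copy rather than the thread-local.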