Posted to dev@tomcat.apache.org by LERBSCHER Jean-Pierre <je...@cofiroute.fr> on 2004/07/27 19:07:17 UTC

[jaas integration between tomcat/weblogic]

Hi,

 

I would like to make EJB calls from Tomcat to EJBs in WebLogic in a secure
environment (using J2EE roles). I configure a custom JAAS Realm that uses a
client-side LoginModule connecting to WLS
(weblogic.security.auth.login.UsernamePasswordLoginModule).

 

I put weblogic.jar into the common/lib directory and my login module classes
in common/classes.

I configure the webapp context like this:

      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="Sample"
             userClassNames="weblogic.security.principal.WLSUserImpl"
             roleClassNames="weblogic.security.principal.WLSGroupImpl"
             debug="99"/>

I grant all permission (for test only) in Catalina.policy.

And I run Catalina with -security option.

 

At this stage Tomcat uses the login module (and the WebLogic authentication
provider) to authenticate the user.

 

Everything works fine.

 

The subject built by WebLogic is used to create a GenericPrincipal used
internally by Tomcat.

 

My problem is that I need to use the WebLogic security API to propagate
the subject implicitly when I call the EJB component with the security data
provided by the WebLogic authentication provider (the subject).

 

First I try to run Tomcat with the security option and the permission; this
enables me to get the Tomcat subject (for example like this:
javax.security.auth.Subject mySubject =
javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());
) and call the WebLogic security API with that subject.

 

However, the Tomcat GenericPrincipal is not serializable and I get an
exception [java.io.NotSerializableException:
org.apache.catalina.realm.GenericPrincipal]...

 

Secondly, I try to rebuild the WebLogic subject with the subject generated by
javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());

I get a java.lang.SecurityException: [Security:090398]Invalid Subject:
principals=[my_username] exception generated by WebLogic.

 

It seems obvious that there are problems of integration!

 

My suggestions are to keep a trace of the original subject (for example in
the session with a specific key) or in a class that is accessible to
application classes (and not dependent on the Tomcat-specific API).

 

Do you have any other suggestions?

 

Environment:

 

Tomcat 5.0.27 (full install), running on xp, java 1.4.2_02

WLS 8 sp2, running on w2k, java 1.4.2_02

(= both on same machine, same environment)
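
Added example, not part of the original post and not Tomcat or WebLogic code: it reproduces the NotSerializableException described above using only the JDK, and shows a Subject rebuilt from its serializable principals. ContainerPrincipal and LoginModulePrincipal are hypothetical stand-ins for a container-internal principal and a login-module principal, and the code assumes a current JDK rather than the Java 1.4.2 named in the post.

```java
import java.io.*;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectSerializationDemo {
    // Hypothetical stand-in for a container-internal principal that is not Serializable.
    static final class ContainerPrincipal implements Principal {
        private final String name;
        ContainerPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical stand-in for a Serializable principal created by a login module.
    static final class LoginModulePrincipal implements Principal, Serializable {
        private final String name;
        LoginModulePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Returns true when the Subject (including every principal) survives Java serialization.
    static boolean isSerializable(Subject s) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            out.writeObject(s);
            return true;
        } catch (NotSerializableException e) {
            return false; // one principal in the set could not be written
        }
    }

    // Builds a new Subject holding only the principals that are Serializable.
    static Subject serializableView(Subject s) {
        Set<Principal> keep = new HashSet<>();
        for (Principal p : s.getPrincipals()) {
            if (p instanceof Serializable) keep.add(p);
        }
        return new Subject(false, keep, new HashSet<>(), new HashSet<>());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one Subject carrying both kinds of principal.
        Subject mixed = new Subject();
        mixed.getPrincipals().add(new LoginModulePrincipal("my_username"));
        mixed.getPrincipals().add(new ContainerPrincipal("my_username"));
        System.out.println("mixed subject serializable: " + isSerializable(mixed));
        System.out.println("filtered subject serializable: " + isSerializable(serializableView(mixed)));
    }
}
```

Filtering only addresses serialization; whether the receiving server accepts the rebuilt Subject is a separate check that this sketch does not cover.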