Posted to users@tomcat.apache.org by "Ye, Tao" <ty...@consilient.com> on 2001/08/13 23:57:54 UTC

RE: unable to instantiate LoginConfiguration while using jaas in servlet

Hi, Charlie,

Thanks for the reply. I had AllPermission set on jaas.jar. It's not because
of the permissions, but we have solved the problem. It seems to be a known
problem in the servlet world.

The problem lies in the behavior of jaas loading LoginModule and
LoginConfiguration objects. It only looks on the system classpath. Therefore
any LoginModule or LoginConfiguration objects that live in servlets (which
are loaded by the servlet container's custom loader) will not be found,
hence the error. The error is not very descriptive (class not found, or file
not found, what loader it's using?), so it took us a while to figure it out.

I also read this limitation will be lifted in 1.4. The temporary workaround
is to use some sort of a proxy to load the loginModule class from the Thread
context ClassLoader, which JBoss app server actually implements.

bye, 

Tao 

> -----Original Message-----
> From: Charlie Lai [mailto:charlie@angeles.eng.sun.com]
> Sent: Monday, August 13, 2001 11:06 AM
> To: tye@consilient.com
> Cc: java-security@sun.com
> Subject: Re: unable to instantiate LoginConfiguration while using jaas
> in serv
> 
> 
> > We hit a problem in trying to use JAAS in some servlet code. We are using
> > tomcat, with our servlet, which is calling jaas to get a LoginContext to
> > login. We are using our own LoginModule. This code works fine when it's a
> > standalone application, but as servlet it fails to get a LoginConfiguration.
> > (See stack trace below)
> 
> the first thing to check is whether jaas.jar has
> java.security.AllPermission.
> if you believe the permission is granted correctly,
> you can confirm this by setting the system property,
> 	java.security.debug=access,failure
> if the debug output shows that the protection domain for jaas.jar
> is the "domain that failed", you know the permission setting
> is not correct.
> 
> if this turns out not to be the problem,
> please send another email and we can try
> other steps to determine what may be going on.
> 
> thanks,
> charlie
> 
> > @@[01/08/12 01:59:59PM][ERROR][Thread-52      ][*b.CslVerbDispatchServlet]
> > java.lang.SecurityException: unable to instantiate LoginConfiguration
> >  at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:212)
> >  at javax.security.auth.login.LoginContext$1.run(LoginContext.java:166)
> >  at java.security.AccessController.doPrivileged(Native Method)
> >  at javax.security.auth.login.LoginContext.init(LoginContext.java:163)
> >  at javax.security.auth.login.LoginContext.<init>(LoginContext.java:319)
> >  at com.myco.api.security.MyLoginContext.<init>(SiteletLoginContext.java:42)
> >  at com.myco.engine.verb.CslVerbDispatchServlet.doGet(CslVerbDispatchServlet.java:285)
> >  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
> >  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
> >  at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:405)
> >  at org.apache.tomcat.core.Handler.service(Handler.java:287)
> >  at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
> >  at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:855)
> >  at org.apache.tomcat.core.ContextManager.service(ContextManager.java:801)
> >  at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:213)
> >  at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
> >  at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:501)
> >  at java.lang.Thread.run(Thread.java:484)
> > 
>
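
The proxy workaround described in the reply above, as an added example that is not code from this thread or from JBoss: a LoginModule placed on the system classpath that loads the real module through the thread context ClassLoader. The class name, the `delegate` option and `com.example.RealLoginModule` are assumptions, and it is written against the current Java API.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Put this class on the system classpath and name it in the JAAS config.
 * Hypothetical entry; "delegate" is an option name chosen for this example:
 *   MyApp { ContextLoaderLoginModuleProxy required
 *           delegate="com.example.RealLoginModule"; };
 * The real module stays inside the web application.
 */
public class ContextLoaderLoginModuleProxy implements LoginModule {
    private LoginModule delegate;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        Object name = options.get("delegate");
        // Inside a servlet request the context loader is the webapp's loader.
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        if (!(name instanceof String) || tccl == null) {
            throw new IllegalStateException("no 'delegate' option or no context ClassLoader");
        }
        try {
            // asSubclass rejects a configured class that is not a LoginModule.
            delegate = Class.forName((String) name, true, tccl)
                            .asSubclass(LoginModule.class)
                            .getDeclaredConstructor()
                            .newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new IllegalStateException("cannot load delegate " + name, e);
        }
        delegate.initialize(subject, handler, sharedState, options);
    }

    // All four phases of the JAAS two-phase login are forwarded unchanged.
    @Override public boolean login()  throws LoginException { return real().login(); }
    @Override public boolean commit() throws LoginException { return real().commit(); }
    @Override public boolean abort()  throws LoginException { return real().abort(); }
    @Override public boolean logout() throws LoginException { return real().logout(); }

    private LoginModule real() throws LoginException {
        if (delegate == null) throw new LoginException("proxy was not initialized");
        return delegate;
    }
}
```

The delegate class name comes only from the JAAS configuration file, so whoever can edit that file decides which class the proxy instantiates; protect it like any other security configuration.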