Posted to dev@tomcat.apache.org by LERBSCHER Jean-Pierre <je...@cofiroute.fr> on 2004/10/12 10:53:08 UTC

RE : The good way of making JAAS and Realm authentication use the same back-end authentication system?

It seems that the simplest way is to write your own login module or try to
use/configure/debug the existing JNDI login module.
Regards,

-----Original Message-----
From: Antoine Brocard - Vertical*i S.A. [mailto:brocard@verticali.com]
Sent: Tuesday, 12 October 2004 09:52
To: tomcat-dev@jakarta.apache.org
Subject: The good way of making JAAS and Realm authentication use the same
back-end authentication system?

Maybe this question should be in the User mailing list, but I think it
could interest some Developers...


The problem I had to solve is the following:

My application needs J2EE container authentication AND JAAS (to
authenticate requests coming from an application that doesn't support a
standard authentication scheme, like BASIC or FORM). The back-end
authentication system is an LDAP server. I would like both J2EE
authentication and JAAS to access the same LDAP server.


As a first try I set up the following configuration:

Use the Tomcat JAASRealm for J2EE authentication.
Use the JNDILoginModule as JAAS login module, to access the LDAP server.

The problem was that the JNDILoginModule was known to have bugs, and I
didn't succeed in making this configuration work.


The other solution is to make JAAS use the current J2EE authentication;
in other words make the JAAS login module access the current Tomcat Realm
and forward authentication requests to it. I looked for such a module,
without success.

I decided to write one myself, using the following hacks:

In order to access the current Realm from inside a loginmodule, I used
JMX. I copied some code from the
Tomcat sources. At this point I was able to get the current Realm but I
realized that the "authenticate"
method wasn't manageable through JMX.
To solve that, I decided to subclass the standard Tomcat Realm and to
make them accessible through JMX
by modifying the mbeans-descriptor.xml file. Finally it worked fine.

The last problem I had was related to location of .jar files.  In order
to make this work, I had to move the
content of TOMCAT_HOME/server/lib into TOMCAT_HOME/common/lib. This is
not very elegant and can lead to security
issues in some cases. Moreover clients are often reluctant to do such
operations...


My question(s) is(are) the following:

1) Is there a better/simpler procedure to make JAAS and J2EE container
authentication use the same back-end mechanism? Maybe I missed a step
somewhere...

1bis) If not, is there a simpler way of getting the current Realm from
Java code, instead of the ugly JMX
hack I used?

2) Why isn't there a "TomcatLogin" JAAS loginmodule, like there is with
Weblogic or Websphere? It seems that "JAAS asking Realm" is the
"standard" way of doing it, not the "Realm asking JAAS" one used by
Tomcat...

Thanks in advance for your help


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org




Re: RE : The good way of making JAAS and Realm authentication use the same back-end authentication system?

Posted by "Antoine Brocard - Vertical*i S.A." <br...@verticali.com>.
Yes, certainly for this specific case...

But from a more "philosophical" point of view, why do I have to do that?
I mean why isn't it provided as standard with Tomcat (it is not a criticism,
it's only a question)?

Does my code interest the Tomcat community?


LERBSCHER Jean-Pierre wrote:
> It seems that the simplest way is to write your own login module or try to
> use/configure/debug the existing JNDI login module.
> Regards,
> 
> -----Original Message-----
> From: Antoine Brocard - Vertical*i S.A. [mailto:brocard@verticali.com]
> Sent: Tuesday, 12 October 2004 09:52
> To: tomcat-dev@jakarta.apache.org
> Subject: The good way of making JAAS and Realm authentication use the same
> back-end authentication system?
> 
> Maybe this question should be in the User mailing list, but I think it
> could interest some Developers...
> 
> 
> The problem I had to solve is the following:
> 
> My application needs J2EE container authentication AND JAAS (to
> authenticate requests coming from an application that doesn't support a
> standard authentication scheme, like BASIC or FORM). The back-end
> authentication system is an LDAP server. I would like both J2EE
> authentication and JAAS to access the same LDAP server.
> 
> 
> As a first try I set up the following configuration:
> 
> Use the Tomcat JAASRealm for J2EE authentication.
> Use the JNDILoginModule as JAAS login module, to access the LDAP server.
> 
> The problem was that the JNDILoginModule was known to have bugs, and I
> didn't succeed in making this configuration work.
> 
> 
> The other solution is to make JAAS use the current J2EE authentication;
> in other words make the JAAS login module access the current Tomcat Realm
> and forward authentication requests to it. I looked for such a module,
> without success.
> 
> I decided to write one myself, using the following hacks:
> 
> In order to access the current Realm from inside a loginmodule, I used
> JMX. I copied some code from the
> Tomcat sources. At this point I was able to get the current Realm but I
> realized that the "authenticate"
> method wasn't manageable through JMX.
> To solve that, I decided to subclass the standard Tomcat Realm and to
> make them accessible through JMX
> by modifying the mbeans-descriptor.xml file. Finally it worked fine.
> 
> The last problem I had was related to location of .jar files.  In order
> to make this work, I had to move the
> content of TOMCAT_HOME/server/lib into TOMCAT_HOME/common/lib. This is
> not very elegant and can lead to security
> issues in some cases. Moreover clients are often reluctant to do such
> operations...
> 
> 
> My question(s) is(are) the following:
> 
> 1) Is there a better/simpler procedure to make JAAS and J2EE container
> authentication use the same back-end mechanism? Maybe I missed a step
> somewhere...
> 
> 1bis) If not, is there a simpler way of getting the current Realm from
> Java code, instead of the ugly JMX
> hack I used?
> 
> 2) Why isn't there a "TomcatLogin" JAAS loginmodule, like there is with
> Weblogic or Websphere? It seems that "JAAS asking Realm" is the
> "standard" way of doing it, not the "Realm asking JAAS" one used by
> Tomcat...
> 
> Thanks in advance for your help
> 
> 