Using 2 Realms for authentication and access control

2006-12-15 Thread Workman, Joe
I have an application that runs on tomcat that by default uses a
JDBCRealm to query a database for authentication. I would like to use
Kerberos for the user password authentication but still use my JDBCRealm
for access control through roles. I was hoping you could point me in the
right direction. I am running on Solaris 9, Java 1.5.0_10 with Tomcat
5.5.17.
 
I really appreciate any help you could give me!!!
 
Here is my tomcat config:
 
server.xml (snippet) - 
 
  
 
  

 
jaas.conf - 
 
Tomcat {
  com.sun.security.auth.module.Krb5LoginModule required;
};

 
web.xml (snippet) -
 
  <security-constraint>
    <display-name>Tomcat Server Configuration Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.js</url-pattern>
      <url-pattern>*.html</url-pattern>
      <url-pattern>*.pieConfig</url-pattern>
      <url-pattern>*.pieData</url-pattern>
      <url-pattern>*.gridData</url-pattern>
      <url-pattern>*.xls</url-pattern>
      <url-pattern>*.excel</url-pattern>
      <url-pattern>*.tre</url-pattern>
      <url-pattern>*.tem</url-pattern>
      <url-pattern>*.nc</url-pattern>
      <url-pattern>*.menu</url-pattern>
      <url-pattern>*.ext</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat_auth_role</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ovaa-tomcat</realm-name>
    <form-login-config>
      <form-login-page>/jsp/rootLogin.jsp</form-login-page>
      <form-error-page>/jsp/rootLogin.jsp?error=1</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <description>The role that is required to log into Advanced Access</description>
    <role-name>tomcat_auth_role</role-name>
  </security-role>

 
Cheers
Joe

--

This email is confidential and may be legally privileged.

It is intended solely for the addressee. Access to this email by anyone else, 
unless expressly approved by the sender or an authorized addressee, is 
unauthorized.

If you are not the intended recipient, any disclosure, copying, distribution or 
any action omitted or taken in reliance on it, is prohibited and may be 
unlawful. If you believe that you have received this email in error, please 
contact the sender, delete this e-mail and destroy all copies.

==


RE: Using 2 Realms for authentication and access control

2006-12-18 Thread Workman, Joe
I have not seen any response to this . . . . Can anyone help? Please?!?
 
Cheers
Joe



Custom JAAS LoginModule not authorizing GenericPrincipal roles

2006-12-19 Thread Workman, Joe
I'm trying to use my own LoginModule. It is successfully authenticating
my username, but the problem is when it's trying to authorize my roles.
 
Tried:
1. Here is the code snippet from my LoginModule commit method.
Code:

  List<String> roles = new ArrayList<String>();
  roles.add( "tomcat_auth_role" );
  // one GenericPrincipal for the user, carrying the role list
  GenericPrincipal gp = new GenericPrincipal(null, username, null, roles);
  subject.getPrincipals().add(gp);

2. Added following to server.xml:
Code:

  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="Tomcat"
         userClassNames="org.apache.catalina.realm.GenericPrincipal"
         roleClassNames="org.apache.catalina.realm.GenericPrincipal"
         useContextClassLoader="true"
         debug="2"/>

3. Added following to web.xml:
Code:

  tomcat_auth_role
 
Any help would be greatly appreciated. 
 
Cheers
Joe



RE: Custom JAAS LoginModule not authorizing GenericPrincipal roles

2006-12-19 Thread Workman, Joe
I have found a work-around (although it seems like a hack to me):

Here is the code snippet from my LoginModule commit method.
Code:

  List<String> roles = new ArrayList<String>();
  roles.add( "tomcat_auth_role" );
  // GenericPrincipal for the user, carrying the role list
  GenericPrincipal gp = new GenericPrincipal(null, username, null, roles);
  subject.getPrincipals().add(gp);

  // work-around: a second GenericPrincipal whose name is the role name
  String rolename = "tomcat_auth_role";
  GenericPrincipal gp2 = new GenericPrincipal(realm, rolename, password);
  subject.getPrincipals().add(gp2);

The server.xml and web.xml files are identical.

After playing around I found that if I were to create a second Principal
with the username of the rolename, everything worked as expected. This
behavior is not normal is it? I feel that the JAASRealm should be able
to find the roles from the GenericPrincipal Class. Is there a bug that I
am not aware of here?

Cheers
Joe




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Custom JAAS LoginModule not authorizing GenericPrincipal roles

2006-12-20 Thread Workman, Joe
Thanks Charles and John, you were both a great help!!! I got it working
now. 

Cheers
Joe 

-Original Message-
From: John McPeek [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 19, 2006 6:50 PM
To: Tomcat Users List
Subject: Re: Custom JAAS LoginModule not authorizing GenericPrincipal
roles

Hi Joe,
This is my commit(). I think you are missing the User Principal.
When you say request.getUserPrincipal(), that token (1) I am putting in
first comes back. The Principals you add after that are the roles you
want to test against.
This stuff drove me nuts when I was setting it up. Hope that does it for
you.

John

// token, log and subject are fields of the LoginModule (not shown here);
// token is the user Principal, and its Permission objects implement Principal
public boolean commit() throws LoginException {
    log.debug( "Commit login." );

    if ( token != null ) {
        if ( subject.isReadOnly() ) {
            throw new LoginException( "Subject is Readonly" );
        }

        // (1) add the User Principal first; request.getUserPrincipal() returns it
        subject.getPrincipals().add( token );

        // then one Principal per role
        List<Permission> permissions = token.getPermissions();
        Set<Principal> jaasPermissions = subject.getPrincipals();
        for ( Permission permission : permissions ) {
            jaasPermissions.add( permission );
        }
    }

    token = null;
    return true;
}




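The layout John describes (the user Principal added first, then one Principal per role) and the behaviour Joe ran into (the realm picks roles up from principals named after the role, not from the role list inside a GenericPrincipal), as an added Java example that is not code from this thread, from Tomcat or from either poster. It assumes a hypothetical package `example`, the class name `RoleAwareLoginModule`, a constructed demo credential table standing in for Kerberos or the JDBC lookup, and that the Realm is configured with `userClassNames="example.RoleAwareLoginModule$UserPrincipal"` and `roleClassNames="example.RoleAwareLoginModule$RolePrincipal"` with a jaas.conf entry `Tomcat { example.RoleAwareLoginModule required; };`.

```java
package example; // hypothetical package for this added example

import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// LoginModule laid out the way a JAAS realm reads a Subject: user Principal first
// (class listed in userClassNames), then one Principal per role (class listed in
// roleClassNames) whose getName() is the role name.
public class RoleAwareLoginModule implements LoginModule {

    /** Identity principal; its class name goes in userClassNames. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Role principal; its class name goes in roleClassNames. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed demo data (assumption): a real module would verify the password
    // against Kerberos or a database and look the roles up in the database.
    private static final Map<String, char[]> PASSWORDS = new HashMap<String, char[]>();
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        PASSWORDS.put("joe", "demo-password".toCharArray());
        ROLES.put("joe", Arrays.asList("tomcat_auth_role"));
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String username;                               // set only once login() succeeds
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    public boolean login() throws LoginException {
        if (callbackHandler == null) throw new LoginException("no CallbackHandler");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        char[] supplied = passCb.getPassword();            // a copy; wiped below
        passCb.clearPassword();
        char[] expected = PASSWORDS.get(nameCb.getName());
        boolean ok = supplied != null && expected != null && Arrays.equals(supplied, expected);
        if (supplied != null) Arrays.fill(supplied, '\0');
        if (!ok) throw new FailedLoginException("bad username or password");
        username = nameCb.getName();
        return true;
    }

    public boolean commit() throws LoginException {
        if (username == null) return false;                // this module did not authenticate
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
        Set<Principal> principals = subject.getPrincipals();
        add(principals, new UserPrincipal(username));      // (1) identity goes in first
        List<String> roles = ROLES.get(username);
        if (roles != null) {
            for (String role : roles) add(principals, new RolePrincipal(role)); // (2) one per role
        }
        return true;
    }

    private void add(Set<Principal> principals, Principal p) {
        principals.add(p);
        added.add(p);                                      // remembered so logout() can undo it
    }

    public boolean abort() throws LoginException { username = null; return true; }

    public boolean logout() throws LoginException {
        if (!subject.isReadOnly()) subject.getPrincipals().removeAll(added);
        added.clear();
        username = null;
        return true;
    }

    /** The realm's view of the roles: getName() of every principal whose class is in
     *  roleClassNames. A role list carried inside a user principal is not consulted. */
    public static List<String> rolesAsRealmSeesThem(Subject s, Set<String> roleClassNames) {
        List<String> roles = new ArrayList<String>();
        for (Principal p : s.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) roles.add(p.getName());
        }
        return roles;
    }
}
```

Keeping the user and role principals as two distinct classes lets the realm tell identity from roles without the second-GenericPrincipal work-around, and `rolesAsRealmSeesThem` reproduces the mapping so a unit test can check that only principals named after a role contribute to the role set.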




