Michiel Toneman wrote:


Hi Beloglazov,


I was running into the same problem. As far as I can tell (anyone on the list, please correct me if I'm wrong), Tomcat primarily uses JAAS for authentication, but it is pretty useless for authorisation. I have no idea why the JAASRealm goes to all the trouble of setting up a Subject etc... when you can't use them in your own policy. All you can do is use "isUserInRole()" to check for the *name* of your role Principal. This totally defeats the point of using JAAS IMHO.

I am using a JAAS implementation with a custom Policy that assigns Permission(s) based on various types of Principal that I assign to the Subject. My webapps can then do proper Java Permission checks (AccessController.checkPermission(perm)).

The way to go in Tomcat is using a filter, setting up (LoginContext) your Subject and use a doAsPrivileged() to wrap the servlet call. (see my earlier post on the list). However, this does not work on Tomcat (works fine on JRun4) because the filter and servlet are evaluated by Tomcat in different security contexts. The solution was to overwrite Tomcat's Subject in the session by my own Subject.

I'm writing a tutorial on this, but it isn't ready yet. If you need an implementation fast, and the above is not enough to go on, I can speed up the writing ;-)

Cheers,

Michiel
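The filter approach described above, as an added Java example that is not code from this thread, from Michiel, or from Tomcat: a servlet filter runs a JAAS LoginContext once per session, stores the resulting Subject in the session, and wraps the rest of the filter chain in Subject.doAsPrivileged() so that an AccessController.checkPermission() call inside the servlet sees the Subject's Principals and the custom Policy can grant or deny. The login configuration name "merx" is taken from the Realm config quoted later in the thread; the session attribute key, RequestCallbackHandler, ReportPermission and ReportServlet are assumptions made for the illustration.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Filter that establishes a JAAS Subject and runs the servlet inside it. */
public class JaasSubjectFilter implements Filter {
    // Session key under which Tomcat keeps its own authenticated Subject
    // (org.apache.catalina.Globals.SUBJECT_ATTR). Storing our Subject under the same key
    // is the "overwrite Tomcat's Subject" step from the post; check the key for your Tomcat version.
    static final String SUBJECT_ATTR = "javax.security.auth.subject";
    // JAAS login configuration entry; "merx" is the appName from the Realm config in the thread.
    static final String LOGIN_ENTRY = "merx";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(final ServletRequest req, final ServletResponse resp,
                         final FilterChain chain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(true);
        Subject subject = (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject == null) {
            try {
                LoginContext lc = new LoginContext(LOGIN_ENTRY, new RequestCallbackHandler(req));
                lc.login();                    // the LoginModule(s) populate the Subject's Principals
                subject = lc.getSubject();
                session.setAttribute(SUBJECT_ATTR, subject);
            } catch (LoginException e) {
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        try {
            // Run the rest of the chain with the Subject bound to the access-control context;
            // the null context drops the filter's own callers from the permission check.
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, resp);
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            throw new ServletException(cause);
        }
    }

    /** Assumed callback handler: answers Name/PasswordCallback from request parameters. */
    static class RequestCallbackHandler implements CallbackHandler {
        private final ServletRequest req;
        RequestCallbackHandler(ServletRequest req) { this.req = req; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(req.getParameter("username"));
                } else if (cb instanceof PasswordCallback) {
                    String pw = req.getParameter("password");
                    ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }
}

/** Assumed permission type; the custom Policy grants it based on the Subject's Principals. */
class ReportPermission extends BasicPermission {
    ReportPermission(String name) { super(name); }
}

/** Servlet that performs a real Permission check instead of isUserInRole(). */
class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            AccessController.checkPermission(new ReportPermission("view"));
        } catch (SecurityException denied) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.getWriter().println("report");
    }
}
```

The check in ReportServlet only passes when the filter and the servlet run in the same access-control context, which is the Tomcat problem the post describes; writing the Subject into the session under Tomcat's own key is what makes Tomcat evaluate the servlet with that Subject. The custom Policy that maps RdbmsPrincipal/RdbmsRole instances to ReportPermission grants is the other half and is not shown here.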


Beloglazov Maksim wrote:


Hello,

I've written a JAAS LoginModule and my web application successfully authorizes with it. But! While the authorization is successful, Tomcat does not recognize the user Principals and roles which I assign in the login module, and reports that I am logged in as a *null* user with no roles assigned to it.

server.xml:
....
  <Realm className="org.apache.catalina.realm.JAASRealm"
          appName="merx"
          userClassNames="ru.mb.security.jaas.RdbmsPrincipal"
          roleClassNames="ru.mb.security.jaas.RdbmsRole"
          debug="99"/>
....

ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole are implementations of the java.security.Principal interface. How can I force Tomcat to recognize these Principals in a proper way? Can the problem be with the move of javax.security.Principal in earlier JDKs to java.security.Principal in modern ones?

Any help is greatly appreciated.

Beloglazov Maksim.
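As an added illustration of what the JAASRealm configuration above expects (this is not code from the thread; the bodies of RdbmsPrincipal, RdbmsRole and the LoginModule are assumed, and the in-memory user table is constructed as a stand-in for the RDBMS lookup): the module's commit() must add the user and role Principals to subject.getPrincipals(), because Tomcat's JAASRealm then walks that set and picks the user principal by comparing each principal's exact class name with userClassNames and collects role names from principals whose class name is in roleClassNames. The fully qualified class names therefore have to match the Realm attributes character for character.

```java
package ru.mb.security.jaas;

import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** User principal; its fully qualified name must equal the Realm's userClassNames entry. */
class RdbmsPrincipal implements Principal, Serializable {
    private final String name;
    RdbmsPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    // Subject.getPrincipals() is a Set: equals/hashCode keep duplicates out.
    public boolean equals(Object o) { return o instanceof RdbmsPrincipal && name.equals(((RdbmsPrincipal) o).name); }
    public int hashCode() { return name.hashCode(); }
}

/** Role principal; its fully qualified name must equal an entry in roleClassNames. */
class RdbmsRole implements Principal, Serializable {
    private final String name;
    RdbmsRole(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) { return o instanceof RdbmsRole && name.equals(((RdbmsRole) o).name); }
    public int hashCode() { return name.hashCode(); }
}

public class RdbmsLoginModule implements LoginModule {
    // Constructed stand-in for the RDBMS: username -> {password, role, role, ...}
    private static final Map<String, String[]> TABLE = new HashMap<String, String[]>();
    static {
        TABLE.put("alice", new String[] {"secret", "admin", "user"});
        TABLE.put("bob",   new String[] {"hunter2", "user"});
    }

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private String[] roles;
    private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        String[] row = nc.getName() == null ? null : TABLE.get(nc.getName());
        char[] pw = pc.getPassword();
        pc.clearPassword();
        // A real module compares against a stored password hash, not a plaintext column.
        if (row == null || pw == null || !Arrays.equals(row[0].toCharArray(), pw)) {
            throw new FailedLoginException("bad credentials");
        }
        username = nc.getName();
        roles = Arrays.copyOfRange(row, 1, row.length);
        succeeded = true;
        return true;
    }

    /** The part JAASRealm depends on: the Principals must be in the Subject after commit(). */
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new RdbmsPrincipal(username));            // matched against userClassNames
        for (String r : roles) subject.getPrincipals().add(new RdbmsRole(r)); // matched against roleClassNames
        return true;
    }

    public boolean abort() { succeeded = false; username = null; roles = null; return true; }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof RdbmsPrincipal || p instanceof RdbmsRole);
        return true;
    }
}
```

Note that even when the class names match, JAASRealm only extracts the principal and role *names* from the Subject for isUserInRole() checks; it does not hand the Subject to a Policy, which is the limitation Michiel describes above.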



I would appreciate it if you posted a link to, or a copy of, the tutorial you are writing. For now I'm trying to drill into JAASRealm.java and find out what is really happening there.

Maksim.




