Hi Wendy,

Sure, I can explain what happens but not why.

When you call the LoginModule with an optional Subject and CallBack the code works fine for me, i.e. it calls the LoginModule and I do everything I need, placing the Principals into the Subject.

However... and this is where I don't want to say anything sweeping in case I have just simply misunderstood... the Subject that is authenticated via the LoginModule has no visibility to Tomcat.

If I could find a way to replace the session Subject with the one passed back from the LoginModule.getSubject() I would be OK, but I couldn't, so I placed the authorised Subject in the session and overrode the request.isUserInRole() to authorise against the Subject I placed in the session.

One of these days I might ask the Tomcat dev list what I was doing wrong, but got comments from other developers saying they had the same problem. [All the JAAS examples do it the way I have described in some shape or form.]

It's not that big a deal, and if you just use the Request wrapper I have attached you know that in the future you can remove the filter if you go to WebSphere or something like that.

-----Original Message-----
From: Wendy Smoak [mailto:[EMAIL PROTECTED]
Sent: 16 August 2005 17:44
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO

From: "Mark Benussi" <[EMAIL PROTECTED]>

> However I can tell you about JAAS in Tomcat. In 5 certainly there are
> issues. Essentially when you call the LoginModule to invoke your JAAS
> config it works but it does not authenticate the proper session Subject.

Can you explain more about this? I just _finally_ got the jsp-examples webapp that ships with Tomcat changed over to Kerberos authentication. Am I about to run into problems?

> What you end up doing (Or what I did) was place a request filter in the
> app that wraps the request with an overridden RequestWrapper and you
> write your own isUserInRole against the Subject that the LoginModule
> returns (By placing it in the session)
>
> If you want some code, taken from Wendy Smoak ...

.. who took it from one of Craig's tomcat-user posts. ;)

http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatRequestWrapper

--
Wendy Smoak

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
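
The filter-plus-wrapper workaround described in this thread, sketched as an added example; it is not the attachment from the message or the code on the linked wiki page. The class names, the `jaas.subject` session attribute and the `RolePrincipal` type are assumptions: the login code is assumed to store the authenticated Subject under that attribute and the LoginModule to add roles as `RolePrincipal` instances.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical role principal type that the LoginModule adds to the Subject. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Filter that answers isUserInRole() from the JAAS Subject stored in the session. */
public class SubjectRoleFilter implements Filter {
    // Hypothetical session attribute; the login code stores the Subject here.
    static final String SUBJECT_ATTR = "jaas.subject";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new SubjectRequest((HttpServletRequest) req), res);
    }

    static final class SubjectRequest extends HttpServletRequestWrapper {
        SubjectRequest(HttpServletRequest request) { super(request); }

        @Override
        public boolean isUserInRole(String role) {
            HttpSession session = getSession(false); // never create a session here
            Object attr = (session == null) ? null : session.getAttribute(SUBJECT_ATTR);
            if (!(attr instanceof Subject) || role == null) {
                return false; // no authenticated Subject in the session: deny
            }
            // Match only RolePrincipal instances, so a user principal whose
            // name happens to equal a role name is not treated as that role.
            for (RolePrincipal p : ((Subject) attr).getPrincipals(RolePrincipal.class)) {
                if (role.equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Declarative `<security-constraint>` rules in web.xml are enforced by the container before the filter chain runs, so they never consult this wrapper; only programmatic `request.isUserInRole()` calls made behind the filter see the session Subject.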