RE : TR : [jaas integration between tomcat/weblogic]

2004-08-05 Thread LERBSCHER Jean-Pierre
Any responses?
Does somebody think that it could be a bug or like an improvement?
Thanks.

-Original Message-
From: LERBSCHER Jean-Pierre [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 27 July 2004 19:07
To: '[EMAIL PROTECTED]'
Subject: [jaas integration between tomcat/weblogic]

Hi,

I would like to make EJB calls from Tomcat to EJBs in WebLogic in a secure
environment (using J2EE roles). I configure a custom JAAS Realm that uses a
client-side LoginModule connecting to WLS
(weblogic.security.auth.login.UsernamePasswordLoginModule).

I put weblogic.jar into the common/lib directory and my login module classes in
common/classes.

I configure the webapp context like this:

  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="Sample"
         userClassNames="weblogic.security.principal.WLSUserImpl"
         roleClassNames="weblogic.security.principal.WLSGroupImpl"
         debug="99"/>

I grant all permissions (for test only) in catalina.policy.
And I run Catalina with the -security option.

At this stage Tomcat uses the login module (and the WebLogic authentication
provider) to authenticate the user.

Everything works fine.

The subject built by WebLogic is used to create a GenericPrincipal used
internally by Tomcat.

My problem is that I need to use the WebLogic security API to propagate the
subject implicitly when I call the EJB component, with the security data
provided by the WebLogic authentication provider (the subject).

First I try to run Tomcat with the security option and the permission that
enables me to get the Tomcat subject (for example like this:
javax.security.auth.Subject mySubject =
javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());
) and call the WebLogic security API with that subject.

However the Tomcat GenericPrincipal is not serializable and I get an
exception [java.io.NotSerializableException:
org.apache.catalina.realm.GenericPrincipal]...

Secondly I try to rebuild the WebLogic subject with the subject generated by
javax.security.auth.Subject.getSubject(java.security.AccessController.getContext());

I get a java.lang.SecurityException: [Security:090398]Invalid Subject:
principals=[my_username] exception generated by WebLogic.

It seems obvious that there are integration problems!

My suggestions are to keep a trace of the original subject (for example in
the session with a specific key) or in a class that is accessible to
application classes (and not dependent on the Tomcat-specific API).

Do you have any other suggestions?

Environment:

Tomcat 5.0.27 (full install), running on XP, Java 1.4.2_02
WLS 8 SP2, running on W2K, Java 1.4.2_02
(= both on same machine, same environment)

 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
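One way to implement the suggestion above of keeping the original subject in a class that application code can reach without Tomcat-specific API, as an added example that is not code from this thread, from Tomcat or from WebLogic: a wrapper LoginModule that delegates to the real module (named through an option called delegate, an assumption of this example, not a standard JAAS or WebLogic option) and, once the delegate commits, records the populated Subject keyed by the login name it captured from the NameCallback. Application code then looks the Subject up by request.getUserPrincipal().getName() and hands that Subject, not Tomcat's GenericPrincipal, to the WebLogic security API. The package name example.jaas is also an assumption. The code is written for Java 1.4 (no generics) to match the environment in the thread.

```java
package example.jaas; // hypothetical package name

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Wraps another LoginModule and, after that module commits, keeps the fully
 * populated Subject (the one containing the WLS principals and credentials)
 * in a holder that web-application code can reach by user name.
 */
public class SubjectCapturingLoginModule implements LoginModule {

    // user name -> Subject committed by the wrapped module (in-memory only)
    private static final Map CAPTURED = Collections.synchronizedMap(new HashMap());

    /** Called by application code with request.getUserPrincipal().getName(). */
    public static Subject lookup(String username) {
        return (Subject) CAPTURED.get(username);
    }

    /** Called when the HTTP session ends, so the entry does not outlive the login. */
    public static void forget(String username) {
        CAPTURED.remove(username);
    }

    private Subject subject;
    private LoginModule delegate;
    private NameCapturingHandler handler;

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map sharedState, Map options) {
        this.subject = subject;
        // "delegate" is an option name assumed for this example.
        String delegateClass = (String) options.get("delegate");
        if (delegateClass == null) {
            throw new IllegalArgumentException("missing 'delegate' option");
        }
        try {
            delegate = (LoginModule) Class.forName(delegateClass).newInstance();
        } catch (Exception e) {
            throw new IllegalArgumentException("cannot load delegate " + delegateClass + ": " + e);
        }
        // All options, including the delegate's own, are passed through unchanged.
        handler = new NameCapturingHandler(callbackHandler);
        delegate.initialize(subject, handler, sharedState, options);
    }

    public boolean login() throws LoginException {
        return delegate.login();
    }

    public boolean commit() throws LoginException {
        boolean committed = delegate.commit();
        String name = handler.getName();
        if (committed && name != null) {
            CAPTURED.put(name, subject); // same Subject object the delegate populated
        }
        return committed;
    }

    public boolean abort() throws LoginException {
        return delegate.abort();
    }

    public boolean logout() throws LoginException {
        String name = handler.getName();
        if (name != null) {
            CAPTURED.remove(name);
        }
        return delegate.logout();
    }

    /** Delegates every callback and remembers the user name the delegate asked for. */
    private static final class NameCapturingHandler implements CallbackHandler {
        private final CallbackHandler inner;
        private String name;

        NameCapturingHandler(CallbackHandler inner) {
            this.inner = inner;
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            inner.handle(callbacks); // let Tomcat's handler fill in the values first
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    name = ((NameCallback) callbacks[i]).getName();
                }
            }
        }

        String getName() {
            return name;
        }
    }
}
```

The JAAS login configuration for the appName "Sample" above would then list example.jaas.SubjectCapturingLoginModule as required with delegate="weblogic.security.auth.login.UsernamePasswordLoginModule", plus whatever options the WebLogic module itself needs, since the wrapper passes every option through. Two points to watch: Tomcat's JAASRealm does not call logout() when the HTTP session expires, so forget() should be called from an HttpSessionListener (assumed here) or the map keeps a strong reference to a Subject with live credentials; and the holder is keyed by user name only, so a second login of the same user replaces the first entry.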


Re: TR : [jaas integration between tomcat/weblogic]

2004-08-03 Thread David Parry
On 30 Jul, 2004, at 9:59 am, LERBSCHER Jean-Pierre wrote:
> (weblogic.security.auth.login.UsernamePasswordLoginModule).
> ...
> The subject built by WebLogic is used to create a GenericPrincipal used
> internally by Tomcat.
I got a bit further than this using our own custom-made JAASLoginModule 
to retrieve Principals from a database.

We encountered the fact that Tomcat only returns a generic Principal 
(not the Principal that we created, despite it being configured that 
way in server.xml), so we did what you did... extracted the information 
from the GenericPrincipal (username and password), then made our own 
UserPrincipal, which we stored in a session.

This was in Tomcat 5.0.19 and everything worked, although we had this 
nagging feeling that it wasn't quite right. Why weren't we receiving 
our own UserPrincipal?

Then we tried upgrading to Tomcat 5.0.25 (and later).
When we try to log in to a page configured to be protected, we get the 
following error:

javax.servlet.ServletException: WILDCARD_PRINCIPAL_CLASS
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:244)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
...
root cause
java.lang.ClassCircularityError: WILDCARD_PRINCIPAL_CLASS
java.lang.Class.forName0(Native Method)
java.lang.Class.forName(Class.java:219)
sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1335)
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1238)
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1201)
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1144)
sun.security.provider.PolicyFile.implies(PolicyFile.java:1099)
java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
...

This is pretty confusing. Has anyone seen this? What does it mean? I 
can't find any mention of anything that helps in the Tomcat 
documentation, and so far nothing in various JAAS and Security 
documentation.

Does anyone have a working JAASRealm module, with example server.xml, 
catalina.policy, web.xml and other files?

I'd give my right arm to have an answer to this. Currently, our only 
solution is to stick with 5.0.19.
