I wish I was a bit more thorough in the first run, sorry about that. My question is more of "How do I implement JAAS in Tomcat?" I know this is a broad question so let's break it down.

1. How do I configure Tomcat so that it uses JAAS?
2. What configuration files (Java Security & Tomcat) do I need to accomplish question #1?
3. Programmatically, I believe I have to extend org.apache.catalina.realm.JAASMemoryLoginModule but how does Tomcat validate users using JAASRealm?

For #1 the following:

    // server.xml
    <Realm className="org.apache.catalina.realm.JAASRealm"
           debug="99"
           appName="JAASPolicy"
           userClassNames="java.security.Principal"
           roleClassNames="java.security.Principal"/>

For #2 the following:

    // jaas.config
    JAASPolicy {
        cdmanager.security.tomcat.JAASLoginModule required debug=true;
    };

    // jaas.policy
    grant codeBase "file:${catalina.home}/webapps/cdmanager/WEB-INF/classes/- {
        permission java.util.PropertyPermission "java.security.auth.login.config", "read";
        permission java.util.PropertyPermission "java.security.auth.policy", "read";
        permission javax.security.auth.AuthPermission "createLoginContext";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
    };

For #3 the following:

    // JAASLoginModule
    public class JAASLoginModule extends org.apache.catalina.realm.JAASMemoryLoginModule {
        // initial state
        private Subject subject;
        private CallbackHandler callbackHandler;
        <snip>
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map sharedState, Map options) {
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            this.sharedState = sharedState;
            this.options = options;
            <snip>
    // ContainerAuthentication.java
    <snip>
    cdmanager.security.tomcat.JAASLoginCallbackHandler handler =
        new cdmanager.security.tomcat.JAASLoginCallbackHandler(request);
    loginContext = new LoginContext("JAASPolicy",
        new cdmanager.security.tomcat.JAASLoginCallbackHandler(request));
    loginContext = new LoginContext("JAASPolicy", handler );
    loginContext.login(); // EXCEPTION HERE
    <snip>

"Shapira, Yoav" <[EMAIL PROTECTED]> wrote:

Howdy,
Oh boy... See intermixed.

>I've used this code in Weblogic 6.X without any problem. If
>this could be done in Weblogic, then there is NO reason why we can't do it

Of course there is. Tomcat's configuration is different than Weblogic's configuration. Weblogic provides a superset of the servlet specification, not to mention a complete J2EE container. Unless "this code", "this", and "it" in the above sentence relate directly to the servlet specification, v2.3, the above is false.

>Can anyone tell me what am I doing wrong? Or perhaps point me in the right
>direction.

Read the JAASRealm JavaDoc for starters:
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/catalina/docs/api/index.html

Actually look at the example JAASRealm to see what attributes it takes. Don't just assume it takes the same attribute names as the weblogic equivalent.

> debug="99"
> loginContext="JAASPolicy"
> callbackHandler="cdmanager.security.tomcat.JAASLoginCallbackHandler"/>

This is meaningless as these are not the attributes expected by JAASRealm.

>// ContainerAuthentication.java

This is irrelevant as the JAASRealm is not configured correctly.

Yoav Shapira