I have semi-successfully gotten Tomcat to use the Geronimo JAAS component. I say semi-successful because I wrote some unit tests, got Tomcat running along with some other security base GBeans, and was able to protect resources in a web application, and access them with the org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm.
However, what does not seem to be working is the group/role side of things. If I protect the resources in the web.xml with the following:

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>

Then it works as planned. But if I state a particular role/group, it does not work. So I need to see why Tomcat is accepting the authentication piece of this, but not the authorization.

For a synopsis of what I did, I essentially took the BasicSecurityTest and SecurityTest unit tests from Jetty and altered them to work with Tomcat. I then used the war3 test-resource for Jetty to use as a protected web application.

Most of getting this to work was setting configuration files (i.e. the server.xml with an appropriate context, and ensuring the -Djava.security.auth.login.config is set to point at a proper login.config file).

Right now, the context needs to be declared in the server.xml. I don't like this. I need to write a ContextInterceptor so the context can be dynamically loaded from a geronimo-web.xml in the WEB-INF. Hence, after I get the role/group to work, I will write the interceptor, and I think Geronimo JAAS will dynamically work with Tomcat.

For the security experts, please have a look at my unit test and configs below and see if you think I missed anything relative to getting the group to work:

Here is the login.config used by java.security.auth.login.config:

jaasTest {
    org.apache.geronimo.security.jaas.JaasLoginCoordinator required
    realm="demo-properties-realm"
    kernel="geronimo.kernel";
};

In the server.xml:

<Context path="/test" docBase="war3" debug="99" reloadable="true">
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="test_log." suffix=".txt"
            timestamp="true"/>

    <Realm className="org.apache.catalina.realm.JAASRealm" debug="99"
           appName="jaasTest"
           userClassNames="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
           roleClassNames="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal"/>
</Context>

I used the following code to fire up the necessary GBeans in a unit test:

// Standard-library imports used by this fragment. The Geronimo classes (Kernel, GBeanMBean,
// ServerInfo, TomcatGBean, GeronimoTransactionManager, TransactionContextManager,
// ConnectionTrackingCoordinator) and the start(ObjectName, GBeanMBean) helper come from the
// test class and its Geronimo module imports, which are not reproduced here.
import java.io.File;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.management.ObjectName;

// JMX names for the Tomcat container, the test web app and the transaction-related GBeans.
containerName = new ObjectName("geronimo.tomcat:role=Container");
containerPatterns = Collections.singleton(containerName);
appName = new ObjectName("geronimo.tomcat:app=test");

tmName = new ObjectName("geronimo.test:role=TransactionManager");
tcmName = new ObjectName("geronimo.test:role=TransactionContextManager");
tcaName = new ObjectName("geronimo.test:role=ConnectionTrackingCoordinator");

// Boot the kernel under the name that login.config refers to (kernel="geronimo.kernel").
kernel = new Kernel("geronimo.kernel");
kernel.boot();

// ServerInfo supplies the base directory used to resolve relative paths.
serverInfoGBean = new GBeanMBean(ServerInfo.GBEAN_INFO);
serverInfoName = new ObjectName("geronimo.system:role=ServerInfo");
serverInfoGBean.setAttribute("baseDirectory", ".");

// Tomcat container GBean; the Context and JAASRealm come from the server.xml it is pointed at.
container = new GBeanMBean(TomcatGBean.GBEAN_INFO);
container.setAttribute("CatalinaHome", "target/var/catalina");
container.setAttribute("CatalinaBase", "target/var/catalina");
container.setAttribute("CatalinaConfig", "target/var/catalina/conf/server.xml");
container.setReferencePatterns("ServerInfo", Collections.singleton(serverInfoName));

// SecurityService: JACC policy configuration factory plus a wildcard pattern matching every realm.
securityServiceGBean = new GBeanMBean("org.apache.geronimo.security.SecurityService");
securityServiceName = new ObjectName("geronimo.security:type=SecurityService");
securityServiceGBean.setReferencePatterns("Realms", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
securityServiceGBean.setAttribute("policyConfigurationFactory", "org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory");

// JaasLoginService: the server side that the JaasLoginCoordinator in login.config talks to.
loginServiceGBean = new GBeanMBean("org.apache.geronimo.security.jaas.JaasLoginService");
loginServiceName = new ObjectName("geronimo.security:type=JaasLoginService");
loginServiceGBean.setReferencePatterns("Realms", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
// loginServiceGBean.setAttribute("reclaimPeriod", new Long(1000 * 1000));
loginServiceGBean.setAttribute("algorithm", "HmacSHA1");
loginServiceGBean.setAttribute("password", "secret");

// The properties-file realm named in login.config (realm="demo-properties-realm");
// users and groups are read from the two properties files under src/test-resources/data.
propertiesRealmGBean = new GBeanMBean("org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm");
propertiesRealmName = new ObjectName("geronimo.security:type=SecurityRealm,realm=demo-properties-realm");
propertiesRealmGBean.setReferencePatterns("ServerInfo", Collections.singleton(serverInfoName));
propertiesRealmGBean.setAttribute("realmName", "demo-properties-realm");
propertiesRealmGBean.setAttribute("defaultPrincipal", "metro");
propertiesRealmGBean.setAttribute("maxLoginModuleAge", new Long(1 * 1000));
propertiesRealmGBean.setAttribute("usersURI", (new File(new File("."), "src/test-resources/data/users.properties")).toURI());
propertiesRealmGBean.setAttribute("groupsURI", (new File(new File("."), "src/test-resources/data/groups.properties")).toURI());

// Start the GBeans; the realm is started before the services that reference it.
start(serverInfoName, serverInfoGBean);
start(propertiesRealmName, propertiesRealmGBean);
start(containerName, container);
start(securityServiceName, securityServiceGBean);
start(loginServiceName, loginServiceGBean);

// Transaction manager, transaction context manager and connection tracking for the web container.
tm = new GBeanMBean(GeronimoTransactionManager.GBEAN_INFO);
tm.setAttribute("defaultTransactionTimeoutSeconds", new Integer(10));
Set patterns = new HashSet();
patterns.add(ObjectName.getInstance("geronimo.server:j2eeType=JCAManagedConnectionFactory,*"));
tm.setReferencePatterns("ResourceManagers", patterns);
start(tmName, tm);
tcm = new GBeanMBean(TransactionContextManager.GBEAN_INFO);
tcm.setReferencePattern("TransactionManager", tmName);
start(tcmName, tcm);
ctc = new GBeanMBean(ConnectionTrackingCoordinator.GBEAN_INFO);
start(tcaName, ctc);
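As an added illustration of the contract the JAASRealm configuration above depends on (this is example code written for this page, not code from the post, from Geronimo or from Tomcat): Tomcat's JAASRealm runs the JAAS login for appName and then sorts the Principals left in the Subject by exact class name, treating the classes listed in userClassNames as the user and those in roleClassNames as the roles it checks <auth-constraint> against. The login module below puts a user principal and one group principal per group into the Subject, and rolesFor() mirrors the realm's class-name matching so you can see what a mismatch looks like: the user still authenticates (so `*` passes), but the role list is empty and any named role fails. The demo package and class names, the in-memory user and group tables and the credentials are all constructed for the example.

```java
package demo;

import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public final class DemoLoginModule implements LoginModule {
    // Two distinct principal classes on purpose: JAASRealm tells user and role apart by class name,
    // so the group class must match roleClassNames in server.xml character for character.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed in-memory stand-ins for users.properties and groups.properties.
    private static final Map<String, char[]> USERS = new HashMap<>();
    private static final Map<String, Set<String>> GROUPS = new HashMap<>();
    static {
        USERS.put("alice", "secret".toCharArray());
        GROUPS.put("alice", new HashSet<>(Arrays.asList("admins", "users")));
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private final List<Principal> added = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: check credentials only; nothing is put into the Subject yet.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        char[] expected = USERS.get(nc.getName());
        boolean ok = expected != null && Arrays.equals(expected, pc.getPassword());
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }

    // Phase 2: populate the Subject. This is the set JAASRealm inspects afterwards.
    public boolean commit() {
        if (user == null) return false;
        added.add(new UserPrincipal(user));
        for (String g : GROUPS.getOrDefault(user, Collections.emptySet())) added.add(new GroupPrincipal(g));
        subject.getPrincipals().addAll(added);
        return true;
    }
    public boolean abort() { cleanup(); return true; }
    public boolean logout() { cleanup(); return true; }
    private void cleanup() { subject.getPrincipals().removeAll(added); added.clear(); user = null; }

    // Mirrors JAASRealm's role extraction: only principals whose class name is in roleClassNames count.
    public static List<String> rolesFor(Subject subject, Set<String> roleClassNames) {
        List<String> roles = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) roles.add(p.getName());
        }
        return roles;
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic equivalent of the jaasTest { ... } entry in login.config.
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("secret".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("jaasTest", new Subject(), handler, cfg);
        lc.login();
        System.out.println("roleClassNames matches: "
                + rolesFor(lc.getSubject(), Collections.singleton(GroupPrincipal.class.getName())));
        // A realm configured with a class name the login module never emits sees no roles at all.
        System.out.println("roleClassNames mismatched: "
                + rolesFor(lc.getSubject(), Collections.singleton("demo.SomeOtherGroupPrincipal")));
    }
}
```

The first line printed lists admins and users; the second is an empty list, which is the symptom to look for when `*` protects a resource but a named role does not: compare the exact class of the group principals the Geronimo login module puts in the Subject with the roleClassNames value in server.xml, and turn the JAASRealm debug level up to log what it found.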


