Authentication between Tomcat and JBoss depends on how you are running
them.

Scenario 1.

Tomcat is started on its own (not as Embedded or MBean).
JBoss is started on its own.

Answer: I've tried running this; there are issues with setting up JNDI.
Don't use this setup at all.

Scenario 2.

Tomcat is started as part of JBoss either as an MBean or as EmbeddedTomcat
service.

Answer:

With the latest version of JBoss, Tomcat is able to read the standard Tomcat
server.xml. There are several entries in Tomcat's server.xml that are
essential for Tomcat+JBoss integration, and some of the entries accomplish
setting up security stuff.

The way it works is like this.

A user tries to access a protected web page. Tomcat authenticates the user
through its BASIC/FORM or whatever authentication. If the authentication
succeeded, Tomcat sets the username and password for this user as
attributes of the current session. For successful authentication here you
would need to set up Tomcat's authentication services; by default it checks
username/password pairs against the tomcat-users.xml file in its conf
directory.

Once a user has authenticated him-/herself, any further accesses to pages
would have the username/password attributes set in the session. Whenever
Tomcat receives an HttpRequest, one of the hooks from JBoss which are
configured into Tomcat's server.xml (i.e. the JbossRealm RequestInterceptor)
would set the appropriate SecurityAssociation parameters for the given
thread. (SecurityAssociation is a JBoss internal security implementation
class.) Now, if your servlet tries to call an EJB, this thread has the
appropriate security Principal associated with it, which JBoss sees on any
call to an EJB.

The next step is to configure security in your EJB tier. You can ask JBoss
to handle all the security issues for you. Then you simply specify that
you want JBoss to run in secure mode and specify in the jboss.xml
container-configuration section for each ejb-jar that you want to use
java:/jaas/other as role-mapping-manager and authentication-module (see my
example below). By default, JBoss is not secured (check standardjboss.xml
in the conf directory). So the jboss.xml that you would place in META-INF
of an ejb-jar would be:

<jboss>
  <container-configurations>
    <container-configuration>
        <container-name>Standard CMP EntityBean</container-name>
        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
        <authentication-module>java:/jaas/other</authentication-module>
    </container-configuration>
    <container-configuration>
        <container-name>Standard Stateless SessionBean</container-name>
        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
        <authentication-module>java:/jaas/other</authentication-module>
    </container-configuration>
    <container-configuration>
        <container-name>Standard Stateful SessionBean</container-name>
        <role-mapping-manager>java:/jaas/other</role-mapping-manager>
        <authentication-module>java:/jaas/other</authentication-module>
    </container-configuration>
  </container-configurations>

  <!-- Plus whatever else you need to specify here -->

</jboss>

Check JBoss's auth.conf for which login module would be used as the
java:/jaas/other service. By default, I think, it is
org.jboss.security.plugins.samples.JaasServerLoginModule, which checks the
Principal's username and the password against the file users.properties and
assigns roles according to the roles.properties file from its conf directory.

You can implement your own custom authentication module for the EJB
tier and specify its classname in auth.conf. Check the documentation on JAAS
in JBoss.

The alternative to JBoss handling security for you is to manage it
yourself from inside the EJBs: since the EJBs will see the current
Principal in their EnterpriseContext, you can check what the username is,
etc.

Hope this helps.


Anatoly.

On Tue, 6 Mar 2001, Alexander Sparkowsky wrote:

> Hello,
> 
> I'm new to JBoss and I'm sorry if my questions have been answered before but
> I couldn't find them in the archive.
> 
> We are currently using another Appserver and like to switch to JBoss +
> Tomcat (+Apache).
> 1. How is the authentication handled between Tomcat and JBoss? Do I have
> to authenticate to the Tomcat (to take the user-data from the DB) AND to
> JBoss (using InitialContext or something like this)?
> 2. Is it possible to write an adapter or something like that to use an
> existing EJB to authenticate a user (e.g. user=home.findByPrimaryKey(...);
> user.authenticate(pw);...)
> 
> Thanks
> 
> Alexander Sparkowsky
> LambdaLogic Informationssysteme GmbH, Berlin, Germany
> Tel: +49-30-2936385-0, Fax: +49-30-2936385-9
> E-Mail: [EMAIL PROTECTED]
> 
> 
> 
> --
> --------------------------------------------------------------
> To subscribe:        [EMAIL PROTECTED]
> To unsubscribe:      [EMAIL PROTECTED]
> 
> 

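The reply above says that the EJB-tier authentication behind java:/jaas/other is a JAAS login module, and that you can supply your own and name its class in auth.conf. The following is an added example, not code from Anatoly's mail or from JBoss, of what such a module looks like in terms of the standard javax.security.auth.spi.LoginModule contract (initialize/login/commit/abort/logout, with the username and password obtained through Name/PasswordCallback). The class name ExampleEjbLoginModule is hypothetical, the USERS and ROLES tables are constructed sample data standing in for users.properties and roles.properties, and the auth.conf entry that would reference the class is assumed and not shown. How a given JBoss version expects role principals to be laid out in the Subject is not covered by the mail, so the example simply tags them with a RolePrincipal type.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical custom JAAS login module for the EJB tier (example code, not JBoss's). */
public class ExampleEjbLoginModule implements LoginModule {

    /** Minimal Principal so the authenticated name can be attached to the Subject. */
    public static class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass()
                && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Same shape as SimplePrincipal, but marks the entry as a role rather than a user. */
    public static final class RolePrincipal extends SimplePrincipal {
        public RolePrincipal(String name) { super(name); }
    }

    // Constructed sample data standing in for users.properties / roles.properties.
    private static final Map<String, String> USERS = new HashMap<>();
    private static final Map<String, List<String>> ROLES = new HashMap<>();
    static {
        USERS.put("alice", "secret-one");
        USERS.put("bob", "secret-two");
        ROLES.put("alice", Arrays.asList("Manager", "Employee"));
        ROLES.put("bob", Collections.singletonList("Employee"));
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private String authenticatedUser;                 // set only once login() succeeds
    private final List<Principal> added = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    /** Phase 1: collect the credentials through callbacks and verify them. */
    public boolean login() throws LoginException {
        if (callbackHandler == null) throw new LoginException("no CallbackHandler available");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();               // copy; the callback keeps its own
        pc.clearPassword();
        boolean ok = verify(nc.getName(), pw);
        if (pw != null) Arrays.fill(pw, '\0');      // do not leave the password lying around
        if (!ok) throw new FailedLoginException("bad username or password");
        authenticatedUser = nc.getName();
        return true;
    }

    /** Constant-time comparison; an unknown user takes the same path as a wrong password. */
    static boolean verify(String user, char[] password) {
        if (user == null || password == null) return false;
        String expected = USERS.getOrDefault(user, "");
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = new String(password).getBytes(StandardCharsets.UTF_8);
        return !expected.isEmpty() && MessageDigest.isEqual(a, b);
    }

    /** Phase 2: only now attach the user and role principals to the Subject. */
    public boolean commit() throws LoginException {
        if (authenticatedUser == null) return false;
        added.add(new SimplePrincipal(authenticatedUser));
        for (String role : ROLES.getOrDefault(authenticatedUser, Collections.<String>emptyList())) {
            added.add(new RolePrincipal(role));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    /** Called when another module in the stack failed: discard everything from login(). */
    public boolean abort() throws LoginException {
        authenticatedUser = null;
        added.clear();
        return true;
    }

    public boolean logout() throws LoginException {
        subject.getPrincipals().removeAll(added);   // remove only what this module added
        added.clear();
        authenticatedUser = null;
        return true;
    }
}
```

The two-phase split matters for the behaviour the mail describes: login() proves the credentials, but nothing reaches the Subject (and therefore nothing becomes the caller's Principal on an EJB call) until commit() runs, and abort() must leave no trace if another module in the same auth.conf stack rejects the login.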