Actually, you need to make sure that container-managed authentication
is enabled in JSPWiki. You can do this by **uncommenting** the
security constraints in web.xml. That is the opposite of what you said
you did (you said you commented them out).

Here's the methodology I'd use to solve the problem.

1. Turn on container-managed auth in JSPWiki by uncommenting the
security constraints.

2. Once you have turned on container-managed auth in JSPWiki, you need
to make sure the container realm itself is working properly. You might
want to use a very simple container realm first (for example, the
memory realm that consults conf/tomcat-users.xml), instead of your
custom JAAS realm. When you log in via the container's realm, you should
be able to see this principal propagated to JSPWiki.
SecurityConfig.jsp should confirm that container auth works.

3. After verifying that 1) basic container authentication works and 2)
JSPWiki recognizes the credentials, next try using Tomcat's JAASRealm
instead, using your custom JAAS authentication module.
If this doesn't work, you should try using one of Tomcat's supplied
JAAS LoginModules instead to verify that the problem really is with your
module. If you've determined that the problem is with your custom JAAS
LoginModule, start Tomcat via "$CATALINA_HOME/bin/catalina.sh jpda
start", fire up Eclipse and attach a debugger to the module. You'll
find the problem soon enough.

4. Finally, once you get done with that, then you can turn on the SSO
valve.

Andrew

On Jun 24, 2008, at 2:06 PM, Ramya KGrama wrote:

Hello,

I have been trying to implement JAAS login with JSPWiki on Tomcat. We are
using JSPWiki 2.6.2 with Tomcat 5.5.

We have an existing web application (mainApp) that does not use JAAS.
However, we would like to use JSPWiki as a portal with a single-sign-on
feature, meaning when the user logs into our mainApp the user clicks on a
link to the JSPWiki application. At this point, we would like to automatically
authenticate the user with appropriate roles and permissions and log him into
JSPWiki.

To achieve this, I have done the following, but it doesn't seem to work:

1. Tomcat server.xml:

   a. I've added a <Context> tag for the JSPWiki application and a <Context>
      tag for mainApp with crossContext=true in both.

   b. Added a <Realm> entry as such:

      <Realm
          className="org.apache.catalina.realm.JAASRealm"
          appName="JSPWiki-custom"
          userClassNames="com.ecyrd.jspwiki.user.DefaultUserProfile"
          roleClassNames="com.ecyrd.jspwiki.auth.authorize.Role"
          debug="99"/>

   c. Enabled SingleSignOn by adding the <Valve> tag within the <Host>
      tag as such:

      <Valve
          className="org.apache.catalina.authenticator.SingleSignOn"
      />

2. Placed my login module (JAASLoginModule's) jar file JAASLoginLM.jar in
   the %TOMCAT_HOME%/common/lib folder.
   In the JAASLoginModule itself I am using HttpRequestCallback just like
   the SiteMinderLoginModule example:
   http://www.jspwiki.org/wiki/Security2.3WishList

3. I added the entries for the login module in jspwiki.policy towards the
   end as such:

   // grant LoginModule permissions
   grant codebase "file:${catalina.home}/common/lib/JaasLoginLM.jar" {
       permission javax.security.auth.AuthPermission "modifyPrincipals";
   };
   grant codebase "file:${catalina.home}/common/lib/JaasLoginAzn.jar" {
       permission javax.security.auth.AuthPermission "createLoginContext.jaaslogin";
       permission javax.security.auth.AuthPermission "doAsPrivileged";
   };

4. In the jspwiki.properties file I enabled JAAS as such:

   jspwiki.security = jaas

5. On Tomcat startup I specify the policy file and jaas file settings as
   such:

   -Djava.security.auth.login.config==C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\JSPWiki\WEB-INF\jspwiki.jaas
   -Djava.security.policy==C:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\JSPWiki\WEB-INF\jspwiki.policy

6. Disabled container managed authentication in
   <TOMCAT_HOME>/webapps/web.xml by commenting the <security-constraint>
   section and in jspwiki.properties set
   jspwiki.userdatabase.isSharedWithContainer = false

Now, I restart the server and launch the mainApp and log in. After logging
in, I click on the link to JSPWiki (http://<hostname:port>/JSPWiki/Wiki.jsp),
which takes me to the main page as an "Anonymous" user.

I don't see JAAS being used. The logs do not show any debug messages from my
JAASLoginModule. Instead it says -
"Checking JAAS configuration...JAAS already configured by some other
application (leaving it alone...)"

My security configuration verifier (SecurityConfig.jsp) says that it found
jspwiki.jaas. It doesn't show any errors - except that it says
"We found some errors with your configuration: Policy file does not have a
keystore... at least not one that we can locate."

Do I need the jspwiki.jks file and an entry in the policy file - keystore
jspwiki.jks? - Currently I DO NOT have the keystore file.

Do I need to programmatically create the LoginContext and call the login()
method in the JSP?
My understanding was that all that would happen automatically in the
background.

I am sure I'm missing something.
Your help is greatly appreciated!

Thanks.
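
A check for step 1 of the reply at the top of this thread, as an added example that is not part of either message or of JSPWiki: it reports whether the `<security-constraint>` blocks in a web.xml are live or sitting inside an XML comment. The sample web.xml, its URL pattern and role name, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

def local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):
    """Collect the trimmed text of every descendant element called `name`."""
    return [e.text.strip() for e in parent.iter() if local(e.tag) == name and e.text]

def audit_web_xml(text):
    """Report live vs. commented-out constraints and the configured auth method."""
    # Constraints that only exist inside <!-- ... --> are invisible to the container.
    commented = sum(len(re.findall(r"<security-constraint\b", body))
                    for body in COMMENT.findall(text))
    root = ET.fromstring(text)  # the default parser drops comments, like the container
    active = [{"urls": texts(c, "url-pattern"), "roles": texts(c, "role-name")}
              for c in root.iter() if local(c.tag) == "security-constraint"]
    methods = texts(root, "auth-method")
    return {"active": active, "commented_out": commented,
            "auth_method": methods[0] if methods else None}

# Constructed sample: container-managed auth disabled by commenting the block out.
SAMPLE_COMMENTED = """<web-app>
  <!--
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Edit.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  -->
</web-app>"""

# The same file with the comment markers removed (step 1 applied).
SAMPLE_ENABLED = SAMPLE_COMMENTED.replace("<!--", "").replace("-->", "")

if __name__ == "__main__":
    for label, doc in (("commented", SAMPLE_COMMENTED), ("enabled", SAMPLE_ENABLED)):
        print(label, audit_web_xml(doc))
```

An empty `active` list together with a non-zero `commented_out` count is the state described in item 6 of the original message; after step 1 the counts should be reversed.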