JAAS/ClassLoader questions
Hi, folks:

I'm trying to work out a variation of what appears to be a problem previously encountered via JNDI/JMS and Tomcat. My specific configuration has a little bit of a different slant, though. I'm attempting to follow this route:

    JSP-JAAS-EJB-database

Previously, I was able to use a JSP to retrieve data through an entity EJB and it worked fine. When I started working with authentication via JAAS, I bundled a .jar file with my security classes, including the LoginModule-derived class that would be used to authenticate a user, and included it in my webapp/WEB-INF/lib directory. When I attempt to authenticate via the JSP, however, I get the following exception:

    Error: 500
    Location: /scheduler/Login.jsp
    Internal Servlet Error:

    javax.servlet.ServletException: unable to find LoginModule class: org.sofbex.security.login.SchedulerModule
        at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:457)
        at Login_1._jspService(Login_1.java:110)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at org.apache.tomcat.facade.ServletHandler.doService(ServletHandler.java:500)
        at org.apache.tomcat.core.Handler.service(Handler.java:226)
        at org.apache.tomcat.facade.ServletHandler.service(ServletHandler.java:448)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:777)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:699)
        at org.apache.tomcat.modules.server.Http10Interceptor.processConnection(Http10Interceptor.java:142)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:426)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:497)
        at java.lang.Thread.run(Thread.java:484)

    Root cause:
    javax.security.auth.login.LoginException: unable to find LoginModule class: org.sofbex.security.login.SchedulerModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:649)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:124)
        at javax.security.auth.login.LoginContext$3.run(LoginContext.java:530)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:527)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:448)
        at Login_1._jspService(Login_1.java:81)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:119)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at org.apache.tomcat.facade.ServletHandler.doService(ServletHandler.java:500)
        at org.apache.tomcat.core.Handler.service(Handler.java:226)
        at org.apache.tomcat.facade.ServletHandler.service(ServletHandler.java:448)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:777)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:699)
        at org.apache.tomcat.modules.server.Http10Interceptor.processConnection(Http10Interceptor.java:142)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:426)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:497)
        at java.lang.Thread.run(Thread.java:484)

As I said, the org.sofbex.security.login.SchedulerModule class is included in security.jar, which is in the webapp/WEB-INF/lib directory. The jaas.jar and jaas_lm.jar files (supplied by the IBM JAAS for Linux implementation) are also included in the lib directory.

I had written a main() method into the SchedulerModule class to test its operation, and it worked fine, so I don't think it's a security issue. I checked the supplied tomcat.policy file and added full security permissions for the webapp directory and below, to no avail.

Was there a resolution found for this problem?

Thanks for your help.

Roby Gamboa

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]

Re: JAAS/ClassLoader questions
It doesn't look like this approach will work.

JAAS=Java Authentication and Authorization Service, a Sun Java extension (http://java.sun.com/products/jaas). For authentication, you construct a module for handling authentication services for your application, and it has to implement javax.security.auth.spi.LoginModule from jaas.jar. In my case, this was the class that wasn't found in the original exception trace that I posted.

In addition, you have to add entries for 'providers' to the java.security file, like so:

    login.configuration.provider=com.ibm.security.auth.login.ConfigFile
    login.config.url.1=file:/opt/Projects/Scheduler/webapp/WEB-INF/lib/scheduler.conf
    auth.policy.provider=com.ibm.security.auth.PolicyFile
    auth.policy.url.1=file:/opt/Projects/Scheduler/webapp/WEB-INF/lib/scheduler.policy

In this case, IBM has supplied the JAAS implementation for Linux (Sun only has Windows and Solaris implementations available). The problem is that neither of the classes mentioned implement java.security.Provider, so they can't be added via Security.addProvider().

You then construct the configuration and policy files referenced. In the configuration file indicated above, I've got the following entry:

    Scheduler {
        org.sofbex.security.login.SchedulerModule Required repository=schedule;
    };

The format is:

    [Application] {
        [Login Module] [Constraint] [Options];
        ...
    };

In my case, I'm only using one type of login module for authentication purposes, SchedulerModule.

Although these classes provide the mechanism for getting at the security configuration and policy, the class that manages access to the JAAS portion of the security framework is javax.security.auth.login.LoginContext. You create a new instance of this class, using your application's name as entered in the .conf file indicated above ('Scheduler', in my case). When I attempt to instantiate the LoginContext object, I get the exception that I referenced in my original message.

Are there alternate mechanisms for loading providers?

- Roby

David Wall wrote:

>> I'm trying to work out a variation of what appears to be a problem previously encountered via JNDI/JMS and Tomcat. My specific configuration has a little bit of a different slant, though. I'm attempting to follow this route: JSP-JAAS-EJB-database
>
> I figured out a work-around for JNDI/JMS. Actually, in my case it was just for JNDI, though I was only using JNDI to use JMS!
>
> I have not used JAAS before. Is it an extension? How is the extension loaded? You'll want to make sure that the extension is loaded by your code, and not by anything that would be found in the standard CLASSPATH (as used by Tomcat), and it cannot be done by including configuration information in a properties file or the like.
>
> For example, to use JCE, I had used the method of installing the provider by putting an entry in the jre/lib/security/java.security file, and this had the unfortunate side effect of causing those classes to be loaded by the system class loaders rather than the JSP classloader that's going to look in WEB-INF/lib for you. By loading the provider in my code instead (Security.addProvider()) I was able to solve it.
>
> Hope this helps...
> David
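
One answer to the closing question, as an added example (not code from either poster): in the JAAS that ships inside the JDK (Java 6 and later), the 'Scheduler' entry can be handed to LoginContext as a Configuration object built in code, so nothing in java.security is involved, and the module name is resolved through the thread context class loader. InCodeJaasConfig and DemoModule are hypothetical names; DemoModule stands in for org.sofbex.security.login.SchedulerModule, and this does not apply to the separately installed jaas.jar used in the thread.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class InCodeJaasConfig {
    // Hypothetical stand-in for org.sofbex.security.login.SchedulerModule.
    public static class DemoModule implements LoginModule {
        private Map<String, ?> options;
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> options) {
            this.options = options;
        }
        public boolean login() throws LoginException {
            // Fail closed if the option from the page's entry is missing.
            if (!"schedule".equals(options.get("repository")))
                throw new LoginException("unexpected repository option");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    // In-code equivalent of: Scheduler { <module> Required repository=schedule; };
    static Configuration inCode(final String moduleClass) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                if (!"Scheduler".equals(app)) return null;   // unknown application
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    moduleClass, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("repository", "schedule")) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // LoginContext captures the thread context class loader and uses it to
        // load the module class, so set it to a loader that can see that class
        // (in a webapp: the loader that serves WEB-INF/lib).
        Thread.currentThread().setContextClassLoader(
            InCodeJaasConfig.class.getClassLoader());
        LoginContext lc = new LoginContext("Scheduler", new Subject(), null,
            inCode(DemoModule.class.getName()));
        lc.login();   // throws LoginException if the module cannot be found
        System.out.println("module loaded and login() succeeded");
    }
}
```

If the context class loader cannot see the named class, login() fails with the same "unable to find LoginModule class" LoginException shown in the first message.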