JNDIRealm in Tomcat 5

2004-01-27 Thread Vincent
Hello All,
I searched the archive but have not seen a situation like mine.
I am in the process of upgrading to tomcat 5.0.16 from 4.1.29.
I'm happy to say that my webapp seems to be running fine under tomcat 5
with one important exception. My configured JNDIRealm seems to be 
failing. The main problem is that I cannot seem to get the logger
to report the realm's errors to me. I have the realm within engine
and both engine and realm are set to debug=99. Is there something 
else I need to do?
Thanks.
Vincent
Re: JNDIRealm in tomcat

2002-09-12 Thread John Holman

The patch is included in tomcat 4.1.10
John.


Vincent Stoessel wrote:
 Vincent Stoessel wrote:
 
 I was thinking about trying to create a JNDIRealm
 inside of Tomcat 4.0.4 (java 1.4se). I've already written
 a cool little bean that allows me to authenticate
 against our ldap/nds server, but I see that tomcat
 authentication is role based. Are roles something that
 would have to be added to the netware 5/6 ldap/nds schema?
 Any Novell heads out here?

 I would rather use our existing system than build a new
 employee db. Thanks.
 
 Ok, I sent this out before I read this:
 
 http://marc.theaimsgroup.com/?l=tomcat-dev&m=101515968207676&w=2
 
 this patch seems very cool, has it been incorporated into tomcat?
 If so what version?
 Thanks.
 



JNDIRealm in tomcat

2002-09-11 Thread Vincent Stoessel

I was thinking about trying to create a JNDIRealm
inside of Tomcat 4.0.4 (java 1.4se). I've already written
a cool little bean that allows me to authenticate
against our ldap/nds server, but I see that tomcat
authentication is role based. Are roles something that
would have to be added to the netware 5/6 ldap/nds schema?
Any Novell heads out here?

I would rather use our existing system than build a new
employee db. Thanks.




-- 
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com


Re: JNDIRealm in tomcat

2002-09-11 Thread Vincent Stoessel

Vincent Stoessel wrote:
 I was thinking about trying to create a JNDIRealm
 inside of Tomcat 4.0.4 (java 1.4se). I've already written
 a cool little bean that allows me to authenticate
 against our ldap/nds server, but I see that tomcat
 authentication is role based. Are roles something that
 would have to be added to the netware 5/6 ldap/nds schema?
 Any Novell heads out here?
 
 I would rather use our existing system than build a new
 employee db. Thanks.
 

Ok, I sent this out before I read this:

http://marc.theaimsgroup.com/?l=tomcat-dev&m=101515968207676&w=2

this patch seems very cool, has it been incorporated into tomcat?
If so what version?
Thanks.

-- 
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com


JndiRealm for Tomcat 4.0 and 3.2x alpha2 is available

2001-03-31 Thread Roytman, Alex
JndiRealm for Tomcat 3.2 and Tomcat 4.0 readme:
http://www.peacetech.com/java/files/apache/tomcat/jndi-auth.html


JndiRealm for Tomcat 3.2 and Tomcat 4 Alpha 2 download:
http://www.peacetech.com/java/files/apache/tomcat/jndi_auth_alpha2.jar
(Please use java jar or zip utility to extract files)


I would greatly appreciate your feedback
Alex Roytman
[EMAIL PROTECTED]




<!-- JndiRealm authenticates and authorizes users against JNDI. It was developed and tested
 against LDAP JNDI (Sun's and Netscape's JNDI provider).
 JndiRealm uses JNDI_SECURITY_PRINCIPAL and JNDI_SECURITY_CREDENTIALS to connect to a directory.
 Then it looks for exactly one user name matching jndiSearchFilter in the entire subtree
 of jndiInitialContext. If one and only one matching directory object is found it will use this
 object and the Tomcat-supplied credentials to authenticate and fetch roles.
 If successful it will fetch user roles using the JNDI attributes listed in jndiRolesAttributes.
 If roleMapperClass is specified it will use it to map user roles onto application roles
 specific to each web context (Tomcat 3.2x).
 The provided SimpleRoleMapper implementation will read the role map from either roleMapperSourceUrl or
 (Tomcat 3.2x only) the WEB-INF/role-map.xml file in each web context.

 className="com.peacetech.webtools.tomcat.JndiRealm"          TOMCAT 3.2x
 className="com.peacetech.webtools.tomcat.JndiRealmCatalina"  TOMCAT 4.0

 The following are JNDI environment parameters which are passed straight to
 new javax.jndi.directory.InitialDirContext(Hashtable env)
 JNDI_INITIAL_CONTEXT_FACTORY = com.sun.jndi.ldap.LdapCtxFactory
 (or com.netscape.jndi.ldap.LdapContextFactory; Netscape's seems to be faster)
 JNDI_PROVIDER_URL = ldap://207.176.93.66:389
 JNDI_SECURITY_AUTHENTICATION = simple
 JNDI_SECURITY_PRINCIPAL = cn=ldap-user,o=pti  //finds authorizing users by filter in directory
 JNDI_SECURITY_CREDENTIALS = peacetech
 JNDI_SECURITY_PROTOCOL =

 jndiInitialContext = o=pti
 Root context for user lookups.

 jndiSearchFilter = cn={0}
 Filter to look up the authorizing user. Supports java.text.MessageFormat.
 The only parameter to the java.text.MessageFormat pattern is the authorizing username,
 i.e. jndiSearchFilter = cn={0} for user alex will result in a lookup for cn=alex.

 jndiRolesAttributes = securityEquals
 One or more directory attributes, separated with semicolons, which contain security roles.
 Attributes can be multivalued. If blank, no attempt to retrieve roles from the directory will be made.

 roleMapperClass = com.peacetech.webtools.tomcat.SimpleRoleMapper
 ATTENTION: It requires SAX2/JAXP 1.1 (Apache Xerces or Sun JAXP 1.1 distribution).
 Implementation of the RoleMapper interface to be used to transform user directory roles
 to application roles. In Tomcat 3.2x the mapper class is server wide but the actual mapping data
 is context specific (unless you specified roleMapperSourceUrl);
 in Tomcat 4.0 both RoleMapper and mapping data are Realm specific and you have to specify
 roleMapperSourceUrl. If it is blank, no role mapping will occur.

 roleMapperSourceUrl = file:///d:/tomcat4/conf/my-role-map.xml
 URL of the RoleMapper source. In Tomcat 3.2x, if it is not specified we try to find the file
 WEB-INF/role-map.xml in every initializing Tomcat context.

 contextDirMaxPoolSize = 20
 JNDI does not allow multi-threaded access to a single context instance. We chose to pool the contexts which
 do the user filter lookup instead of creating and re-authenticating one every time. Access to the pool
 is synchronized.
-->

<!-- Tomcat 3.2 -->
<RequestInterceptor
 className="com.peacetech.webtools.tomcat.JndiRealm"
 debug="1"
 JNDI_INITIAL_CONTEXT_FACTORY="com.sun.jndi.ldap.LdapCtxFactory"
 JNDI_PROVIDER_URL="ldap://207.176.93.66:389"
 JNDI_SECURITY_AUTHENTICATION="simple"
 JNDI_SECURITY_PRINCIPAL="cn=ldap-user,o=pti"
 JNDI_SECURITY_CREDENTIALS="mypassword"
 JNDI_SECURITY_PROTOCOL=""
 jndiInitialContext="o=pti"
 jndiSearchFilter="cn={0}"
 jndiRolesAttributes="securityEquals"
 contextDirMaxPoolSize="20"
 roleMapperClass="com.peacetech.webtools.tomcat.SimpleRoleMapper"/>

<!-- Tomcat 4 -->
<Realm className="com.peacetech.webtools.tomcat.JndiRealmCatalina"
 debug="1"
 JNDI_INITIAL_CONTEXT_FACTORY="com.sun.jndi.ldap.LdapCtxFactory"
 JNDI_PROVIDER_URL="ldap://207.176.93.66:389"
 JNDI_SECURITY_AUTHENTICATION="simple"
 JNDI_SECURITY_PRINCIPAL="cn=ldap-user,o=pti"
 JNDI_SECURITY_CREDENTIALS="mypassword"
 JNDI_SECURITY_PROTOCOL=""
 jndiInitialContext="o=pti"
 jndiSearchFilter="cn={0}"
 jndiRolesAttributes="securityEquals"
 contextDirMaxPoolSize="20"
 roleMapperClass="com.peacetech.webtools.tomcat.SimpleRoleMapper"
 roleMapperSourceUrl="file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml"/>

<!-- *** End of PeaceTech JNDI Authentication Support ** -->





Re: [CONTRIBUTION] JndiRealm for Tomcat. LDAP Authentication via JNDI is Available

2001-03-28 Thread Martin Smith

This is great news!  I'll definitely check it out.

mfs


"Roytman, Alex" wrote:



 JndiRealm for Tomcat

 Please download ALPHA version of JndiRealm (compiled and source code)
 from
 http://peacetech.com/java/files/apache/tomcat/jndi-auth.html

 JndiRealm authenticates and authorizes users against JNDI. It was
 developed and tested
 against LDAP JNDI (Sun's and Netscape's JNDI provider).
 JndiRealm looks for exactly one user name matching jndiSearchFilter +
 username in the entire subtree
 of jndiInitialContext and uses the Tomcat-supplied credentials to
 authenticate.
 If successful, it will fetch user roles using the JNDI attributes listed in
 jndiRolesAttributes,
 and if roleMapperClass is specified it will use it to map user roles
 onto application roles
 specific to each web context.
 The provided SimpleRoleMapper implementation will read the
 WEB-INF/role-map.xml file in each web context
 and will do mappings accordingly.

 JndiRealm works a little bit differently from SimpleRealm or JdbcRealm.

 They extract user/password from the user Session for Form based
 authentication (from headers for Basic authentication) and then for
 *every request* perform authentication and authorization. This however
 might be a problem if the password on the backend changes constantly. A password
 cached in the User Session or Request Header will expire in, let's
 say, 15 seconds and any subsequent attempt to get user roles from the
 directory

 One solution to the problem would be to cache all
 authentication/authorization info in the user session (as tomcat is
 already doing with username and password for form based
 authentication) and use it as a proof of successful authentication for
 all subsequent requests.

 I am not very familiar with Tomcat's security infrastructure so it
 would be nice if somebody from the tomcat team took a look at my source
 code.

 If it proves to be useful I will port it to tomcat 4.

 Alex Roytman

 For samples, please see the tomcat/conf/server.xml and
 WEB-INF/role-map.xml files in the distribution.
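The search-then-bind flow that both the readme above and this announcement describe (bind as the service principal, search the whole subtree under jndiInitialContext for exactly one cn={0} match, bind as that entry with the user's password, read the role attribute), written out in plain JNDI as an added example; this is not PeaceTech's JndiRealm code, and the class name, host, service password and the rejection of empty passwords are assumptions of this example. The username is escaped per RFC 4515 before it is placed in the filter, a check worth adding wherever a raw username is substituted into cn={0}.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class JndiSearchBindExample {
    // Assumed values mirroring the readme's sample server.xml; host and password are placeholders.
    static final String PROVIDER_URL = "ldap://ldap.example.invalid:389";
    static final String SERVICE_DN = "cn=ldap-user,o=pti";      // JNDI_SECURITY_PRINCIPAL
    static final String SERVICE_PASSWORD = "change-me";          // JNDI_SECURITY_CREDENTIALS
    static final String BASE = "o=pti";                          // jndiInitialContext
    static final String ROLES_ATTRIBUTE = "securityEquals";      // jndiRolesAttributes

    /** Escape RFC 4515 filter metacharacters so a username cannot change the shape of the cn={0} filter. */
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }

    static DirContext bind(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    /** Search as the service account, bind as the single matching user, return that user's roles; null = failure. */
    static List<String> authenticate(String username, String password) throws NamingException {
        if (password == null || password.isEmpty()) return null; // empty password = anonymous bind, never a login
        DirContext service = bind(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);             // "entire subtree of jndiInitialContext"
            sc.setReturningAttributes(new String[] {ROLES_ATTRIBUTE});
            NamingEnumeration<SearchResult> hits = service.search(BASE, "(cn=" + escapeFilterValue(username) + ")", sc);
            if (!hits.hasMore()) return null;
            SearchResult user = hits.next();
            if (hits.hasMore()) return null;                              // readme: exactly one match, else reject
            try { bind(user.getNameInNamespace(), password).close(); }    // the user's own bind proves the password
            catch (AuthenticationException bad) { return null; }
            List<String> roles = new ArrayList<>();
            Attribute a = user.getAttributes().get(ROLES_ATTRIBUTE);
            if (a != null) for (NamingEnumeration<?> e = a.getAll(); e.hasMore();) roles.add(String.valueOf(e.next()));
            return roles;
        } finally {
            service.close();
        }
    }
}
```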