JNDIRealm in Tomcat 5
Hello All,

I searched the archive but have not seen a situation like mine. I am in the process of upgrading to tomcat 5.0.16 from 4.1.29. I'm happy to say that my webapp seems to be running fine under tomcat 5 with one important exception. My configured JNDIRealm seems to be failing.

The main problem is that I cannot seem to get the logger to report the realm's errors to me. I have the realm within engine and both engine and realm are set to debug=99. Is there something else I need to do?

Thanks.

Vincent
Re: JNDIRealm in tomcat
The patch is included in tomcat 4.1.10.

John

Vincent Stoessel wrote:
> Vincent Stoessel wrote:
> > I was thinking about trying to create a JNDIRealm inside of Tomcat 4.0.4 (java 1.4se). I've already written a cool little bean that allows me to authenticate against our ldap/nds server, but I see that tomcat authentication is role based. Are roles something that would have to be added to the netware 5/6 ldap/nds schema? Any Novell heads out here? I would rather use our existing system than build a new employee db.
> > Thanks.
>
> Ok, I sent this out before I read this:
> http://marc.theaimsgroup.com/?l=tomcat-dev&m=101515968207676&w=2
> This patch seems very cool, has it been incorporated into tomcat? If so what version?
> Thanks.
JNDIRealm in tomcat
I was thinking about trying to create a JNDIRealm inside of Tomcat 4.0.4 (java 1.4se). I've already written a cool little bean that allows me to authenticate against our ldap/nds server, but I see that tomcat authentication is role based. Are roles something that would have to be added to the netware 5/6 ldap/nds schema? Any Novell heads out here? I would rather use our existing system than build a new employee db.

Thanks.

--
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com
Re: JNDIRealm in tomcat
Vincent Stoessel wrote:
> I was thinking about trying to create a JNDIRealm inside of Tomcat 4.0.4 (java 1.4se). I've already written a cool little bean that allows me to authenticate against our ldap/nds server, but I see that tomcat authentication is role based. Are roles something that would have to be added to the netware 5/6 ldap/nds schema? Any Novell heads out here? I would rather use our existing system than build a new employee db.
> Thanks.

Ok, I sent this out before I read this:
http://marc.theaimsgroup.com/?l=tomcat-dev&m=101515968207676&w=2
This patch seems very cool, has it been incorporated into tomcat? If so what version?

Thanks.

--
Vincent Stoessel
Linux Systems Developer
vincent xaymaca.com
JndiRealm for Tomcat 4.0 and 3.2x alpha2 is available
JndiRealm for Tomcat 3.2 and Tomcat 4.0 readme: http://www.peacetech.com/java/files/apache/tomcat/jndi-auth.html

JndiRealm for Tomcat 3.2 and Tomcat 4 Alpha 2 download: http://www.peacetech.com/java/files/apache/tomcat/jndi_auth_alpha2.jar (Please use the java jar or zip utility to extract the files.)

I would greatly appreciate your feedback.

Alex Roytman [EMAIL PROTECTED]

<!--
JndiRealm authenticates and authorizes users against JNDI. It was developed and tested against LDAP JNDI (Sun's and Netscape's JNDI provider).

JndiRealm uses JNDI_SECURITY_PRINCIPAL and JNDI_SECURITY_CREDENTIALS to connect to a directory. Then it looks for exactly one user name matching jndiSearchFilter in the entire subtree of jndiInitialContext. If one and only one matching directory object is found it will use this object and the Tomcat-supplied credentials to authenticate and fetch roles. If successful it will fetch user roles using the JNDI attributes listed in jndiRolesAttributes. If roleMapperClass is specified it will use it to map user roles onto application roles specific for each web context (Tomcat 3.2x).

The provided SimpleRoleMapper implementation will read the role map from either roleMapperSourceUrl or (Tomcat 3.2x only) the WEB-INF/role-map.xml file in each web context.

    className=com.peacetech.webtools.tomcat.JndiRealm            TOMCAT 3.2x
    className=com.peacetech.webtools.tomcat.JndiRealmCatalina    TOMCAT 4.0

Following are the JNDI environment parameters which are passed straight to new javax.jndi.directory.InitialDirContext(Hashtable env):

    JNDI_INITIAL_CONTEXT_FACTORY = com.sun.jndi.ldap.LdapCtxFactory
        (or com.netscape.jndi.ldap.LdapContextFactory; Netscape's seems to be faster)
    JNDI_PROVIDER_URL = ldap://207.176.93.66:389
    JNDI_SECURITY_AUTHENTICATION = simple
    JNDI_SECURITY_PRINCIPAL = cn=ldap-user,o=pti
        // finds authorizing users by filter in directory
    JNDI_SECURITY_CREDENTIALS = peacetech
    JNDI_SECURITY_PROTOCOL =

Realm-specific parameters:

    jndiInitialContext = o=pti
        Root context for user lookups.
    jndiSearchFilter = cn={0}
        Filter to look up the authorizing user. Supports java.text.MessageFormat. The only parameter to the java.text.MessageFormat pattern is the authorizing username, i.e. jndiSearchFilter = cn={0} for user alex will result in a lookup for cn=alex.
    jndiRolesAttributes = securityEquals
        One or more directory attributes, separated with semicolons, which contain security roles; attributes can be multivalued. If blank, no attempt to retrieve roles from the directory will be made.
    roleMapperClass = com.peacetech.webtools.tomcat.SimpleRoleMapper
        ATTENTION: it requires SAX2/JAXP 1.1 (Apache Xerces or Sun JAXP 1.1 distribution). Implementation of the RoleMapper interface to be used to transform user directory roles to application roles. In Tomcat 3.2x the MapperClass is server wide but the actual mapping data is context specific (unless you specified roleMapperSourceUrl); in Tomcat 4.0 both the RoleMapper and the mapping data are Realm specific and you have to specify roleMapperSourceUrl. If it is blank no role mapping will occur.
    roleMapperSourceUrl = file:///d:/tomcat4/conf/my-role-map.xml
        URL of the RoleMapper source. In Tomcat 3.2x, if it is not specified we try to find the file WEB-INF/role-map.xml in every initializing Tomcat context.
    contextDirMaxPoolSize = 20
        JNDI does not allow multi-threaded access to a single context instance. We chose to pool the contexts which do the user filter lookup instead of creating and re-authenticating one every time. Access to the pool is synchronized.
-->

<!-- Tomcat 3.2 -->
<RequestInterceptor className="com.peacetech.webtools.tomcat.JndiRealm" debug="1"
    JNDI_INITIAL_CONTEXT_FACTORY="com.sun.jndi.ldap.LdapCtxFactory"
    JNDI_PROVIDER_URL="ldap://207.176.93.66:389"
    JNDI_SECURITY_AUTHENTICATION="simple"
    JNDI_SECURITY_PRINCIPAL="cn=ldap-user,o=pti"
    JNDI_SECURITY_CREDENTIALS="mypassword"
    JNDI_SECURITY_PROTOCOL=""
    jndiInitialContext="o=pti"
    jndiSearchFilter="cn={0}"
    jndiRolesAttributes="securityEquals"
    contextDirMaxPoolSize="20"
    roleMapperClass="com.peacetech.webtools.tomcat.SimpleRoleMapper"/>

<!-- Tomcat 4 -->
<Realm className="com.peacetech.webtools.tomcat.JndiRealmCatalina" debug="1"
    JNDI_INITIAL_CONTEXT_FACTORY="com.sun.jndi.ldap.LdapCtxFactory"
    JNDI_PROVIDER_URL="ldap://207.176.93.66:389"
    JNDI_SECURITY_AUTHENTICATION="simple"
    JNDI_SECURITY_PRINCIPAL="cn=ldap-user,o=pti"
    JNDI_SECURITY_CREDENTIALS="mypassword"
    JNDI_SECURITY_PROTOCOL=""
    jndiInitialContext="o=pti"
    jndiSearchFilter="cn={0}"
    jndiRolesAttributes="securityEquals"
    contextDirMaxPoolSize="20"
    roleMapperClass="com.peacetech.webtools.tomcat.SimpleRoleMapper"
    roleMapperSourceUrl="file:///z:/Projects/Gao/gwiz/web/gwiz/WEB-INF/role-map.xml"/>
<!-- *** End of PeaceTech JNDI Authentication Support *** -->
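The readme above describes a four-step flow: substitute the username into jndiSearchFilter, require exactly one match in the subtree, bind with the found object's DN and the user's password, then read the attributes named in jndiRolesAttributes and map them through the role map. The following is an added example that walks that flow offline; it is not JndiRealm's code. An in-memory dictionary (DIRECTORY, constructed here) stands in for the LDAP subtree under o=pti, ROLE_MAP stands in for role-map.xml, and only single-equality filters such as cn={0} are modelled. The one thing it adds beyond the readme is RFC 4515 escaping of the username before it replaces {0}, which is what keeps a name containing filter metacharacters from being interpreted as a wildcard or sub-filter; the context pool (contextDirMaxPoolSize) is not modelled.

```python
"""Simulated JndiRealm flow: filter lookup, exactly-one check, bind, roles, role map."""
import re

# Constructed sample subtree under jndiInitialContext = o=pti.
# Two entries share cn=bob so the "one and only one match" rule is exercised.
DIRECTORY = {
    "cn=alex,o=pti": {
        "cn": ["alex"],
        "userPassword": ["s3cret"],
        "securityEquals": ["cn=admins,o=pti", "cn=staff,o=pti"],
    },
    "cn=bob,o=pti": {
        "cn": ["bob"],
        "userPassword": ["hunter2"],
        "securityEquals": ["cn=staff,o=pti"],
    },
    "cn=bob,ou=contractors,o=pti": {
        "cn": ["bob"],
        "userPassword": ["other"],
        "securityEquals": [],
    },
}

# Constructed stand-in for SimpleRoleMapper's role-map.xml:
# directory role (a DN found in securityEquals) -> application role.
ROLE_MAP = {
    "cn=admins,o=pti": "manager",
    "cn=staff,o=pti": "tomcat",
}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so the
    username is matched literally rather than parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(pattern, username):
    """Substitute the (escaped) username for {0}, as jndiSearchFilter does."""
    return pattern.replace("{0}", escape_filter_value(username))


def _filter_value_to_regex(value):
    """Value part of (attr=value) -> regex: \\XX escapes are literal characters,
    an unescaped * is a wildcard, everything else matches literally."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3] or ""):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
            continue
        out.append(".*" if ch == "*" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


_SIMPLE_FILTER = re.compile(r"^\(?([A-Za-z][\w-]*)=(.*?)\)?$")


def search_subtree(filter_str):
    """Return the DNs of every entry matching a single-equality filter such as
    cn=alex or (cn=alex); only this filter form is modelled."""
    m = _SIMPLE_FILTER.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    attr, pattern = m.group(1), _filter_value_to_regex(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if any(pattern.match(v) for v in entry.get(attr, []))]


def bind_as_user(dn, password):
    """Simulated user bind with the found object's DN and the Tomcat-supplied password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def authenticate(username, password, search_filter="cn={0}", roles_attributes="securityEquals"):
    """Return {'dn': ..., 'roles': [...]} on success, None on any failure."""
    matches = search_subtree(build_search_filter(search_filter, username))
    if len(matches) != 1:
        return None  # zero or ambiguous matches: the readme's exactly-one rule
    dn = matches[0]
    if not bind_as_user(dn, password):
        return None
    directory_roles = []
    for attr in roles_attributes.split(";"):  # semicolon-separated, each may be multivalued
        attr = attr.strip()
        if attr:
            directory_roles.extend(DIRECTORY[dn].get(attr, []))
    app_roles = sorted({ROLE_MAP[r] for r in directory_roles if r in ROLE_MAP})
    return {"dn": dn, "roles": app_roles}


if __name__ == "__main__":
    print(authenticate("alex", "s3cret"))  # {'dn': 'cn=alex,o=pti', 'roles': ['manager', 'tomcat']}
    print(authenticate("bob", "hunter2"))  # None: two entries match cn=bob
    print(authenticate("*", "anything"))   # None: escaped to cn=\2a, nothing matches literally
```

Run it as a script to see the three outcomes. The ambiguous-match case is the one worth noting for a real directory: if the search base is broad enough that two objects share a cn, the realm must refuse rather than pick the first, exactly as the readme states.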
Re: [CONTRIBUTION] JndiRealm for Tomcat. LDAP Authentication via JNDI is Available
This is great news! I'll definitely check it out.

mfs

"Roytman, Alex" wrote:
> JndiRealm for Tomcat
>
> Please download the ALPHA version of JndiRealm (compiled and source code) from http://peacetech.com/java/files/apache/tomcat/jndi-auth.html
>
> JndiRealm authenticates and authorizes users against JNDI. It was developed and tested against LDAP JNDI (Sun's and Netscape's JNDI provider). JndiRealm looks for exactly one user name matching jndiSearchFilter + username in the entire subtree of jndiInitialContext and uses the Tomcat-supplied credentials to authenticate. If successful, it will fetch user roles using the JNDI attributes listed in jndiRolesAttributes, and if roleMapperClass is specified it will use it to map user roles onto application roles specific for each web context. The provided SimpleRoleMapper implementation will read the WEB-INF/role-map.xml file in each web context and will do the mappings accordingly.
>
> JndiRealm works a little bit differently from SimpleRealm or JdbcRealm. They extract user/password from the user Session for Form based authentication (from headers for Basic authentication) and then for *every request* perform authentication and authorization. This however might be a problem if the password on the backend changes constantly. The password cached in the User Session or Request Header will expire in, let's say, 15 seconds and any subsequent attempt to get user roles from the directory
>
> One solution to the problem would be to cache all authentication/authorization info in the user session (as Tomcat is already doing with username and password for form based authentication) and use it as a proof of successful authentication for all subsequent requests.
>
> I am not very familiar with Tomcat's security infrastructure so it would be nice if somebody from the Tomcat team took a look at my source code. If it proves to be useful I will port it to Tomcat 4.
>
> Alex Roytman
>
> For samples, please see the tomcat/conf/server.xml and WEB-INF/role-map.xml files in the distribution.