Hi,
How do you authenticate uid/pwd against a Tomcat realm, from within a web application?
We have a half-baked JMX-based solution; but it is not satisfactory because we would have to move JARs around because of classloader issues. Whether the code in the web app does this authentication JAAS-based or another way is somewhat irrelevant, although JAAS would seem natural. The main problem really is: How to find the "current" Tomcat Realm, from within a custom written (easy; done) JAAS LoginModule? If others agree that this would be nice to have, how can we get something like a TomcatRealmProxyLoginModule into Tomcat?
More background below, if interested.
Thanks a lot, Michael
===
Background: On e.g. WebLogic or WebSphere, we can use the JAAS API to authenticate uid/pwd from within a web application, because they both have built-in JAAS LoginModule implementations which "forward" to whatever they call a realm. This is sometimes very useful. (For BEA there is a weblogic.security.auth.login.UsernamePasswordLoginModule; for WebSphere simply using "ClientContainer" as Application/LoginModuleName when constructing the LoginContext does the trick, it uses their com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy.)
On Tomcat, we have not found a clean way to authenticate uid/pwd against a Tomcat realm, from within a web application; unless we are missing the obvious? This is an alternative use of JAAS, different from the JAASRealm included with Tomcat, it's sort of the "opposite", makes sense?
In fact, Tomcat does include one class that may be conceptually vaguely similar to what I am trying to achieve: The JAASMemoryLoginModule... what we are looking for is help for a cleaner and more generic re-implementation of the same idea, so that it works e.g. on top of a JNDIRealm too, or indeed any maybe custom-written Tomcat Realm.
A few words on why we'd like to get this "Access Tomcat Realm through JAAS API from app" JAASMemoryLoginModule-like approach working, instead of the JAASRealm-based one: To e.g. use the JAASRealm with a simple text file, I had to patch com.tagish.auth.FileLogin to be able to use it with Tomcat; to simply do what MemoryRealm already does. To use this with LDAP is a mess as there doesn't seem to be a working JAAS LDAP LoginModule (the JNDI-based one included with the JDK doesn't work too well, see also earlier posts on this list) - what really works is your Tomcat JNDIRealm. This is why the interest in this approach. Now, granted, I could write a JAAS LoginModule copy/pasting the code from Tomcat JNDIRealm, and then use the JAASRealm... but... agreed "the other way around" would be nicer? Also easier for deployment; people are used to realms, but confused by JAAS.
If people on this list think that this "other way around" is not the way to go for some reason (despite e.g. WebLogic or WebSphere doing it like that; haven't looked at JAAS in JBoss yet, anybody?) please do respond, too.
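Added example, not code from the original post or from Tomcat itself: one way to build the TomcatRealmProxyLoginModule the post asks for. It assumes a small Tomcat-side LifecycleListener (RealmExporter) that publishes the context's Realm as a ServletContext attribute, a custom JAAS Callback through which the application hands that object to the LoginModule, and reflection so the web application needs no compile-time or classpath dependency on catalina.jar (the classloader problem mentioned above). The package names, class names and attribute name are assumptions; the Tomcat calls used (Context.getRealm(), Context.getServletContext(), Realm.authenticate(String, String)) and the JAAS API are real. Java 7 or later.

```java
// ---- RealmExporter.java: packaged in its own jar on Tomcat's server classpath (server/lib on
// Tomcat 4/5, lib on Tomcat 6 and later); declared per context as
// <Listener className="example.tomcat.RealmExporter"/>. Package and attribute name are assumptions.
package example.tomcat;

import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;

/** Publishes the starting Context's Realm as a ServletContext attribute. */
public class RealmExporter implements LifecycleListener {
    public static final String ATTR = "example.tomcat.REALM";

    public void lifecycleEvent(LifecycleEvent event) {
        if (Lifecycle.START_EVENT.equals(event.getType()) && event.getLifecycle() instanceof Context) {
            Context ctx = (Context) event.getLifecycle();
            // getRealm() falls back to the Host/Engine Realm when the Context defines none of its own
            ctx.getServletContext().setAttribute(ATTR, ctx.getRealm());
        }
    }
}

// ---- TomcatRealmProxyLoginModule.java: lives in the web application (WEB-INF/lib) and is named
// in the JAAS login configuration, e.g.
//   TomcatRealmProxy { example.jaas.TomcatRealmProxyLoginModule required; };
package example.jaas;

import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.ServletContext;

public class TomcatRealmProxyLoginModule implements LoginModule {

    /** Custom Callback (assumed design): the application's handler fills in the Realm object. */
    public static class RealmCallback implements Callback {
        public Object realm;
    }

    /** Handler the application uses: answers name, password and Realm (from the ServletContext). */
    public static class ServletCallbackHandler implements CallbackHandler {
        private final ServletContext sc; private final String user; private final char[] pwd;
        public ServletCallbackHandler(ServletContext sc, String user, char[] pwd) {
            this.sc = sc; this.user = user; this.pwd = pwd;
        }
        public void handle(Callback[] cbs) throws UnsupportedCallbackException {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pwd);
                else if (cb instanceof RealmCallback) ((RealmCallback) cb).realm = sc.getAttribute("example.tomcat.REALM");
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;   // set by login(), bound to the Subject in commit()

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback name = new NameCallback("username: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        RealmCallback realmCb = new RealmCallback();
        try {
            handler.handle(new Callback[] { name, pass, realmCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("handler cannot supply name/password/Realm: " + e);
        }
        if (realmCb.realm == null) throw new LoginException("no Tomcat Realm published for this context");
        char[] chars = pass.getPassword() == null ? new char[0] : pass.getPassword();
        String password = new String(chars);   // Realm.authenticate takes a String; a char[] cannot be passed
        try {
            // Resolve org.apache.catalina.Realm through the Realm object's own class loader, so the
            // webapp never has to see catalina.jar, whichever loader Tomcat put it in.
            Class<?> realmIface = realmCb.realm.getClass().getClassLoader().loadClass("org.apache.catalina.Realm");
            Method authenticate = realmIface.getMethod("authenticate", String.class, String.class);
            principal = (Principal) authenticate.invoke(realmCb.realm, name.getName(), password);
        } catch (ReflectiveOperationException e) {
            throw new LoginException("cannot invoke Realm.authenticate(String, String): " + e);
        } finally {
            Arrays.fill(chars, '\0');
            pass.clearPassword();
        }
        if (principal == null) throw new FailedLoginException("Realm rejected the credentials");
        return true;
    }

    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);   // typically Tomcat's GenericPrincipal, roles included
        return true;
    }

    public boolean abort() { principal = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

From a servlet the call is then `new LoginContext("TomcatRealmProxy", new TomcatRealmProxyLoginModule.ServletCallbackHandler(getServletContext(), user, pwd)).login()`, with `java.security.auth.login.config` pointing at the configuration that names the module. Two caveats: the one jar that must sit on Tomcat's side is RealmExporter, which is small and contains no webapp code, so it does not need to move with the application; and once the Realm object is a ServletContext attribute, every piece of code in that context can call authenticate() as often as it likes, so any lockout or rate limiting the realm does not do itself has to be done by the caller.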