Hey Michiel -

How did you overwrite Tomcat's Subject in the Session with your own?

Thanks,
Alan

-----Original Message-----
From: Michiel Toneman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 22, 2004 9:51 AM
To: Tomcat Users List
Subject: Re: another problem with JAAS


Hi Beloglazov,

I was running into the same problem. As far as I can tell (anyone on the 
list, please correct me if I'm wrong), Tomcat primarily uses JAAS for 
authentication, but it is pretty useless for authorisation. I have no 
idea why the JAASRealm goes to all the trouble of setting up a Subject 
etc... when you can't use them in your own policy. All you can do is use 
"isUserInRole()" to check for the *name* of your role Principal. This 
totally defeats the point of using JAAS IMHO.

I am using a JAAS implementation with its custom Policy that assigns 
Permission(s) based on various types of Principal that I assign to the 
Subject. My webapps can then do proper java Permission checks 
(AccessController.checkPermission(perm)).

The way to go in Tomcat is using a filter, setting up (LoginContext) 
your Subject and use a doAsPrivileged() to wrap the servlet call. (see 
my earlier post on the list). However, this does not work on Tomcat 
(works fine on JRun4) because the filter and servlet are evaluated by 
Tomcat in different security contexts. The solution was to overwrite 
Tomcat's Subject in the session by my own Subject.

I'm writing a tutorial on this, but it isn't ready yet. If you need an 
implementation fast, and the above is not enough to go on, I can speed 
up the writing ;-)

Cheers,

Michiel


Beloglazov Maksim wrote:

> Hello,
>
> I've written a JAAS LoginModule and my web application successfully 
> authorizes with it. But! While the authorization is successful, Tomcat 
> does not recognize user Principals and roles which I assign in login 
> module and returns that I have logged as a *null* user with no roles 
> assigned to it.
>
> server.xml:
> ....
>   <Realm className="org.apache.catalina.realm.JAASRealm"
>           appName="merx"
>           userClassNames="ru.mb.security.jaas.RdbmsPrincipal"
>           roleClassNames="ru.mb.security.jaas.RdbmsRole"
>           debug="99"/>
> ....
>
> ru.mb.security.jaas.RdbmsPrincipal and ru.mb.security.jaas.RdbmsRole 
> are implementations of the java.security.Principal interface. How can I 
> force Tomcat to recognize these Principals in a proper way? Could the 
> problem be with the move of javax.security.Principal of earlier JDKs to 
> java.security.Principal in modern ones?
>
> Any help is greatly appreciated.
>
> Beloglazov Maksim.
>


-- 
Michiel Toneman  Software Engineer   Bibit Global Payment Services
Regulierenring 10  3981 LB  Bunnik       [EMAIL PROTECTED]
Tel. +31-30-6595168  Fax +31-30-6564464      http://www.bibit.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
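The pattern Michiel describes (a Filter that runs a LoginContext, then wraps the servlet call in Subject.doAsPrivileged() so that real AccessController.checkPermission() checks work against a Policy that maps Principals to Permissions), as an added example that is not code from this thread, from Tomcat or from Bibit. It assumes Java 5 or later, the javax.servlet API and a JAAS login configuration entry named "merx" (the appName from the quoted server.xml); the RolePrincipal, AppPermission and RolePolicy classes, the "username"/"password" request parameters and the session attribute name are constructed for the example. Only JaasSubjectFilter is public, so the whole listing compiles as JaasSubjectFilter.java.

```java
// Added example: JAAS login in a Filter, servlet run under Subject.doAsPrivileged(),
// and a Policy that grants Permissions from the Subject's role Principals.
// Assumptions: Java 5+, javax.servlet API, JAAS config entry "merx" (appName from the
// thread). RolePrincipal, AppPermission, RolePolicy, the request parameter names and
// the session attribute name are constructed for this example.
import java.io.IOException;
import java.security.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Application permission a servlet checks, e.g. new AppPermission("report.view"). */
class AppPermission extends BasicPermission {
    AppPermission(String name) { super(name); }
}

/** Role Principal the application's LoginModule is assumed to add to the Subject. */
class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Grants AppPermissions from the Principals of the ProtectionDomain (doAsPrivileged
 *  copies them in from the Subject); every other permission goes to the previous Policy. */
class RolePolicy extends Policy {
    private final Policy fallback = Policy.getPolicy();

    @Override public boolean implies(ProtectionDomain domain, Permission perm) {
        if (!(perm instanceof AppPermission)) return fallback.implies(domain, perm);
        for (Principal p : domain.getPrincipals()) {
            if (!(p instanceof RolePrincipal)) continue;
            String role = p.getName(); // constructed rule: admin does anything, viewer only views
            if (role.equals("admin") || (role.equals("viewer") && perm.getName().equals("report.view")))
                return true;
        }
        return false; // no matching role: AccessController.checkPermission() throws
    }
    @Override public PermissionCollection getPermissions(CodeSource cs) { return fallback.getPermissions(cs); }
    @Override public void refresh() { fallback.refresh(); }
}

/** Servlet protected by a real Permission check instead of isUserInRole() name matching. */
class ReportServlet extends HttpServlet {
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        AccessController.checkPermission(new AppPermission("report.view")); // AccessControlException if denied
        Subject s = Subject.getSubject(AccessController.getContext());        // visible thanks to doAsPrivileged
        resp.getWriter().println("report for " + s.getPrincipals());
    }
}

public class JaasSubjectFilter implements Filter {
    private static final String SUBJECT_ATTR = "example.jaas.subject"; // constructed attribute name

    public void init(FilterConfig cfg) { Policy.setPolicy(new RolePolicy()); }
    public void destroy() {}

    public void doFilter(final ServletRequest req, final ServletResponse resp, final FilterChain chain)
            throws IOException, ServletException {
        Subject subject = subjectFor((HttpServletRequest) req);
        try {
            // A null AccessControlContext drops the filter's own caller context, so the servlet's
            // rights come only from the Subject's Principals plus the code's own ProtectionDomains.
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, resp); // the servlet now runs "as" the Subject
                    return null;
                }
            }, null);
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    /** Reuse the Subject cached in the session; run the JAAS LoginContext on first contact. */
    private Subject subjectFor(HttpServletRequest req) throws ServletException {
        HttpSession session = req.getSession(true);
        Subject subject = (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject != null) return subject;
        try {
            LoginContext lc = new LoginContext("merx", credentialHandler(req));
            lc.login();
            subject = lc.getSubject();
            session.setAttribute(SUBJECT_ATTR, subject);
            return subject;
        } catch (LoginException e) {
            throw new ServletException("JAAS login failed", e);
        }
    }

    /** Answers the LoginModule's Name/PasswordCallback from request parameters. */
    private static CallbackHandler credentialHandler(final HttpServletRequest req) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(req.getParameter("username"));
                    else if (cb instanceof PasswordCallback) {
                        String pw = req.getParameter("password");
                        ((PasswordCallback) cb).setPassword(pw == null ? new char[0] : pw.toCharArray());
                    } else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }
}
```

The check in ReportServlet succeeds only when a RolePrincipal that RolePolicy accepts is among the ProtectionDomain's principals, which is what doAsPrivileged() arranges through its SubjectDomainCombiner; outside that wrapper the same check fails, so an authorisation decision cannot be bypassed by calling the servlet through a path that skips the filter. This is the portable form of the pattern; as Michiel reports, Tomcat may evaluate the filter and the servlet in different security contexts, and the example does not include the replacement of Tomcat's own session Subject that he mentions and that Alan asks about.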
