Hello Jukka,
Jukka Männistö wrote:
> Hello :)
> (this is my very first post to any mailing-list)
> Hope it will be a positive experience :-)
> I've been trying to get Tomcat and its JAASRealm to work for maybe
> four weeks now.
> Even though the JAAS authentication succeeds, Tomcat does not pass me
> through to the protected web-app, but says HTTP 403 instead!
403 means that authentication passed but authorization failed. In other
words, the user logged in all right, but does not possess the role
required to enter the webapp (in your case "outlook-role"), or at least
that Tomcat can't determine that he does.
> I've tried fiddling with how and what Principals are added to the
> Subject and so on.. I've tried everything I've thought of and more..
Make sure that you add Principals not only for the user, but also for
the role(s). I think if you didn't add the roles, that would explain the
above 403 error.
> ______________________________________________
> <Realm className="org.apache.catalina.realm.JAASRealm"
> appName="OutlookProxy"
> userClassNames="org.apache.catalina.realm.GenericPrincipal"
> roleClassNames="org.apache.catalina.realm.GenericPrincipal"
> debug="99"/>
> ______________________________________________
I think you need to make a distinction between user and role Principals,
like UserPrincipal where the getName() returns the user name and a
RolePrincipal that returns "outlook-role" in getName(). Both Principals
need to be added in your LoginModule. Also, the first added Principal
has to be the user, and the next one(s) the role(s). I found this in the
Tomcat docs
(http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html#JAASRealm):
"Although not specified in JAAS, you should create separate classes to
distinguish between users and roles...." and
"Regardless, the first Principal returned is /always/ treated as the
user Principal."
> Here's a snippet of my web.xml:
> ______________________________________________
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>OutlookProxy</web-resource-name>
> <url-pattern>/exchange/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>outlook-role</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Protected Web-app</realm-name>
> </login-config>
> ______________________________________________
You might want to add a
<security-role>
<role-name>outlook-role</role-name>
</security-role>
directly below the </login-config>, though I don't think that will make
the difference.
> There's a user in tomcat-users.xml that has been associated with the
> aforementioned role ("outlook-role").
Now I'm quite sure you don't need this file at all. If Tomcat keeps
looking at this file, it means you're using MemoryRealm instead of
JAASRealm. Unless you use JAAS to access this file, but then you
probably wouldn't want to use JAAS in the first place. I assume you get
the user/role data from elsewhere, like from a database. If I am right,
better remove this file (or at least remove the users/roles that you're
testing) to avoid confusion.
Hope this helps. Please let me know either way, I'm also into JAAS
lately :-)
Regards, Jeroen