Jukka Männistö wrote:
Hello :)


(this is my very first post to any mailing-list)


I've been trying to get Tomcat and its JAASRealm to work for maybe
four weeks now.

Even though the JAAS authentication succeeds, Tomcat does not pass me
through to the protected web-app, but says HTTP 403 instead!

I read somewhere that the JAASRealm implementations in Tomcat versions
under 5.0.30 were somehow broken, but right now I'm using the latest
version (5.5.9 + 1.4 compatibility pack), so that shouldn't be a
problem.

I've tried fiddling with how and what Principals are added to the
Subject and so on..  I've tried everything I've thought of and more..

Could someone please offer some suggestions on this? :)



Hi,

My best guess is that 403 is due to trying to map roles in
tomcat-user.xml file. If you put some role, which comes directly
from loginmodule, to web.xml security-constraint, I am pretty
sure this will work.

- Jukka -




Here's the JAASRealm configuration from server.xml:

______________________________________________
<Realm className="org.apache.catalina.realm.JAASRealm" appName="OutlookProxy" userClassNames="org.apache.catalina.realm.GenericPrincipal" roleClassNames="org.apache.catalina.realm.GenericPrincipal" debug="99"/>
______________________________________________




Here's a snippet of my web.xml:
______________________________________________

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OutlookProxy</web-resource-name>
      <url-pattern>/exchange/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>

    </web-resource-collection>

     <auth-constraint>
         <role-name>outlook-role</role-name>
     </auth-constraint>

  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Web-app</realm-name>
  </login-config>

______________________________________________


The JAAS configuration for "OutlookProxy" contains one LoginModule.

There's a user in tomcat-userx.xml that has been associated with the
aforementioned role ("outlook-role").

The LoginModule class is in a jar file, under tomcat/server/lib.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



