Hi Wendy,

Sure I can explain what happens but not why.

When you call the LoginModule with an optional Subject and CallBack the code
works fine for me, i.e. it calls the LoginModule and I do everything I need,
placing the Principals into the Subject.

However... and this is where I don't want to say anything sweeping in case I
have just simply misunderstood.... the Subject that is authenticated via the
LoginModule has no visibility to Tomcat. If I could find a way to replace
the session Subject with the one passed back from the
LoginModule.getSubject() I would be ok, but I couldn't, so I placed the
authorised Subject in the session and overrode the request.isUserInRole() to
authorise against the Subject I placed in the session.

One of these days I might ask the Tomcat dev list what I was doing wrong but
got comments from other developers saying they had the same problem [All the
JAAS examples do it the way I have described in some shape or form]

Its not that bid a deal, and if you just use the Request wrapper I have
attached you know that in the future you can remove the filter if you go to
WebSphere or something like that.

-----Original Message-----
From: Wendy Smoak [mailto:[EMAIL PROTECTED] 
Sent: 16 August 2005 17:44
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO

From: "Mark Benussi" <[EMAIL PROTECTED]>

> However I can tell you about JAAS in Tomcat. In 5 certainly there are
> issues. Essentially when you call the LoginModule to invoke your JAAS 
> config
> it works but it does not authenticate the proper session Subject.

Can you explain more about this?  I just _finally_ got the jsp-examples 
webapp that ships with Tomcat changed over to Kerberos authentication. Am I 
about to run into problems?

> What you end up doing (Or what I did) was place a request filter in the 
> app that
> wraps the request with an overridden RequestWrapper and you write your own
> inUserInRole against the Subject that the LoginModule returns (By placing 
> it
> in the session)
> If you want some code, taken from Wendy Smoak ...

.. who took it from one of Craig's tomcat-user posts. ;)

Wendy Smoak 

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to