I can get JAAS working as a Servlet just fine under Tomcat when I configure Tomcat with a static classpath under the JBuilder environment. When I take that same code and run Tomcat in standalone mode, the LoginModule (a JAAS class) cannot find any of the LoginModules defined in the configuration. I have tried both including the JAAS JAR in my project and in the jre/lib/ext directory.

If I only include the jaas.jar in my WAR file, the class javax.security.auth.SubjectDomainCombiner cannot be found. If I put the jaas.jar in my WAR and in the jre/lib/ext directory, then I can't locate any of my login modules. This all happens in the LoginContext.login member function.

Regards
John G

Will Hartung wrote:

> From: "John Gentilin" <[EMAIL PROTECTED]>
> Sent: Friday, July 26, 2002 2:14 PM
> Subject: Help, Can I Use JAAS in the Tomcat 3.3 /4.0 environment
>
> > In a Servlet design I am working on, I want to implement a security
> > policy where the Servlet mechanism knows if the user is allowed and
> > what roles they are allowed to operate in, but falls back to the native
> > O/S to validate the user's password. The JAAS interface seems like the
> > perfect mechanism using the NT Login mechanism along with a Login
> > manager that I would implement.
> >
> > The question I have is, can JAAS be implemented in a Servlet
> > environment.
>
> Mind you, this is after taking a good, solid 5 minutes to glance at the JAAS
> docs at Sun, so I'm sure you've been through this already.
>
> It was not clear that the classes have to be anywhere but available to the
> ClassLoader (as prepared by Tomcat) versus having to be in the System
> classpath at JVM start, but that may be covered someplace else in Java
> Security.
>
> However, everything else looks reasonably straightforward...
>
> For example, the Login Configuration is "simply" an abstract class that can
> be reimplemented so that your servlet can populate it appropriately, rather
> than relying on files. The LoginContext interacts with the
> LoginConfiguration, so that should give you quite a bit of control over the
> environment, though not necessarily "Out Of The Jar". You may have to do
> some work yourself in this case.
>
> For authorization, it appears to want a policy file. And it appears to be
> getting the file from a system property. I don't see any obvious reason why
> you should be able to create your own policy file, and then set that system
> property to your file before any appropriate calls are made.
>
> Anyway, I don't know the answers to your questions directly, as I'm not a
> Java Security person, and I've never encountered JAAS before now, but I bet
> you can adopt an "embrace and extend" technique to get the framework to work
> for you, it just may not work correctly out of the box.
>
> And, of course, if for some reason the classes are needed by the core JVM,
> then you may have other issues.
>
> With 1.4 it won't be an issue at all, as it's built in. With 1.3 you may
> have to convince an ISP to install it as an extension.
>
> Anyway, food for thought. Love to hear how it turns out.
>
> Best Regards,
>
> Will Hartung
> ([EMAIL PROTECTED])

--
John Gentilin
Eye Catching Solutions Inc.
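Will Hartung's reply above suggests reimplementing the abstract login Configuration so the servlet supplies it in code rather than through files. A minimal sketch of that idea follows as an added example, not code from either poster; it assumes Java 5 or later (the four-argument LoginContext constructor), and `DemoLoginModule`, the application name "demo" and the user "alice" are hypothetical.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class InMemoryJaasConfig {
    // Hypothetical demo module: checks the user name only; a real module would verify a credential.
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler; private Map<String, ?> options;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h; options = opts;
        }
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("user: ");
            try { handler.handle(new Callback[] { name }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (!options.get("allowedUser").equals(name.getName()))
                throw new FailedLoginException("unknown user");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Configuration built in code, replacing the login configuration file.
    static Configuration config(final String appName) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!appName.equals(name)) return null; // no entry for other application names
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("allowedUser", "alice"); // constructed sample value
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() { }
        };
    }
    public static void main(String[] args) throws Exception {
        CallbackHandler h = new CallbackHandler() {
            public void handle(Callback[] cbs) {
                for (Callback cb : cbs) if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
            }
        };
        // Per-context Configuration: no JVM-wide Configuration.setConfiguration() call needed.
        LoginContext lc = new LoginContext("demo", new Subject(), h, config("demo"));
        lc.login(); // throws LoginException on failure
        System.out.println("login succeeded");
    }
}
```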
