From: "Adam Hardy" <[EMAIL PROTECTED]>

If you set up tomcat to use the JAAS realm, then tomcat will set up a
LoginContext, which is what you configure by pointing it to your
LoginModule(s).

You either code your LoginModule or perhaps use the Sun one you mention
(if the code does what it's meant to), you just need to configure it with
the right options.

Thanks! I finally managed to get the Tomcat 5.0 'jsp-examples' webapp to use Kerberos for authentication:
  http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatJspExamples

It's very much a hack-- in my environment, Sun's LoginModule only comes back
with a single KerberosPrincipal, so I had to add user@<krb realm> as a
'role' in the webapp's web.xml to allow access.

The User and Role classes are more or less simple DTOs, one User object
for the user and x Role objects for each role the User is in.

This is where I'm stuck.  Right now I'm playing with extending
Krb5LoginModule, just wrapping it and passing through all the method calls
except 'commit' where I'll need to add more Principals (Users & Roles) to
the Subject.  I think.  It made sense yesterday...  Does that sound remotely
correct?

Getting the classes all in the classpath is obviously important, and
depending on how tomcat does it, you might need to jar them up separately
from your app and put them in the internal tomcat lib dir.

Interesting note... on
http://jakarta.apache.org/tomcat/tomcat-5.0-doc/realm-howto.html#JAASRealm
the 'useContextClassLoader' attribute seems to work *backwards*.  If you set
it to true... Tomcat will not find a LoginModule implementation in
WEB-INF/lib, you have to put it in /server/lib.  I think the attribute name
should really be 'useContainerClassLoader'.  (This only applies to your own
LoginModule implementation-- it can find Sun's Krb5LoginModule regardless.)

I *still* cannot believe no one else has done this yet.  If they have,
Google doesn't know about it.  I can't even find a commercial
implementation.

--
Wendy Smoak
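
The wrapper approach discussed in this message, sketched as an added example that is not part of the original post or of Tomcat: a LoginModule that delegates to Sun's Krb5LoginModule and adds role Principals in commit(). The class names `KerberosRoleLoginModule` and `RolePrincipal` and the `roles.<principal>` option format are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.module.Krb5LoginModule;

// Hypothetical wrapper: Kerberos does the authentication, commit() adds the roles.
public class KerberosRoleLoginModule implements LoginModule {
    // Hypothetical role class, kept distinct from KerberosPrincipal so the
    // container can tell users and roles apart by class.
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        public int hashCode() { return name.hashCode(); }
    }

    private final LoginModule krb5 = new Krb5LoginModule();
    private final Set<Principal> added = new HashSet<>();
    private Subject subject;
    private Map<String, ?> options;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        options = opts;
        krb5.initialize(s, h, shared, opts);
    }
    public boolean login() throws LoginException { return krb5.login(); }

    public boolean commit() throws LoginException {
        if (!krb5.commit()) return false;          // no Kerberos identity: grant nothing
        for (KerberosPrincipal kp : subject.getPrincipals(KerberosPrincipal.class)) {
            // Assumed option format in the JAAS config: roles.user@REALM="role1,role2"
            Object roles = options.get("roles." + kp.getName());
            if (roles == null) continue;           // authenticated, but no roles mapped
            for (String r : roles.toString().split(","))
                if (!r.trim().isEmpty()) added.add(new RolePrincipal(r.trim()));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }
    // Remove only what this module added, then let Krb5LoginModule clean up its own state.
    public boolean abort() throws LoginException { removeAdded(); return krb5.abort(); }
    public boolean logout() throws LoginException { removeAdded(); return krb5.logout(); }
    private void removeAdded() { subject.getPrincipals().removeAll(added); added.clear(); }
}
```

With a module like this, the JAASRealm's `userClassNames` would list `javax.security.auth.kerberos.KerberosPrincipal` and `roleClassNames` the role class, so web.xml can name real roles instead of user@<krb realm>.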

