Thanks Felix,

That is just what I needed. Once I got my head screwed on straight, it makes
perfect sense.

Best Regards
Ron

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Thursday, May 01, 2014 1:42 PM
To: Tomcat Users List
Subject: RE: Need How-To Authenticate with built-in SPNEGO and Authorize with a 
DataSourceRealm or JAAS database role lookup.



Hi Ron,

On 1. Mai 2014 16:52:13 MESZ, "Troyer, Ron" <arthur.tro...@honeywell.com> wrote:
>Hi Felix,
>
>Thanks for the response.
>
>Maybe I am thinking about this the wrong way.  In my mind I expected
>the <security-constraint> to name a <Realm> to use.  Then the combined
><Realm> would specify the JAASRealm to do the krb5 authenticate
>followed by the DataSourceRealm to get the roles.  Now I see that the
><Realm> tag doesn't have a name, so the <security-constraint> can't be
>referencing the <Realm>.
In the web.xml you define one or more security-constraints. They are 
independent of the realm and define what role can use what. 

You have to configure the login-config element to use SPNEGO instead of BASIC 
or FORM. If you do this, Tomcat will add a Kerberos/SPNEGO-aware authentication 
valve to your context. 

This valve will use the JAAS config that is mentioned in the Windows 
Authentication page. You don't need the JAASRealm.

Now Tomcat needs a way to map the user found by the valve to a user and its 
roles as provided by a realm. For this you will have to define a realm (in your 
case the DataSourceRealm). You can define one realm per context. If none is 
defined for the context, it will look at the host and then the engine. 

Hope this will make it a bit clearer. 
Regards
Felix

>
>Is the flow that you specify a JAAS configuration that in turn
>references the <Realm>?  If so, how?  Are we saying that we can only
>have one <Realm>, and all authentication is done against that one
><Realm>?
>
>I know this sounds very basic.  My experience is with JBoss so I guess
>I have some preconceived ideas.
>
>Thanks
>Ron
>
>-----Original Message-----
>From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
>Sent: Wednesday, April 30, 2014 2:44 PM
>To: Tomcat Users List
>Subject: Re: Need How-To Authenticate with built-in SPNEGO and
>Authorize with a DataSourceRealm or JAAS database role lookup.
>
>
>
>On 29. April 2014 20:28:14 MESZ, "Troyer, Ron"
><arthur.tro...@honeywell.com> wrote:
>>Hi,
>>
>>I am new to Tomcat and need some guidance.
>>
>>I am trying to set up a Tomcat 7.0.53 instance on a Windows 7 box,
>>using JDK 1.7_51.
>>
>>I have read the section of the documentation about Windows
>>Authentication, but I am confused at this point.  From the
>>documentation I have been unable to determine how to configure my
>>realms and JAAS to authenticate with SPNEGO and authorize with a
>>database lookup.  For one thing I don't understand the difference
>>between the krb5 initiate and accept entries in the example JAAS
>>configuration.  Looking at the documentation for the Realms, it looks
>>like I want to specify a JAASRealm of some sort.  From other things I
>>have done, I think I need to make the Krb5LoginModule as requisite and
>>use some other login module to do the DB lookup for the roles.
>
>You can use the DataSourceRealm as written in the Windows
>Authentication section.
>Tomcat will use the user and role definitions, but ignore the
>passwords.
>
>Regards
> Felix
>>
>>I am sure someone has had to do this in the past, and I am hoping they
>>can show me how to do it.
>>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>For additional commands, e-mail: users-h...@tomcat.apache.org
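The setup Felix describes, pulled together into one worked configuration. This is an added example, not code from the thread or from the Tomcat documentation: the web.xml login-config selects SPNEGO (which is what makes Tomcat install the Kerberos-aware authenticator valve), the security-constraint names the roles that may reach a URL pattern, and a single DataSourceRealm in the application's META-INF/context.xml supplies roles for the principal the valve has already authenticated. The URL pattern, role name, JNDI name, JDBC driver and URL, database credentials and table/column names are all placeholders.

```xml
<!-- WEB-INF/web.xml (fragment). Added example; names below are placeholders. -->

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <!-- Authorization: only principals the realm maps to this role get through.
       The constraint never names a realm; it only names roles. -->
  <auth-constraint>
    <role-name>app-admin</role-name>
  </auth-constraint>
  <!-- SPNEGO protects the handshake, not the session cookie issued afterwards.
       Force TLS so JSESSIONID is never sent as a cleartext bearer token. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Authentication: SPNEGO instead of BASIC or FORM. Tomcat adds the
     SPNEGO authenticator valve to the context because of this element;
     no JAASRealm is involved. -->
<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

<security-role>
  <role-name>app-admin</role-name>
</security-role>

<!-- META-INF/context.xml. One Realm per context: the valve hands the
     authenticated Kerberos user name to this realm, which returns the
     roles; the credential column is not checked for SPNEGO logins. -->
<Context>
  <!-- Hypothetical local JDBC pool; driver, URL and credentials are placeholders. -->
  <Resource name="jdbc/authdb" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://dbhost/authdb"
            username="tomcat_auth" password="CHANGE_ME"
            maxActive="10" maxIdle="5"/>

  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authdb"
         localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
</Context>
```

The JAAS side is the com.sun.security.jgss.krb5.accept entry from the Windows Authentication how-to (Krb5LoginModule with useKeyTab, storeKey and the HTTP/ service principal), selected with -Djava.security.auth.login.config together with -Djava.security.krb5.conf and -Djavax.security.auth.useSubjectCredsOnly=false in setenv; the initiate entry is only exercised if Tomcat itself has to obtain tickets. userCredCol must still be set because the realm's lookup query selects it, even though its value does not gate a SPNEGO login. Two things to verify before trusting the authorization: the user_name column has to hold exactly the name the valve passes to the realm for a Kerberos login (whether the @REALM suffix is present depends on the realm's stripRealmForGss setting in your Tomcat version, so check the Realm reference and the realm's debug logging), and the role table has to contain the role-name values used in the auth-constraint, since a role missing from either place simply denies access with no further diagnosis.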