Thanks for the response.  I tried to keep the original post simple, to see if 
there was a known problem with declaring realms in Tomcat.  I've attached the 
most relevant parts of my web-app below.  I included the part of web.xml that 
defines the security constraints; the context.xml contents, which set up the 
JAASRealm; my LoginModule's commit() method; and the output from Tomcat for the 
full authentication handshake.

I tested the implementation of isUserInRole() by wild-carding the role, to 
force Tomcat to authenticate but not authorize:

    <security-constraint>
        <web-resource-collection>
                <web-resource-name>Velocity templates</web-resource-name>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

Then I used a filter to intercept my request and check for my roles.  After 
authentication, the request gets to my authorization check, where I tested my 
Subject for its Principals:

        boolean test = request.isUserInRole( "landscape" );

After my login module authenticates me, test == true.  However, as you can see 
from the Tomcat debug messages, attached below, Tomcat fails to see that my 
Subject holds the "landscape" Principal, even though a previous message shows 
that this Principal was added to my Subject.

Again, I appreciate any help and will try to add whatever info is asked for.  
As a side note, I wrote my own implementation of the login process, using a 
servlet to hook into my login module, thus avoiding the declarative security.  
However, while this works, I am left with the fact that the user's credentials 
are easily discovered by a misplaced logging message, whereas it's much 
trickier to get the credentials when using Tomcat's implementation.  The real 
pain, though, is that I would have to manage my own mappings between resources 
and roles.

Thanks again for any and all help.


Here's the relevant part of the web.xml (this section is actually much longer, 
but I removed all the other url-patterns, as they obscured the part that I am 
testing):
<!-- Define Security Constraints -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Velocity pages</web-resource-name>
      <url-pattern>/home.vm</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>landscape</role-name>
    </auth-constraint>
  </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

        <security-role>
                <description>Role required to see reports</description>
                <role-name>landscape</role-name>
        </security-role>

My context.xml:
<?xml version="1.0"?>

<Context>
        <Realm className="org.apache.catalina.realm.JAASRealm"
               appName="landscape"
               userClassNames="com.kaleidescape.logdb.webapp.security.auth.UserPrincipal"
               roleClassNames="com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal"
               useContextClassLoader="false" />
</Context>

The JAAS module is not based on a security policy file, I wrote it to work from 
a database.  The login() method calls to my LDAP service provider and 
successfully authenticates me, returning my DN from the Active Directory 
server.  The commit() method of my login module looks like:

    public boolean commit()
        throws LoginException
    {
        // JAAS contract: if this module's login() did not succeed, commit()
        // reports false so the LoginContext ignores this module.
        if( !m_authenticated ) {
            m_username = null;
            return false;
        }

        // add the user principal to the subject
        UserCredential usercred = new UserCredential( m_uid );
        m_subject.getPublicCredentials().add( usercred );

        UserPrincipal user = new UserPrincipal( m_username );
        m_subject.getPrincipals().add( user );

        // add the entitlements (i.e., roles) that the user belongs to
        try {
            Set entitlements = AuthUtil.getUserEntitlements( m_username );
            Iterator it = entitlements.iterator();
            while( it.hasNext() ) {
                Entitlement entitlement = (Entitlement)it.next();
                UserGroupPrincipal group = new UserGroupPrincipal( entitlement.getName() );
                m_subject.getPrincipals().add( group );
            }
        } catch( KException e ) {
            throw new LoginException( "Error while attempting to retrieve group "
                                      + "names from the database." );
        }

        // we can get the username from the Subject, so clean up the reference
        m_username = null;

        return true;
    }

The full debug stack during the login phase looks like:

2008-05-05 13:08:49,534 7641062 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - JAASRealm login requested for username "robin.coe" using LoginContext for application "landscape"
2008-05-05 13:08:50,343 7641871 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - Login context created robin.coe
2008-05-05 13:08:52,997 7644525 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - JAAS LoginContext created for username "robin.coe"
2008-05-05 13:08:52,999 7644527 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - Checking Principal "CN=Robin Coe,OU=Active,OU=Users,OU=Kaleidescape,DC=nextnewgig,DC=com" [com.kaleidescape.logdb.webapp.security.auth.UserPrincipal]
2008-05-05 13:08:53,000 7644528 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - Principal "CN=Robin Coe,OU=Active,OU=Users,OU=Kaleidescape,DC=nextnewgig,DC=com" is a valid user class. We will use this as the user Principal.
2008-05-05 13:08:53,002 7644530 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - Checking Principal "landscape" [com.kaleidescape.logdb.webapp.security.auth.UserGroupPrincipal]
2008-05-05 13:08:53,003 7644531 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - Adding role Principal "landscape" to this user Principal's roles
2008-05-05 13:08:53,004 7644532 [http-9808-Processor24] DEBUG org.apache.catalina.realm.JAASRealm  - Username "robin.coe" successfully authenticated as Principal "{1}" -- Subject was created too
2008-05-05 13:08:53,035 7644563 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Velocity templates]' against GET /index.html --> true
2008-05-05 13:08:53,036 7644564 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Login Page]' against GET /index.html --> false
2008-05-05 13:08:53,037 7644565 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[home]' against GET /index.html --> false
2008-05-05 13:08:53,039 7644567 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /index.html --> false
2008-05-05 13:08:53,040 7644568 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Velocity templates]' against GET /index.html --> true
2008-05-05 13:08:53,041 7644569 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Login Page]' against GET /index.html --> false
2008-05-05 13:08:53,042 7644570 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[home]' against GET /index.html --> false
2008-05-05 13:08:53,043 7644571 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /index.html --> false
2008-05-05 13:08:53,044 7644572 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   User data constraint has no restrictions
2008-05-05 13:08:53,123 7644651 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Velocity templates]' against GET /home.vm --> true
2008-05-05 13:08:53,124 7644652 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Login Page]' against GET /home.vm --> false
2008-05-05 13:08:53,125 7644653 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[home]' against GET /home.vm --> true
2008-05-05 13:08:53,126 7644654 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking constraint 'SecurityConstraint[Protected Velocity pages]' against GET /home.vm --> false
2008-05-05 13:08:53,127 7644655 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   User data constraint has no restrictions
2008-05-05 13:08:53,128 7644656 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  -   Checking roles CN=Robin Coe,OU=Active,OU=Users,OU=Kaleidescape,DC=nextnewgig,DC=com
2008-05-05 13:08:53,129 7644657 [http-9808-Processor24] DEBUG org.apache.catalina.realm.RealmBase  - No role found:  landscape

-----Original Message-----
From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
Sent: Monday, May 05, 2008 1:24 PM
To: Tomcat Users List
Subject: RE: JAAS authenticated user fails authorization check

> From: Robin Coe [mailto:[EMAIL PROTECTED]
> Subject: JAAS authenticated user fails authorization check
>
> However, when I declare a protected resource declaratively,
> and specify that the resource is protected with "rolename",
> Tomcat fails to authorize the user for that resource.

Post your web.xml for the webapp, since this works fine for everyone
else and we need to see what you really have configured.  Also post the
relevant parts of server.xml so we can see how the realm is set up.
Finally, what file does the system property
java.security.auth.login.config point to and what are the contents of
that file?

 - Chuck
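The step the log above shows between "Checking Principal ..." and "Adding role Principal ... to this user Principal's roles" is the realm turning the Subject populated by commit() into a user with a role list, driven by the userClassNames and roleClassNames attributes in context.xml. The stand-alone program below is an added example written for this page; it is not code from the thread or from Tomcat. The UserPrincipal and UserGroupPrincipal classes are hypothetical stand-ins for the poster's classes, and mapSubject() is a simplified model of that class-name selection, not JAASRealm's own implementation. It runs the mapping once with matching class names, where hasRole("landscape") is true, and once with roleClassNames left empty, which is the failure mode where authentication succeeds but every authorization check fails because the role principals were never selected.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical stand-in for the poster's user principal class (constructed for this example).
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return "UserPrincipal[" + name + "]"; }
}

// Hypothetical stand-in for the poster's group/role principal class (constructed for this example).
final class UserGroupPrincipal implements Principal {
    private final String name;
    UserGroupPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return "UserGroupPrincipal[" + name + "]"; }
}

// Minimal model of what a realm keeps for an authenticated user: one user Principal plus role names.
final class RealmUser {
    final Principal user;
    final Set<String> roles;
    RealmUser(Principal user, Set<String> roles) { this.user = user; this.roles = roles; }
    boolean hasRole(String role) { return roles.contains(role); }
}

public class JaasRoleMappingDemo {

    // What a LoginModule's commit() does once login() succeeded: populate the Subject
    // with one user principal and one group principal per entitlement.
    static Subject commit(String username, List<String> entitlements) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(username));
        for (String entitlement : entitlements) {
            subject.getPrincipals().add(new UserGroupPrincipal(entitlement));
        }
        return subject;
    }

    // Simplified model of the class-name selection a realm performs on the Subject:
    // the first principal whose class is listed in userClassNames becomes the user,
    // every principal whose class is listed in roleClassNames contributes its name as a role.
    // Returns null when no user principal was selected, i.e. authentication cannot complete.
    static RealmUser mapSubject(Subject subject, Set<String> userClassNames, Set<String> roleClassNames) {
        Principal user = null;
        Set<String> roles = new HashSet<String>();
        for (Principal p : subject.getPrincipals()) {
            String cls = p.getClass().getName();
            if (user == null && userClassNames.contains(cls)) {
                user = p;
            }
            if (roleClassNames.contains(cls)) {
                roles.add(p.getName());
            }
        }
        return user == null ? null : new RealmUser(user, roles);
    }

    public static void main(String[] args) {
        // Constructed sample login: user "robin.coe" holding the "landscape" entitlement.
        Subject subject = commit("robin.coe", Arrays.asList("landscape"));

        // Matching configuration: both class names name the classes commit() put in the Subject.
        Set<String> userClasses = new HashSet<String>(Arrays.asList(UserPrincipal.class.getName()));
        Set<String> roleClasses = new HashSet<String>(Arrays.asList(UserGroupPrincipal.class.getName()));
        RealmUser ok = mapSubject(subject, userClasses, roleClasses);
        System.out.println("user=" + ok.user.getName()
                + " roles=" + ok.roles
                + " hasRole(landscape)=" + ok.hasRole("landscape"));

        // Misconfiguration: roleClassNames does not list the group principal class. Login still
        // succeeds (a user principal was found) but the role set is empty, so authorization fails.
        RealmUser broken = mapSubject(subject, userClasses, new HashSet<String>());
        System.out.println("user=" + broken.user.getName()
                + " roles=" + broken.roles
                + " hasRole(landscape)=" + broken.hasRole("landscape"));
    }
}
```

Compile and run it with `javac JaasRoleMappingDemo.java && java JaasRoleMappingDemo`; it needs only the JDK. When debugging a real deployment, the equivalent check is to compare the fully qualified class names printed in brackets by the "Checking Principal" debug lines against the userClassNames and roleClassNames values in the Realm element, and then to confirm that the "Checking roles" line refers to the same realm instance that created the user.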



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
