Update. It looks like the problem is with the Tomcat Realm configuration. If I move the jar that contains these custom classes to the Tomcat lib folder then it works!
However this is not a workable solution. I can't deploy jars like this. How can I delay JAAS realm configuration to my web app? After all what is the purpose of useContextClassLoader? Ideally I would like to move the configuration out of server.xml to my web app so this is self-contained. What is the right way to do this?

-Dave

On Mon, May 11, 2009 at 1:14 PM, David Hoffer <dhoff...@gmail.com> wrote:

> No matter what I do...I always get an 'HTTP Status 403 - Access to the
> requested resource has been denied error' displayed after authenticating in
> Tomcat with JAAS. Here is my configuration.
>
> Tomcat 6.0.x
>
> server.xml:
> ...
>       <Host name="localhost" appBase="webapps" unpackWARs="true"
>             autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>
>         <!-- JAAS config -->
>         <Realm className="org.apache.catalina.realm.JAASRealm"
>                appName="CDF_TestApp"
>                userClassNames="ipt.tas.security.login.TASUserPrincipal"
>                roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
>                useContextClassLoader="true"
>                debug="99"/>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Issues here...since TASUserPrincipal & TASGroupPrincipal are not available
> yet (they are in my web app, which hasn't started), how can I delay configuration
> until my web app has started? (Doubt this is cause of error however).
>
> My WebApp web.xml:
>
>     <!--Test code to get JAAS to work-->
>     <servlet>
>         <servlet-name>StartupServlet</servlet-name>
>         <servlet-class>
>             com.issinc.cdf.servlet.StartupServlet
>         </servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Test App</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>members</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <security-role>
>         <description>
>         </description>
>         <role-name>members</role-name>
>     </security-role>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>Test App Realm</realm-name>
>     </login-config>
>     <!--End JAAS code-->
>
> Note that StartupServlet configures JAASConfiguration to load my custom
> LoginModule.
>
> When my web app starts I do get the authentication dialog and I enter my
> login info. I have debugged my custom LoginModule and login() and commit()
> both succeed/return true for the user. However when the app continues I get
> the 403 error stated above.
>
> What am I doing wrong? I don't understand if/how the role-name(s) specified
> in the web.xml are validated at this point. Do I have to tie my Subject
> Principal to these roles somehow? Or are these roles just used by the JAAS
> logic after authentication is complete? I will say that if I remove the
> auth-constraint section then the login dialog is not even displayed.
>
> Can someone point me to my error?
>
> -Dave
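
Added example, not part of the thread and not Tomcat's or the poster's code: a simplified model of the documented JAASRealm behaviour in which a principal whose class is listed in roleClassNames contributes its getName() as a container role, which is what the `<role-name>` in web.xml is checked against. The principal classes, the user name and the "unresolved" case (modelled as an empty set of role classes, an assumption standing in for class names the realm could not load) are constructed for illustration.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class RoleMappingDemo {
    // Constructed stand-ins for the thread's TASUserPrincipal / TASGroupPrincipal.
    static class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Simplified model: only principals whose class name is a configured
    // role class become roles; the role name is whatever getName() returns.
    static Set<String> rolesOf(Subject subject, Set<String> roleClassNames) {
        Set<String> roles = new HashSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // What a LoginModule's commit() would leave on the Subject (constructed).
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("dave"));
        subject.getPrincipals().add(new GroupPrincipal("members"));

        Set<String> resolved = Collections.singleton(GroupPrincipal.class.getName());
        Set<String> unresolved = Collections.emptySet(); // role classes not loadable

        // Login succeeds in both cases; only the role lookup differs.
        System.out.println("role classes resolved:   has 'members' = "
                + rolesOf(subject, resolved).contains("members"));
        System.out.println("role classes unresolved: has 'members' = "
                + rolesOf(subject, unresolved).contains("members"));
    }
}
```

In this model a successful login() and commit() is not sufficient for the `members` constraint: the Subject must carry a role-class principal named `members`, and the realm must be able to resolve that class.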