okay, thank you very much. On Wed, Jun 2, 2010 at 10:25 PM, dB. <dbl...@dblock.org> wrote:
> Yes. You can (and should) have a list of roles - everything the user that
> just logged in has access to / every role he has.
>
> cheers
> dB.
>
> dB. @ dblock.org
> Moscow|Geneva|Seattle|New York
>
> -----Original Message-----
> From: geofrey rainey [mailto:geofr...@gmail.com]
> Sent: Tuesday, June 01, 2010 10:13 PM
> To: Tomcat Users List
> Subject: Re: JAAS Realm Authentication with Kerberos
>
> Right, so let me get this straight; presently the KerberosLoginModule saves
> the role information (defined as u...@realm) as a Principal which is then
> compared against the literal string defined in web.xml. So what you're
> suggesting is to modify the KerberosLoginModule so that, essentially, the
> credentials saved in the (Role) Principal should reflect exactly what's in
> (under the Role) web.xml?
>
> thank you for your help.
>
> On Tue, Jun 1, 2010 at 11:56 PM, dB. <dbl...@dblock.org> wrote:
>
> > If you look at the KerberosLoginModule code, it wants to be modified to
> > retrieve roles from somewhere in your system. For example a user database
> > that says that u...@realm is "manager". Then you can say
> > <auth-constraint> ... manager </> in web.xml rather than u...@realm.
> > Listing individual users clearly isn't practical.
> >
> > Any authenticated user will be a member of "Everyone" or
> > "DOMAIN\Authenticated Users" or "DOMAIN\Users", etc.
> >
> > If you are using Active Directory on Windows, you're probably not getting
> > what you want with Kerberos alone. To use web.xml for authorization, you
> > want something like roles = AD groups (and local groups). Retrieving user
> > groups by name from AD is going to yield the wrong result in any kind of
> > real world deployment - you will have a hard time getting nested groups or
> > anything from trusted domains.
> >
> > If you're running on Windows and your goal is single sign-on, you may want
> > to try http://waffle.codeplex.com. There are several options, including a
> > login filter and a JAAS authenticator. All use SSPI to login (will do
> > Kerberos and NTLM) and will return not just the user identity, but the
> > user local and domain groups.
> >
> > Hope this helps,
> > -dB.
> >
> > dB. @ dblock.org
> > Moscow|Geneva|Seattle|New York
> >
> > -----Original Message-----
> > From: geofrey rainey [mailto:geofr...@gmail.com]
> > Sent: Tuesday, June 01, 2010 4:05 AM
> > To: users@tomcat.apache.org
> > Subject: JAAS Realm Authentication with Kerberos
> >
> > Hello,
> >
> > I've been following this fairly self-explanatory document on Kerberos
> > authentication against an AD. If I hard-code the u...@realm in the web.xml
> > file, authentication is successful. However, obviously what one really wants
> > is the actual user credentials as stored in the Principals class,
> > javax.security.auth.kerberos.KerberosPrincipal, in the web.xml for each
> > Subject authenticating, but I'm a bit lost as to how to get that
> > information from the class into the web.xml. Any ideas would be appreciated.
> >
> > ( http://wiki.wsmoak.net/cgi-bin/wiki.pl?action=browse&diff=1&id=TomcatKerberosConfigOnly )
> >
> >     <auth-constraint>
> >         <role-name>u...@realm</role-name>
> >     </auth-constraint>
> >
> > Regards,
> > Geofrey.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
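As an added example (not code from this thread, from Tomcat, or from the JDK), one way to follow dB.'s suggestion is a hypothetical LoginModule stacked as `required` after the JDK's Krb5LoginModule in the JAAS login configuration: after Kerberos has authenticated the user, it looks up each KerberosPrincipal in a role source and adds one RolePrincipal per role, so web.xml can name a role such as "manager" instead of a u...@realm literal. Assumptions: the role mapping is a constructed in-memory table standing in for a user database or directory, and Tomcat's JAASRealm is configured with `roleClassNames` set to the nested RolePrincipal class so those principals are treated as roles rather than users.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.spi.LoginModule;

public class RoleMappingLoginModule implements LoginModule {
    // Constructed sample mapping; a real deployment would query a user database or directory.
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        ROLES.put("alice@EXAMPLE.COM", new HashSet<String>(Arrays.asList("manager", "user")));
        ROLES.put("bob@EXAMPLE.COM", new HashSet<String>(Arrays.asList("user")));
    }
    private Subject subject;
    private final Set<Principal> added = new HashSet<Principal>(); // what we put in, for logout()

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }
    // Authentication itself is Krb5LoginModule's job; this module only contributes roles.
    public boolean login() { return true; }

    public boolean commit() {
        Set<KerberosPrincipal> users = subject.getPrincipals(KerberosPrincipal.class);
        if (users.isEmpty()) return false;   // Kerberos did not authenticate: add nothing
        for (KerberosPrincipal user : users) {
            // Unmapped users get no roles and therefore satisfy no <auth-constraint>.
            for (String role : ROLES.getOrDefault(user.getName(), Collections.<String>emptySet())) {
                Principal p = new RolePrincipal(role);
                if (subject.getPrincipals().add(p)) added.add(p);
            }
        }
        return true;
    }
    public boolean abort() { return logout(); }
    // Remove only the principals this module added, leaving the Kerberos ones alone.
    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        return true;
    }

    // Listed in JAASRealm's roleClassNames so Tomcat treats it as a role, not a user.
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }
}
```

Because roles are granted only from the mapping, a user Kerberos can authenticate but the mapping does not know ends up with no roles and is denied by every auth-constraint, which is the fail-closed behaviour you want from a role source.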