Grokbase Groups Tomcat users May 2009
No matter what I do...I always get an 'HTTP Status 403 - Access to the
requested resource has been denied error' displayed after authenticating in
Tomcat with JAAS. Here is my configuration.

Tomcat 6.0.x

server.xml:
...
<Host name="localhost" appBase="webapps" unpackWARs="true"
      autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">

  <!-- JAAS config -->
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="CDF_TestApp"
         userClassNames="ipt.tas.security.login.TASUserPrincipal"
         roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
         useContextClassLoader="true"
         debug="99"/>
</Host>
</Engine>
</Service>
</Server>

Issues here...since TASUserPrincipal & TASGroupPrincipal are not available
yet (they are in my web app, which hasn't started), how can I delay
configuration until my web app has started? (Doubt this is the cause of the
error, however.)

My WebApp web.xml:

<!--Test code to get JAAS to work-->
<servlet>
  <servlet-name>StartupServlet</servlet-name>
  <servlet-class>
    com.issinc.cdf.servlet.StartupServlet
  </servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Test App</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>members</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <description>
  </description>
  <role-name>members</role-name>
</security-role>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Test App Realm</realm-name>
</login-config>
<!--End JAAS code-->

Note that StartupServlet configures JAASConfiguration to load my custom
LoginModule.

When my web app starts I do get the authentication dialog and I enter my
login info. I have debugged my custom LoginModule and login() and commit()
both succeed/return true for the user. However when the app continues I get
the 403 error stated above.

What am I doing wrong? I don't understand if/how the role-name(s) specified
in the web.xml are validated at this point. Do I have to tie my Subject
Principal to these roles somehow? Or are these roles just used by the JAAS
logic after authentication is complete? I will say that if I remove the
auth-constraint section then the login dialog is not even displayed.

Can someone point me to my error?

-Dave

  • David Hoffer at May 11, 2009 at 7:30 pm
    Update.

    It looks like the problem is with the Tomcat Realm configuration. If I move
    the jar that contains these custom classes to the Tomcat lib folder then it
    works!

    However this is not a workable solution. I can't deploy jars like this.
    How can I delay JAAS realm configuration to my web app? After all what is
    the purpose of useContextClassLoader? Ideally I would like to move the
    configuration out of server.xml to my web app so this is self-contained.

    What is the right way to do this?

    -Dave
  • Pid at May 11, 2009 at 10:17 pm

    David Hoffer wrote:
    > Update.
    >
    > It looks like the problem is with the Tomcat Realm configuration. If I move
    > the jar that contains these custom classes to the Tomcat lib folder then it
    > works!
    >
    > However this is not a workable solution. I can't deploy jars like this.
    > How can I delay JAAS realm configuration to my web app? After all what is
    > the purpose of useContextClassLoader? Ideally I would like to move the
    > configuration out of server.xml to my web app so this is self-contained.
    >
    > What is the right way to do this?

    Configure the realm at the context level - i.e. in the
    META-INF/context.xml of your WAR, or application directory.

    p
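The context-level configuration Pid describes, shown as an added example that is not part of the original thread. The Realm attributes are copied from the poster's server.xml (without `debug`); the file location follows Pid's reply.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: META-INF/context.xml packaged inside the WAR.
     Tomcat-specific; other containers ignore this file. -->
<Context>
  <!-- Same JAASRealm the poster had under <Host> in server.xml, now nested in
       <Context>, so it is created with the web application and the Principal
       classes shipped in WEB-INF/lib or WEB-INF/classes can be loaded. -->
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="CDF_TestApp"
         userClassNames="ipt.tas.security.login.TASUserPrincipal"
         roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
         useContextClassLoader="true"/>
</Context>
```

With this in place the Host-level `<Realm>` element can be removed from server.xml, and the jar with the Principal classes stays inside the web application instead of Tomcat's lib folder.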
  • David Hoffer at May 12, 2009 at 2:19 am
    Okay that sounds good I'll try that. Next newbie question...will this be
    server agnostic? I need to support Tomcat/JBoss/WebLogic.

    -Dave
  • Caldarale, Charles R at May 12, 2009 at 3:17 am

    > From: David Hoffer
    > Subject: Re: How to configure Tomcat 6.0 with JAAS?
    >
    > Next newbie question...will this be server agnostic?

    Unfortunately not. The servlet spec does not define how realms are to be configured, so each app server rolls its own mechanism. Note that the <Context> and <Realm> elements are unique to Tomcat, which is why they're not in WEB-INF/web.xml.

    - Chuck


  • Christopher Schultz at May 12, 2009 at 4:30 pm
    Chuck,

    On 5/11/2009 11:16 PM, Caldarale, Charles R wrote:
    >> From: David Hoffer
    >> Subject: Re: How to configure Tomcat 6.0 with JAAS?
    >>
    >> Next newbie question...will this be server agnostic?
    >
    > Unfortunately not. The servlet spec does not define how realms are
    > to be configured, so each app server rolls its own mechanism. Note
    > that the <Context> and <Realm> elements are unique to Tomcat, which
    > is why they're not in WEB-INF/web.xml.

    ... though JBoss uses Tomcat as its default servlet container, so you
    should be fine until you move to WebLogic, which uses a different
    mechanism to configure its Realms.

    -chris
  • Caldarale, Charles R at May 12, 2009 at 4:57 pm

    > From: Christopher Schultz
    > Subject: Re: How to configure Tomcat 6.0 with JAAS?
    >
    > ... though JBoss uses Tomcat as its default servlet container

    Unfortunately, JBoss does not use Tomcat's authentication - it has its own. When we wrote JAAS modules for use on our proprietary OS, we had to do separate implementations for JBoss and Tomcat.

    - Chuck


  • David Hoffer at May 13, 2009 at 1:18 pm
    Thanks, if possible could you/someone send some examples of how to configure
    JAAS with JBoss? I have it working with Tomcat but need the minimum
    configuration to do the same for JBoss.

    Note, I have a servlet that at startup sets the JAAS configuration, i.e.
    Configuration.setConfiguration(configuration) which sets the LoginModule to
    use. I just need to know how to configure JBoss to work with this
    LoginModule.

    -Dave

  • radhika PA at Sep 11, 2009 at 9:43 am
    Hi,
    Can you give me details of configuring Custom LoginModule in Tomcat6.0.18.
    Where exactly did you place the custom LoginModuleImpl and principal
    classes?
    I tried to configure it but I am getting the following exception.

    javax.security.auth.login.LoginException: unable to find LoginModule class: com.test.loginmodule.SampleLoginModule
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:399)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:323)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
        at java.lang.Thread.run(Thread.java:619)




