It seems that the simplest way is to write your own login module or try to use/configure/debug the existing JNDI login module.

Regards,

-----Original Message-----
From: Antoine Brocard - Vertical*i S.A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 12, 2004 09:52
To: [EMAIL PROTECTED]
Subject: The good way of making JAAS and Realm authentication use the same back-end authentication system?

Maybe this question should be in the User mailing list, but I think it could interest some Developers...

The problem I had to solve is the following: My application needs J2EE container authentication AND JAAS (to authenticate requests coming from an application that doesn't support a standard authentication scheme, like BASIC or FORM). The back-end authentication system is an LDAP server. I would like both J2EE authentication and JAAS to access the same LDAP server.

As a first try I set up the following configuration:

- Use the Tomcat JAASRealm for J2EE authentication.
- Use the JNDILoginModule as JAAS login module, to access the LDAP server.

The problem was that the JNDILoginModule was known to have bugs, and I didn't succeed in making this configuration work.

The other solution is to make JAAS use the current J2EE authentication; in other words, make the JAAS login module access the current Tomcat Realm and forward authentication requests to it. I looked for such a module, without success. I decided to write one myself, using the following hacks:

In order to access the current Realm from inside a login module, I used JMX. I copied some code from the Tomcat sources. At this point I was able to get the current Realm, but I realized that the "authenticate" method wasn't manageable through JMX. To solve that, I decided to subclass the standard Tomcat Realm and to make them accessible through JMX by modifying the mbeans-descriptor.xml file. Finally it worked fine.

The last problem I had was related to the location of .jar files. In order to make this work, I had to move the content of TOMCAT_HOME/server/lib into TOMCAT_HOME/common/lib. This is not very elegant and can lead to security issues in some cases. Moreover, clients are often reluctant to do such operations...

My question(s) is(are) the following:

1) Is there a better/simpler procedure to make JAAS and J2EE container authentication use the same back-end mechanism? Maybe I missed a step somewhere...

1bis) If not, is there a simpler way of getting the current Realm from Java code, instead of the ugly JMX hack I used?

2) Why isn't there a "TomcatLogin" JAAS login module, like there is with WebLogic or WebSphere? It seems that "JAAS asking Realm" is the "standard" way of doing it, not the "Realm asking JAAS" one used by Tomcat...

Thanks in advance for your help

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
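
A sketch of the "write your own login module" route discussed in this thread, added here as an example and not code from either poster or from Tomcat: a JAAS `LoginModule` that forwards the collected credentials to one shared authenticator, so the container Realm and JAAS both end up at the same LDAP check. `DelegatingLoginModule`, `Backend` and `register()` are hypothetical names; how the `Backend` is wired to the Realm or to LDAP is left to the application.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added example; DelegatingLoginModule, Backend and register() are hypothetical names.
public class DelegatingLoginModule implements LoginModule {
    public interface Backend { Principal authenticate(String user, char[] password); }
    private static volatile Backend backend;   // the one authenticator the container side also uses
    public static void register(Backend b) { backend = b; }   // called once at start-up
    private Subject subject;
    private CallbackHandler handler;
    private Principal authenticated;
    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        if (backend == null || handler == null) throw new LoginException("no back end or handler");
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials");
        }
        char[] pw = pass.getPassword();        // getPassword() returns a copy
        pass.clearPassword();
        try {
            // Fail closed: an LDAP simple bind with an empty password is an unauthenticated bind (RFC 4513).
            if (name.getName() == null || name.getName().isEmpty() || pw == null || pw.length == 0)
                throw new FailedLoginException("authentication failed");
            authenticated = backend.authenticate(name.getName(), pw);
            if (authenticated == null) throw new FailedLoginException("authentication failed");
            return true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // wipe our copy of the password
        }
    }
    @Override public boolean commit() {
        if (authenticated != null) subject.getPrincipals().add(authenticated);
        return authenticated != null;          // false tells JAAS to ignore this module
    }
    @Override public boolean abort() { return authenticated != null && logout(); }
    @Override public boolean logout() {
        if (authenticated != null) subject.getPrincipals().remove(authenticated);
        authenticated = null;
        return true;
    }
}
```

The module depends only on the JAAS API and the hypothetical `Backend` interface, so it compiles without any Tomcat server classes.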