Hi Felix,

Thanks for the response.

Maybe I am thinking about this the wrong way. In my mind I expected the <security-constraint> to name a <Realm> to use. Then the combined <Realm> would specify the JAASRealm to do the krb5 authenticate followed by the DataSourceRealm to get the roles. Now I see that the <Realm> tag doesn't have a name, so the <security-constraint> can't be referencing the <Realm>.

Is the flow that you specify a JAAS configuration that in turn references the <Realm>? If so, how?

Are we saying that we can only have one <Realm>, and all authentication is done against that one <Realm>?

I know this sounds very basic. My experience is with JBoss so I guess I have some pre-conceived ideas.

Thanks
Ron

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Wednesday, April 30, 2014 2:44 PM
To: Tomcat Users List
Subject: Re: Need How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup.

On 29. April 2014 20:28:14 MESZ, "Troyer, Ron" <arthur.tro...@honeywell.com> wrote:
>Hi,
>
>I am new to Tomcat and need some guidance.
>
>I am trying to set up a Tomcat 7.0.53 instance on a Windows 7 box, using
>JDK 1.7_51.
>
>I have read the section of the documentation about Windows
>Authentication, but I am confused at this point. From the
>documentation I have been unable to determine how to configure my
>realms and JAAS to authenticate with SPNEGO and authorize with a
>database lookup. For one thing I don't understand the difference
>between the krb5 initiate and accept entries in the example JAAS
>configuration. Looking at the documentation for the Realms, it looks
>like I want to specify a JAASRealm of some sort. From other things I
>have done, I think I need to make the Krb5LoginModule as requisite and
>use some other login module to do the DB lookup for the roles.

You can use the DataSourceRealm as written in the Windows authentication section.
Tomcat will use the user and role definitions, but ignore the passwords.

Regards
Felix

>
>I am sure someone has had to do this in the past, and I am hoping they
>can show me how to do it.
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
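
Added example, not part of the thread and not taken from the Tomcat documentation: a sketch of where the pieces asked about above live when SPNEGO authenticates and a DataSourceRealm supplies the roles. The `<security-constraint>` names only roles; the unnamed `<Realm>` configured for the Context (or inherited from the Host or Engine) resolves them. The resource name `jdbc/authDB`, the JDBC driver and URL, the table and column names, the role `app_user` and the URL pattern are all assumptions.

```xml
<!-- META-INF/context.xml (container side).
     The Realm has no name: it applies to the whole Context, so nothing in
     web.xml refers to it. All names and values below are assumed. -->
<Context>
  <Resource name="jdbc/authDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.example.Driver"
            url="jdbc:example://dbhost/authdb"
            username="tomcat_ro" password="CHANGE_ME"/>

  <!-- Role lookup only: the credential column must be configured, but per
       the reply above the passwords are ignored for SPNEGO logins. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"/>
</Context>

<!-- WEB-INF/web.xml (application side), inside <web-app>.
     The constraint lists required roles; the auth-method selects Tomcat's
     SPNEGO authenticator. Neither element names a Realm. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app_user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>SPNEGO</auth-method>
</login-config>

<security-role>
  <role-name>app_user</role-name>
</security-role>
```

Because the Realm is consulted only for user and role rows here, the DataSource account can be limited to read-only access on those two tables.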