I'd like to set up a Realm which gets its authentication information using Kerberos, specifically Open Directory running under OS X Server 10.3.9. For initial testing, I'm running Tomcat 5.5.7 on the same machine (the copy that comes with NetBeans 4.1), and setting CATALINA_BASE to a directory of mine. I can run Tomcat fine from my CATALINA_BASE, and configuration changes are being seen by Tomcat. The JAAS Kerberos example (http://java.sun.com/j2se/1.5.0/docs/guids/security/jgss/tutorials/AcnONly.html) is able to authorize against my Open Directory server with no problems.

After reading the Tomcat docs, _Tomcat: The Definitive Guide_, and Wendy Smoak's examples at http://wiki.wsmoak.net/cgi-bin/wiki.pl?TomcatKerberosConfigOnly, I configured a Realm in server.xml as follows:

      <Realm className="org.apache.catalina.realm.JAASRealm"
             userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
             roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
             useContextClassLoader="true"
             debug="99"
      />

I created .java.login.config in my home directory:

Tomcat {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};

My script to start Tomcat is:

#! /bin/bash

export JAVA_HOME=/Library/Java/Home

export CATALINA_HOME=/Applications/NetBeans4.1.app/Contents/Resources/NetBeans/enterprise1/jakarta-tomcat-5.5.7

export CATALINA_BASE=$PWD

# Quoted so that all three -D options end up in JAVA_OPTS
export JAVA_OPTS="-Djava.security.krb5.realm=TONKUNST.SOM.OHIO-STATE.EDU -Djava.security.krb5.kdc=tonkunst.som.ohio-state.edu -Djava.security.auth.login.config=$HOME/.java.login.config"

$CATALINA_HOME/bin/startup.sh


Tomcat comes up without any errors, but whenever I try to access any servlet that requires authentication, the following error shows up in Tomcat's output:

javax.security.auth.login.LoginException: No LoginModules configured for Catalina

Although the browser puts up a password entry dialog, entering a valid username/password combination just results in the dialog coming back, signalling a failed authorization.

I get the same results when I try moving .java.login.config to CATALINA_HOME/conf and updating java.security.auth.login.config in the login script accordingly. (If I misspell the file name in setting java.security.auth.login.config, Tomcat complains about the missing file, so I know it's finding the .java.login.config file.)



Doug Reeder
Cognitive & Systematic Musicology Lab
OSU School of Music
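
The exception in the message names the JAAS entry "Catalina", while the login configuration file defines one called "Tomcat". The check below is an added example, not part of the original message or of Tomcat: it compares the entry name each JAASRealm in server.xml will request with the entries the login config defines. It assumes the realm requests the name in its appName attribute and, when that attribute is absent, the name given in the error message ("Catalina"); the sample inputs are constructed from the configuration quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the configuration quoted in the message.
SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JAASRealm"
         userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
         roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
         useContextClassLoader="true"/>
</Engine>"""

LOGIN_CONFIG = """Tomcat {
    com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
"""

JAAS_REALM = "org.apache.catalina.realm.JAASRealm"


def jaas_entry_names(text):
    """Return the application entry names defined in a JAAS login config."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip block comments
    text = re.sub(r"(?m)^\s*//.*$", "", text)          # strip line comments
    # An entry is a name (optionally quoted) followed by an opening brace.
    return set(re.findall(r'(?m)^\s*"?([\w.\-]+)"?\s*\{', text))


def realm_lookup_names(server_xml, default_name):
    """Entry name each JAASRealm requests: appName, else default_name."""
    root = ET.fromstring(server_xml)
    return [realm.get("appName", default_name)
            for realm in root.iter("Realm")
            if realm.get("className") == JAAS_REALM]


def missing_entries(server_xml, login_config, default_name="Catalina"):
    """Names a JAASRealm will request that the login config does not define."""
    defined = jaas_entry_names(login_config)
    if "other" in defined:  # JAAS falls back to an entry named "other"
        return []
    return [name for name in realm_lookup_names(server_xml, default_name)
            if name not in defined]


if __name__ == "__main__":
    for name in missing_entries(SERVER_XML, LOGIN_CONFIG):
        print("No login config entry named", repr(name))
```
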

