I have not seen any response to this . . . . Can anyone help? Please?!?

Cheers
Joe

________________________________
From: Workman, Joe
Sent: Friday, December 15, 2006 12:30 PM
To: 'users@tomcat.apache.org'
Subject: Using 2 Realms for authentication and access control

I have an application that runs on tomcat that by default uses a JDBCRealm to query a database for authentication. I would like to use Kerberos for the user password authentication but still use my JDBCRealm for access control through roles. I was hoping you could point me in the right direction.

I am running on Solaris 9, java 1.5.0_10 with tomcat 5.5.17.

I really appreciate any help you could give me!!!

Here is my tomcat config:

server.xml (snippet) -

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="Tomcat"
           userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
           roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
           useContextClassLoader="true"
           debug="99"/>

    <Realm className="org.apache.catalina.realm.JDBCRealm"
           debug="99"
           driverName="in.co.daffodil.db.rmi.RmiDaffodilDBDriver"
           connectionURL="jdbc:daffodilDB://localhost:3456/ovaa;"
           connectionName="DAFFODIL"
           connectionPassword="daff0d1l"
           AllRolesMode="strict"
           userTable="users"
           userNameCol="username"
           userCredCol="password"
           userRoleTable="users_roles"
           roleNameCol="rolename" />

jaas.conf -

    Tomcat {
        com.sun.security.auth.module.Krb5LoginModule required;
    };

web.xml (snippet) -

    <security-constraint>
        <display-name>Tomcat Server Configuration Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>*.do</url-pattern>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.js</url-pattern>
            <url-pattern>*.html</url-pattern>
            <url-pattern>*.pieConfig</url-pattern>
            <url-pattern>*.pieData</url-pattern>
            <url-pattern>*.gridData</url-pattern>
            <url-pattern>*.xls</url-pattern>
            <url-pattern>*.excel</url-pattern>
            <url-pattern>*.tre</url-pattern>
            <url-pattern>*.tem</url-pattern>
            <url-pattern>*.nc</url-pattern>
            <url-pattern>*.menu</url-pattern>
            <url-pattern>*.ext</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat_auth_role</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ovaa-tomcat</realm-name>
        <form-login-config>
            <form-login-page>/jsp/rootLogin.jsp</form-login-page>
            <form-error-page>/jsp/rootLogin.jsp?error=1</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>The role that is required to log into Advanced Access</description>
        <role-name>tomcat_auth_role</role-name>
    </security-role>

Cheers
Joe