> From: Robin Coe [mailto:[EMAIL PROTECTED]]
> Subject: RE: JAAS authenticated user fails authorization check

It appears that the problem is you haven't fully configured the JAAS
environment. See below for details.

> I tested the implementation of isUserInRole() by wild-carding
> the role, to force Tomcat to authenticate but not authorize:

It doesn't work that way. A <role-name> of * means that authorization is
allowed for any of the listed <security-role>s, not that authorization is
ignored.

> As a side note, I wrote my own implementation of the login
> process, using a servlet to hook into my login module, thus
> avoiding the declarative security.

Why did you choose to reinvent the wheel here? Use the declarative
security - it's much easier.

> <Context>
> <Realm className="org.apache.catalina.realm.JAASRealm"
> appName="landscape"

The appName is not some arbitrary value; it needs to point to the entry in
the file pointed to by the java.security.auth.login.config system property
(see below).

> The JAAS module is not based on a security policy file; I
> wrote it to work from a database.

Not relevant to the discussion. You still have to tell Tomcat's JAASRealm
what your LoginModule class name is via the file pointed to by the
java.security.auth.login.config system property. For example, here's ours:

    -Djava.security.auth.login.config=conf/security/tomcatLogin.config

The conf/security/tomcatLogin.config file contains:

    TomcatLogin {
        com.unisys.os2200.security.TomcatLoginModule required;
    };

Have you done that?

 - Chuck

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
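As an added illustration of the lookup described in the reply (this is not code from the thread or from Tomcat), the diagnostic below resolves a JAASRealm appName against a JAAS login configuration file, exactly as JAASRealm does when it creates a LoginContext, and confirms that every LoginModule class the entry names is on the class path. The class name JaasConfigCheck is hypothetical; the config file path and appName are passed as arguments.

```java
import java.io.File;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical diagnostic: does the appName a JAASRealm uses resolve to an
 * entry in the given login config, and are its LoginModule classes loadable?
 *
 * Usage: java JaasConfigCheck conf/security/tomcatLogin.config TomcatLogin
 */
public class JaasConfigCheck {

    public static boolean check(File configFile, String appName) throws Exception {
        // Parse the file directly rather than relying on the
        // java.security.auth.login.config system property, so the check
        // does not depend on how this JVM was started.
        Configuration config = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(configFile.toURI()));

        // Same lookup JAASRealm performs with its appName attribute;
        // null means no LoginContext can be created for that name.
        AppConfigurationEntry[] entries = config.getAppConfigurationEntry(appName);
        if (entries == null || entries.length == 0) {
            System.out.println("No entry named '" + appName + "' in " + configFile);
            return false;
        }

        boolean ok = true;
        for (AppConfigurationEntry entry : entries) {
            String className = entry.getLoginModuleName();
            System.out.println(appName + ": " + className + " " + entry.getControlFlag());
            try {
                // Typical failure: the module jar is not on Tomcat's class path.
                Class<?> cls = Class.forName(className);
                if (!LoginModule.class.isAssignableFrom(cls)) {
                    System.out.println("  not a javax.security.auth.spi.LoginModule");
                    ok = false;
                }
            } catch (ClassNotFoundException e) {
                System.out.println("  class not found on class path");
                ok = false;
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: JaasConfigCheck <login.config> <appName>");
            System.exit(2);
        }
        System.exit(check(new File(args[0]), args[1]) ? 0 : 1);
    }
}
```

Run it with the same class path Tomcat uses so that the Class.forName result reflects what JAASRealm will see.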