No matter what I do, I always get an "HTTP Status 403 - Access to the
requested resource has been denied" error displayed after authenticating in
Tomcat with JAAS.  Here is my configuration.

Tomcat 6.0.x

server.xml:
...
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">

        <!-- JAAS config -->
        <Realm className="org.apache.catalina.realm.JAASRealm"
               appName="CDF_TestApp"
               userClassNames="ipt.tas.security.login.TASUserPrincipal"
               roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
               useContextClassLoader="true"
               debug="99"/>
      </Host>
    </Engine>
  </Service>
</Server>

Issue here: since TASUserPrincipal and TASGroupPrincipal are not available
yet (they are in my web app, which hasn't started), how can I delay
configuration until my web app has started? (I doubt this is the cause of the
error, however.)

My WebApp web.xml:

<!--Test code to get JAAS to work-->
    <servlet>
        <servlet-name>StartupServlet</servlet-name>
        <servlet-class>
            com.issinc.cdf.servlet.StartupServlet
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test App</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>members</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <description>
        </description>
        <role-name>members</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test App Realm</realm-name>
    </login-config>
    <!--End JAAS code-->

Note that StartupServlet configures JAASConfiguration to load my custom
LoginModule.

When my web app starts I do get the authentication dialog and I enter my
login info.  I have debugged my custom LoginModule and login() and commit()
both succeed/return true for the user.  However when the app continues I get
the 403 error stated above.

What am I doing wrong?  I don't understand if/how the role-name(s) specified
in the web.xml are validated at this point.  Do I have to tie my Subject
Principal to these roles somehow?  Or are these roles just used by the JAAS
logic after authentication is complete?  I will say that if I remove the
auth-constraint section then the login dialog is not even displayed.

Can someone point me to my error?

-Dave
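The following is an added example and is not code from the original post or from the poster's application. It shows the part of a JAAS LoginModule that Tomcat's JAASRealm actually consumes: after a successful login, the Realm walks the Subject's principals, treats the one whose class name matches userClassNames as the user, and treats every principal whose class name matches roleClassNames as a role, comparing Principal.getName() against the <role-name> entries of the <auth-constraint>. The class name ExampleLoginModule, the hard-coded user table and the plaintext passwords are constructed for the example only; the package and the TASUserPrincipal / TASGroupPrincipal classes are assumed to match the names in the server.xml above and to be plain java.security.Principal implementations taking a single String name.

```java
// Added example (not the poster's code): a minimal JAAS LoginModule that
// populates the Subject so that Tomcat's JAASRealm can map roles.
// Assumptions: ipt.tas.security.login.TASUserPrincipal and
// ipt.tas.security.login.TASGroupPrincipal exist, implement
// java.security.Principal, and have a (String name) constructor.
package ipt.tas.security.login;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExampleLoginModule implements LoginModule {

    // Constructed sample store: user -> {password, role, role, ...}.
    // A real module would look these up (and compare password hashes).
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("dave", new String[] {"secret", "members"});
        USERS.put("guest", new String[] {"guest", "visitors"});
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private List<String> roles;
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: check the credentials only; the Subject is not touched yet.
    public boolean login() throws LoginException {
        if (handler == null) {
            throw new LoginException("no CallbackHandler available");
        }
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.toString());
        }
        String[] entry = USERS.get(nc.getName());
        char[] pw = pc.getPassword();
        if (entry == null || pw == null || !Arrays.equals(entry[0].toCharArray(), pw)) {
            throw new FailedLoginException("bad credentials");
        }
        pc.clearPassword();
        user = nc.getName();
        roles = Arrays.asList(entry).subList(1, entry.length);
        return true;
    }

    // Phase 2: this is where the role mapping is decided. JAASRealm reads
    // the role names from principals of the roleClassNames class; if no
    // TASGroupPrincipal named "members" is added here, the container has
    // nothing to match against <role-name>members</role-name> and answers
    // 403 even though login() returned true.
    public boolean commit() {
        if (user == null) {
            return false;            // our login() did not succeed
        }
        added.add(new TASUserPrincipal(user));
        for (String role : roles) {
            added.add(new TASGroupPrincipal(role));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort()  { cleanup(); return true; }
    public boolean logout() { cleanup(); return true; }

    private void cleanup() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        user = null;
        roles = null;
    }
}
```

The module is registered under the Realm's appName (CDF_TestApp) in whatever JAAS configuration the application installs. JAASRealm compares the class names in userClassNames and roleClassNames against principal.getClass().getName() as strings, so the Realm does not need those classes to be loadable when server.xml is parsed; they only have to be present on the Subject returned by the LoginContext, and with useContextClassLoader="true" the LoginModule itself is loaded through the web application's class loader.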
