David Hoffer wrote:
> Update.
>
> It looks like the problem is with the Tomcat Realm configuration.  If I move
> the jar that contains these custom classes to the Tomcat lib folder then it
> works!
>
> However this is not a workable solution.  I can't deploy jars like this.
> How can I delay JAAS realm configuration to my web app?  After all what is
> the purpose of useContextClassLoader?  Ideally I would like to move the
> configuration out of server.xml to my web app so this is self-contained.
>
> What is the right way to do this?

Configure the realm at the context level - ie in the META-INF/context.xml of your WAR, or application directory.

p

> -Dave
>
> On Mon, May 11, 2009 at 1:14 PM, David Hoffer <dhoff...@gmail.com> wrote:
>
>> No matter what I do...I always get an 'HTTP Status 403 - Access to the
>> requested resource has been denied error' displayed after authenticating in
>> Tomcat with JAAS.  Here is my configuration.
>>
>> Tomcat 6.0.x
>>
>> server.xml:
>> ...
>> <Host name="localhost" appBase="webapps" unpackWARs="true"
>> autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
>>
>> <!-- JAAS config -->
>> <Realm className="org.apache.catalina.realm.JAASRealm"
>> appName="CDF_TestApp"
>> userClassNames="ipt.tas.security.login.TASUserPrincipal"
>> roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
>> useContextClassLoader="true"
>> debug="99"/>
>> </Host>
>> </Engine>
>> </Service>
>> </Server>
>>
>> Issues here...since TASUserPrincipal & TASGroupPrincipal are not available
>> yet (they are in my web app) hasn't started how can I delay configuration
>> until my web app has started?  (Doubt this is cause of error however).
>>
>> My WebApp web.xml:
>>
>> <!--Test code to get JAAS to work-->
>> <servlet>
>> <servlet-name>StartupServlet</servlet-name>
>> <servlet-class>
>> com.issinc.cdf.servlet.StartupServlet
>> </servlet-class>
>> <load-on-startup>1</load-on-startup>
>> </servlet>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>Test App</web-resource-name>
>> <url-pattern>/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>members</role-name>
>> </auth-constraint>
>> </security-constraint>
>> <security-role>
>> <description>
>> </description>
>> <role-name>members</role-name>
>> </security-role>
>> <login-config>
>> <auth-method>BASIC</auth-method>
>> <realm-name>Test App Realm</realm-name>
>> </login-config>
>> <!--End JAAS code-->
>>
>> Note that StartupServlet configures JAASConfiguration to load my custom
>> LoginModule.
>>
>> When my web app starts I do get the authentication dialog and I enter my
>> login info.  I have debugged my custom LoginModule and login() and commit()
>> both succeed/return true for the user.  However when the app continues I get
>> the 403 error stated above.
>>
>> What am I doing wrong?  I don't understand if/how the role-name(s) specified
>> in the web.xml are validated at this point.  Do I have to tie my Subject
>> Principal to these roles somehow?  Or are these roles just used by the JAAS
>> logic after authentication is complete?  I will say that if I remove the
>> auth-constraint section then the login dialog is not even displayed.
>>
>> Can someone point me to my error?
>>
>> -Dave
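
The context-level configuration suggested in the reply, written out as a file. This is an added example, not part of the original thread: the attribute values are copied from the Realm element in the quoted server.xml, and the comments describe standard JAASRealm behaviour.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml, packaged inside the WAR.
     A Realm nested in <Context> applies to this web application only and is
     set up when the application is deployed, so the server-wide server.xml
     no longer has to name classes that live in the WAR. -->
<Context>

  <!-- Same element as the one shown under <Host> in the quoted server.xml.
       Take it out of server.xml when moving it here, so the realm is
       defined in one place only. -->
  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="CDF_TestApp"
         userClassNames="ipt.tas.security.login.TASUserPrincipal"
         roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
         useContextClassLoader="true"
         debug="99"/>

  <!-- appName:
         must match the entry name in the JAAS login configuration that
         selects the custom LoginModule.

       useContextClassLoader="true":
         the LoginModule and Principal classes are loaded through the web
         application's class loader, i.e. from WEB-INF/classes and
         WEB-INF/lib, so the jar does not need to sit in Tomcat's lib folder.

       userClassNames / roleClassNames:
         after a successful login JAASRealm walks the Subject's Principals.
         One whose class is listed in userClassNames becomes the user; each
         one whose class is listed in roleClassNames becomes a role, and the
         role name is that Principal's getName() value. For the
         <auth-constraint> in the quoted web.xml to be satisfied, the
         LoginModule has to add a TASGroupPrincipal whose getName() returns
         "members". A user with no matching role is authenticated but
         answered with 403. -->
</Context>
```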