Okay, that sounds good; I'll try that. Next newbie question... will this be server-agnostic? I need to support Tomcat/JBoss/WebLogic.
-Dave

On Mon, May 11, 2009 at 4:17 PM, Pid <p...@pidster.com> wrote:

> David Hoffer wrote:
> > Update.
> >
> > It looks like the problem is with the Tomcat Realm configuration.  If I
> > move the jar that contains these custom classes to the Tomcat lib folder
> > then it works!
> >
> > However this is not a workable solution.  I can't deploy jars like this.
> > How can I delay JAAS realm configuration to my web app?  After all what
> > is the purpose of useContextClassLoader?  Ideally I would like to move
> > the configuration out of server.xml to my web app so this is
> > self-contained.
> >
> > What is the right way to do this?
>
> Configure the realm at the context level - ie in the
> META-INF/context.xml of your WAR, or application directory.
>
> p
>
> > -Dave
> >
> > On Mon, May 11, 2009 at 1:14 PM, David Hoffer <dhoff...@gmail.com> wrote:
> >
> >> No matter what I do...I always get an 'HTTP Status 403 - Access to the
> >> requested resource has been denied error' displayed after
> >> authenticating in Tomcat with JAAS.  Here is my configuration.
> >>
> >> Tomcat 6.0.x
> >>
> >> server.xml:
> >> ...
> >>       <Host name="localhost" appBase="webapps" unpackWARs="true"
> >>             autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
> >>
> >>         <!-- JAAS config -->
> >>         <Realm className="org.apache.catalina.realm.JAASRealm"
> >>                appName="CDF_TestApp"
> >>                userClassNames="ipt.tas.security.login.TASUserPrincipal"
> >>                roleClassNames="ipt.tas.security.login.TASGroupPrincipal"
> >>                useContextClassLoader="true"
> >>                debug="99"/>
> >>       </Host>
> >>     </Engine>
> >>   </Service>
> >> </Server>
> >>
> >> Issues here...since TASUserPrincipal & TASGroupPrincipal are not
> >> available yet (they are in my web app) hasn't started how can I delay
> >> configuration until my web app has started?  (Doubt this is cause of
> >> error however).
> >>
> >> My WebApp web.xml:
> >>
> >>   <!--Test code to get JAAS to work-->
> >>   <servlet>
> >>     <servlet-name>StartupServlet</servlet-name>
> >>     <servlet-class>
> >>       com.issinc.cdf.servlet.StartupServlet
> >>     </servlet-class>
> >>     <load-on-startup>1</load-on-startup>
> >>   </servlet>
> >>   <security-constraint>
> >>     <web-resource-collection>
> >>       <web-resource-name>Test App</web-resource-name>
> >>       <url-pattern>/*</url-pattern>
> >>     </web-resource-collection>
> >>     <auth-constraint>
> >>       <role-name>members</role-name>
> >>     </auth-constraint>
> >>   </security-constraint>
> >>   <security-role>
> >>     <description>
> >>     </description>
> >>     <role-name>members</role-name>
> >>   </security-role>
> >>   <login-config>
> >>     <auth-method>BASIC</auth-method>
> >>     <realm-name>Test App Realm</realm-name>
> >>   </login-config>
> >>   <!--End JAAS code-->
> >>
> >> Note that StartupServlet configures JAASConfiguration to load my custom
> >> LoginModule.
> >>
> >> When my web app starts I do get the authentication dialog and I enter
> >> my login info.  I have debugged my custom LoginModule and login() and
> >> commit() both succeed/return true for the user.  However when the app
> >> continues I get the 403 error stated above.
> >>
> >> What am I doing wrong?  I don't understand if/how the role-name(s)
> >> specified in the web.xml are validated at this point.  Do I have to tie
> >> my Subject Principal to these roles somehow?  Or are these roles just
> >> used by the JAAS logic after authentication is complete?  I will say
> >> that if I remove the auth-constraint section then the login dialog is
> >> not even displayed.
> >>
> >> Can someone point me to my error?
> >>
> >> -Dave