Using 2 Realms for authentication and access control
2006-12-15 - By Workman, Joe
I have an application that runs on tomcat that by default uses a JDBCRealm to query a database for authentication. I would like to use Kerberos for the user password authentication but still use my JDBCRealm for access control through roles. I was hoping you could point me in the right direction. I am running on Solaris 9, java 1.5.0_10 with tomcat 5.5.17.

I really appreciate any help you could give me!!!

Here is my tomcat config:

server.xml (snippet) -

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="Tomcat"
           userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
           roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
           useContextClassLoader="true"
           debug="99"/>

    <Realm className="org.apache.catalina.realm.JDBCRealm"
           debug="99"
           driverName="in.co.daffodil.db.rmi.RmiDaffodilDBDriver"
           connectionURL="jdbc:daffodilDB://localhost:3456/ovaa;"
           connectionName="DAFFODIL"
           connectionPassword="daff0d1l"
           AllRolesMode="strict"
           userTable="users"
           userNameCol="username"
           userCredCol="password"
           userRoleTable="users_roles"
           roleNameCol="rolename" />

jaas.conf -

    Tomcat {
        com.sun.security.auth.module.Krb5LoginModule required;
    };

web.xml (snippet) -

    <security-constraint>
        <display-name>Tomcat Server Configuration Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>*.do</url-pattern>
            <url-pattern>*.jsp</url-pattern>
            <url-pattern>*.js</url-pattern>
            <url-pattern>*.html</url-pattern>
            <url-pattern>*.pieConfig</url-pattern>
            <url-pattern>*.pieData</url-pattern>
            <url-pattern>*.gridData</url-pattern>
            <url-pattern>*.xls</url-pattern>
            <url-pattern>*.excel</url-pattern>
            <url-pattern>*.tre</url-pattern>
            <url-pattern>*.tem</url-pattern>
            <url-pattern>*.nc</url-pattern>
            <url-pattern>*.menu</url-pattern>
            <url-pattern>*.ext</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat_auth_role</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ovaa-tomcat</realm-name>
        <form-login-config>
            <form-login-page>/jsp/rootLogin.jsp</form-login-page>
            <form-error-page>/jsp/rootLogin.jsp?error=1</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <description>The role that is required to log into Advanced Access</description>
        <role-name>tomcat_auth_role</role-name>
    </security-role>

Cheers
Joe