Java Mailing List Archive

RE: Using 2 Realms for authentication and access control

Workman, Joe

2006-12-18

I have not seen any response to this . . . . Can anyone help? Please?!?

Cheers
Joe

________________________________

From: Workman, Joe
Sent: Friday, December 15, 2006 12:30 PM
To: 'users@(protected)'
Subject: Using 2 Realms for authentication and access control


I have an application that runs on Tomcat that by default uses a
JDBCRealm to query a database for authentication. I would like to use
Kerberos for the user password authentication but still use my JDBCRealm
for access control through roles. I was hoping you could point me in the
right direction. I am running on Solaris 9, Java 1.5.0_10 with Tomcat
5.5.17.

I really appreciate any help you could give me!!!

Here is my tomcat config:

server.xml (snippet) -

   <Realm className="org.apache.catalina.realm.JAASRealm"
          appName="Tomcat"
          userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
          roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
          useContextClassLoader="true"
          debug="99"/>

   <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
          driverName="in.co.daffodil.db.rmi.RmiDaffodilDBDriver"
          connectionURL="jdbc:daffodilDB://localhost:3456/ovaa;"
          connectionName="DAFFODIL" connectionPassword="daff0d1l"
          AllRolesMode="strict"
          userTable="users" userNameCol="username"
          userCredCol="password"
          userRoleTable="users_roles" roleNameCol="rolename" />


jaas.conf -

Tomcat {
com.sun.security.auth.module.Krb5LoginModule required;
};


web.xml (snippet) -

<security-constraint>
  <display-name>Tomcat Server Configuration Security Constraint</display-name>
  <web-resource-collection>
   <web-resource-name>Protected Area</web-resource-name>
   <url-pattern>*.do</url-pattern>
   <url-pattern>*.jsp</url-pattern>
   <url-pattern>*.js</url-pattern>
   <url-pattern>*.html</url-pattern>
   <url-pattern>*.pieConfig</url-pattern>
   <url-pattern>*.pieData</url-pattern>
   <url-pattern>*.gridData</url-pattern>
   <url-pattern>*.xls</url-pattern>
   <url-pattern>*.excel</url-pattern>
   <url-pattern>*.tre</url-pattern>
   <url-pattern>*.tem</url-pattern>
   <url-pattern>*.nc</url-pattern>
   <url-pattern>*.menu</url-pattern>
   <url-pattern>*.ext</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>tomcat_auth_role</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ovaa-tomcat</realm-name>
  <form-login-config>
   <form-login-page>/jsp/rootLogin.jsp</form-login-page>
   <form-error-page>/jsp/rootLogin.jsp?error=1</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>The role that is required to log into Advanced Access</description>
  <role-name>tomcat_auth_role</role-name>
</security-role>


Cheers
Joe
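Added example, not from the post or the Tomcat project: a Python check for the configuration shown above. A Tomcat container (Engine, Host or Context) holds a single Realm, so two sibling <Realm> elements do not combine; the last one declared replaces the earlier one, and the script flags containers where that happens and reports which declaration is actually in effect. The server.xml sample is constructed to mirror the snippet in the post, with a placeholder for the JDBC password.

```python
"""Audit a Tomcat server.xml for sibling <Realm> elements that silently
override one another.  Each container keeps exactly one Realm: when several
<Realm> children are declared under the same Engine/Host/Context, Tomcat's
digester calls setRealm() for each in turn and only the last one survives.
A JAASRealm followed by a JDBCRealm therefore yields JDBC-only auth, and the
Kerberos login module is never consulted."""
import xml.etree.ElementTree as ET

CONTAINERS = {"Engine", "Host", "Context"}


def find_shadowed_realms(server_xml: str):
    """Return one finding per container that declares more than one direct
    <Realm> child: the realm classes in declaration order, the one that takes
    effect (declared last) and the ones that are silently ignored.
    Realms nested inside a CombinedRealm are children of a <Realm>, not of a
    container, so they are correctly not flagged here."""
    root = ET.fromstring(server_xml)
    findings = []
    for container in root.iter():
        if container.tag not in CONTAINERS:
            continue
        realms = [r.get("className", "?") for r in container.findall("Realm")]
        if len(realms) > 1:
            findings.append({
                "container": container.tag,
                "name": container.get("name"),
                "declared": realms,
                "effective": realms[-1],
                "ignored": realms[:-1],
            })
    return findings


# Constructed sample modelled on the snippet in the post (not the real file);
# the JDBC connection password is a placeholder.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
   <Realm className="org.apache.catalina.realm.JAASRealm" appName="Tomcat"
          userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
          roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"/>
   <Realm className="org.apache.catalina.realm.JDBCRealm"
          connectionURL="jdbc:daffodilDB://localhost:3456/ovaa;"
          connectionName="DAFFODIL" connectionPassword="PLACEHOLDER"
          userTable="users" userNameCol="username" userCredCol="password"
          userRoleTable="users_roles" roleNameCol="rolename"/>
   <Host name="localhost" appBase="webapps"/>
  </Engine>
 </Service>
</Server>"""

if __name__ == "__main__":
    for f in find_shadowed_realms(SAMPLE_SERVER_XML):
        print(f"{f['container']} '{f['name']}': {len(f['declared'])} Realm "
              f"elements; only {f['effective']} is active, ignored: {f['ignored']}")
```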