Take a look at CAS. It has the added value of:
- keeps passwords away from your container and its applications
- gives SSO!
- integrates well behind apache for a balancer and other mod_*
- works with other languages
- existing application integration
I have used it with success and replaced an expensive commercial
proprietary application for SSO with it.
http://www.ja-sig.org/products/cas/
E-mail me offline if you need a hand with this.
- hanasaki-tomcatuser20070728@(protected)
joe bob wrote:
> Hi,
> I would like to use Kerberos in conjunction with container managed
> security. I have configured a JAASRealm with Sun's Kerberos LoginModule and
> a basic scenario works fine. I.e., if a user accesses a protected URL, he is
> challenged with a login screen. The user/password he enters is validated
> against the Kerberos system correctly.
>
> We now have a requirement to honor Kerberos password policies, for example
> the "mandatory-password-change" flag. When set, the user gets a valid ticket
> but all he can do is change his password. I tried doing this via my standard
> configuration and the Kerberos LoginModule throws an exception indicating
> the user must change his password but the Tomcat form authentication logic
> seems to treat this as an invalid login and just redirects the user to the
> error page with no way for the application to differentiate this situation.
>
> Is it possible to honor Kerberos password policies using JAAS and container
> managed security? I have looked through the source and the answer appears
> no. JAASRealm seems to catch various exceptions (e.g.
> AccountExpiredException) but in the end just returns null to
> FormAuthenticator as the authenticate() signature does not allow any checked
> exceptions to be thrown and the FormAuthenticator implementation doesn't
> seem to anticipate any runtime exceptions from this method.
>
> I would much prefer to use container managed security for the usual reasons
> but also to get (clustered) SSO support. Does anyone see something I missed
> or have any ideas? Can I use the standard SSO valve with application managed
> security somehow? Seems doubtful.
>
> Thanks.
> Kireet <users-sc.1185403782.aokiedfcpgeeepdlcflj-krtomcat=gmail.com@(protected)>
>
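The situation Kireet describes, as an added example that is not part of either message: a JAAS LoginModule that wraps Sun's Krb5LoginModule so the "must change password" outcome survives JAASRealm's generic null return and can be acted on by the form-login error page. It assumes Tomcat's JAASRealm with its JAASCallbackHandler; the class PolicyAwareKrb5LoginModule, its username registry and the exception-matching rule are hypothetical.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.module.Krb5LoginModule;

// Hypothetical wrapper, not Tomcat's or Sun's code: delegates to Krb5LoginModule and records a
// "password must change" failure per user before re-throwing it. JAASRealm still returns null and
// FormAuthenticator still forwards to the error page, which can call consumeMustChange(j_username).
public class PolicyAwareKrb5LoginModule implements LoginModule {
    private static final Set<String> MUST_CHANGE = Collections.synchronizedSet(new HashSet<>());
    private final Krb5LoginModule delegate = new Krb5LoginModule();
    private CallbackHandler handler;
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;   // Tomcat's JAASCallbackHandler, fed from the login form
        delegate.initialize(subject, handler, sharedState, options);
    }
    @Override public boolean login() throws LoginException {
        String user = askUsername();
        try {
            if (!delegate.login()) return false;   // delegate asked to be ignored
            MUST_CHANGE.remove(user);              // a clean login clears any stale marker
            return true;
        } catch (LoginException e) {
            if (isPasswordExpired(e)) MUST_CHANGE.add(user);
            throw e;                               // the realm must still reject the login
        }
    }
    // One-shot query for the error page, so the marker does not linger.
    public static boolean consumeMustChange(String user) {
        return user != null && MUST_CHANGE.remove(user);
    }
    // Assumption: the module reports the policy as CredentialExpiredException or as a plain
    // LoginException whose cause carries the KDC's "Password has expired" text; verify locally.
    private static boolean isPasswordExpired(LoginException e) {
        if (e instanceof CredentialExpiredException) return true;
        Throwable c = e.getCause();
        return c != null && String.valueOf(c.getMessage()).contains("Password has expired");
    }
    private String askUsername() throws LoginException {
        NameCallback nc = new NameCallback("username: ");   // the handler answers it again for Krb5
        try { handler.handle(new Callback[] { nc }); }
        catch (Exception ex) { throw new LoginException("no username: " + ex.getMessage()); }
        return nc.getName();
    }
    @Override public boolean commit() throws LoginException { return delegate.commit(); }
    @Override public boolean abort()  throws LoginException { return delegate.abort(); }
    @Override public boolean logout() throws LoginException { return delegate.logout(); }
}
```

Wire this class into the JAAS configuration entry in place of Krb5LoginModule with the same options; FormAuthenticator forwards the original POST to the form-error-page, so that page can read request.getParameter("j_username"), call consumeMustChange on it and redirect to the password-change page rather than show a generic failure.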