JAAS + Tomcat 4.0.2

Similar Messages

• JAAS + Tomcat 4

  Hi,
  Can someone help me ??? I want realize JAAS + Tomcat 4.0.2. I want to implement a JAAS-Module for authentication and authorization in the web-enviroment !!!!
  Hava anyone code or example to this topic, then please
  let me take part at this experience.
  Erdkal

  I'm interested in this as well. I'm new to JAAS, but I noticed a couple of classes in the catalina source.
  @see
  org.apache.catalina.realm.JAASMemoryLoginModule
  org.apache.catalina.realm.JAASRealm
  If there is more interest in this, maybe we should collaborate under the apache tomcat project by improving/extending these classes.
  Kevin Ross

• Authentification with JAAS, Tomcat

  Hello,
  I'm working on an application with some specific needs at authorization. Users should log on with an service running on their localhost, exchanging xml-documents.
  It works like....
  1. request application for loginpage
  2. loginpage is an html-form with localhost as action-target (redirecturl as hidden field)
  3. user submits the form and the xml-request in the form is evaluated, the xml-response is sent to the redirecturl.
  4. on applicationside, the xml-response is verified and when it is correct, the user is authenticated.
  My problem is, that i don't have any system (ldap, kerberos, jdbc-source) containing userids or roles, but i want to use jaas for authorization on tomcat/struts for the ability to assign roles to actions...
  I thought of using the j_security_check. When the xml-response is verified as correct (4) then the generated userid is written in a database, so j_security_check should be able to lookup.
  Can I do this? How could this be done? I would like to redirect to j_security_check and not render an html-form with the new generated userid and password...
  thanks for help,
  hanspeter

  Hello,
  did you try to create this user, using the Visual Administrator tool of the J2EE Engine? Then there you can manage the mappings you talk about.
  Did you see:
  http://help.sap.com/saphelp_nw04/helpdata/en/49/e98876e9865b4e977b54fc090df4ed/frameset.htm
  1. "Creating and Removing Users"
  (Administration Manual -> Server Administration -> J2EE Engine Security -> Users and Authorizations on the J2EE Engine -> User and Authorization Administration -> J2EE Engine User Management Using the Visual Administrator -> Managing Users -> Creating and Removing Users),
  2. "Security Roles Management"
  (Administration Manual -> Server Administration -> J2EE Engine Security -> Users and Authorizations on the J2EE Engine -> User and Authorization Administration -> J2EE Engine User Management Using the Visual Administrator -> Security Roles Management => Mapping Users and Groups)
  Does this helps?
  Regards, Jordan
  Message was edited by: Jordan Stanchev

• JAAS/Tomcat - providing more login information than just username/password

  Sorry if this is a vague question or that I seem lazy, but I have been asked to say if an easy solution is available by the end of the day so I thought I would ask some of the experts!
  I currently have a tomcat application which is protected by basic FORM protection with user name and password held within the database.
  This application is to be rolled out and accessed by multiple clients, non of which should have access to each others data.
  All of this is in place and a username is currently associated with a client. However we have been asked if the login can be changed so that the user logs in as
  client-name/user-name/password for two reasons - firstly to avoid the possibility of the same username existing for more than one client and secondly as we now have a user who will be able to log in to more than one of the clients and creating two separate user names is not seen as the answer.
  My guess is that this may be possible using JAAS though I have found no example showing this yet (and as always have not had much time to do so!)
  Could anyone tell me if they think this is possible?
  Many thanks in advance

  ToddTobin wrote:
  We are developing a custom SSPI module for our weblogic servers, and i have a concern
  with remote logins for remote ejb calls.
  The documentation statest that the UsernamePasswordLoginModule is a good way to
  remotely log into a different BEA server so that ejb calls can be made from the
  Security.runAs context. However, i need to have more information passed than
  just the username password combination. e.g. applicationId that is making the
  call, in addition to the userid.
  The docs recommend creating your own login module, which is fine, but if i am
  correct the UsernamePasswordLoginModule uses the environment object and Authenticate.athenticate,
  to perform the login to my sspi. in that case the name is somehow translated
  into a NameCallback and (credential) Password to a PasswordCallback. If i want
  to add a different callback, "CallingAppCallback" where is that set in the environment
  object? In the properties? and if so, how is that then accessed by my LoginModule
  or AuthenticationProviderImpl?
  I just dont see how to extend the functionality of UsernamePasswordLoginModule,
  for remote-server logins?Yes, this is a major limitation. I had a similar limitation when I
  implemented a kerberos client. If you can't fit what you want into two
  string fields, you are stuffed. BEA really need to open up the API for
  client-side login modules. To be fair to BEA, JAAS is useless so they
  weren't working with something that was designed for distributed systems
  in the first place.
  Anyway I worked around it by base 64 encoding my data (which was binary
  obviously). I suggest you come up with some way of encoding the
  application id in the username, e.g user@id or something along those lines.
  If you do come up with a better solution I'd be very interested to know!
  Robert

• JAAS Tomcat PB..

  I try to integrate JAAS with Tomcat 5.028 and JSF
  I read a lot of FAQs BUT i have a pb for authorization.
  My web.xml seems OK
  The Login module seems OK
  I always have a HTTP 403 error for bad authorization.
  I launch Tomcat with 2 JVM options:
  -Djava.security.auth.policy=<path to tomcat.policy>
  -Djava.security.auth.login.config=<path to auth.conf>
  My question are:
  Is the .policy file mandatory and how to fill it ??
  How to specify URLs in the file... No URLPermission class available...
  How does my policy file be modified ??
  grant codebase "file://C:/Program Files/Apache Software Foundation/Tomcat 5.0/webapps/realms/index.jspx"  Principal * * {
    permission java.io.FilePermission "/admin/admin.jspx", "read";
  };Can you help me ??

  Hi,
  you should look towards jGuard (http://www.jguard.net) which enable easy JAAS integration into J2EE webapps on your application server (including tomcat).
  it provides also taglibs, URLPermission and many others things.
  cheers,
  Charles(jGuard team).

• JAAS Tomcat

  I'm Using JSC2 EA
  The JAAS example downloaded from JSC2 page (http://developers.sun.com/prodtech/javatools/jscreator/ea/jsc2/reference/sampleapps/SignonTR.zip), works fine in Sunappserver 8.
  I'm confuse when the application is executed in tomcat.
  In the readme file :
  "4. You need to give some additional permissions to this application so it can
  create a login context and use your Jaas Login Module for authentication.
  Go to $Sun AppServer Home/domains/creator/config/ and open this file, "login.conf"
  Add this text at the end of the file and save it:
  Sample{
       signontr.MyJdbcLoginModule required;
  5. Now open the server.policy located in the same folder as the login.conf file above.
  add these lines at the end of the file:
  grant codeBase "file:/$Your project location/SignonTR/build/web/WEB-INF/-" {
  permission javax.security.auth.AuthPermission "createLoginContext.Sample";
  My question is : How the correct configuration, to use this application in tomcat ?.
  Thanks.
  Heitor

  Hi,
  Please post messages related to Creator 2 EA at the feedbacks programs portal. The URL is:
  https://feedbackprograms.sun.com/login.html
  Thanks,
  Creator Team

• Jaas tomcat auto login

  I have a webapp running Struts, Tomcat 5 and JAAS. After a user
  registers on my site they then verify their e-mail through clicking a
  link. How can I get them to be automatically logged in after clicking
  that link using JAAS??

  Did you find how to make automated login.
  I'm trying to do almost the same thing.
  I want the same identity for each user in order to be able to communicate with another web app running on the same server.
  Some kind of impersonation will be a good solution too.
  I have no solution which I can deploy on a live server yet.
  You are well dressed

• JAAS, Tomcat and own Policy-implementation

  Hello,
  I want to use my own Policy-implementation in a Tomcat web-application.
  In a plain Java-application i got it work by adding
  policy.provider=MyPolicy
  to java.security and starting the application with
  option -Xbootclasspath/a:<path-to-my-policy-class>.
  Starting tomcat with that option doesn't work
  How can i make this work for my web-application?
  Thanks,
  Steffen

  I have a question on custom permission class. If you can give some pointers that would be helpful.
  I have a custom Permission class (MyPermission) and a custom PermissionCollection class (MyPermissionCollection) that has all the required methods implemented (e.g. add, elements, implies). however I am not sure how does MyPermissionCollection's member variable ("permissions" vector/hashtable) get filled? i see that my PermissionCollection.add() method is not being called at all that does add elements to the "permissions".
  Is it the Policy class that fills it? I am using the default sun format to define my policy file. Do i need to setup a custom policy class/object to add my custom PermissionCollection and custom Permission objects even though the policy format is default.
  Please advise!

• HTTP Error 400 on Tomcat 5.0.28 and JAAS

  Hi
  I have this problem every time I send an Authentication Request using JAAS. I've a login form and, after I send my request, LoginModule starts to process it. The problem is that, viewing the tomcat log output, the authentication goes well, but Tomcat send me a HTTP error code 400 which means "Invalid direct reference to form login page".
  If I reload the login form, not back button, and retype my credentials, I reach to enter in my website. Tomcat send me a HTTP code 302, then load my home page.
  This is the login HTTP message:
  POST /j_security_check HTTP/1.1
  Host: localhost:1999
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://localhost/xxxx/index
  Cookie: JSESSIONID=8F91E0B617B45C1BC772E370481C8FCF
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 65
  j_username=user&j_password=pass&Submit=LoginAnd this is the login form:
  <form method="post" action ="j_security_check" name="loginform" >
    <table width="100%" cellpadding="2" cellspacing="0" class="corpo">
       <tr>
        <td><div align="right">Username</div></td>
        <td width="20%"><input type="text" class="corpo" name="j_username" /></td>
      </tr>
      <tr>
        <td><div align="right">Password</div></td>
        <td width="20%"><input type="password" class="corpo" name="j_password" /></td>
      </tr>
      <tr>
        <td> </td>
        <td><div align="right">
           <input type="submit" class="bottone" name="Submit" value="Login" /><br />
             <a href="javascript:apriFinestra('<%= request.getContextPath() %>/jsp/password.jsp', '', '400px', '400px');" class="corpo"><%=lu.resource(rb, "HOME.forgot") %> </a>
        </div></td>
      </tr>
    </table>
  </form>

  There've been issues when running in the embedded OC4J server where logged messages don't appear at all - I suspect this is happening on both environments, but you're only seeing the message on Tomcat.
  If you look in the HTML, you'll see a <!-- ILLEGAL HTML: --> comment where the problem occurs, and you should be able to trace that content back to the components you're using at that spot. Could you let us know what combination of components produces this error? (The problem is exactly what the error message says: HTML does not allow <img> directly inside of <table>, but that's what got produced.)

• Integration of JAAS in Tomcat

  Hi,
  I want to use JAAS in Tomcat, but i don't hava a idea, how i can realize it !!!
  Can someone help me with a tutorial or tips, to include JAAS in Tomcat.
  Thanks a lot for your help !!
  erdkal

  Hi erdal,
  look on the JAASRealm from tomcat. http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
  There is a JAASImplementation in the nightly builds.
  juraj

• JAAS example fails on Tomcat

  The JAAS tutorial and sample code works fine in Creator but when I tried to deploy it in Tomcat 5.5.17 it fails to start and gives this error.
  org.apache.catalina.startup.ContextConfig applicationWebConfig
  SEVERE: Parse error in application web.xml file at jndi:/localhost/JaasAuthentication/WEB-INF/web.xml
  java.lang.IllegalArgumentException: Invalid <url-pattern> /faces/*.jsp in filter mappingI have looked at the Help in Creator on deploying applications in Tomcat but with no luck. Anybody know what is causing this exception in Tomcat?
  John.

  the cross-domain file has to be placed on the web service
  server.
  you can use blazeds or lcds to proxy your ws calls. this
  tutorial should help,
  http://learn.adobe.com/wiki/display/Flex/Creating+a+BlazeDS+web+service+application+in+Fle x+Builder

• JAAS configuration steps for web example in tomcat

  Hi,
  I have to configure JAAS for the deployement of my web application in tomcat.
  but i am not getting any proper document for this.
  If any one could provide some useful information or documentation so please help me.
  Thanks

  after googling i came to the forum.
  i am not getting any proper way from where i can start Jaas login module implementation for my web application with tomcat. The information i am getting from google is to do the job using COMMAND PROMT, but I want to implement that in my web application so that i can start that using webUI
  Can you provide me some links which will be help ful to start.
  Thanks

• JAAS with TomCat 5.5  Unable to login.No error shown.PLS HELP ME:(

  Log of tomcat:
  Sep 28, 2006 3:21:49 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
  INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin;.;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\WBEM;C:\j2sdk1.4.2\bin;c:\mysql\bin;C:\apache-ant-1.6.5\bin;C:\Program Files\QuickTime\QTSystem\;C:\eclipse_ac\bin
  Sep 28, 2006 3:21:49 PM org.apache.coyote.http11.Http11BaseProtocol init
  INFO: Initializing Coyote HTTP/1.1 on http-8080
  Sep 28, 2006 3:21:49 PM org.apache.catalina.startup.Catalina load
  INFO: Initialization processed in 2547 ms
  Sep 28, 2006 3:21:50 PM org.apache.catalina.core.StandardService start
  INFO: Starting service Catalina
  Sep 28, 2006 3:21:50 PM org.apache.catalina.core.StandardEngine start
  INFO: Starting Servlet Engine: Apache Tomcat/5.5.17
  Sep 28, 2006 3:21:50 PM org.apache.catalina.core.StandardHost start
  INFO: XML validation disabled
  Sep 28, 2006 3:21:54 PM org.apache.catalina.startup.HostConfig deployWAR
  INFO: Deploying web application archive jaasLogin.war
  Sep 28, 2006 3:21:57 PM org.apache.struts.tiles.TilesPlugin initDefinitionsFactory
  INFO: Tiles definition factory loaded for module ''.
  Sep 28, 2006 3:21:57 PM org.apache.struts.validator.ValidatorPlugIn initResources
  INFO: Loading validation rules file from '/WEB-INF/validator-rules.xml'
  Sep 28, 2006 3:21:57 PM org.apache.struts.validator.ValidatorPlugIn initResources
  INFO: Loading validation rules file from '/WEB-INF/validation.xml'
  Sep 28, 2006 3:21:58 PM org.apache.coyote.http11.Http11BaseProtocol start
  INFO: Starting Coyote HTTP/1.1 on http-8080
  Sep 28, 2006 3:21:59 PM org.apache.jk.common.ChannelSocket init
  INFO: JK: ajp13 listening on /0.0.0.0:8009
  Sep 28, 2006 3:21:59 PM org.apache.jk.server.JkMain start
  INFO: Jk running ID=0 time=0/109 config=null
  Sep 28, 2006 3:21:59 PM org.apache.catalina.storeconfig.StoreLoader load
  INFO: Find registry server-registry.xml at classpath resource
  Sep 28, 2006 3:22:00 PM org.apache.catalina.startup.Catalina start
  INFO: Server startup in 10312 ms
  ===========================================================
  Notice that line i bolded and italic..Does it means that my loginModule is not loaded?how to i configure my login.config so that it will call the module or whatsoever?because it my loginModule is not being called.any solutions to configure JAAS?pls help me..im new to this..=))) i wrote my login.conf and put in the /conf folder of tomcat..what else must i do?=)))

  Sorry, I am not sure about that.
  Also, I don't see a particular line that was bolded in your original post.
  The way I ensured that my LoginModule was being called (aside from the fact that I was able to login) was debugging it in Eclipse and placing a breakpoint in the LoginModule code.
  You could try putting a System.out.println() statement in it to see if it is called.

• Run JAAS Example with Tomcat

  Can someone explain, how i can include the JAAS-Example in Tomcat 4. I am a newbie, therefore step
  by step, please !! Everyone speaks about JAAS in the
  web-enviroment, but nobody implements any example !!!
  Please !!!
  Thanks for your help and reply !!!

  Please help me ?????

• Run JAAS Example with Tomcat 4

  Can someone explain me, how i can run the JAAS-Example from SUN with Tomcat.
  Please so that i can understand it, step by step.
  Thanks for your help and understand !!!

  Here you go:
  Environment Tomcat 4.1.10
  These steps will configure Tomcat Admin app so that it uses
  JAASRealm to authenticate.
  To keep things simple, I wrote a MyLoginModule that succeeds with username,password pair "jaas","jaas".
  Authentication information as well as role "admin" are hardcoded, so you do not have to worry about additional settings.
  So compile following files, and put them into e.q. tomcat/server/classes or jar them and put them to some place where
  tomcat finds them :
  --------my.MyLoginModule.java---------------
  package my;
  import java.util.Map;
  import java.security.Principal;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.spi.LoginModule;
  import java.io.IOException;
  public class MyLoginModule implements LoginModule {
      protected CallbackHandler callbackHandler = null;
      protected boolean committed = false;
      protected boolean debug = false;
      protected Map options = null;
      protected Principal principal = null;
      protected Map sharedState = null;
      protected Subject subject = null;
      protected void log(String message) {
          System.out.print("MyLoginModule: ");
          System.out.println(message);
      public boolean abort() throws LoginException {
          log("abort");  
          return (true);
      public boolean commit() throws LoginException {
          log("commit phase");
          // If authentication was not successful, just return false
          if (principal == null){
              log("no principal commit fails");
              return (false);
          if (!subject.getPrincipals().contains(principal))
              subject.getPrincipals().add(principal);
          // add role principals
          subject.getPrincipals().add(new MyRolePrincipal("admin"));
          committed = true;
          log("commit succesful");
          return (true);
      public void initialize(Subject subject, CallbackHandler callbackHandler,
                             Map sharedState, Map options) {
          // Save configuration values
          this.subject = subject;
          this.callbackHandler = callbackHandler;
          this.sharedState = sharedState;
          this.options = options;
     public boolean login() throws LoginException {
          log("login phase");
          // Set up our CallbackHandler requests
          if (callbackHandler == null)
              throw new LoginException("No CallbackHandler specified");
          Callback callbacks[] = new Callback[2];
          callbacks[0] = new NameCallback("Username: ");
          callbacks[1] = new PasswordCallback("Password: ", false);
          // Interact with the user to retrieve the username and password
          String username = null;
          String password = null;
          try {
              callbackHandler.handle(callbacks);
              username = ((NameCallback) callbacks[0]).getName();
              password =
                  new String(((PasswordCallback) callbacks[1]).getPassword());
          } catch (IOException e) {
              throw new LoginException(e.toString());
          } catch (UnsupportedCallbackException e) {
              throw new LoginException(e.toString());
          if (!authenticate(username,password))
              return false;
          principal  = new MyPrincipal(username);
          return true;
      public boolean logout() throws LoginException {
          subject.getPrincipals().remove(principal);
          committed = false;
          principal = null;
          return (true);
      boolean authenticate(String s,String p){
         return (s.compareTo("jaas") == 0) && (p.compareTo("jaas") == 0);  
      static public void main(String args[]) throws Exception{
          LoginContext ctx = new LoginContext("TomCatAdminApplication");
          ctx.login();
  ---------my/MyPrincipal.java-------------------
  package my;
  public class MyPrincipal implements java.security.Principal {
      String m_Name = new String("");
      public MyPrincipal(String name) {
          m_Name = name;
      public boolean equals(Object another) {
          try {
              MyPrincipal pm = (MyPrincipal)another;
              return pm.m_Name.equalsIgnoreCase(m_Name);
          } catch(Exception e){
              return false;  
      public String getName() {
          return m_Name;
      public int hashCode() {
          return m_Name.hashCode();
      public String toString() {
          return  m_Name;
  ------my/MyRolePrincipal.java-------------
  package my;
  public class MyRolePrincipal extends MyPrincipal {
      /** Creates a new instance of MyRolePrincipal */
      public MyRolePrincipal(String s) {
          super(s);
  1. Configure Tomcat Administration Application in server.xml
  <Context ..Tomcat Administration..>
       <Realm className="org.apache.catalina.realm.JAASRealm" debug="3" appName="TomCatAdminApplication" userClassNames="my.MyPrincipal" roleClassNames="my.MyRolePrincipal">
       </Realm>
  </Context>
  2. Configure the location of your JAAS configuration file in jre/lib/security/java.security
  like this:
  login.config.url.3=file:///d:/tomcats/tomcat410/auth.conf
  3. Configure JAAS - sequence for "TomCatAdminApplication" in file:///d:/tomcats/tomcat410/auth.conf
  like this:
  TomCatAdminApplication {
  my.MyLoginModule required;
  4. Thats it. Restart Tomcat, and go to admin-app with "jaas","jaas" ....debug and enjoy. After you
  got this working it is time to configure some more challenging login sequences....
  Kullervo