Comments on: Custom LoginModule in Tomcat http://blog.frankel.ch/custom-loginmodule-in-tomcat Nicolas Fränkel blog Wed, 08 Feb 2012 07:06:46 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Gamma http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-1594 Gamma Tue, 09 Aug 2011 15:10:03 +0000 http://blog.frankel.ch/?p=84#comment-1594 This is a great resource that I used for an introduction on JAAS (Tomcat 7 / Mac OS X). Thanks for the sample, Gamma This is a great resource that I used for an introduction on JAAS (Tomcat 7 / Mac OS X).
Thanks for the sample,

Gamma

]]> By: Quadir Kareemullah http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-943 Quadir Kareemullah Wed, 09 Feb 2011 14:46:18 +0000 http://blog.frankel.ch/?p=84#comment-943 Can you provide more information as to how you are getting the role information and verifying if the user has that role? Thanks Quadir Can you provide more information as to how you are getting the role information and verifying if the user has that role?

Thanks
Quadir

]]> By: Reza http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-719 Reza Tue, 12 Oct 2010 10:47:59 +0000 http://blog.frankel.ch/?p=84#comment-719 I have tried this in Tomcat 6.0 and it failed. It raise HTTP 403 exception. I have tried this in Tomcat 6.0 and it failed. It raise HTTP 403 exception.

]]> By: Nicolas Frankel http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-641 Nicolas Frankel Wed, 04 Aug 2010 19:50:20 +0000 http://blog.frankel.ch/?p=84#comment-641 Since they are plain, they both are JavaBeans with a name property (and the appropriate getter/setter). Since they are plain, they both are JavaBeans with a name property (and the appropriate getter/setter).

]]> By: robin.bakkerus http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-640 robin.bakkerus Wed, 04 Aug 2010 11:57:25 +0000 http://blog.frankel.ch/?p=84#comment-640 Can you publish the code for PlainUserPrincipal and PlainRolePrincipal as well Can you publish the code for PlainUserPrincipal and PlainRolePrincipal as well

]]> By: orbit@websig.com http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-489 orbit@websig.com Fri, 18 Sep 2009 19:15:50 +0000 http://blog.frankel.ch/?p=84#comment-489 Thought I'd share my experience with getting JAAS/Tomcat 6/Eclipse working. Not everything in here is crucial to your implementation, but I figured this post will at least put it all together. Many articles and blogs left me frustrated with just covering pieces of the solution, and not showing me the necessary connections between them. To begin, I installed Java (say version 6.0 or better), and then Eclipse (or MyEclipse, if you like). Then I updated Eclipse with the Subversive plug-in, to access my subversion repository to persist and pull my code onto different machines as I travel. (e.g. https://failship.company.com/repo). Upon checkout, I created a Dynamic Web Project or whatever name Eclipse provides for a basic web application. Take your time here and step through each of the wizard screens, because some setting changes are subtle and have major pain-in-the-butt ripple effects. You'll have to create the basic LoginModule and Principal implementations to support your custom login code. That information was provided everywhere on the Web. My frustration was in putting it all together. Anyway, out of the scores of resources I used to investigate, I found this one to be pretty concise: http://blog.frankel.ch/tech/dev/java/jee/custom-loginmodule-in-tomcat If you are going to test with Tomcat 6.0, you must add the following tag to the conf/context.xml file. <Loader delegate="true"/> Otherwise, you might get some "java.lang.ClassCastException: org.apache.catalina.util.DefaultAnnotationProcessor cannot be cast to org.apache.AnnotationProcessor" exception. While you have context.xml open, you will have to add a 'Realm' for Container Security, to enable our LoginModule secure access. The 1st step is to enable the JaasRealm, typically by pasting in the existing entry as follows: <!-- Inserted to enable MyAccessLoginModule. You will have to launch tomcat with -Djava.security.auth.login.config= pointing to the jaas.config file: --> <Realm className="org.apache.catalina.realm.JAASRealm" appName="MyAccess" userClassNames="com.company.myAccess.realm.MyAccessUserPrincipal" roleClassNames="com.company.myAccess.realm.MyAccessRolePrincipal"> </Realm> Next, I had to create a jaas.conf file to declare my LoginModule implementation. Notice that this has the same name as the "appName" provided in the <realm> definition above. Here's the contents of jaas.conf: /** Login Configuration for the JAAS Sample Application **/ MyAccess { com.company.myAccess.realm.MyAccessLoginModule requisite debug=true; }; The realm also needs to know how to find the jaas.config file and it does this through the Java system property, set as a JVM argument, for the variable "java.security.auth.login.config". You can set this, in eclipse by configuring a "Server", typically through the Window->Preference menu (or in MyEclipse under its preferences). The JVM takes a -D argument, to define the variable, as in: -Djava.security.auth.login.config=C:"/Documents and Settings/sandrews/Workspaces/MyEclipse Blue/myAccess-20090902/jaas.config" While you’re here, you may want to add any custom defined variables for your web application. My LoginModule read the tomcat-users.xml file as well, so I designated it with the follow arguments: -DTomcatUsersXmlFile=C:"/Program Files/Apache Software Foundation/Tomcat 6.0/conf/tomcat-users.xml" Again, this last argument was custom to my application, so it's necessary for your web app. Next, edit the data source for your user authentication, as in conf/tomcat-users.xml, to add the role, say 'myAccess', and the user, like 'bsmith' for example: <tomcat-users> <role rolename="myAccess"/> <user name="bsmith" password="123qwe" roles="myRole"/> </tomcat-users> Your web application's WEB-INF/web.xml should set the security restrictions, as in: <!-- Define a Security Constraint on this Application --> <security-constraint> <web-resource-collection> <web-resource-name>Secured resources</web-resource-name> <url-pattern>/jsp/*</url-pattern> <url-pattern>/html/*</url-pattern> <url-pattern>/index.jsp</url-pattern> </web-resource-collection> <auth-constraint> <role-name>myRole</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Unsecured resources</web-resource-name> <url-pattern>/images/*</url-pattern> <url-pattern>/css/*</url-pattern> </web-resource-collection> </security-constraint> <security-role> <description>Role required to see admin pages.</description> <role-name>myRole</role-name> </security-role> <!-- Define the Login Configuration for this Application --> <login-config> <auth-method>FORM</auth-method> <realm-name>MyAccess</realm-name> <form-login-config> <form-login-page>/jsp/userLoginForm.jsp</form-login-page> <form-error-page>/jsp/userLoginForm.jsp?action=error</form-error-page> </form-login-config> </login-config> Notice that the 'security-constraint' wraps a 'auth-constraint' which references a 'role-name' which maps to a 'security-role'. Lastly, I had to ensure that when the application server loads (not my web application, but the server), it has access to load my LoginModule implementation and supporting classes. Hence I used an ANT script to jar up my *.class files and deploy them under tomcat's lib directory, as in: lib/myAccess.jar This was key, and without it, I was left in the dark, not knowing that the WEB-INF/classes deployment (the default) was not enough. The realm is loaded before your web app, and needs to be ready with the data source connections open, etc. Once this was done, I was able to login using my custom LoginModule. Again, some of my frustrations were eleviated through the information found at: http://blog.frankel.ch/tech/dev/java/jee/custom-loginmodule-in-tomcat So some major Thanks go out to that Nicolas Frankel guy, and Good Luck! Thought I’d share my experience with getting JAAS/Tomcat 6/Eclipse working. Not everything in here is crucial to your implementation, but I figured this post will at least put it all together. Many articles and blogs left me frustrated with just covering pieces of the solution, and not showing me the necessary connections between them.

To begin, I installed Java (say version 6.0 or better), and then Eclipse (or MyEclipse, if you like). Then I updated Eclipse with the Subversive plug-in, to access my subversion repository to persist and pull my code onto different machines as I travel.
(e.g. https://failship.company.com/repo).

Upon checkout, I created a Dynamic Web Project or whatever name Eclipse provides for a basic web application. Take your time here and step through each of the wizard screens, because some setting changes are subtle and have major pain-in-the-butt ripple effects.

You’ll have to create the basic LoginModule and Principal implementations to support your custom login code. That information was provided everywhere on the Web. My frustration was in putting it all together. Anyway, out of the scores of resources I used to investigate, I found this one to be pretty concise:

http://blog.frankel.ch/tech/dev/java/jee/custom-loginmodule-in-tomcat

If you are going to test with Tomcat 6.0, you must add the following tag to the conf/context.xml file.

<Loader delegate=”true”/>

Otherwise, you might get some

“java.lang.ClassCastException: org.apache.catalina.util.DefaultAnnotationProcessor cannot be cast to org.apache.AnnotationProcessor”

exception.

While you have context.xml open, you will have to add a ‘Realm’ for Container Security, to enable our LoginModule secure access. The 1st step is to enable the JaasRealm, typically by pasting in the existing entry as follows:

<!– Inserted to enable MyAccessLoginModule. You will have to launch tomcat
with -Djava.security.auth.login.config= pointing to the jaas.config file: –>
<Realm className=”org.apache.catalina.realm.JAASRealm”
appName=”MyAccess”
userClassNames=”com.company.myAccess.realm.MyAccessUserPrincipal”
roleClassNames=”com.company.myAccess.realm.MyAccessRolePrincipal”>
</Realm>

Next, I had to create a jaas.conf file to declare my LoginModule implementation. Notice that this has the same name as the “appName” provided in the <realm> definition above. Here’s the contents of jaas.conf:

/** Login Configuration for the JAAS Sample Application **/
MyAccess {
com.company.myAccess.realm.MyAccessLoginModule requisite debug=true;
};

The realm also needs to know how to find the jaas.config file and it does this through the Java system property, set as a JVM argument, for the variable “java.security.auth.login.config”. You can set this, in eclipse by configuring a “Server”, typically through the Window->Preference menu (or in MyEclipse under its preferences). The JVM takes a -D argument, to define the variable, as in:

-Djava.security.auth.login.config=C:”/Documents and Settings/sandrews/Workspaces/MyEclipse Blue/myAccess-20090902/jaas.config”

While you’re here, you may want to add any custom defined variables for your web application. My LoginModule read the tomcat-users.xml file as well, so I designated it with the follow arguments:

-DTomcatUsersXmlFile=C:”/Program Files/Apache Software Foundation/Tomcat 6.0/conf/tomcat-users.xml”

Again, this last argument was custom to my application, so it’s necessary for your web app.

Next, edit the data source for your user authentication, as in conf/tomcat-users.xml, to add the role, say ‘myAccess’, and the user, like ‘bsmith’ for example:

<tomcat-users>
<role rolename=”myAccess”/>
<user name=”bsmith” password=”123qwe” roles=”myRole”/>
</tomcat-users>

Your web application’s WEB-INF/web.xml should set the security restrictions,
as in:

<!– Define a Security Constraint on this Application –>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured resources</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
<url-pattern>/html/*</url-pattern>
<url-pattern>/index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myRole</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured resources</web-resource-name>
<url-pattern>/images/*</url-pattern>
<url-pattern>/css/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-role>
<description>Role required to see admin pages.</description>
<role-name>myRole</role-name>
</security-role>
<!– Define the Login Configuration for this Application –>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyAccess</realm-name>
<form-login-config>
<form-login-page>/jsp/userLoginForm.jsp</form-login-page>
<form-error-page>/jsp/userLoginForm.jsp?action=error</form-error-page>
</form-login-config>
</login-config>

Notice that the ‘security-constraint’ wraps a ‘auth-constraint’ which references a ‘role-name’ which maps to a ‘security-role’.

Lastly, I had to ensure that when the application server loads (not my web application, but the server), it has access to load my LoginModule implementation and supporting classes. Hence I used an ANT script to jar up my *.class files and deploy them under tomcat’s lib directory, as in:

lib/myAccess.jar

This was key, and without it, I was left in the dark, not knowing that the WEB-INF/classes deployment (the default) was not enough. The realm is loaded before your web app, and needs to be ready with the data source connections open, etc. Once this was done, I was able to login using my custom LoginModule.

Again, some of my frustrations were eleviated through the information found at:

http://blog.frankel.ch/tech/dev/java/jee/custom-loginmodule-in-tomcat

So some major Thanks go out to that Nicolas Frankel guy, and Good Luck!

]]> By: cubaso http://blog.frankel.ch/custom-loginmodule-in-tomcat/comment-page-1#comment-480 cubaso Wed, 22 Jul 2009 12:21:13 +0000 http://blog.frankel.ch/?p=84#comment-480 Thanks for useful article! Just one little fix for your web.xml: replace <code>index.htm</code> <code>by index.html</code>. Thanks for useful article!
Just one little fix for your web.xml: replace index.htm by index.html.

]]>