To the authors - Core Security Patterns - Configuration Question.

 
Greenhorn
Posts: 3
Hello,

Looks like a fantastic book -- and well timed in my case, I'm just about to start a new Web application and I'm pretty new to Web apps and their security.

I have used JAAS before, but only in simple and "desktop" applications which were relatively trivial to configure. I'd like to use JAAS in this new Web app, in fact I've already started the work on it. I've looked for examples of where JAAS configuration files go in Web apps, but I cannot find any.

My question is, where would one normally put my application's JAAS config file (listing the LoginModules) and the JAAS policy file?

I'm using Tomcat as my servlet container. Would I put the config and policy files in the Tomcat directory where it stores its own config and policy files, or do I put them in the webapps folder where my application is deployed, or do I edit Tomcat's config and policy files and add my application's config and policy details there? Basically, which is the most secure?

Where would I set system properties for Kerberos realms and KDCs? For now I've edited Tomcat's startup script (catalina.sh) to pass the system properties in an environment variable to pass on the JVM's command line. This feels more like a "hack" since I don't feel comfortable editing this file. For example, what if I had several Web applications with different Kerberos realms and KDCs that use Tomcat too? I don't want to be editing catalina.sh all the time!

Many thanks in advance for your time!

Cheers,
- Garry Archer
 
Author
Posts: 159
Thanks for your comments.

From a Tomcat perspective, you have two options to install the JAAS provider...

First option: you may edit the java.security properties file located at <java.home>/jre/lib/security and add properties similar to the following:

login.configuration.provider=com.yada.yada.MyJAASProvider
login.config.url.1=/dir/home/myJAAS.conf

Second option is to use the Java command line, including -Djava.security.auth.login.config=..... (I know, most of us hate this approach.)

In commercial J2EE implementations, each vendor has its own mechanism for configuring Realms that allows you to configure a JAAS provider as a Realm.

Hope it helps,

/Ramesh
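Added example (not code from the thread, the book or Tomcat): whichever of the two options above names the login configuration file, JAAS parses it into named application entries and each web application selects its own entry by name when it builds a LoginContext. The program below writes a constructed two-entry configuration to a temporary file, points java.security.auth.login.config at it (the programmatic equivalent of the -D command-line option), and reports which LoginModules each entry resolves to. The entry names, the Krb5LoginModule options and the file name are assumptions for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

/**
 * Resolves the JAAS login configuration the JVM would use and prints the
 * LoginModules behind each named application entry.
 */
public class JaasConfigCheck {

    // Constructed sample login configuration with one entry per application.
    // Entry names and LoginModule options are assumptions for this example.
    private static final String SAMPLE_CONF =
        "AppOne {\n"
      + "    com.sun.security.auth.module.Krb5LoginModule required\n"
      + "        useTicketCache=false;\n"
      + "};\n"
      + "AppTwo {\n"
      + "    com.sun.security.auth.module.Krb5LoginModule required\n"
      + "        useTicketCache=false\n"
      + "        principal=\"service/apptwo\";\n"
      + "};\n";

    public static void main(String[] args) throws IOException {
        Path conf = Files.createTempFile("myJAAS", ".conf");
        Files.write(conf, SAMPLE_CONF.getBytes(StandardCharsets.UTF_8));

        // Same effect as -Djava.security.auth.login.config=<file> on the JVM
        // command line, provided it is set before JAAS first reads its
        // configuration (a property set later is ignored until refresh()).
        System.setProperty("java.security.auth.login.config", conf.toString());

        for (String app : new String[] {"AppOne", "AppTwo", "Missing"}) {
            describe(app);
        }
    }

    /** Prints the LoginModules configured for one application entry. */
    static void describe(String appName) {
        AppConfigurationEntry[] entries =
            Configuration.getConfiguration().getAppConfigurationEntry(appName);
        if (entries == null) {
            // A LoginContext built with this name would fail with LoginException.
            System.out.println(appName + ": no entry in login configuration");
            return;
        }
        System.out.println(appName + ":");
        for (AppConfigurationEntry e : entries) {
            System.out.println("  " + e.getLoginModuleName() + " " + e.getControlFlag());
            for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                System.out.println("    " + opt.getKey() + "=" + opt.getValue());
            }
        }
    }
}
```

Because java.security.auth.login.config, like the Kerberos properties java.security.krb5.realm and java.security.krb5.kdc, is read per JVM rather than per web application, a shared Tomcat instance gets one login configuration; differences between applications (principal, realm, module options) belong in their separate named entries, or in krb5.conf for realm-to-KDC mappings, rather than in repeated edits of the startup script.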
 