• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Paul Clapham
  • Bear Bibeault
  • Liutauras Vilda
  • Devaka Cooray
  • Knute Snortum
  • Junilu Lacar
  • Henry Wong
Saloon Keepers:
  • Ron McLeod
  • Stephan van Hulst
  • Tim Moores
  • Carey Brown
  • Tim Holloway
  • salvin francis
  • Frits Walraven
  • Piet Souris

To the authors - Core Security Patters - Configuration Question.

Posts: 3
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

Looks like a fantastic book -- and well timed in my case, I'm just about to start a new Web application and I'm pretty new to Web apps and their security.

I have used JAAS before, but only in simple and "desktop" applications which were relatively trivial to configure. I'd like to use JAAS in this new Web app, in fact I've already started the work on it. I've looked for examples of where JAAS configuration files go in Web apps, but I cannot find any.

My question is, where would one normally put my application's JAAS config file (listing the LoginModules) and the JAAS policy file?

I'm using Tomcat as my servlet container. Would I put the config and policy files in the Tomcat directory where it stores its own config and policy files, or do I put them in the webapps folder where my application is deployed, or do I edit Tomcat's config and policy files and add my application's config and policy details there? Basically, which is the most secure?

Where would I set system properties for Kerberos realms and KDCs? For now I've edited Tomcat's startup script (catalina.sh) to pass the system properties in an environment variable to pass on the JVM's command line. This feels more like a "hack" since I don't feel comfortable editing this file. For example, what if I had several Web applications with different Kerberos realms and KDCs that use Tomcat too? I don't want to be editing catalina.sh all the time!

Many thanks in advance for your time!

- Garry Archer
Posts: 159
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for your comments.

From a Tomcat perspective, you have two options to install the JAAS provider...

First option, You may edit the java.security properties file loacted at your <java.home>/jre/lib/security and you may add properties similar to as follows:


Second option is to use the Java command line including -Djava.security.auth.login.config=..... (I know, most of us hate this approach.

In commercial J2EE implementations, each vendor has its own mechanism for configuring Realms...that allows to configure a JAAS provider as a Realm.

Hope it helps,

I claim this furniture in the name of The Ottoman Empire! You can keep this tiny ad:
Java file APIs (DOC, XLS, PDF, and many more)
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!