Looks like a fantastic book -- and well-timed in my case, as I'm just about to start a new Web application and I'm pretty new to Web apps and their security.
I have used JAAS before, but only in simple and "desktop" applications which were relatively trivial to configure. I'd like to use JAAS in this new Web app, in fact I've already started the work on it. I've looked for examples of where JAAS configuration files go in Web apps, but I cannot find any.
My question is, where would one normally put my application's JAAS config file (listing the LoginModules) and the JAAS policy file?
I'm using Tomcat as my servlet container. Would I put the config and policy files in the Tomcat directory where it stores its own config and policy files, or do I put them in the webapps folder where my application is deployed, or do I edit Tomcat's config and policy files and add my application's config and policy details there? Basically, which is the most secure?
Where would I set system properties for Kerberos realms and KDCs? For now I've edited Tomcat's startup script (catalina.sh) to put the system properties in an environment variable that is passed on the JVM's command line. This feels more like a "hack", since I don't feel comfortable editing this file. For example, what if I had several Web applications with different Kerberos realms and KDCs that use Tomcat too? I don't want to be editing catalina.sh all the time!
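The file layout the question is about, as an added example (not the poster's own setup, and assuming a Tomcat whose catalina.sh sources bin/setenv.sh on start-up): the JAAS login config and a multi-realm krb5.conf live in $CATALINA_BASE/conf, outside every webapp's docroot, and the JVM flags are set in setenv.sh instead of by editing catalina.sh. All paths, realm names, principals and keytab names below are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's setup: one JAAS login config and one
# krb5.conf kept in $CATALINA_BASE/conf (outside every webapp's docroot), with
# catalina.sh left untouched; the JVM flags go in bin/setenv.sh, which
# catalina.sh sources on start-up. All paths, realms, principals and keytab
# names are placeholders.
CATALINA_BASE="${CATALINA_BASE:-$(mktemp -d)}"
mkdir -p "$CATALINA_BASE/conf" "$CATALINA_BASE/bin"

# One named entry per webapp; each app passes its own entry name to LoginContext.
cat > "$CATALINA_BASE/conf/jaas.config" <<'EOF'
AppOne {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true storeKey=true
        keyTab="${catalina.base}/conf/appone.keytab"
        principal="svc-appone@REALM-A.EXAMPLE";
};
AppTwo {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true storeKey=true
        keyTab="${catalina.base}/conf/apptwo.keytab"
        principal="svc-apptwo@REALM-B.EXAMPLE";
};
EOF

# java.security.krb5.realm/kdc are JVM-wide, so two realms in one Tomcat need
# a krb5.conf with a [realms] entry per realm instead of those two properties.
cat > "$CATALINA_BASE/conf/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = REALM-A.EXAMPLE
[realms]
    REALM-A.EXAMPLE = {
        kdc = kdc.realm-a.example
    }
    REALM-B.EXAMPLE = {
        kdc = kdc.realm-b.example
    }
EOF

# The flags Tomcat's JVM needs; setenv.sh appends them to CATALINA_OPTS.
# (A Java policy file only matters when Tomcat starts with -security, and
# then catalina.sh already points at $CATALINA_BASE/conf/catalina.policy.)
jaas_jvm_opts() {
    printf '%s' "-Djava.security.auth.login.config=$CATALINA_BASE/conf/jaas.config -Djava.security.krb5.conf=$CATALINA_BASE/conf/krb5.conf"
}
printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$(jaas_jvm_opts)" > "$CATALINA_BASE/bin/setenv.sh"
chmod 600 "$CATALINA_BASE/conf/jaas.config" "$CATALINA_BASE/conf/krb5.conf"
```

Running the script with CATALINA_BASE unset writes the three files into a temporary directory so the layout can be inspected before copying it into a real Tomcat instance.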