
Jaas + Tomcat 6 + Multiple modules

 
Filip Nelis
Hi all,

How do you define multiple custom LoginModules in Tomcat?

By this I mean:
You have, for instance, a jaas.conf file like this one:


How do you specify in the context.xml those different modules?

You can't add multiple appNames...
What's the right way to do this kind of configuration?

Thanks in advance,

Filip
 
Tim Holloway
Tomcat implements J2EE standard container-based security, and that standard has very strict requirements. Specifically, 2 and only 2 parameters are supported as part of an authentication (login) request, and while security professionals have their own terminology, the rest of us call these parameters "userid" and "password".

It makes for a very simple unconfusing user interaction, since the user doesn't end up in situations where privileges assigned in one login mode or context aren't available because the user logged in using another context and because there's never any doubt of which context the user is operating under when problems arise.

I'm not sure if this has any bearing on what you're asking, since I'm not sure what the "multiple modules" thing is supposed to be about, but I figured I should mention it, since some people do ask questions like that.

Incidentally, I think that quite a few people have gotten the idea that J2EE container authorization is JAAS. It isn't. JAAS is just one of the many authentication mechanisms that are supported under the façade of J2EE Container-Managed Authentication and Authorization for Tomcat.

Looking at the question from another direction, Tomcat 6 has an Aggregating Realm that allows multiple Realms to manage user accounts. It's especially useful for situations such as public/internal webapps, where in-house user accounts are defined in LDAP/Active Directory and public user accounts are defined in a database. You can also use this to combine several JAAS Realms, if that's of any help.

JAAS itself is much more fine-grained than J2EE container-managed security, and I'm not as well-versed in it as I would like, since I haven't needed the extra power lately.
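
The Aggregating Realm mentioned in the answer above is configured in Tomcat as `org.apache.catalina.realm.CombinedRealm`. As an added example (not part of the original thread), here is a context.xml that wraps two JAASRealms, one per jaas.conf entry; the application names, login module classes and principal classes are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Assumed jaas.conf (constructed for this example), passed to the JVM with
  -Djava.security.auth.login.config=/path/to/jaas.conf:

    InternalLogin {
        com.example.auth.LdapLoginModule required;
    };
    PublicLogin {
        com.example.auth.DatabaseLoginModule required;
    };
-->
<Context>
  <!-- CombinedRealm tries each nested Realm in the order listed;
       the first one that authenticates the user wins. -->
  <Realm className="org.apache.catalina.realm.CombinedRealm">

    <!-- One JAASRealm per jaas.conf entry; appName selects the entry. -->
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="InternalLogin"
           userClassNames="com.example.auth.UserPrincipal"
           roleClassNames="com.example.auth.RolePrincipal"/>

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="PublicLogin"
           userClassNames="com.example.auth.UserPrincipal"
           roleClassNames="com.example.auth.RolePrincipal"/>
  </Realm>
</Context>
```

Because a success in any nested realm is sufficient, a username that exists in both stores can log in with either credential. Keep the account namespaces disjoint, or order the realms deliberately.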
 