TomcatJAASRealm


This page explains how to use Kerberos for authentication with a custom Realm that extends JAASRealm and overrides 'authenticate'.

For other options, see TomcatKerberos.

Environment variables — set them before starting Tomcat, or place them in the catalina.bat file:

catalina.sh


#      -Djava.security.krb5.realm=<your realm>
#      -Djava.security.krb5.kdc=<your kdc:port> 
#      -Djava.security.auth.login.config=/path/to/jaas.conf 
# The login config must be the jaas.conf file that defines the 'Informer'
# entry named by the realm's appName attribute.
export JAVA_OPTS="-Djava.security.krb5.realm=<your realm> -Djava.security.krb5.kdc=<your kdc:port> -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf"


$TOMCAT_HOME/conf/jaas.conf


Informer {
  com.sun.security.auth.module.Krb5LoginModule required;
};

server.xml (or contextName.xml in conf/Catalina/localhost/)

      <!-- appName must match the entry name in jaas.conf ("Informer").
           Keep debug at 2 or below: higher levels make the JAAS callback
           handler log the Kerberos password in clear text. -->
      <Realm className="edu.asu.vpia.auth.InformerJAASRealm"
                 appName="Informer"
                 userClassNames=""
                 roleClassNames=""
                 useContextClassLoader="true"
                 debug="2"/>

DO NOT turn the realm debug level up above 2: at higher levels JAASCallbackHandler will log Kerberos passwords in plain text.

Finally, the custom Realm, whose class name matches the 'className' attribute in the <Realm> tag. Package it in a .jar file in $TOMCAT_HOME/server/lib.

package edu.asu.vpia.auth;

import org.apache.catalina.realm.JAASRealm;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.security.Principal;
import java.util.List;

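/**
 * Custom Realm for use with Entrinsik Informer.
 *
 * Delegates password checking to JAASRealm (and therefore to the
 * Krb5LoginModule named by the realm's appName in jaas.conf), then
 * replaces the role list on the returned principal with the Informer
 * actions looked up through InformerRealmHelper.
 */
public class InformerJAASRealm extends JAASRealm {

   private static Log log = LogFactory.getLog( InformerJAASRealm.class );

   /**
    * Authenticates a user name / password pair through JAAS and attaches
    * Informer roles to the resulting principal.
    *
    * @param username    the name presented by the client
    * @param credentials the password presented by the client
    * @return a GenericPrincipal carrying the Informer roles, or null when
    *         JAAS rejects the credentials or hands back a principal that is
    *         not a GenericPrincipal
    */
   public Principal authenticate( java.lang.String username, java.lang.String credentials ) {

      log.debug( "authenticate:" );

      /* Hand off to the JAASRealm superclass to authenticate the user.
         This will use the Krb5LoginModule configured in jaas.conf.
         With no 'userClassNames' in the <Realm>, it will return a
         GenericPrincipal.  Alternately, if you use
         userClassNames="javax.security.auth.kerberos.KerberosPrincipal",
         you will get back a KerberosPrincipal instead -- which the
         instanceof check below will reject. */
      Principal p = super.authenticate( username, credentials );

      // instanceof is already false for null, so no separate null test is needed.
      if ( !( p instanceof GenericPrincipal ) ) {
         // Only the user name goes into the log; the credentials are never logged.
         log.warn( "authenticate: JAASRealm could not authenticate user " + username );
         return null;
      }
      GenericPrincipal gp = (GenericPrincipal) p;

      log.debug( "authenticate: principal is " + gp );

      /* Look up the Informer actions for the authenticated name.  The helper
         returns null when the lookup fails, so a backend failure yields an
         authenticated principal with no roles rather than an error.
         (The helper's method is getRoles; an earlier name did not match.) */
      // NOTE(review): gp.getName() is passed as-is.  Whether the subroutine
      // expects the bare user id (compare InformerRealmHelper.getKrbUserName)
      // or the full Kerberos name is not visible here -- confirm.
      List roles = InformerRealmHelper.getRoles( gp.getName() );

      // The password is deliberately not copied onto the new principal (null).
      return new GenericPrincipal( gp.getRealm(), gp.getName(), null, roles );

   }

}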

 


package edu.asu.vpia.auth;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import java.util.List;
import asjava.uniobjects.UniSession;
import asjava.uniobjects.UniSubroutine;
import asjava.uniclientlibs.UniDynArray;
import edu.asu.vpia.dao.UniSessionFactory;
import edu.asu.vpia.dao.UniDataDAOHelper;


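/**
 * Helpers used by InformerJAASRealm: the Informer role lookup (a UniData
 * subroutine call) and a utility that strips the Kerberos realm from a name.
 */
public class InformerRealmHelper {

   private static Log log = LogFactory.getLog( InformerRealmHelper.class );

   /**
    * Looks up the Informer actions granted to a user by calling the
    * S.A51.GET.INFORMER.ACTIONS subroutine.
    *
    * @param userid the user id passed as the subroutine's input argument
    * @return the actions as a List, or null if the session could not be
    *         opened or the call failed (the failure is logged with its cause)
    */
   public static List getRoles( String userid ) {

      try {
         // NOTE(review): the session opened here is never released in this
         // method; whether UniSessionFactory manages its lifetime is not
         // visible from this file -- confirm.
         UniSession uSession = UniSessionFactory.openSession();
         // Second argument (4) is presumably the subroutine's argument count;
         // arg 1 carries the user id in, arg 0 the dynamic array of actions out.
         UniSubroutine uSubr = uSession.subroutine( "S.A51.GET.INFORMER.ACTIONS", 4 );
         uSubr.setArg( 1, userid );
         uSubr.call();
         String actions = uSubr.getArg( 0 );
         return UniDataDAOHelper.toList( new UniDynArray( actions ), 1 );
      } catch ( Exception e ) {
         // Keep the cause in the log so a backend failure is diagnosable;
         // callers see null and treat the user as having no roles.
         log.warn( "getRoles: Unable to retrieve Informer roles for " + userid, e );
         return null;
      }
   }

   /**
    * Returns the part of a Kerberos principal name before the '@'.
    *
    * @param kerberosName a name such as user@ASU.EDU; may be null
    * @return the user portion, or null (with a warning logged) when the name
    *         is null, contains no '@', or starts with '@'
    */
   public static String getKrbUserName( String kerberosName ) {
      // username should be only what's before the domain (@ASU.EDU in this case)
      // A null name is treated like an unparseable one instead of throwing NPE.
      int pos = kerberosName == null ? -1 : kerberosName.indexOf( "@" );
      // indexOf returns -1 or a valid index, so pos > 0 is the whole check;
      // pos == 0 (a name starting with '@') is rejected, as before.
      if ( pos > 0 ) {
         return kerberosName.substring( 0, pos );
      }
      log.warn( "getKrbUserName: could not parse name " + kerberosName );
      return null;
   }

}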

