Using JAASRealm in Tomcat

Original post, 30 December 2004, 15:19:00

Introduction

JAASRealm is an implementation of the Tomcat 4 Realm interface that authenticates users through the Java Authentication & Authorization Service (JAAS) framework, a Java package that is available as an optional package in Java 2 SDK 1.3 and is fully integrated as of SDK 1.4.

Using JAASRealm gives the developer the ability to combine practically any conceivable security realm with Tomcat's CMA.

JAASRealm is a prototype for Tomcat of the proposed JAAS-based J2EE authentication framework for J2EE v1.4, based on the JCP Specification Request 196 to enhance container-managed security and promote 'pluggable' authentication mechanisms whose implementations would be container-independent.

Based on the JAAS login module and principal (see javax.security.auth.spi.LoginModule and javax.security.Principal), you can develop your own security mechanism or wrap another third-party mechanism for integration with the CMA as implemented by Tomcat.

Quick Start

To set up Tomcat to use JAASRealm with your own JAAS login module, you will need to follow these steps:

  1. Write your own LoginModule, User and Role classes based on JAAS (see the JAAS Authentication Tutorial and the JAAS Login Module Developer's Guide) to be managed by the JAAS Login Context (javax.security.auth.login.LoginContext). When developing your LoginModule, note that JAASRealm's built-in CallbackHandler only recognizes the NameCallback and PasswordCallback at present.
  2. Although not specified in JAAS, you should create separate classes to distinguish between users and roles, extending javax.security.Principal, so that Tomcat can tell which Principals returned from your login module are users and which are roles (see org.apache.catalina.realm.JAASRealm). Regardless, the first Principal returned is always treated as the user Principal.
  3. Place the compiled classes on Tomcat's classpath.
  4. Set up a login.config file for Java (see JAAS LoginConfig file) and tell Tomcat where to find it by specifying its location to the JVM, for instance by setting the environment variable JAVA_OPTS=-Djava.security.auth.login.config==$CATALINA_HOME/conf/jaas.config (the double equals sign makes this file the only login configuration the JVM consults, instead of appending it to the ones listed in java.security).
  5. Configure your security-constraints in your web.xml for the resources you want to protect.
  6. Configure the JAASRealm module in your server.xml.
  7. Restart Tomcat 4 if it is already running.
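A minimal LoginModule together with the User and Role Principal classes from steps 1, 2 and 4, added here as an illustration; it is not part of the original documentation or of Tomcat itself. The package name and the FooUser/FooRole class names are taken from the server.xml example further down; FooLoginModule, the constructed in-memory user table and the use of a current JDK are assumptions made for this example. The module either adds a FooUser (followed by its FooRole entries) to the Subject or throws FailedLoginException; it never returns from login() without a Principal, which is the failure mode the Example section warns about.

```java
// Package and FooUser/FooRole names follow the page's server.xml example; FooLoginModule and
// the sample user table are assumptions for this example. Shown as one listing; in a real
// build each public class goes in its own file under org/foobar/realm/.
//
// Matching entry in $CATALINA_HOME/conf/jaas.config (appName="MyFooRealm" as in server.xml):
//
//   MyFooRealm {
//       org.foobar.realm.FooLoginModule required;
//   };
package org.foobar.realm;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Principal class for the authenticated user; listed under userClassNames in server.xml. */
class FooUser implements Principal {
    private final String name;
    FooUser(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return "FooUser[" + name + "]"; }
}

/** Principal class for a role; listed under roleClassNames in server.xml. */
class FooRole implements Principal {
    private final String name;
    FooRole(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return "FooRole[" + name + "]"; }
}

public class FooLoginModule implements LoginModule {
    // Constructed sample data: username -> {password, role, role...}. A real module would
    // consult its own store. The role names are the ones you would reference in the
    // <auth-constraint> of web.xml. If the <Realm> element carries a digest attribute, the
    // PasswordCallback already holds the digested password, so the table would hold digests.
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[] {"alice-secret", "manager", "user"},
        "bob",   new String[] {"bob-secret", "user"});

    private Subject subject;
    private CallbackHandler handler;
    private String userName;       // set by login() on success, consumed by commit()
    private String[] roleNames;
    private boolean loginSucceeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler available");
        // JAASRealm's built-in handler answers only these two callback types.
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback handling failed: " + e);
        }
        String name = nameCb.getName();
        char[] password = passCb.getPassword();   // returns a copy
        passCb.clearPassword();
        String[] record = (name == null) ? null : USERS.get(name);
        // Reject with an exception rather than returning without a Principal: a silent
        // failure leaves Tomcat's container-managed authentication stuck at j_security_check.
        if (record == null || password == null || !constantTimeEquals(record[0], password)) {
            throw new FailedLoginException("bad username or password");
        }
        Arrays.fill(password, '\0');
        userName = name;
        roleNames = Arrays.copyOfRange(record, 1, record.length);
        loginSucceeded = true;
        return true;
    }

    public boolean commit() {
        if (!loginSucceeded) return false;
        // User Principal first, then roles: JAASRealm treats the first Principal as the user.
        subject.getPrincipals().add(new FooUser(userName));
        for (String role : roleNames) subject.getPrincipals().add(new FooRole(role));
        return true;
    }

    public boolean abort() {
        loginSucceeded = false; userName = null; roleNames = null;
        return true;
    }

    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof FooUser || p instanceof FooRole);
        return true;
    }

    /** Length-independent comparison so a wrong password does not leak timing information. */
    private static boolean constantTimeEquals(String expected, char[] supplied) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     new String(supplied).getBytes(StandardCharsets.UTF_8));
    }
}
```

With these classes on Tomcat's classpath and the jaas.config entry above in place, the server.xml snippet in the Example section below (appName="MyFooRealm", userClassNames="org.foobar.realm.FooUser", roleClassNames="org.foobar.realm.FooRole") is all that remains to wire the module into the container.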

Realm Element Attributes

To configure JAASRealm as for step 6 above, you create a <Realm> element and nest it in your $CATALINA_HOME/conf/server.xml file within your <Engine> node. The following attributes are supported by this implementation:

Attribute Description
className

The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.JAASRealm" here.

debug

The level of debugging detail logged by this Realm to the associated Logger. Higher numbers generate more detailed output. If not specified, the default debugging detail level is zero (0).

appName

The name of the application as configured in your login configuration file (JAAS LoginConfig).

userClassNames

A comma-separated list of the names of the classes that you have made for your user Principals.

roleClassNames

A comma-separated list of the names of the classes that you have made for your role Principals.

useContextClassLoader

Instructs JAASRealm to use the context class loader for loading the user-specified LoginModule class and associated Principal classes. The default value is true, which is backwards-compatible with the way Tomcat 4 works. To load classes using the container's classloader, specify false.

Example

Here is an example of how your server.xml snippet should look.

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="MyFooRealm"
           userClassNames="org.foobar.realm.FooUser"
           roleClassNames="org.foobar.realm.FooRole"
           debug="99"/>

It is the responsibility of your login module to create and save User and Role objects representing Principals for the user (javax.security.auth.Subject). If your login module doesn't create a user object but also doesn't throw a login exception, then the Tomcat CMA will break and you will be left at the http://localhost:8080/myapp/j_security_check URI or at some other unspecified location.

The flexibility of the JAAS approach is two-fold:

  • you can carry out whatever processing you require behind the scenes in your own login module.
  • you can plug in a completely different LoginModule by changing the configuration and restarting the server, without any code changes to your application.

Additional Notes

  • When a user attempts to access a protected resource for the first time, Tomcat 4 will call the authenticate() method of this Realm. Thus, any changes you have made in the security mechanism directly (new users, changed passwords or roles, etc.) will be immediately reflected.
  • Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). Any changes to the security information for an already authenticated user will not be reflected until the next time that user logs on again.
  • Debugging and exception messages logged by this Realm will be recorded by the Logger that is associated with the surrounding Context, Host, or Engine. By default, the corresponding Logger will create a log file in the $CATALINA_HOME/logs directory.
  • As with other Realm implementations, digested passwords are supported if the <Realm> element in server.xml contains a digest attribute; JAASRealm's CallbackHandler will digest the password prior to passing it back to the LoginModule.
