9 votes

According to Apache Tomcat 1.7 documentation:

Write your own LoginModule, User and Role classes based on JAAS (see the JAAS Authentication Tutorial and the JAAS Login Module Developer's Guide) to be managed by the JAAS Login Context (javax.security.auth.login.LoginContext) When developing your LoginModule, note that JAASRealm's built-in CallbackHandler only recognizes the NameCallback and PasswordCallback at present.

It only supports NameCallback and PasswordCallback. I want to pass additional parameters to the JAAS login module but could not due to this restriction.

How do I pass additional parameters to a JAAS login module?

3
You define them in the jaas.config file along with the login module(s) and retrieve them during initialization. – user207421
@EJP I'm using the default Tomcat org.apache.catalina.realm.JAASRealm which I defined in the context.xml. This JAASRealm by default calls its own callback handler. Even though I have a custom callback handler defined, this won't get called by JAASRealm. How do I force this JAASRealm defined in my context.xml to use this custom callback handler? – yapkm01
Tomcat 1.7, sure? Or rather Tomcat 7, as indicated by the tags you used? – f_puras
You seem to be confused here. The JAAS Realm calls login modules, and they call handlers. You're going to have to write your own login module, to call your handler. – user207421
@EJP I think you've misunderstood me. Tomcat JAASRealm (org.apache.catalina.realm.JAASRealm) does not require creation of a LoginContext. FYI, LoginContext allows usage of a custom callback handler. Since Tomcat JAASRealm does not require that, it means it uses its own callback handler. That's the issue I'm having now. – yapkm01
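As an added illustration of the approach in user207421's comment (declare the parameters as options in jaas.config and read them in initialize()), and not code from the question or any answer: a hypothetical OptionsLoginModule that uses only the NameCallback and PasswordCallback that JAASRealm's built-in handler answers, and takes its extra parameter, allowedDomain, from the login configuration. Assumed jaas.config entry, with the application name matching the Realm's appName: MyApp { OptionsLoginModule required allowedDomain="example.com"; };

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical module; "allowedDomain" stands in for any extra parameter.
public class OptionsLoginModule implements LoginModule {
    // JAASRealm identifies the user via the Realm's userClassNames attribute, which names this class.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String n) { name = n; }
        @Override public String getName() { return name; }
    }
    private Subject subject; private CallbackHandler handler; private String user;
    private Map<String, ?> options;   // the extra parameters from jaas.config
    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> sharedState, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;   // e.g. {allowedDomain=example.com}
    }
    @Override public boolean login() throws LoginException {
        // Only the two callbacks JAASRealm's built-in handler can answer.
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        String name = nc.getName();
        String domain = (String) options.get("allowedDomain");
        // Policy driven by the extra parameter; the real credential check goes here as well.
        boolean ok = name != null && domain != null && name.endsWith("@" + domain) && pw != null;
        if (pw != null) java.util.Arrays.fill(pw, '\0');   // drop our copy of the secret
        if (!ok) throw new FailedLoginException("login rejected");
        user = name;
        return true;
    }
    @Override public boolean commit() {
        if (user != null) subject.getPrincipals().add(new UserPrincipal(user));
        return user != null;
    }
    @Override public boolean abort()  { user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

Role principals, which JAASRealm matches through roleClassNames, would be added in commit() the same way.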

3 Answers

1 vote

Write your own CallbackHandler. For details, see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

For example, a MyCallbackHandler could support an additional TextOutputCallback:

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class MyCallbackHandler implements CallbackHandler {
  private final String username;
  private final char[] password;

  public MyCallbackHandler(String username, char[] password) {
    this.username = username;
    this.password = password;
  }

  public void handle(Callback[] callbacks)
    throws IOException, UnsupportedCallbackException {

    for (int i = 0; i < callbacks.length; i++) {
      if (callbacks[i] instanceof TextOutputCallback) {
        // display a message according to a specified type
        TextOutputCallback toc = (TextOutputCallback) callbacks[i];
        System.out.println(toc.getMessageType() + ": " + toc.getMessage());

      } else if (callbacks[i] instanceof NameCallback) {
        // supply the username (the tutorial prompts the user for it here)
        ((NameCallback) callbacks[i]).setName(username);

      } else if (callbacks[i] instanceof PasswordCallback) {
        // supply the password (the tutorial prompts the user for it here)
        ((PasswordCallback) callbacks[i]).setPassword(password);

      } else {
        throw new UnsupportedCallbackException
         (callbacks[i], "Unrecognized Callback");
      }
    }
  }
}
1 vote

The conventional way to approach this is to map your contractor and customer groups to roles.

  • Download a copy of the Servlet 3.0 Specification (Tomcat 7.0 is an implementation of this) and read the chapter on Security to see the multitude of options that are provided by the servlet container for authenticating users based upon username and password and then authorising users based upon their role.
  • Follow the instructions in the Tomcat documentation for configuring a JNDIRealm. This provides a way of configuring Tomcat to use an LDAP server for authentication (username/password) and authorisation (role checking).

Using the specification based approach like this has the added benefit of ensuring your solution is portable should you decide to migrate to a full blown Java EE solution (such as JBossAS/WildFly, Glassfish, WebSphere, etc) in the future.

Additionally, if you're able to migrate to Tomcat 8 you would have access to the additional authentication features that have been added in the Servlet 3.1 specification.

-4 votes

Simplest way: concat all parameters to one string, and split it later