JavaRanch » Java Forums » Engineering » Security

JAAS and Tomcat

Swathi Ram
Greenhorn

Joined: Sep 18, 2007
Posts: 27
I have an intranet application, for which I need to get the user credentials.
If they are connected to the network, they can access this app. I'm using the below code and calling the authenticate() method.



My .config file has
JaasSample {
com.sun.security.auth.module.NTLoginModule required debug=true;
}
server.xml has
<Realm className="org.apache.catalina.realm.JAASRealm" appName="JaasSample" debug="99" />

The code works except that it is unable to override Tomcat, so my username is always 'SYSTEM'.
How can I override this?

Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
How do the users provide their credentials?
Swathi Ram
Greenhorn

Joined: Sep 18, 2007
Posts: 27
The user does not have to provide a userid or password.
If the user is logged into the network then the information should be grabbed and he should be able to access the site based on his user group.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42927
I'd guess that 'SYSTEM' is the account used to run Tomcat ... which kind of makes sense if no user credentials are provided.

System.exit(-1);

A server application should never call System.exit.
Swathi Ram
Greenhorn

Joined: Sep 18, 2007
Posts: 27
System.exit(-1); happens only in the catch block.
The code works fine and never hits the catch block. Only it is not able to override the Tomcat security.
Another weird thing is, I'm able to get the user credentials with the exact same code when I start Tomcat using the tomcat6.exe, but it prints 'SYSTEM' when I start Tomcat using Admin Services.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42927
System.exit(-1); happens only in the catch block. The code works fine and never hits the catch block.

Exception handlers are for situations when the code does NOT work fine. I can assure you, having the server quit is not what you want to happen in such a case.

Another weird thing is, I'm able to get the user credentials with the exact same code when I start Tomcat using the tomcat6.exe, but it prints 'SYSTEM' when I start Tomcat using Admin Services.

That's because it runs under your account in the former case. As I said in my previous post, it grabs the credentials of the account it runs under - which is yours if you start it via the exe, but the system account if you start it as a service.
Swathi Ram
Greenhorn

Joined: Sep 18, 2007
Posts: 27
So is there any way to grab the username from the network without the user providing it again once he is already in the network?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42927
See http://jcifs.samba.org/src/docs/ntlmhttpauth.html and -afterwards- http://www.ioplex.com/jespa.html for a possible approach.
Swathi Ram
Greenhorn

Joined: Sep 18, 2007
Posts: 27
Thank you. I will go through that.
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
You could implement the javax.security.auth.callback.CallbackHandler interface and get the network credentials with this object.



And then...

Swathi Ram
Greenhorn

Joined: Sep 18, 2007
Posts: 27
What do you mean by '// Code that gets network credentials here'?

I created the object and called it from my authenticate() method, but still get the same output

About to Login
[NTLoginModule] succeeded importing info:
user name = SYSTEM
user SID = S-1-5-18
user domain = NT AUTHORITY
user primary group = S-1-5-18
user group = S-1-5-32-544
user group = S-1-1-0
user group = S-1-5-11
impersonation token = 3724
Subject:
Principal: NTUserPrincipal: SYSTEM
Principal: NTSidUserPrincipal: S-1-5-18
Principal: NTDomainPrincipal: NT AUTHORITY
Principal: NTSidPrimaryGroupPrincipal: S-1-5-18
Principal: NTSidGroupPrincipal: S-1-5-32-544
Principal: NTSidGroupPrincipal: S-1-1-0
Principal: NTSidGroupPrincipal: S-1-5-11
Public Credential: NTNumericCredential: 3724

After the Login
Authentication succeeded!
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
What do you mean by '// Code that gets network credentials here'?


In the 'handle' method of the CallbackHandler you can retrieve the network credentials of the logged in user.

And you most likely will need to implement your own LoginModule and use this instead of com.sun.security.auth.module.NTLoginModule.

In the statement below, what purpose does the TextCallbackHandler object serve?
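As an added example of the callback-driven LoginModule Jimmy describes (written for this edit; it is not the thread's code and not part of Tomcat or the JDK): the user name and password arrive through NameCallback and PasswordCallback, which Tomcat's JAASRealm fills from the HTTP request, so the Subject reflects the caller rather than the account Tomcat runs as, which is what NTLoginModule imports and why it reports SYSTEM under the service. The class, principal and user names are hypothetical and the in-memory table is a constructed stand-in for a real credential source; the no-prompt intranet case Swathi wants still needs an HTTP-level mechanism, such as the approaches Ulf linked, to supply that identity.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical replacement for NTLoginModule: identity comes from the JAAS callbacks, not the JVM's Windows token.
public class RequestDrivenLoginModule implements LoginModule {
    // Name these classes in JAASRealm's userClassNames / roleClassNames so Tomcat can tell user from role.
    public static final class UserPrincipal implements Principal {
        private final String name; public UserPrincipal(String n) { name = n; } public String getName() { return name; }
    }
    public static final class RolePrincipal implements Principal {
        private final String name; public RolePrincipal(String n) { name = n; } public String getName() { return name; }
    }
    // Constructed stand-in for a real credential store (which would hold hashes); the user is made up.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "correct horse");
    private static final Map<String, String> ROLES = Map.of("alice", "intranet-user");
    private Subject subject; private CallbackHandler handler;
    private String user; private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    // Tomcat's JAASRealm answers NameCallback/PasswordCallback with what the HTTP request carried.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user"); PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback handler failed: " + e); }
        char[] pw = pc.getPassword(); pc.clearPassword();
        String expected = nc.getName() == null ? null : PASSWORDS.get(nc.getName());
        succeeded = expected != null && pw != null && MessageDigest.isEqual(   // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8));
        if (!succeeded) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        if (ROLES.containsKey(user)) subject.getPrincipals().add(new RolePrincipal(ROLES.get(user)));
        return true;
    }
    public boolean abort() { succeeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal || p instanceof RolePrincipal);
        return true; }
}
```

To wire it in, reference this class in place of com.sun.security.auth.module.NTLoginModule in the JaasSample entry of the .config file and add userClassNames and roleClassNames to the JAASRealm element in server.xml.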
