Jaas + Tomcat 6 + Multiple modules

Filip Nelis

Joined: Mar 23, 2009
Posts: 10
Hi all,

How do you define multiple custom LoginModules in Tomcat?

By this I mean:
You have, for instance, a jaas.conf file like this one:

How do you specify in the context.xml those different modules?

You can't add multiple appNames...
What's the right way to do this kind of configuration?

Thanks in advance,


Scjp 1.6 certified
SCWCD 5 certified
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17421

Tomcat implements J2EE standard container-based security, and that standard has very strict requirements. Specifically, 2 and only 2 parameters are supported as part of an authentication (login) request, and while security professionals have their own terminology, the rest of us call these parameters "userid" and "password".

It makes for a very simple unconfusing user interaction, since the user doesn't end up in situations where privileges assigned in one login mode or context aren't available because the user logged in using another context and because there's never any doubt of which context the user is operating under when problems arise.

I'm not sure if this has any bearing on what you're asking, since I'm not sure what the "multiple modules" thing is supposed to be about, but I figured I should mention it, since some people do ask questions like that.

Incidentally, I think that quite a few people have gotten the idea that J2EE container authorization is JAAS. It isn't. JAAS is just one of the many authentication mechanisms that are supported under the façade of J2EE Container-Managed Authentication and Authorization for Tomcat.

Looking at the question from another direction, Tomcat 6 has an Aggregating Realm that allows multiple Realms to manage user accounts. It's especially useful for situations such as public/internal webapps, where in-house user accounts are defined in LDAP/Active Directory and public user accounts are defined in a database. You can also use this to combine several JAAS Realms, if that's of any help.

JAAS itself is much more fine-grained than J2EE container-managed security, and I'm not as well-versed in it as I would like, since I haven't needed the extra power lately.

An IDE is no substitute for an Intelligent Developer.
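
A configuration sketch of the approach described in the reply above, added here as an example and not taken from either post. The aggregating realm ships in Tomcat as `org.apache.catalina.realm.CombinedRealm`; the `appName` values and all `com.example.*` class names are hypothetical placeholders for your own login modules and principal classes.

```xml
<!-- META-INF/context.xml (constructed example; com.example.* names are hypothetical) -->
<Context>
  <!-- CombinedRealm tries each nested Realm in the order listed; the first
       one that accepts the userid/password pair authenticates the user. -->
  <Realm className="org.apache.catalina.realm.CombinedRealm">

    <!-- A JAASRealm takes exactly one appName, which selects one entry
         in the JAAS login configuration file shown at the bottom. -->
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="InternalLogin"
           userClassNames="com.example.auth.UserPrincipal"
           roleClassNames="com.example.auth.RolePrincipal"/>

    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="PublicLogin"
           userClassNames="com.example.auth.UserPrincipal"
           roleClassNames="com.example.auth.RolePrincipal"/>
  </Realm>
</Context>

<!--
  Matching JAAS login configuration file, loaded by starting Tomcat with
    -Djava.security.auth.login.config=<path to the file>

  Several LoginModules can be stacked under ONE appName; the control flag
  (required, requisite, sufficient, optional) decides how their results
  combine. Here LDAP success is enough on its own; if LDAP fails, the
  database module must succeed.

  InternalLogin {
      com.example.auth.LdapLoginModule     sufficient;
      com.example.auth.DatabaseLoginModule required;
  };

  PublicLogin {
      com.example.auth.DatabaseLoginModule required;
  };
-->
```

Because success in any nested realm is enough for CombinedRealm, the overall login is only as strong as the weakest realm in the list, and the roles a user receives come from whichever realm authenticated them.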