Class JAASRealm

java.lang.Object
All Implemented Interfaces:
MBeanRegistration, Contained, JmxEnabled, Lifecycle, Realm

public class JAASRealm extends RealmBase

Implementation of Realm that authenticates users via the Java Authentication and Authorization Service (JAAS).

The value configured for the appName property is passed to the javax.security.auth.login.LoginContext constructor, to specify the application name used to select the set of relevant LoginModules required.

The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginMethod implementation executed by JAAS, the following policy is implemented by this Realm:

  • The JAAS LoginModule is assumed to return a Subject with at least one Principal instance representing the user himself or herself, and zero or more separate Principals representing the security roles authorized for this user.
  • On the Principal representing the user, the Principal name is an appropriate value to return via the Servlet API method HttpServletRequest.getRemoteUser().
  • On the Principals representing the security roles, the name is the name of the authorized security role.
  • This Realm will be configured with two lists of fully qualified Java class names of classes that implement java.security.Principal - one that identifies class(es) representing a user, and one that identifies class(es) representing a security role.
  • As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will identify the first Principal that matches the "user classes" list as the Principal for this user.
  • As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will accumulate the set of all Principals matching the "role classes" list as identifying the security roles for this user.
  • It is a configuration error for the JAAS login method to return a validated Subject without a Principal that matches the "user classes" list.
  • By default, the enclosing Container's name serves as the application name used to obtain the JAAS LoginContext ("Catalina" in a default installation). Tomcat must be able to find an application with this name in the JAAS configuration file. Here is a hypothetical JAAS configuration file entry for a database-oriented login module that uses a Tomcat-managed JNDI database resource:
     Catalina {
     org.foobar.auth.DatabaseLoginModule REQUIRED
       JNDI_RESOURCE=jdbc/AuthDB
       USER_TABLE=users
       USER_ID_COLUMN=id
       USER_NAME_COLUMN=name
       USER_CREDENTIAL_COLUMN=password
       ROLE_TABLE=roles
       ROLE_NAME_COLUMN=name
       PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory;
     };
     
  • To set the JAAS configuration file location, set the CATALINA_OPTS environment variable similar to the following:
    CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
  • As part of the login process, JAASRealm registers its own CallbackHandler, called (unsurprisingly) JAASCallbackHandler. This handler supplies the HTTP requests's username and credentials to the user-supplied LoginModule
  • As with other Realm implementations, digested passwords are supported if the <Realm> element in server.xml contains a digest attribute; JAASCallbackHandler will digest the password prior to passing it back to the LoginModule
Author:
Craig R. McClanahan, Yoav Shapira