| JDBCRealm |
Introduction
JDBCRealm is an implementation of the Tomcat 6 Realm interface that looks up users in a relational database accessed via a JDBC driver. There is substantial configuration flexibility that lets you adapt to existing table and column names, as long as your database structure conforms to the following requirements:
- There must be a table, referenced below as the users table, that contains one row for every valid user that this
Realm should recognize.
- The users table must contain at least two columns (it may contain more if your existing applications required it):
- Username to be recognized by Tomcat when the user logs in.
- Password to be recognized by Tomcat when the user logs in. This value may in cleartext or digested - see below for more information.
- There must be a table, referenced below as the user roles table, that contains one row for every valid role that is assigned to a particular user. It is legal for a user to have zero, one, or more than one valid role.
- The user roles table must contain at least two columns (it may contain more if your existing applications required it):
- Username to be recognized by Tomcat (same value as is specified in the users table).
- Role name of a valid role associated with this user.
Quick Start
To set up Tomcat to use JDBCRealm, you will need to follow these steps:
- If you have not yet done so, create tables and columns in your database that conform to the requirements described above.
- Configure a database username and password for use by Tomcat, that has at least read only access to the tables described above. (Tomcat will never attempt to write to these tables.)
- Place a copy of the JDBC driver you will be using inside the
$CATALINA_HOME/lib directory. Note that onlyJAR files are recognized!
- Set up a
<Realm> element, as described below, in your $CATALINA_BASE/conf/server.xml file.
- Restart Tomcat 6 if it is already running.
Realm Element Attributes
To configure JDBCRealm, you will create a <Realm> element and nest it in your $CATALINA_BASE/conf/server.xml file, as described above. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.JDBCRealm" here.
|
connectionName |
The database username used to establish a JDBC connection.
|
connectionPassword |
The database password used to establish a JDBC connection.
|
connectionURL |
The database URL used to establish a JDBC connection.
|
digest |
The digest algorithm used to store passwords in non-plaintext formats. Valid values are those accepted for the algorithm name by the java.security.MessageDigest class. SeeDigested Passwords for more information. If not specified, passwords are stored in clear text.
|
driverName |
The fully qualified Java class name of the JDBC driver to be used. Consult the documentation for your JDBC driver for the appropriate value.
|
roleNameCol |
The name of the column, in the user roles table, that contains the name of a role assigned to this user.
|
userCredCol |
The name of the column, in the users table, that contains the password for this user (either in clear text, or digested if the digest attribute is set).
|
userNameCol |
The name of the column, in the users and user roles tables, that contains the username of this user.
|
userRoleTable |
The name of the table that contains one row for each role assigned to a particularusername. This table must include at least the columns named by the userNameCol androleNameCol attributes.
|
userTable |
The name of the table that contains one row for each username to be recognized by Tomcat. This table must include at least the columns named by the userNameCol anduserCredCol attributes.
|
Example
An example SQL script to create the needed tables might look something like this (adapt the syntax as required for your particular database):
 |
|
|
|
create table users (
user_name varchar(15) not null primary key,
user_pass varchar(15) not null
);
create table user_roles (
user_name varchar(15) not null,
role_name varchar(15) not null,
primary key (user_name, role_name)
);
|
|
|
|
|
Example Realm elements are included (commented out) in the default $CATALINA_BASE/conf/server.xml file. Here's an example for using a MySQL database called "authority", configured with the tables described above, and accessed with username "dbuser" and password "dbpass":
|
|
|
|
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="org.gjt.mm.mysql.Driver"
connectionURL="jdbc:mysql://localhost/authority?user=dbuser&password=dbpass"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name"/>
|
|
|
|
|
Additional Notes
JDBCRealm operates according to the following rules:
- When a user attempts to access a protected resource for the first time, Tomcat 6 will call the
authenticate() method of this Realm. Thus, any changes you have made to the database directly (new users, changed passwords or roles, etc.) will be immediately reflected.
- Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). The cached user is not saved and restored across sessions serialisations. Any changes to the database information for an already authenticated user will not be reflected until the next time that user logs on again.
- Administering the information in the users and user roles table is the responsibility of your own applications. Tomcat does not provide any built-in capabilities to maintain users and roles.
|
| DataSourceRealm |
Introduction
DataSourceRealm is an implementation of the Tomcat 6 Realm interface that looks up users in a relational database accessed via a JNDI named JDBC DataSource. There is substantial configuration flexibility that lets you adapt to existing table and column names, as long as your database structure conforms to the following requirements:
- There must be a table, referenced below as the users table, that contains one row for every valid user that this
Realm should recognize.
- The users table must contain at least two columns (it may contain more if your existing applications required it):
- Username to be recognized by Tomcat when the user logs in.
- Password to be recognized by Tomcat when the user logs in. This value may in cleartext or digested - see below for more information.
- There must be a table, referenced below as the user roles table, that contains one row for every valid role that is assigned to a particular user. It is legal for a user to have zero, one, or more than one valid role.
- The user roles table must contain at least two columns (it may contain more if your existing applications required it):
- Username to be recognized by Tomcat (same value as is specified in the users table).
- Role name of a valid role associated with this user.
Quick Start
To set up Tomcat to use DataSourceRealm, you will need to follow these steps:
- If you have not yet done so, create tables and columns in your database that conform to the requirements described above.
- Configure a database username and password for use by Tomcat, that has at least read only access to the tables described above. (Tomcat will never attempt to write to these tables.)
- Configure a JNDI named JDBC DataSource for your database. Refer to the JNDI DataSource Example HOW-TOfor information on how to configure a JNDI named JDBC DataSource.
- Set up a
<Realm> element, as described below, in your $CATALINA_BASE/conf/server.xml file.
- Restart Tomcat 6 if it is already running.
Realm Element Attributes
To configure DataSourceRealm, you will create a <Realm> element and nest it in your $CATALINA_BASE/conf/server.xmlfile, as described above. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.DataSourceRealm" here.
|
dataSourceName |
The JNDI named JDBC DataSource for your database. If the DataSource is local to the context, the name is relative to java:/comp/env, and otherwise the name should match the name used to define the global DataSource.
|
digest |
The digest algorithm used to store passwords in non-plaintext formats. Valid values are those accepted for the algorithm name by the java.security.MessageDigest class. See Digested Passwords for more information. If not specified, passwords are stored in clear text.
|
localDataSource |
When the realm is nested inside a Context element, this allows the realm to use a DataSource defined for the Context rather than a global DataSource. If not specified, the default is false: use a global DataSource.
|
roleNameCol |
The name of the column, in the user roles table, that contains the name of a role assigned to this user.
|
userCredCol |
The name of the column, in the users table, that contains the password for this user (either in clear text, or digested if the digest attribute is set).
|
userNameCol |
The name of the column, in the users and user roles tables, that contains the username of this user.
|
userRoleTable |
The name of the table that contains one row for each role assigned to a particularusername. This table must include at least the columns named by the userNameCol androleNameCol attributes.
|
userTable |
The name of the table that contains one row for each username to be recognized by Tomcat. This table must include at least the columns named by the userNameCol and userCredColattributes.
|
Example
An example SQL script to create the needed tables might look something like this (adapt the syntax as required for your particular database):
|
|
|
|
create table users (
user_name varchar(15) not null primary key,
user_pass varchar(15) not null
);
create table user_roles (
user_name varchar(15) not null,
role_name varchar(15) not null,
primary key (user_name, role_name)
);
|
|
|
|
|
Here is an example for using a MySQL database called "authority", configured with the tables described above, and accessed with the JNDI JDBC DataSource with name "java:/comp/env/jdbc/authority".
|
|
|
|
<Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99"
dataSourceName="jdbc/authority"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name"/>
|
|
|
|
|
Additional Notes
DataSourceRealm operates according to the following rules:
- When a user attempts to access a protected resource for the first time, Tomcat 6 will call the
authenticate() method of this Realm. Thus, any changes you have made to the database directly (new users, changed passwords or roles, etc.) will be immediately reflected.
- Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). The cached user is not saved and restored across sessions serialisations. Any changes to the database information for an already authenticated user will not be reflected until the next time that user logs on again.
- Administering the information in the users and user roles table is the responsibility of your own applications. Tomcat does not provide any built-in capabilities to maintain users and roles.
|
| JNDIRealm |
Introduction
JNDIRealm is an implementation of the Tomcat 6 Realm interface that looks up users in an LDAP directory server accessed by a JNDI provider (typically, the standard LDAP provider that is available with the JNDI API classes). The realm supports a variety of approaches to using a directory for authentication.
Connecting to the directory
The realm's connection to the directory is defined by the connectionURL configuration attribute. This is a URL whose format is defined by the JNDI provider. It is usually an LDAP URL that specifies the domain name of the directory server to connect to, and optionally the port number and distinguished name (DN) of the required root naming context.
If you have more than one provider you can configure an alternateURL. If a socket connection can not be made to the provider at the connectionURL an attempt will be made to use the alternateURL.
When making a connection in order to search the directory and retrieve user and role information, the realm authenticates itself to the directory with the username and password specified by the connectionName andconnectionPassword properties. If these properties are not specified the connection is anonymous. This is sufficient in many cases.
Selecting the user's directory entry
Each user that can be authenticated must be represented in the directory by an individual entry that corresponds to an element in the initial DirContext defined by the connectionURL attribute. This user entry must have an attribute containing the username that is presented for authentication.
Often the distinguished name of the user's entry contains the username presented for authentication but is otherwise the same for all users. In this case the userPattern attribute may be used to specify the DN, with "{0}" marking where the username should be substituted.
Otherwise the realm must search the directory to find a unique entry containing the username. The following attributes configure this search:
- userBase - the entry that is the base of the subtree containing users. If not specified, the search base is the top-level context.
- userSubtree - the search scope. Set to
true if you wish to search the entire subtree rooted at theuserBase entry. The default value of false requests a single-level search including only the top level.
- userSearch - pattern specifying the LDAP search filter to use after substitution of the username.
Authenticating the user
Bind mode
By default the realm authenticates a user by binding to the directory with the DN of the entry for that user and the password presented by the user. If this simple bind succeeds the user is considered to be authenticated.
For security reasons a directory may store a digest of the user's password rather than the clear text version (see Digested Passwords for more information). In that case, as part of the simple bind operation the directory automatically computes the correct digest of the plaintext password presented by the user before validating it against the stored value. In bind mode, therefore, the realm is not involved in digest processing. The digest attribute is not used, and will be ignored if set. Comparison mode
Alternatively, the realm may retrieve the stored password from the directory and compare it explicitly with the value presented by the user. This mode is configured by setting the userPassword attribute to the name of a directory attribute in the user's entry that contains the password.
Comparison mode has some disadvantages. First, the connectionName and connectionPassword attributes must be configured to allow the realm to read users' passwords in the directory. For security reasons this is generally undesirable; indeed many directory implementations will not allow even the directory manager to read these passwords. In addition, the realm must handle password digests itself, including variations in the algorithms used and ways of representing password hashes in the directory. However, the realm may sometimes need access to the stored password, for example to support HTTP Digest Access Authentication (RFC 2069). (Note that HTTP digest authentication is different from the storage of password digests in the repository for user information as discussed above).
Assigning roles to the user
The directory realm supports two approaches to the representation of roles in the directory:
Roles as explicit directory entries
Roles may be represented by explicit directory entries. A role entry is usually an LDAP group entry with one attribute containing the name of the role and another whose values are the distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:
- roleBase - the base entry for the role search. If not specified, the search base is the top-level directory context.
- roleSubtree - the search scope. Set to
true if you wish to search the entire subtree rooted at theroleBase entry. The default value of false requests a single-level search including the top level only.
- roleSearch - the LDAP search filter for selecting role entries. It optionally includes pattern replacements "{0}" for the distinguished name and/or "{1}" for the username of the authenticated user.
- roleName - the attribute in a role entry containing the name of that role.
A combination of both approaches to role representation may be used.
Quick Start
To set up Tomcat to use JNDIRealm, you will need to follow these steps:
- Make sure your directory server is configured with a schema that matches the requirements listed above.
- If required, configure a username and password for use by Tomcat, that has read only access to the information described above. (Tomcat will never attempt to modify this information.)
- Place a copy of the JNDI driver you will be using (typically
ldap.jar available with JNDI) inside the$CATALINA_HOME/lib directory.
- Set up a
<Realm> element, as described below, in your $CATALINA_BASE/conf/server.xml file.
- Restart Tomcat 6 if it is already running.
Realm Element Attributes
To configure JNDIRealm, you will create a <Realm> element and nest it in your $CATALINA_BASE/conf/server.xml file, as described above. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.JNDIRealm" here.
|
alternateURL |
If a socket connection can not be made to the provider at the connectionURL an attempt will be made to use the alternateURL.
|
authentication |
A string specifying the type of authentication to use. "none", "simple", "strong" or a provider specific definition can be used. If no value is given the providers default is used.
|
connectionName |
The directory username to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userPassword property.
|
connectionPassword |
The directory password to use when establishing a connection to the directory for LDAP search operations. If not specified an anonymous connection is made, which is often sufficient unless you specify the userPassword property.
|
connectionURL |
The connection URL to be passed to the JNDI driver when establishing a connection to the directory.
|
contextFactory |
The fully qualified Java class name of the JNDI context factory to be used for this connection. By default, the standard JNDI LDAP provider is used (com.sun.jndi.ldap.LdapCtxFactory).
|
digest |
The digest algorithm to apply to the plaintext password offered by the user before comparing it with the value retrieved from the directory. Valid values are those accepted for the algorithm name by the java.security.MessageDigest class. See Digested Passwords for more information. If not specified the plaintext password is assumed to be retrieved. Not required unless userPassword is specified
|
protocol |
A string specifying the security protocol to use. If not given the providers default is used.
|
roleBase |
The base directory entry for performing role searches. If not specified, the top level element in the directory context will be used.
|
roleName |
The name of the attribute that contains role names in the directory entries found by a role search. In addition you can use the userRoleName property to specify the name of an attribute, in the user's entry, containing additional role names. If roleName is not specified a role search does not take place, and roles are taken only from the user's entry.
|
roleSearch |
The LDAP filter expression used for performing role searches, following the syntax supported by the java.text.MessageFormat class. Use {0} to substitute the distinguished name (DN) of the user, and/or {1} to substitute the username. If not specified a role search does not take place and roles are taken only from the attribute in the user's entry specified by the userRoleName property.
|
roleSubtree |
Set to true if you want to search the entire subtree of the element specified by theroleBase property for role entries associated with the user. The default value of falsecauses only the top level to be searched.
|
userBase |
The base element for user searches performed using the userSearch expression. If not specified, the top level element in the directory context will be used. Not used if you are using the userPattern expression.
|
userPassword |
Name of the attribute in the user's entry containing the user's password. If you specify this value, JNDIRealm will bind to the directory using the values specified byconnectionName and connectionPassword properties, and retrieve the corresponding attribute for comparison to the value specified by the user being authenticated. If the digestattribute is set, the specified digest algorithm is applied to the password offered by the user before comparing it with the value retrieved from the directory. If you do notspecify this value, JNDIRealm will attempt a simple bind to the directory using the DN of the user's entry and password specified by the user, with a successful bind being interpreted as an authenticated user.
|
userPattern |
A pattern for the distinguished name (DN) of the user's directory entry, following the syntax supported by the java.text.MessageFormat class with {0} marking where the actual username should be inserted. You can use this property instead of userSearch, userSubtreeand userBase when the distinguished name contains the username and is otherwise the same for all users.
|
userRoleName |
The name of an attribute in the user's directory entry containing zero or more values for the names of roles assigned to this user. In addition you can use the roleName property to specify the name of an attribute to be retrieved from individual role entries found by searching the directory. If userRoleName is not specified all the roles for a user derive from the role search.
|
userSearch |
The LDAP filter expression to use when searching for a user's directory entry, with {0}marking where the actual username should be inserted. Use this property (along with theuserBase and userSubtree properties) instead of userPattern to search the directory for the user's entry.
|
userSubtree |
Set to true if you want to search the entire subtree of the element specified by theuserBase property for the user's entry. The default value of false causes only the top level to be searched. Not used if you are using the userPattern expression.
|
Example
Creation of the appropriate schema in your directory server is beyond the scope of this document, because it is unique to each directory server implementation. In the examples below, we will assume that you are using a distribution of the OpenLDAP directory server (version 2.0.11 or later), which can be downloaded fromhttp://www.openldap.org. Assume that your slapd.conf file contains the following settings (among others):
|
|
|
|
database ldbm
suffix dc="mycompany",dc="com"
rootdn "cn=Manager,dc=mycompany,dc=com"
rootpw secret
|
|
|
|
|
We will assume for connectionURL that the directory server runs on the same machine as Tomcat. Seehttp://java.sun.com/products/jndi/docs.html for more information about configuring and using the JNDI LDAP provider.
Next, assume that this directory server has been populated with elements as shown below (in LDIF format):
|
|
|
|
# Define top-level entry
dn: dc=mycompany,dc=com
objectClass: dcObject
dc:mycompany
# Define an entry to contain people
# searches for users are based on this entry
dn: ou=people,dc=mycompany,dc=com
objectClass: organizationalUnit
ou: people
# Define a user entry for Janet Jones
dn: uid=jjones,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jjones
sn: jones
cn: janet jones
mail: j.jones@mycompany.com
userPassword: janet
# Define a user entry for Fred Bloggs
dn: uid=fbloggs,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: fbloggs
sn: bloggs
cn: fred bloggs
mail: f.bloggs@mycompany.com
userPassword: fred
# Define an entry to contain LDAP groups
# searches for roles are based on this entry
dn: ou=groups,dc=mycompany,dc=com
objectClass: organizationalUnit
ou: groups
# Define an entry for the "tomcat" role
dn: cn=tomcat,ou=groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: tomcat
uniqueMember: uid=jjones,ou=people,dc=mycompany,dc=com
uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com
# Define an entry for the "role1" role
dn: cn=role1,ou=groups,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: role1
uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com
|
|
|
|
|
An example Realm element for the OpenLDAP directory server configured as described above might look like this, assuming that users use their uid (e.g. jjones) to login to the application and that an anonymous connection is sufficient to search the directory and retrieve role information:
|
|
|
|
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://localhost:389"
userPattern="uid={0},ou=people,dc=mycompany,dc=com"
roleBase="ou=groups,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>
|
|
|
|
|
With this configuration, the realm will determine the user's distinguished name by substituting the username into the userPattern, authenticate by binding to the directory with this DN and the password received from the user, and search the directory to find the user's roles.
Now suppose that users are expected to enter their email address rather than their userid when logging in. In this case the realm must search the directory for the user's entry. (A search is also necessary when user entries are held in multiple subtrees corresponding perhaps to different organizational units or company locations).
Further, suppose that in addition to the group entries you want to use an attribute of the user's entry to hold roles. Now the entry for Janet Jones might read as follows:
|
|
|
|
dn: uid=jjones,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
uid: jjones
sn: jones
cn: janet jones
mail: j.jones@mycompany.com
memberOf: role2
memberOf: role3
userPassword: janet
|
|
|
|
|
This realm configuration would satisfy the new requirements:
|
|
|
|
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://localhost:389"
userBase="ou=people,dc=mycompany,dc=com"
userSearch="(mail={0})"
userRoleName="memberOf"
roleBase="ou=groups,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>
|
|
|
|
|
Now when Janet Jones logs in as "j.jones@mycompany.com", the realm searches the directory for a unique entry with that value as its mail attribute and attempts to bind to the directory asuid=jjones,ou=people,dc=mycompany,dc=com with the given password. If authentication succeeds, she is assigned three roles: "role2" and "role3", the values of the "memberOf" attribute in her directory entry, and "tomcat", the value of the "cn" attribute in the only group entry of which she is a member.
Finally, to authenticate the user by retrieving the password from the directory and making a local comparison in the realm, you might use a realm configuration like this:
|
|
|
|
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionName="cn=Manager,dc=mycompany,dc=com"
connectionPassword="secret"
connectionURL="ldap://localhost:389"
userPassword="userPassword"
userPattern="uid={0},ou=people,dc=mycompany,dc=com"
roleBase="ou=groups,dc=mycompany,dc=com"
roleName="cn"
roleSearch="(uniqueMember={0})"
/>
|
|
|
|
|
However, as discussed above, the default bind mode for authentication is usually to be preferred.
Additional Notes
JNDIRealm operates according to the following rules:
- When a user attempts to access a protected resource for the first time, Tomcat 6 will call the
authenticate() method of this Realm. Thus, any changes you have made to the directory (new users, changed passwords or roles, etc.) will be immediately reflected.
- Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). The cached user is not saved and restored across sessions serialisations. Any changes to the directory information for an already authenticated user will not be reflected until the next time that user logs on again.
- Administering the information in the directory server is the responsibility of your own applications. Tomcat does not provide any built-in capabilities to maintain users and roles.
|
| MemoryRealm |
Introduction
MemoryRealm is a simple demonstration implementation of the Tomcat 6 Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted.
Realm Element Attributes
To configure MemoryRealm, you will create a <Realm> element and nest it in your $CATALINA_BASE/conf/server.xmlfile, as described above. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.MemoryRealm" here.
|
digest |
The digest algorithm used to store passwords in non-plaintext formats. Valid values are those accepted for the algorithm name by the java.security.MessageDigest class. See Digested Passwords for more information. If not specified, passwords are stored in clear text.
|
pathname |
Absolute or relative (to $CATALINA_BASE) pathname of the XML document containing our valid usernames, passwords, and roles. See below for more information on the format of this file. If not specified, the value conf/tomcat-users.xml is used.
|
User File Format
The users file (by default, conf/tomcat-users.xml must be an XML document, with a root element <tomcat-users>. Nested inside the root element will be a <user> element for each valid user, consisting of the following attributes:
- name - Username this user must log on with.
- password - Password this user must log on with (in clear text if the
digest attribute was not set on the<Realm> element, or digested appropriately as described here otherwise).
- roles - Comma-delimited list of the role names associated with this user.
Example
The default installation of Tomcat 6 is configured with a MemoryRealm nested inside the <Engine> element, so that it applies to all virtual hosts and web applications. The default contents of the conf/tomcat-users.xmlfile is:
|
|
|
|
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>
|
|
|
|
|
Additional Notes
MemoryRealm operates according to the following rules:
- When Tomcat first starts up, it loads all defined users and their associated information from the users file. Changes to the data in this file will not be recognized until Tomcat is restarted.
- When a user attempts to access a protected resource for the first time, Tomcat 6 will call the
authenticate() method of this Realm.
- Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser). The cached user is not saved and restored across sessions serialisations.
- Administering the information in the users file is the responsibility of your application. Tomcat does not provide any built-in capabilities to maintain users and roles.
|
| JAASRealm |
Introduction
JAASRealm is an implementation of the Tomcat 6 Realm interface that authenticates users through the Java Authentication & Authorization Service (JAAS) framework which is now provided as part of the standard J2SE API.
Using JAASRealm gives the developer the ability to combine practically any conceivable security realm with Tomcat's CMA.
JAASRealm is prototype for Tomcat of the JAAS-based J2EE authentication framework for J2EE v1.4, based on theJCP Specification Request 196 to enhance container-managed security and promote 'pluggable' authentication mechanisms whose implementations would be container-independent.
Based on the JAAS login module and principal (see javax.security.auth.spi.LoginModule and javax.security.Principal), you can develop your own security mechanism or wrap another third-party mechanism for integration with the CMA as implemented by Tomcat.
Quick Start
To set up Tomcat to use JAASRealm with your own JAAS login module, you will need to follow these steps:
- Write your own LoginModule, User and Role classes based on JAAS (see the JAAS Authentication Tutorialand the JAAS Login Module Developer's Guide) to be managed by the JAAS Login Context (
javax.security.auth.login.LoginContext) When developing your LoginModule, note that JAASRealm's built-inCallbackHandler only recognizes the NameCallback and PasswordCallback at present.
- Although not specified in JAAS, you should create seperate classes to distinguish between users and roles, extending
javax.security.Principal, so that Tomcat can tell which Principals returned from your login module are users and which are roles (see org.apache.catalina.realm.JAASRealm). Regardless, the first Principal returned is always treated as the user Principal.
- Place the compiled classes on Tomcat's classpath
- Set up a login.config file for Java (see JAAS LoginConfig file) and tell Tomcat where to find it by specifying its location to the JVM, for instance by setting the environment variable:
JAVA_OPTS=$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_BASE/conf/jaas.config
- Configure your security-constraints in your web.xml for the resources you want to protect
- Configure the JAASRealm module in your server.xml
- Restart Tomcat 6 if it is already running.
Realm Element Attributes
To configure JAASRealm as for step 6 above, you create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file within your <Engine> node. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.JAASRealm" here.
|
appName |
The name of the application as configured in your login configuration file (JAAS LoginConfig).
|
userClassNames |
A comma-seperated list of the names of the classes that you have made for your userPrincipals.
|
roleClassNames |
A comma-seperated list of the names of the classes that you have made for your rolePrincipals.
|
useContextClassLoader |
Instructs JAASRealm to use the context class loader for loading the user-specifiedLoginModule class and associated Principal classes. The default value is true, which is backwards-compatible with the way Tomcat 4 works. To load classes using the container's classloader, specify false.
|
Example
Here is an example of how your server.xml snippet should look.
|
|
|
|
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="MyFooRealm"
userClassNames="org.foobar.realm.FooUser"
roleClassNames="org.foobar.realm.FooRole"
debug="99"/>
|
|
|
|
|
It is the responsibility of your login module to create and save User and Role objects representing Principals for the user (javax.security.auth.Subject). If your login module doesn't create a user object but also doesn't throw a login exception, then the Tomcat CMA will break and you will be left at the http://localhost:8080/myapp/j_security_check URI or at some other unspecified location.
The flexibility of the JAAS approach is two-fold:
- you can carry out whatever processing you require behind the scenes in your own login module.
- you can plug in a completely different LoginModule by changing the configuration and restarting the server, without any code changes to your application.
Additional Notes
- When a user attempts to access a protected resource for the first time, Tomcat 6 will call the
authenticate() method of this Realm. Thus, any changes you have made in the security mechanism directly (new users, changed passwords or roles, etc.) will be immediately reflected.
- Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser. Any changes to the security information for an already authenticated user will not be reflected until the next time that user logs on again.
- As with other
Realm implementations, digested passwords are supported if the <Realm> element in server.xmlcontains a digest attribute; JAASRealm's CallbackHandler will digest the password prior to passing it back to the LoginModule
|
| CombinedRealm |
Introduction
CombinedRealm is an implementation of the Tomcat 6 Realm interface that authenticates users through one or more sub-Realms.
Using CombinedRealm gives the developer the ability to combine multiple Realms of the same or different types. This can be used to authenticate against different sources, provide fall back in case one Realm fails or for any other purpose that requires multiple Realms.
Sub-realms are defined by nesting Realm elements inside the Realm element that defines the CombinedRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user.
Realm Element Attributes
To configure a CombinedRealm, you create a <Realm> element and nest it in your $CATALINA_BASE/conf/server.xml file within your <Engine> or <Host>. You can also nest inside a <Context> node in a context.xml file. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.CombinedRealm" here.
|
Example
Here is an example of how your server.xml snippet should look to use a UserDatabase Realm and a DataSource Realm.
|
|
|
|
<Realm className="org.apache.catalina.realm.CombinedRealm" >
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Realm className="org.apache.catalina.realm.DataSourceRealm" debug="99"
dataSourceName="jdbc/authority"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name"/>
<Realm/>
|
|
|
|
|
|
| LockOutRealm |
Introduction
LockOutRealm is an implementation of the Tomcat 6 Realm interface that extends the CombinedRealm to provide lock out functionality to provide a user lock out mechanism if there are too many failed authentication attempts in a given period of time.
To ensure correct operation, there is a reasonable degree of synchronisation in this Realm.
This Realm does not require modification to the underlying Realms or the associated user storage mecahisms. It achieves this by recording all failed logins, including those for users that do not exist. To prevent a DOS by deliberating making requests with invalid users (and hence causing this cache to grow) the size of the list of users that have failed authentication is limited.
Sub-realms are defined by nesting Realm elements inside the Realm element that defines the LockOutRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user.
Realm Element Attributes
To configure a LockOutRealm, you create a <Realm> element and nest it in your $CATALINA_BASE/conf/server.xml file within your <Engine> or <Host>. You can also nest inside a <Context> node in a context.xml file. The following attributes are supported by this implementation:
| Attribute |
Description |
className |
The fully qualified Java class name of this Realm implementation. You MUST specify the value "org.apache.catalina.realm.LockOutRealm" here.
|
cacheRemovalWarningTime |
If a failed user is removed from the cache because the cache is too big before it has been in the cache for at least this period of time (in seconds) a warning message will be logged. Defaults to 3600 (1 hour).
|
cacheSize |
Number of users that have failed authentication to keep in cache. Over time the cache will grow to this size and may not shrink. Defaults to 1000.
|
failureCount |
The number of times in a row a user has to fail authentication to be locked out. Defaults to 5.
|
lockOutTime |
The time (in seconds) a user is locked out for after too many authentication failures. Defaults to 300 (5 minutes).
|
Example
Here is an example of how your server.xml snippet should look to add lock out functionality to a UserDatabase Realm.
|
|
|
|
<Realm className="org.apache.catalina.realm.LockOutRealm" >
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Realm/>
|
|
|
|
|
|
