January 04, 2006
JAAS options Tomcat and many other servers support JAAS - but it's useless with the Sun-provided modules.


ShadowJAAS is an alternative implementation of JAAS for unix user/password authentication, by parsing passwd/shadow files in a SUID root file. It's a dead end in my opinion. As performance, it would mean exec-ing a program on every request. It's hard to deploy - need to install additional program, as root. And it won't work if the unix machine is set up to use different authentication mechanisms ( like LDAP ).

Another option would be a JAAS module on top of SysAuth.  This uses JNI to call PAM, and defines it's own simple API.

Unfortunately, both are GPL - so incompatible with tomcat for distribution.

Tomcat defines one LoginModule for JAAS, using the 'demo' xml file - that stores user/pass in clear text. The JNDI authentication is a separate realm, has nothing to do with jaas.

Since I want to add some simple authentication to the 'minimal server' I'm playing with in tomcat sandbox, it looks like the most reasonable solution would be to still use JAAS for authentication, and then create few separate LoginModules - one using the apr or separate jni library to make calls to PAM, and maybe another one parsing apache htpasswd file, since it's so commonly used. JAAS has one useable module for jndi, not sure how bad is the NT module, but from docs it seems as bad as the unix module, no real authentication, only current user info. I keep wondering - who would ever need this, to authenticate the current user ??

Looking at Jboss - they use a saner 'demo' auth, with properties files for users and roles ( instead of the stupid tomcat xml - I don't really remember if I wrote it, but I've been around so I share part of the guilt anyway ), and a database LoginModule for production-like env. I assume they also use the Sun-provided JNDI module.


Posted by costin at January 04, 2006 05:30 PM
Comments
Disabled due to spam. Click on the link to post a comment, it'll be sent in email ( and thus usual mail spam filters and blacklist applied ). It may be made accessible later on, but code needs to be written for that. Comments