Application Server 3 4 5 and 6 / JBAS-2899

Externalize Tomcat Authenticators at the Host Level


      This issue is related to JBAS-2481. My initial discussion with Remy on customization of authenticators at the Tomcat SAR level or webapp level via the injection of ContextConfig into StandardContext was not agreed. Remy advised me to utilize the route of using the "configClass" attribute on the <Host> element, to provide a custom version of the ContextConfig class.

      I have tested this and it works perfectly.

      -----------------------------------------------------------------------------------------------------------------------
      <Host name="localhost"
      autoDeploy="false" deployOnStartup="false" deployXML="false"
      configClass="org.jboss.web.tomcat.security.config.JBossContextConfig">
      -----------------------------------------------------------------------------------------------------------------------

      Here is the JBossContextConfig class that I tested:

      =======================================================================================
      import java.util.HashMap;
      import java.util.Map;

      import org.apache.catalina.Authenticator;
      import org.apache.catalina.startup.ContextConfig;

      public class JBossContextConfig extends ContextConfig
      {
         /**
          * Create a new JBossContextConfig.
          */
         public JBossContextConfig()
         {
            super();
            try
            {
               // Use the custom map only if it is non-empty.
               Map authMap = this.getAuthenticators();
               if (authMap.size() > 0)
                  customAuthenticators = authMap;
            }
            catch (Exception e)
            {
               throw new IllegalStateException("Failed to customize authenticators::" + e.getMessage());
            }
         }

         // Builds the auth-method -> Authenticator map. The classes loaded for
         // BASIC and CLIENT-CERT are deliberately interchanged for this test.
         private Map getAuthenticators() throws Exception
         {
            Map cmap = new HashMap();
            ClassLoader tcl = Thread.currentThread().getContextClassLoader();
            String pkg = "org.apache.catalina.authenticator.";
            Authenticator basic = (Authenticator) tcl.loadClass(pkg + "SSLAuthenticator").newInstance();
            Authenticator clientCert = (Authenticator) tcl.loadClass(pkg + "BasicAuthenticator").newInstance();
            Authenticator digest = (Authenticator) tcl.loadClass(pkg + "DigestAuthenticator").newInstance();
            Authenticator form = (Authenticator) tcl.loadClass(pkg + "FormAuthenticator").newInstance();
            Authenticator none = (Authenticator) tcl.loadClass(pkg + "NonLoginAuthenticator").newInstance();
            cmap.put("BASIC", basic);
            cmap.put("CLIENT-CERT", clientCert);
            cmap.put("DIGEST", digest);
            cmap.put("FORM", form);
            cmap.put("NONE", none);
            return cmap;
         }
      }
      ======================================================================================================
      When I enabled jmx-console security, the error message in the browser was:
      HTTP Status 400 - No client certificate chain in this request

      As you can see from the code above, I interchanged the authenticators for BASIC and CLIENT-CERT, and the default jmx-console security is BASIC, so the SSLAuthenticator has kicked in.

      This JIRA task involves writing an MBean service that provides the configurable map of authenticators, which the JBossContextConfig will solicit.
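Because the authenticator map becomes configurable, a mis-bound key silently changes how every webapp on the host authenticates, as the BASIC/CLIENT-CERT swap in this issue shows. The following is an added example, not code from this issue or from JBoss: a hypothetical `AuthenticatorMapAudit` helper that compares a configured auth-method to class-name map against the stock Tomcat bindings and reports each deviation for review. It works on class names only, so it runs without Tomcat on the classpath.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical audit helper (not JBoss code): flags auth-method keys bound to a non-stock authenticator. */
public class AuthenticatorMapAudit
{
   // Stock Tomcat bindings; the class names are the ones used in the issue text.
   static final Map<String, String> EXPECTED = new LinkedHashMap<>();
   static
   {
      String pkg = "org.apache.catalina.authenticator.";
      EXPECTED.put("BASIC", pkg + "BasicAuthenticator");
      EXPECTED.put("CLIENT-CERT", pkg + "SSLAuthenticator");
      EXPECTED.put("DIGEST", pkg + "DigestAuthenticator");
      EXPECTED.put("FORM", pkg + "FormAuthenticator");
      EXPECTED.put("NONE", pkg + "NonLoginAuthenticator");
   }

   /** Returns one finding per key that is unknown, missing, or bound to a non-stock class. */
   static List<String> audit(Map<String, String> configured)
   {
      List<String> findings = new ArrayList<>();
      for (Map.Entry<String, String> e : configured.entrySet())
      {
         String want = EXPECTED.get(e.getKey());
         if (want == null)
            findings.add("unknown auth-method key: " + e.getKey());
         else if (!want.equals(e.getValue()))
            findings.add(e.getKey() + " -> " + e.getValue() + " (stock: " + want + ")");
      }
      for (String key : EXPECTED.keySet())
         if (!configured.containsKey(key))
            findings.add("no authenticator configured for " + key);
      return findings;
   }

   public static void main(String[] args)
   {
      // Constructed input: the swapped mapping from the test described in this issue.
      Map<String, String> configured = new LinkedHashMap<>(EXPECTED);
      configured.put("BASIC", EXPECTED.get("CLIENT-CERT"));
      configured.put("CLIENT-CERT", EXPECTED.get("BASIC"));
      audit(configured).forEach(System.out::println);
   }
}
```

An intentionally customized authenticator is also reported, which is the point: every deviation from the stock binding should be a reviewed decision.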

              anil.saldhana Anil Saldanha (Inactive)