Here is the issue,
The JAAS realm connects to the database fine, the user name and password match, the session is authenticated. HOWEVER, none of the roles seem to be getting into the Principal. Tomcat's isInUserRole returns false for every role, and tomcat security doesn't see them either.
Here is the realm configuration in the Server.xml
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="TomcatTimedLogin"
userClassName="com.tagish.auth.TypedPrincipal"
roleClassNames="org.ovasp.java.jaas.RolePrincipal" />
Here is the login.config
TomcatTimedLogin
{
org.owasp.java.jaas.TomcatTimedLogin required
useDS=true
dsJNDI="jdbc/resourceName"
dbDriver="com.microsoft.sqlserver.jdbc.SQLServerDriver"
dbURL="jdbc:sqlserver://server\\DBSERVER;databaseName=DBName"
dbUser="username"
dbPassword="password"
debug=true
loginTable="loginTable"
clippingLevel="3"
interval="10"
loginQuery="SELECT UserID,Password FROM Users WHERE LogonUserName=? AND RetirementDate is null"
rolesQuery="SELECT Role.RoleDescription FROM User_Role,Role WHERE User_Role.UserID=? AND User_Role.RoleID=Role.RoleID";
};
And in catalina.properties I refer to the configuration like this
java.security.auth.login.config=file:///C:/config/login.config
When start the application I do get the following message in the Debug output, not sure why as all classes should be accessible by the server
SEVERE: Class org.ovasp.java.jaas.RolePrincipal not found! Class not added.
Any help would be appreciated. I have already read post after post and tutorial after tutorial, and those who do have this problem, don't have solution posted.
Btw, I am using Tomcat 5.5, not my choice, legacy code, you know how it is! I also using the OWASP login module (OWASPJaasLoginModule.jar). This jar file is located in the server/lib directory.