views:

421

answers:

1

Here is the issue,

The JAAS realm connects to the database fine, the user name and password match, the session is authenticated. HOWEVER, none of the roles seem to be getting into the Principal. Tomcat's isInUserRole returns false for every role, and tomcat security doesn't see them either.

Here is the realm configuration in the Server.xml

<Realm  className="org.apache.catalina.realm.JAASRealm"
        appName="TomcatTimedLogin"
        userClassName="com.tagish.auth.TypedPrincipal"
        roleClassNames="org.ovasp.java.jaas.RolePrincipal" />

Here is the login.config

TomcatTimedLogin
{
    org.owasp.java.jaas.TomcatTimedLogin required
    useDS=true
    dsJNDI="jdbc/resourceName"
        dbDriver="com.microsoft.sqlserver.jdbc.SQLServerDriver" 
        dbURL="jdbc:sqlserver://server\\DBSERVER;databaseName=DBName"
        dbUser="username"
        dbPassword="password"
        debug=true 
        loginTable="loginTable" 
        clippingLevel="3" 
        interval="10"
        loginQuery="SELECT UserID,Password FROM Users WHERE LogonUserName=? AND RetirementDate is null"
        rolesQuery="SELECT Role.RoleDescription FROM User_Role,Role WHERE User_Role.UserID=? AND User_Role.RoleID=Role.RoleID";
};

And in catalina.properties I refer to the configuration like this

java.security.auth.login.config=file:///C:/config/login.config

When start the application I do get the following message in the Debug output, not sure why as all classes should be accessible by the server

SEVERE: Class org.ovasp.java.jaas.RolePrincipal not found! Class not added.

Any help would be appreciated. I have already read post after post and tutorial after tutorial, and those who do have this problem, don't have solution posted.

Btw, I am using Tomcat 5.5, not my choice, legacy code, you know how it is! I also using the OWASP login module (OWASPJaasLoginModule.jar). This jar file is located in the server/lib directory.

A: 

Okay... I solved it myself... again, VERY STUPID! If this was my code I would be mad at myself, but it is not, and after 4 days of screwing around with this app, I am close to fed up. The problem was that the CLASS is not

org.ovasp.java.jaas.RolePrincipal

its

org.owasp.java.jaas.RolePrincipal

STUPID!!!

Zoidberg