shibboleth-dev - RE: 2.0 Idp, tomcat authn using JAAS....

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: 2.0 Idp, tomcat authn using JAAS....
  • Date: Mon, 29 Oct 2007 17:44:24 -0400
  • Organization: The Ohio State University

> can someone point me toward a description of how to configure Tomcat
> to use a JAAS-based Realm, with JAAS using either ldap or
> kerberos.... (preferably ldap)
> the tomcat doc available at
>
> http://tomcat.apache.org/tomcat-5.5-doc/printer/realm-howto.html
>
> states, as step 1, "Write your own LoginModule, User and Role classes
> based on JAAS "
>
> I'm assuming someone somewhere has already done this...

Depends what you need. The JNDI module in Java sucks a lot. The LDAP code we
included in 2.0 from VT is much better, and I got it to work mostly by
guessing. The Kerberos one's simple to use.

You have to combine various pieces of documentation, the JAAS Realm from
Tomcat, setting the JAAS configuration itself, and the login module
properties.

Kerberos docs are at
http://java.sun.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Setting up the login config is usually done in tomcat/bin/setenv.sh using
-Djava.security.auth.login.config=/usr/local/tomcat/conf/jaas.conf

e.g. Kerberos

shibboleth {
com.sun.security.auth.module.Krb5LoginModule required;
};

e.g. VT LDAP

shibboleth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="..." port="636"
base="ou=users,dc=osu,dc=edu"
ssl="true"
serviceUser="uid=WebAuth,dc=osu,dc=edu"
serviceCredential="..."
userField="osuEduPrincipalName"
userRoleAttribute="eduPersonAffiliation";
};

And Tomcat needs the Realm specified somewhere in the context with the login
module's user class to look for.

e.g.
<Realm className="org.apache.catalina.realm.JAASRealm"
debug="1" appName="shibboleth"
userClassNames="javax.security.auth.kerberos.KerberosPrincipal"/>
<!--
userClassNames="edu.vt.middleware.ldap.jaas.LdapPrincipal"
-->

A lot of little pieces, nothing hard but takes a long time to understand.

-- Scott
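A small cross-check of the pieces listed above, added here as an example and not part of the original post or of the Shibboleth or Tomcat code: it parses a jaas.conf entry and verifies that a JAASRealm's appName and userClassNames line up with the login module that entry uses (a mismatch is a common reason the realm silently rejects every login). The host and DN values in the embedded sample are constructed; the principal-class mapping uses only the two classes named in the message.

```python
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
PRINCIPAL_FOR = {  # principal class each module puts into the Subject
    "com.sun.security.auth.module.Krb5LoginModule": "javax.security.auth.kerberos.KerberosPrincipal",
    "edu.vt.middleware.ldap.jaas.LdapLoginModule": "edu.vt.middleware.ldap.jaas.LdapPrincipal",
}
ENTRY_RE = re.compile(r"([\w.$-]+)\s*\{([^}]*)\}\s*;")
MODULE_RE = re.compile(r'([\w.$]+)\s+(\w+)((?:\s+[\w.]+\s*=\s*(?:"[^"]*"|[^\s;]+))*)\s*;')
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

# Constructed sample in the same syntax as the VT LDAP entry above (values are made up).
SAMPLE_CONF = """
shibboleth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap.example.org" port="636" ssl="true"
        base="ou=users,dc=example,dc=org" userField="uid";
};
"""

def parse_jaas_conf(text):
    """Parse jaas.conf into {entry: [(module_class, flag, {option: value})]}."""
    # ConfigFile accepts /* */ and // comments; strip both before matching
    text = re.sub(r"/\*.*?\*/|^\s*//[^\n]*", " ", text, flags=re.S | re.M)
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for cls, flag, opts in MODULE_RE.findall(body):
            options = {k: q or u for k, q, u in OPTION_RE.findall(opts)}
            modules.append((cls, flag.lower(), options))
        entries[name] = modules
    leftover = ENTRY_RE.sub("", text).strip()
    if leftover:  # e.g. an entry closed with "}" instead of "};"
        raise ValueError("unparsed text in jaas.conf: %r" % leftover[:40])
    return entries

def check_realm(entries, app_name, user_class_names):
    """Cross-check a JAASRealm's appName and userClassNames against jaas.conf."""
    if app_name not in entries:
        return ["Realm appName %r has no entry in jaas.conf" % app_name]
    accepted, problems = {c.strip() for c in user_class_names.split(",")}, []
    for cls, flag, options in entries[app_name]:
        if flag not in FLAGS:
            problems.append("%s: unknown control flag %r" % (cls, flag))
        principal = PRINCIPAL_FOR.get(cls)
        if principal and principal not in accepted:
            problems.append("Realm userClassNames lacks %s" % principal)
        if cls.endswith("LdapLoginModule") and options.get("ssl") != "true":
            problems.append('%s: LDAP bind without ssl="true"' % cls)
    return problems
```

Run it against the real jaas.conf and the Realm attributes from the context file; an empty list from check_realm means the three pieces agree.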
