Site icon Tutorial

Standard Realm Implementations

JDBCRealm

Introduction

JDBCRealm is an implementation of the Tomcat Realm interface that looks up users in a relational database accessed via a JDBC driver. There is substantial configuration flexibility that lets you adapt to existing table and column names, as long as your database structure conforms to the following requirements:

Quick Start

To set up Tomcat to use JDBCRealm, you will need to follow these steps:

Realm Element Attributes

To configure JDBCRealm, you will create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file, as described above. The attributes for the JDBCRealm are defined in the Realm configuration documentation.

Example

An example SQL script to create the needed tables might look something like this (adapt the syntax as required for your particular database):

 

create table users (

user_name         varchar(15) not null primary key,

user_pass         varchar(15) not null

);

 

create table user_roles (

user_name         varchar(15) not null,

role_name         varchar(15) not null,

primary key (user_name, role_name)

);

 

Example Realm elements are included (commented out) in the default $CATALINA_BASE/conf/server.xml file. Here’s an example for using a MySQL database called “authority”, configured with the tables described above, and accessed with username “dbuser” and password “dbpass”:

 

<Realm className=”org.apache.catalina.realm.JDBCRealm”

driverName=”org.gjt.mm.mysql.Driver”

connectionURL=”jdbc:mysql://localhost/authority?user=dbuser&amp;password=dbpass”

userTable=”users” userNameCol=”user_name” userCredCol=”user_pass”

userRoleTable=”user_roles” roleNameCol=”role_name”/>

Additional Notes

JDBCRealm operates according to the following rules:

DataSourceRealm

Introduction

DataSourceRealm is an implementation of the Tomcat Realm interface that looks up users in a relational database accessed via a JNDI named JDBC DataSource. There is substantial configuration flexibility that lets you adapt to existing table and column names, as long as your database structure conforms to the following requirements:

Quick Start

To set up Tomcat to use DataSourceRealm, you will need to follow these steps:

Realm Element Attributes

To configure DataSourceRealm, you will create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file, as described above. The attributes for the DataSourceRealm are defined in the Realm configuration documentation.

Example

An example SQL script to create the needed tables might look something like this (adapt the syntax as required for your particular database):

 

create table users (

user_name         varchar(15) not null primary key,

user_pass         varchar(15) not null

);

 

create table user_roles (

user_name         varchar(15) not null,

role_name        varchar(15) not null,

primary key (user_name, role_name)

);

 

Here is an example for using a MySQL database called “authority”, configured with the tables described above, and accessed with the JNDI JDBC DataSource with name “java:/comp/env/jdbc/authority”.

 

<Realm className=”org.apache.catalina.realm.DataSourceRealm”

dataSourceName=”jdbc/authority”

userTable=”users” userNameCol=”user_name” userCredCol=”user_pass”

userRoleTable=”user_roles” roleNameCol=”role_name”/>

Additional Notes

DataSourceRealm operates according to the following rules:

JNDIRealm

Introduction

JNDIRealm is an implementation of the Tomcat Realm interface that looks up users in an LDAP directory server accessed by a JNDI provider (typically, the standard LDAP provider that is available with the JNDI API classes). The realm supports a variety of approaches to using a directory for authentication.

Connecting to the directory

The realm’s connection to the directory is defined by the connectionURL configuration attribute. This is a URL whose format is defined by the JNDI provider. It is usually an LDAP URL that specifies the domain name of the directory server to connect to, and optionally the port number and distinguished name (DN) of the required root naming context.

If you have more than one provider you can configure an alternateURL. If a socket connection can not be made to the provider at the connectionURL an attempt will be made to use the alternateURL.

When making a connection in order to search the directory and retrieve user and role information, the realm authenticates itself to the directory with the username and password specified by the connectionName andconnectionPassword properties. If these properties are not specified the connection is anonymous. This is sufficient in many cases.

Selecting the user’s directory entry

Each user that can be authenticated must be represented in the directory by an individual entry that corresponds to an element in the initial DirContext defined by the connectionURL attribute. This user entry must have an attribute containing the username that is presented for authentication.

Often the distinguished name of the user’s entry contains the username presented for authentication but is otherwise the same for all users. In this case the userPattern attribute may be used to specify the DN, with “{0}” marking where the username should be substituted.

Otherwise the realm must search the directory to find a unique entry containing the username. The following attributes configure this search:

userBase – the entry that is the base of the subtree containing users. If not specified, the search base is the top-level context.

userSubtree – the search scope. Set to true if you wish to search the entire subtree rooted at theuserBase entry. The default value of false requests a single-level search including only the top level.

userSearch – pattern specifying the LDAP search filter to use after substitution of the username.

Authenticating the user

By default the realm authenticates a user by binding to the directory with the DN of the entry for that user and the password presented by the user. If this simple bind succeeds the user is considered to be authenticated.

For security reasons a directory may store a digest of the user’s password rather than the clear text version. In that case, as part of the simple bind operation the directory automatically computes the correct digest of the plaintext password presented by the user before validating it against the stored value. In bind mode, therefore, the realm is not involved in digest processing. The digest attribute is not used, and will be ignored if set.

Alternatively, the realm may retrieve the stored password from the directory and compare it explicitly with the value presented by the user. This mode is configured by setting the userPassword attribute to the name of a directory attribute in the user’s entry that contains the password.

Comparison mode has some disadvantages. First, the connectionName and connectionPasswordattributes must be configured to allow the realm to read users’ passwords in the directory. For security reasons this is generally undesirable; indeed many directory implementations will not allow even the directory manager to read these passwords. In addition, the realm must handle password digests itself, including variations in the algorithms used and ways of representing password hashes in the directory. However, the realm may sometimes need access to the stored password, for example to support HTTP Digest Access Authentication (RFC 2069). (Note that HTTP digest authentication is different from the storage of password digests in the repository for user information as discussed above).

Assigning roles to the user

The directory realm supports two approaches to the representation of roles in the directory:

Roles may be represented by explicit directory entries. A role entry is usually an LDAP group entry with one attribute containing the name of the role and another whose values are the distinguished names or usernames of the users in that role. The following attributes configure a directory search to find the names of roles associated with the authenticated user:

Role names may also be held as the values of an attribute in the user’s directory entry. UseuserRoleName to specify the name of this attribute.

A combination of both approaches to role representation may be used.

Quick Start

To set up Tomcat to use JNDIRealm, you will need to follow these steps:

Realm Element Attributes

To configure JNDIRealm, you will create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file, as described above. The attributes for the JNDIRealm are defined in theRealm configuration documentation.

Example

Creation of the appropriate schema in your directory server is beyond the scope of this document, because it is unique to each directory server implementation. In the examples below, we will assume that you are using a distribution of the OpenLDAP directory server (version 2.0.11 or later), which can be downloaded fromhttp://www.openldap.org. Assume that your slapd.conf file contains the following settings (among others):

database ldbm

suffix dc=”mycompany”,dc=”com”

rootdn “cn=Manager,dc=mycompany,dc=com”

rootpw secret

 

We will assume for connectionURL that the directory server runs on the same machine as Tomcat. Seehttp://java.sun.com/products/jndi/docs.html for more information about configuring and using the JNDI LDAP provider.

 

Next, assume that this directory server has been populated with elements as shown below (in LDIF format):

# Define top-level entry

dn: dc=mycompany,dc=com

objectClass: dcObject

dc:mycompany

 

# Define an entry to contain people

# searches for users are based on this entry

dn: ou=people,dc=mycompany,dc=com

objectClass: organizationalUnit

ou: people

 

# Define a user entry for Janet Jones

dn: uid=jjones,ou=people,dc=mycompany,dc=com

objectClass: inetOrgPerson

uid: jjones

sn: jones

cn: janet jones

mail: j.jones@mycompany.com

userPassword: janet

 

# Define a user entry for Fred Bloggs

dn: uid=fbloggs,ou=people,dc=mycompany,dc=com

objectClass: inetOrgPerson

uid: fbloggs

sn: bloggs

cn: fred bloggs

mail: f.bloggs@mycompany.com

userPassword: fred

 

# Define an entry to contain LDAP groups

# searches for roles are based on this entry

dn: ou=groups,dc=mycompany,dc=com

objectClass: organizationalUnit

ou: groups

 

# Define an entry for the “tomcat” role

dn: cn=tomcat,ou=groups,dc=mycompany,dc=com

objectClass: groupOfUniqueNames

cn: tomcat

uniqueMember: uid=jjones,ou=people,dc=mycompany,dc=com

uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com

 

# Define an entry for the “role1″ role

dn: cn=role1,ou=groups,dc=mycompany,dc=com

objectClass: groupOfUniqueNames

cn: role1

uniqueMember: uid=fbloggs,ou=people,dc=mycompany,dc=com

 

An example Realm element for the OpenLDAP directory server configured as described above might look like this, assuming that users use their uid (e.g. jjones) to login to the application and that an anonymous connection is sufficient to search the directory and retrieve role information:

 

<Realm   className=”org.apache.catalina.realm.JNDIRealm”

connectionURL=”ldap://localhost:389″

userPattern=”uid={0},ou=people,dc=mycompany,dc=com”

roleBase=”ou=groups,dc=mycompany,dc=com”

roleName=”cn”

roleSearch=”(uniqueMember={0})”

/>

 

With this configuration, the realm will determine the user’s distinguished name by substituting the username into the userPattern, authenticate by binding to the directory with this DN and the password received from the user, and search the directory to find the user’s roles.

Now suppose that users are expected to enter their email address rather than their userid when logging in. In this case the realm must search the directory for the user’s entry. (A search is also necessary when user entries are held in multiple subtrees corresponding perhaps to different organizational units or company locations).

Further, suppose that in addition to the group entries you want to use an attribute of the user’s entry to hold roles. Now the entry for Janet Jones might read as follows:

dn: uid=jjones,ou=people,dc=mycompany,dc=com

objectClass: inetOrgPerson

uid: jjones

sn: jones

cn: janet jones

mail: j.jones@mycompany.com

memberOf: role2

memberOf: role3

userPassword: janet

 

This realm configuration would satisfy the new requirements:

 

<Realm   className=”org.apache.catalina.realm.JNDIRealm”

connectionURL=”ldap://localhost:389″

userBase=”ou=people,dc=mycompany,dc=com”

userSearch=”(mail={0})”

userRoleName=”memberOf”

roleBase=”ou=groups,dc=mycompany,dc=com”

roleName=”cn”

roleSearch=”(uniqueMember={0})”

/>

 

Now when Janet Jones logs in as “j.jones@mycompany.com”, the realm searches the directory for a unique entry with that value as its mail attribute and attempts to bind to the directory asuid=jjones,ou=people,dc=mycompany,dc=com with the given password. If authentication succeeds, she is assigned three roles: “role2” and “role3”, the values of the “memberOf” attribute in her directory entry, and “tomcat”, the value of the “cn” attribute in the only group entry of which she is a member.

Finally, to authenticate the user by retrieving the password from the directory and making a local comparison in the realm, you might use a realm configuration like this:

 

<Realm   className=”org.apache.catalina.realm.JNDIRealm”

connectionName=”cn=Manager,dc=mycompany,dc=com”

connectionPassword=”secret”

connectionURL=”ldap://localhost:389″

userPassword=”userPassword”

userPattern=”uid={0},ou=people,dc=mycompany,dc=com”

roleBase=”ou=groups,dc=mycompany,dc=com”

roleName=”cn”

roleSearch=”(uniqueMember={0})”

/>

 

However, as discussed above, the default bind mode for authentication is usually to be preferred.

Additional Notes

JNDIRealm operates according to the following rules:

UserDatabaseRealm

Introduction

UserDatabaseRealm is an implementation of the Tomcat Realm interface that uses a JNDI resource to store user information. By default, the JNDI resource is backed by an XML file. It is not designed for large-scale production use. At startup time, the UserDatabaseRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). The users, their passwords and their roles may all be editing dynamically, typically via JMX. Changes may be saved and will be reflected in the XML file.

Realm Element Attributes

To configure UserDatabaseRealm, you will create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file, as described above. The attributes for the UserDatabaseRealm are defined in the Realm configuration documentation.

User File Format

The users file uses the same format as the MemoryRealm.

Example

The default installation of Tomcat is configured with a UserDatabaseRealm nested inside the <Engine> element, so that it applies to all virtual hosts and web applications. The default contents of the conf/tomcat-users.xmlfile is:

 

<tomcat-users>

<user name=”tomcat” password=”tomcat” roles=”tomcat” />

<user name=”role1″ password=”tomcat” roles=”role1″ />

<user name=”both”   password=”tomcat” roles=”tomcat,role1″ />

</tomcat-users>

Additional Notes

UserDatabaseRealm operates according to the following rules:

MemoryRealm

Introduction

MemoryRealm is a simple demonstration implementation of the Tomcat Realm interface. It is not designed for production use. At startup time, MemoryRealm loads information about all users, and their corresponding roles, from an XML document (by default, this document is loaded from $CATALINA_BASE/conf/tomcat-users.xml). Changes to the data in this file are not recognized until Tomcat is restarted.

Realm Element Attributes

To configure MemoryRealm, you will create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file, as described above. The attributes for the MemoryRealm are defined in the Realm configuration documentation.

User File Format

The users file (by default, conf/tomcat-users.xml must be an XML document, with a root element <tomcat-users>. Nested inside the root element will be a <user> element for each valid user, consisting of the following attributes:

name – Username this user must log on with.

password – Password this user must log on with (in clear text if the digest attribute was not set on the<Realm> element, or digested appropriately as described here otherwise).

roles – Comma-delimited list of the role names associated with this user.

Additional Notes

MemoryRealm operates according to the following rules:

JAASRealm

Introduction

JAASRealm is an implementation of the Tomcat Realm interface that authenticates users through the Java Authentication & Authorization Service (JAAS) framework which is now provided as part of the standard Java SE API.

Using JAASRealm gives the developer the ability to combine practically any conceivable security realm with Tomcat’s CMA.

JAASRealm is prototype for Tomcat of the JAAS-based J2EE authentication framework for J2EE v1.4, based on theJCP Specification Request 196 to enhance container-managed security and promote ‘pluggable’ authentication mechanisms whose implementations would be container-independent.

Based on the JAAS login module and principal, you can develop your own security mechanism or wrap another third-party mechanism for integration with the CMA as implemented by Tomcat.

Quick Start

To set up Tomcat to use JAASRealm with your own JAAS login module, you will need to follow these steps:

Realm Element Attributes

To configure JAASRealm as for step 6 above, you create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file within your <Engine> node. The attributes for the JAASRealm are defined in the Realm configuration documentation.

Example

Here is an example of how your server.xml snippet should look.

<Realm className=”org.apache.catalina.realm.JAASRealm”

appName=”MyFooRealm”

userClassNames=”org.foobar.realm.FooUser”

roleClassNames=”org.foobar.realm.FooRole”/>

It is the responsibility of your login module to create and save User and Role objects representing Principals for the user (javax.security.auth.Subject). If your login module doesn’t create a user object but also doesn’t throw a login exception, then the Tomcat CMA will break and you will be left at the http://localhost:8080/myapp/j_security_check URI or at some other unspecified location.

The flexibility of the JAAS approach is two-fold:

Additional Notes

CombinedRealm

Introduction

CombinedRealm is an implementation of the Tomcat Realm interface that authenticates users through one or more sub-Realms.

 

Using CombinedRealm gives the developer the ability to combine multiple Realms of the same or different types. This can be used to authenticate against different sources, provide fall back in case one Realm fails or for any other purpose that requires multiple Realms.

Sub-realms are defined by nesting Realm elements inside the Realm element that defines the CombinedRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user.

Realm Element Attributes

To configure a CombinedRealm, you create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file within your <Engine> or <Host>. You can also nest inside a <Context>node in a context.xml file.

Example

Here is an example of how your server.xml snippet should look to use a UserDatabase Realm and a DataSource Realm.

 

<Realm className=”org.apache.catalina.realm.CombinedRealm” >

<Realm className=”org.apache.catalina.realm.UserDatabaseRealm”

resourceName=”UserDatabase”/>

<Realm className=”org.apache.catalina.realm.DataSourceRealm”

dataSourceName=”jdbc/authority”

userTable=”users” userNameCol=”user_name” userCredCol=”user_pass”

userRoleTable=”user_roles” roleNameCol=”role_name”/>

</Realm>

LockOutRealm

Introduction

LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide lock out functionality to provide a user lock out mechanism if there are too many failed authentication attempts in a given period of time.

To ensure correct operation, there is a reasonable degree of synchronisation in this Realm.

This Realm does not require modification to the underlying Realms or the associated user storage mechanisms. It achieves this by recording all failed logins, including those for users that do not exist. To prevent a DOS by deliberating making requests with invalid users (and hence causing this cache to grow) the size of the list of users that have failed authentication is limited.

Sub-realms are defined by nesting Realm elements inside the Realm element that defines the LockOutRealm. Authentication will be attempted against each Realm in the order they are listed. Authentication against any Realm will be sufficient to authenticate the user.

Realm Element Attributes

To configure a LockOutRealm, you create a <Realm> element and nest it in your$CATALINA_BASE/conf/server.xml file within your <Engine> or <Host>. You can also nest inside a <Context>node in a context.xml file. The attributes for the LockOutRealm are defined in the Realm configuration documentation.

Example

Here is an example of how your server.xml snippet should look to add lock out functionality to a UserDatabase Realm.

 

<Realm className=”org.apache.catalina.realm.LockOutRealm” >

<Realm className=”org.apache.catalina.realm.UserDatabaseRealm”

resourceName=”UserDatabase”/>

</Realm>

 

Exit mobile version