Apache Tomcat 1.7 How to pass additional parameters to JAAS

According to Apache Tomcat 1.7 documentation:

Write your own LoginModule, User and Role classes based on JAAS (see the JAAS Authentication Tutorial and the JAAS Login Module Developer's Guide) to be managed by the JAAS Login Context (javax.security.auth.login.LoginContext). When developing your LoginModule, note that JAASRealm's built-in CallbackHandler only recognizes the NameCallback and PasswordCallback at present.

It only supports NameCallback and PasswordCallback. I want to pass additional parameters to the JAAS login module but could not due to this restriction.

How do I pass additional parameters to the JAAS login module?

yapkm01 Avatar asked Aug 09 '15 12:08

2 Answers

Write your own CallbackHandler. For details, see http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

For example, a MyCallbackHandler could support an additional TextOutputCallback:

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class MyCallbackHandler implements CallbackHandler {
  private final String username;
  private final char[] password;

  public MyCallbackHandler(String username, char[] password) {
    this.username = username;
    this.password = password;
  }

  @Override
  public void handle(Callback[] callbacks)
    throws IOException, UnsupportedCallbackException {

    for (int i = 0; i < callbacks.length; i++) {
      if (callbacks[i] instanceof TextOutputCallback) {
        // display a message according to a specified type
        TextOutputCallback toc = (TextOutputCallback) callbacks[i];
        switch (toc.getMessageType()) {
          case TextOutputCallback.INFORMATION:
            System.out.println(toc.getMessage());
            break;
          case TextOutputCallback.WARNING:
            System.out.println("WARNING: " + toc.getMessage());
            break;
          case TextOutputCallback.ERROR:
            System.out.println("ERROR: " + toc.getMessage());
            break;
          default:
            throw new IOException("Unsupported message type: " + toc.getMessageType());
        }
      } else if (callbacks[i] instanceof NameCallback) {
        // supply the username (the tutorial prompts the user for it here)
        ((NameCallback) callbacks[i]).setName(username);
      } else if (callbacks[i] instanceof PasswordCallback) {
        // supply the password (the tutorial prompts the user for it here)
        ((PasswordCallback) callbacks[i]).setPassword(password);
      } else {
        throw new UnsupportedCallbackException
         (callbacks[i], "Unrecognized Callback");
      }
    }
  }
}
Alin Pandichi Avatar answered Dec 11 '22 09:12


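The answer above stops at the handler. The following is an added, self-contained example (not code from the question, the answer, or the Tomcat project) that carries the idea through to the login module: a hypothetical custom Callback (TenantCallback) transports the extra parameter, a hypothetical CallbackHandler (ExtraParamCallbackHandler) answers it alongside NameCallback and PasswordCallback, and a hypothetical LoginModule (TenantLoginModule) requests all three. The credentials alice / s3cret / acme and the in-code check are constructed stand-ins for a real credential store. Because the quoted Tomcat documentation says JAASRealm's built-in CallbackHandler recognizes only NameCallback and PasswordCallback, this pattern only works where your own code constructs the LoginContext (for example in a servlet filter) and supplies the handler; under JAASRealm the custom callback would reach Tomcat's handler and fail with UnsupportedCallbackException, which is why the module below converts that into a LoginException rather than letting it propagate.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ExtraParamJaasDemo {

  /** Hypothetical custom Callback carrying the extra parameter (a tenant id). */
  public static final class TenantCallback implements Callback {
    private String tenant;
    public void setTenant(String tenant) { this.tenant = tenant; }
    public String getTenant() { return tenant; }
  }

  /** Hypothetical handler that answers Name, Password and the custom Tenant callback. */
  public static final class ExtraParamCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] pass;
    private final String tenant;

    public ExtraParamCallbackHandler(String user, char[] pass, String tenant) {
      this.user = user; this.pass = pass; this.tenant = tenant;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
      for (Callback cb : callbacks) {
        if (cb instanceof NameCallback) {
          ((NameCallback) cb).setName(user);
        } else if (cb instanceof PasswordCallback) {
          ((PasswordCallback) cb).setPassword(pass);
        } else if (cb instanceof TenantCallback) {
          ((TenantCallback) cb).setTenant(tenant);   // the additional parameter
        } else {
          throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
        }
      }
    }
  }

  /** Hypothetical LoginModule that requests the extra parameter via TenantCallback. */
  public static final class TenantLoginModule implements LoginModule {
    private CallbackHandler handler;
    private boolean ok;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
      this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
      NameCallback nc = new NameCallback("user: ");
      PasswordCallback pc = new PasswordCallback("password: ", false);
      TenantCallback tc = new TenantCallback();
      try {
        handler.handle(new Callback[] { nc, pc, tc });
      } catch (IOException | UnsupportedCallbackException e) {
        // A handler that does not know TenantCallback (e.g. JAASRealm's) ends up here.
        throw new LoginException("handler cannot supply tenant: " + e);
      }
      // Constructed check standing in for a real credential store lookup.
      char[] supplied = pc.getPassword();
      ok = "alice".equals(nc.getName()) && "acme".equals(tc.getTenant())
           && supplied != null && "s3cret".equals(new String(supplied));
      pc.clearPassword();
      if (!ok) throw new FailedLoginException("bad credentials or tenant");
      return true;
    }

    // A real module would add Principals to the Subject in commit().
    @Override public boolean commit() { return ok; }
    @Override public boolean abort() { return ok; }
    @Override public boolean logout() { return true; }
  }

  /** Programmatic Configuration so the demo runs without a jaas.config file. */
  static final Configuration CONFIG = new Configuration() {
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
      return new AppConfigurationEntry[] {
        new AppConfigurationEntry(TenantLoginModule.class.getName(),
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            Collections.<String, Object>emptyMap())
      };
    }
  };

  public static void main(String[] args) throws LoginException {
    CallbackHandler h = new ExtraParamCallbackHandler("alice", "s3cret".toCharArray(), "acme");
    LoginContext lc = new LoginContext("Demo", null, h, CONFIG);
    lc.login();   // throws LoginException if the tenant or credentials do not match
    System.out.println("login succeeded for " + lc.getSubject());
  }
}
```

Run it with javac/java on Java 7 or later; changing the tenant passed to the handler to anything other than "acme" makes lc.login() throw FailedLoginException, which shows that the extra parameter actually participates in the decision rather than being carried along unused.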

The conventional way to approach this is to map your contractor and customer groups to roles.

  • Download a copy of the Servlet 3.0 Specification (Tomcat 7.0 is an implementation of this) and read the chapter on Security to see the multitude of options that are provided by the servlet container for authenticating users based upon username and password and then authorising users based upon their role.
  • Follow the instructions in the Tomcat documentation for configuring a JNDIRealm. This provides a way of configuring Tomcat to use an LDAP server for authentication (username/password) and authorisation (role checking).

Using the specification based approach like this has the added benefit of ensuring your solution is portable should you decide to migrate to a full blown Java EE solution (such as JBossAS/WildFly, Glassfish, WebSphere, etc) in the future.

Additionally, if you're able to migrate to Tomcat 8 you would have access to the additional authentication features that have been added in the Servlet 3.1 specification.

Steve C Avatar answered Dec 11 '22 09:12
