Create JNDIRealm in admin webapp is not correct.

2005-11-21 Thread Terry Zhou
Hi, gents,

Regarding this mail,
http://marc.theaimsgroup.com/?l=tomcat-user&m=113035775420898&w=2

  I have tested both the Tomcat admin app and the MBean createJNDIRealm;
neither can create a realm successfully with Tomcat 5.5.12. I have checked
some code and found a bug in creating a JNDIRealm. The signature of
createJNDIRealm in MBeanFactory.java is not enough: it only has one
parameter, called parent. If we want to create a JNDIRealm through JMX,
we need another three parameters: ConnectionURL, ConnectionName and
ConnectionPassword. If we provide this information, the JNDIRealm can be
initialized correctly, so you can set other attributes on the realm.
  Attachments are the patches for the admin webapp and the MBeanFactory
modification for tc5.5.x. I have tested it, and it works now.
  Another improvement is that I added createJAASRealm to MBeanFactory,
because the Tomcat source code didn't contain a JMX API for creating a
JAASRealm, so I added it; it works too.

  I haven't filed a bug in Bugzilla for the above problem; if it's
necessary, I can do it.

  Thanks.

Terry Zhou 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: UserManager should be added

2006-01-20 Thread Terry Zhou
Tomcat does have realms at different levels (Engine, Host, Webapp) for
security.
Check http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html


2006/1/20, Jack <[EMAIL PROTECTED]>:
>
>
> In order to add a new user to a web-app, since specification 2.4 doesn't
> cover this, the web-app might have to take care of this. User information
> will be used by the web-app anyway; the web-app keeps much information
> about the user. Keeping its password is not difficult at all, and it is
> easier for the web-app to change the password for the user. In case the
> user uses a certificate, the web-app might also use the certificate anyway.
> So the UserManager will be used by both the web-app Container & the web-app.
>
>
>
> There are 3 types of user contexts:
>
> 1. Engine user context (tomcat-users.xml, should not be mixed up with host
> & web-app user context. At present, they are all mixed up.)
>
> 2. Host user context (Users defined in a host user context will be
> available to all web-apps in this host.)
>
> 3. Web-app user context
>
>
>
> Under the Engine element, add a Users element (EngineUserContext). Its
> content is the content of tomcat-users.xml, and tomcat-users.xml could be
> eliminated, or an attribute in Users could link to tomcat-users.xml.
>
> Under each Host element, there could be a Users element (HostUserContext),
> too.
>
> In the context.xml for each web-app, there could be a Users element
> (WebAppUserContext), too.
>
>
>
> In Host Users & web-app users elements, the possible attributes are:
>
> scope=host|engine       Whether users' information is available to other
>                         contexts. "host" is the default value.
>
> useHost=yes|no          Using users defined in the host context.
>                         Default: yes
>
> useOtherWebApp=yes|no   Using users defined in other web-apps exposed to
>                         the same host. Default: yes
>
> useOtherHost=yes|no     Using users defined in other hosts exposed to the
>                         same engine. Default: no
>
> clientAuth
>
> keystoreFile
>
> keystorePass
>
> keystoreType
>
> truststoreFile
>
> truststorePass
>
> truststoreType
>
>
>
> The last 6 attributes of the Connector element should become attributes of
> Users elements since they are all UserContext properties.
>
>
>
> "clientAuth" is configured in the login-config element in web.xml. If the
> client is requesting a server resource that requires client authentication,
> the server requests the client's certificate. However, it could also be put
> on the Users element.
>
>
>
> Single Signon
>
> At present, single signon is done with a valve.
>
>
>
> When a user crosses from a web-app (1) to another web-app (2) to access a
> constrained resource, the authorizer (Realm) will ask the UserManager
> whether the user has a role for the resource. And the UserManager will
> consult the user context of web-app 2 to check whether it accepts users
> from web-app 1. If yes, and the user is authenticated, then the container
> doesn't have to ask the user to authenticate again.
>
>
>
> This will be more logical than the original implementation with a valve.
>
>
> [EMAIL PROTECTED]


--


Terry(Xiaochao) Zhou
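
The realm levels named in the reply above (Engine, Host, Webapp), together with the three JNDIRealm connection settings named in the first message, as an added server.xml fragment that is not part of the thread. Host names, DNs, the /payroll context and the password placeholder are constructed for illustration.

```xml
<!-- Added example; all names, DNs and CHANGE_ME are constructed. -->
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080"/>
    <Engine name="Catalina" defaultHost="localhost">
      <!-- Engine level: applies to every Host and webapp that does not
           define its own Realm. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps"/>
      <Host name="intranet.example.test" appBase="intranet-apps">
        <!-- Host level: replaces the Engine Realm for this host only.
             connectionPassword is stored in clear text, so bind with a
             read-only service account and restrict who can read
             server.xml. -->
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://ldap.example.test:389"
               connectionName="cn=tomcat-bind,ou=services,dc=example,dc=test"
               connectionPassword="CHANGE_ME"
               userPattern="uid={0},ou=people,dc=example,dc=test"
               roleBase="ou=groups,dc=example,dc=test"
               roleName="cn"
               roleSearch="(uniqueMember={0})"/>
        <Context path="/payroll" docBase="payroll">
          <!-- Webapp level: replaces both outer Realms for /payroll. -->
          <Realm className="org.apache.catalina.realm.JNDIRealm"
                 connectionURL="ldap://ldap.example.test:389"
                 connectionName="cn=tomcat-bind,ou=services,dc=example,dc=test"
                 connectionPassword="CHANGE_ME"
                 userPattern="uid={0},ou=payroll,dc=example,dc=test"
                 roleBase="ou=payroll-groups,dc=example,dc=test"
                 roleName="cn"
                 roleSearch="(uniqueMember={0})"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
```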


Is it possible to change server MBean domain name in Tomcat?

2006-06-11 Thread Terry Zhou

Hi, folks,

When I changed the engine name to another one (not the default "Catalina")
in server.xml, for example "testEngine", I found there were two domain names
in the MBean tree of Tomcat: one was "Catalina", and the other was
"testEngine". I wondered if there was some other way to set them to be the
same (except overriding the register method), so I can maintain them under
the same domain. I have looked at some source code and found
"Catalina:type=..." hardcoded in several files, BootStrap.java, for example.
What do you guys think?


Thanks a lot!

Terry