Once upon a time, I needed to convince a third-party web application (running in Tomcat) to talk to our campus Kerberos domain.
In order to learn how, I started with the jsp-examples webapp that ships with Tomcat.
Changing Tomcat's jsp-examples webapp from UserDatabase to Kerberos
Currently, the URL http://localhost:8080/jsp-examples/security/protected/index.jsp is protected by form-based authentication. Users and Roles are configured in tomcat-users.xml. Here are three ways to use Kerberos for authentication:
- With only changes to configuration, no custom programming required:
- With a custom LoginModule that wraps Sun's Krb5LoginModule:
- With a custom Realm that extends JAASRealm and overrides 'authenticate'
References