Wendy Smoak Wiki: TomcatKerberosConfigOnly

Changing Tomcat 5.0's jsp-examples webapp from UserDatabase? to Kerberos by modifying only config files

Currently, the URL http://localhost:8080/jsp-examples/security/protected/index.jsp is protected by form-based authentication. Users and Roles are configured in tomcat-users.xml.

This page explains how to use Kerberos for authentication by modifying only configuration files. For other options, see: TomcatKerberos.

Add the JAAS configuration file to $TOMCAT_HOME/conf

jaas.conf

Tomcat {
  com.sun.security.auth.module.Krb5LoginModule required;
};

Start Catalina with these environment variables:
- java.security.krb5.realm=<your realm>
- java.security.krb5.kdc=<your kdc:port>
- java.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf

catalina.bat (all on one line!)

set JAVA_OPTS=-Djava.security.krb5.realm=<your realm> 
              -Djava.security.krb5.kdc=<your kdc:port> 
              -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf

Configure the JAASRealm

server.xml

      <Realm className="org.apache.catalina.realm.JAASRealm"
                 appName="Tomcat"
                 userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
                 roleClassNames="javax.security.auth.kerberos.KerberosPrincipal"
                 useContextClassLoader="true"
                 debug="99"/>

Sun's [Krb5LoginModule] comes back with *one* [KerberosPrincipal] with 'name' equal to the userid @ the Kerberos realm.

Add an auth constraint matching the user and Kerberos realm.
Add a security role matching the user and Kerberos realm.

$TOMCAT_HOME/webapps/jsp-examples/WEB-INF/web.xml

    <!-- Anyone with one of the listed roles may access this area -->
    <security-constraint>
      ...
      <auth-constraint>
         <role-name>tomcat</role-name>
         <role-name>role1</role-name>
         <role-name>wsmoak@ASU.EDU</role-name>   <!-- added -->
      </auth-constraint>
    </security-constraint>

    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>role1</role-name>
    </security-role>
    <security-role>
      <role-name>tomcat</role-name>
    </security-role>
    <security-role>
      <role-name>wsmoak@ASU.EDU</role-name>  <!-- added -->
    </security-role>

Try it out:
- Restart Tomcat
- navigate to http://localhost:8080/jsp-examples/security/protected/index.jsp
- Log in with your Kerberos userid and password

For other options, see TomcatKerberos.