Bug 43392 - Tomcat6 JAASRealm ignores useContextClassLoader in parseClassNames
Tomcat6 JAASRealm ignores useContextClassLoader in parseClassNames
Status: RESOLVED DUPLICATE of bug 44084
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
6.0.14
PC All
: P2 regression (vote)
: default
Assigned To: Tomcat Developers Mailing List
http://support.liferay.com/browse/LEP...
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-09-13 21:34 UTC by David
Modified: 2007-12-20 19:22 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David 2007-09-13 21:34:49 UTC
Issue when specifying custom User/Role security principal classes in a JAASRealm
element within a /META-INF/context.xml of a war. Tomcat 6 should obey the
useContextClassLoader configuration of the JAASRealm when parsing the user/role
classNames.

<Realm
className="org.apache.catalina.realm.JAASRealm"
appName="PortalRealm"
userClassNames="com.liferay.portal.security.jaas.PortalPrincipal"
roleClassNames="com.liferay.portal.security.jaas.PortalRole"
debug="99"
useContextClassLoader="false"
/>

Upon server startup, the Tomcat 6.0.14 JAASRealm attempts to load the
userClassNames and roleClassNames in parseClassNames with Class.forName(), and
since these classes reside only in the webapp context (/WEB-INF/lib/) they are
not found on the classpath, and causes the following output in the Tomcat
console upon startup:
         SEVERE: Class com.liferay.portal.security.jaas.PortalPrincipal not
found! Class not added.
         SEVERE: Class com.liferay.portal.security.jaas.PortalRole not found!
Class not added.

Tomcat 5.5.x did not report these failures, because it did not attempt to
perform a Class.forName() lookup. Instead, it only saved the userClassNames and
roleClassNames in a java.util.List object.
Comment 1 David 2007-09-13 21:45:36 UTC
Sorry, I meant the issue occurs when using useContextClassLoader="true" in the
original report (which is the default according to
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm).

As a temporary work-around for this issue you can:
1. Move your classes to the Tomcat shared /lib directory.
2. Since all principals must implement java.security.Principal, and the first
principal 'must' be the user principal, you can just use the base class:
<Realm
className="org.apache.catalina.realm.JAASRealm"
appName="PortalRealm"
userClassNames="java.security.Principal"
debug="99"
useContextClassLoader="true"
/>
Comment 2 Kurt Zettel 2007-10-05 14:24:15 UTC
I think this was caused by the changes for bug 40150
Comment 3 Noah Levitt 2007-12-15 14:55:14 UTC
Just noticed this bug report. I put up a patch at bug 44084, would be cool if
you could try it.

The logic also seemed to be backwards to me. I assume useContextClassLoader
means to use Thread.currentThread().getContextClassLoader(), which is the
webapp's class loader, and useContextClassLoader="false" means the servlet class
loader, which is retrieved by getClass().getClassLoader() from the JAASRealm.
Comment 4 David 2007-12-20 19:22:10 UTC
Thanks Noah, The patch looks perfect to me. I hope it makes it into the next
release!
Since the patch is in 44084, I'll mark this one as a duplicate.
See also bug 40150 that Ate re-opened so that the patch could be applied to T5.5
too.

*** This bug has been marked as a duplicate of 44084 ***