Details

    • Type: New Feature New Feature
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-a1
    • Fix Version/s: 2.0-M1
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Tomcat 5.0.24, J2SE 1.4.2_03

      Description

      As discussed on the Jetspeed developers mailinglist (thread starts with: http://nagoya.apache.org/eyebrowse/ReadMsg?listName=jetspeed-dev@jakarta.apache.org&msgNo=14605) the new behaviour of Tomcat 5 to set the ContextClassLoader in the JAASRealm to the server classloader prevents defining LoginModules within the context of an web app.

      As a quick solution to this problem the Tomcat 5 JAASRealm is going to be patched to revert back to the old Tomcat 4 handling.

      The preferred solution is that the Tomcat Team would do this themselves or provide it as an option. Someone should start discussing this with them....

      I'll provide a patch implementing the quick fix which will depend on the user property catalina.version.major=5 to be enforced upon the catalina server: when this condition is true a patched version of the Tomcat 5.0.24 JAASRealm.java revision 1.6 will be compiled into the $Tomcat/server/classes directory.

        Activity

        Ate Douma created issue -
        Hide
        Ate Douma added a comment -

        I attached the patch for the Tomcat 5 JAASRealm.
        Also included in the patch are:

        • new maven goals:

        check.required.properties
        I've added two new required properties:
        catalina.home, and
        catalina.version.major
        These properties are used to determine if the patch is required
        and where to put it ($

        {catalina.home}/server/classes.
        To ensure these properties are available this goal is the first
        thing executed by allBuild.
        Also checked now are the already required properties:
        catalina.shared.lib and deploy.war.dir.

        check.patch.tomcat5.jaas.realm
        Is executed at the end of allBuild.
        Performs the compilation of the JAASRealm class directly into
        ${catalina.home}

        /server/classes when catalina.version.major=5.

        • new project.xml dependencies to be able to compile the patch:
          Just compiling the class against all the Tomcat 5 server jars
          didn't work! Strangely enough this class depends on commons-logging
          (1.0.3) and JMX (xm4j-mx-1.1.1) which are not distributed with
          Tomcat 5. How can this class be used without these dependencies???
          Tomcat 4 does have these jars in its server/lib folder.
        • Updated site/xdocs/getting-started.xml for:
          supported versions of Tomcat:
          4.1.x and 5.x and only with JDK 1.4
          required properties:
          catalina.home and catalina.version.major
          warning about the patch with a reference to this issue

        Regards,

        Ate

        Show
        Ate Douma added a comment - I attached the patch for the Tomcat 5 JAASRealm. Also included in the patch are: new maven goals: check.required.properties I've added two new required properties: catalina.home, and catalina.version.major These properties are used to determine if the patch is required and where to put it ($ {catalina.home}/server/classes. To ensure these properties are available this goal is the first thing executed by allBuild. Also checked now are the already required properties: catalina.shared.lib and deploy.war.dir. check.patch.tomcat5.jaas.realm Is executed at the end of allBuild. Performs the compilation of the JAASRealm class directly into ${catalina.home} /server/classes when catalina.version.major=5. new project.xml dependencies to be able to compile the patch: Just compiling the class against all the Tomcat 5 server jars didn't work! Strangely enough this class depends on commons-logging (1.0.3) and JMX (xm4j-mx-1.1.1) which are not distributed with Tomcat 5. How can this class be used without these dependencies??? Tomcat 4 does have these jars in its server/lib folder. Updated site/xdocs/getting-started.xml for: supported versions of Tomcat: 4.1.x and 5.x and only with JDK 1.4 required properties: catalina.home and catalina.version.major warning about the patch with a reference to this issue Regards, Ate
        Ate Douma made changes -
        Field Original Value New Value
        Attachment JS2-55-patch.txt [ 14552 ]
        Hide
        David Sean Taylor added a comment -

        patch applied

        Show
        David Sean Taylor added a comment - patch applied
        Hide
        David Le Strat added a comment -

        The issue was submitted to the Tomcat development team:

        http://issues.apache.org/bugzilla/show_bug.cgi?id=29406

        Show
        David Le Strat added a comment - The issue was submitted to the Tomcat development team: http://issues.apache.org/bugzilla/show_bug.cgi?id=29406
        Hide
        Ate Douma added a comment -

        The Tomcat 5 issue 29406 has been fixed since 2004-07-28 which means that from Tomcat 5.0.28 we can resolve this problem without patching Tomcat ourselves.

        Since yesterday, Scott removed the unneeded jmx dependencies from J2, with my vote
        But, I overlooked we needed it to be able to compile the patched JAASRealm. Because of that, Tomcat 5 deployment is currently broken!

        Now, if we would bump up the minimal supported version of Tomcat 5 to 5.0.28, we can drop the need of the patch and at the same time fix the build again.

        If nobody objects, I will set the additional (still undocumented!) attribute useContextClassLoader to false for the JAASRealm in Jetspeed.xml when deploying on Tomcat 5 and remove the JAASRealm patch.
        And of course, the getting-started.html page as well as the Wiki information concerning the required Tomcat 5 version and the resolved JAASRealm problem shall be updated by me.

        Finally, this issue can then be closed also.

        Show
        Ate Douma added a comment - The Tomcat 5 issue 29406 has been fixed since 2004-07-28 which means that from Tomcat 5.0.28 we can resolve this problem without patching Tomcat ourselves. Since yesterday, Scott removed the unneeded jmx dependencies from J2, with my vote But, I overlooked we needed it to be able to compile the patched JAASRealm. Because of that, Tomcat 5 deployment is currently broken! Now, if we would bump up the minimal supported version of Tomcat 5 to 5.0.28, we can drop the need of the patch and at the same time fix the build again. If nobody objects, I will set the additional (still undocumented!) attribute useContextClassLoader to false for the JAASRealm in Jetspeed.xml when deploying on Tomcat 5 and remove the JAASRealm patch. And of course, the getting-started.html page as well as the Wiki information concerning the required Tomcat 5 version and the resolved JAASRealm problem shall be updated by me. Finally, this issue can then be closed also.
        Hide
        Scott T Weaver added a comment -

        1 on requiring tomcat 5.0.28

        Show
        Scott T Weaver added a comment - 1 on requiring tomcat 5.0.28
        Hide
        Ate Douma added a comment -

        Configured the new JAASRealm attribute sseContextClassLoader="false" in Jetspeed.xml when using Tomcat 5.
        As described above this now requires version 5.0.28+ when using Tomcat 5.
        The JAASRealm patch is now no longer needed and thus removed.

        Show
        Ate Douma added a comment - Configured the new JAASRealm attribute sseContextClassLoader="false" in Jetspeed.xml when using Tomcat 5. As described above this now requires version 5.0.28+ when using Tomcat 5. The JAASRealm patch is now no longer needed and thus removed.
        Ate Douma made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Fix Version/s 2.0-M1 [ 10931 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Ate Douma
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development