Preloader image

Purpose

You want to use JAAS in TomEE with custom (or OpenEJB) LoginModules.

Solution

TomEE tries to keep as possible as it is Tomcat so simply configure your JAAS LoginModule as in Tomcat.

Note: only the first one will be used.

Configuration

Add to your CATALINA_OPTS the java.security.auth.login.config system property:

-Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config

Configure your realm in server.xml file

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.tomee.loader.OpenEJBListener" />
  <Listener className="org.apache.catalina.security.SecurityListener" />

  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- here is the magic -->
      <Realm className="org.apache.catalina.realm.JAASRealm" appName="PropertiesLogin"
             userClassNames="org.apache.openejb.core.security.jaas.UserPrincipal"
             roleClassNames="org.apache.openejb.core.security.jaas.GroupPrincipal">
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>

Configure your login.config file

PropertiesLogin {
    org.apache.openejb.core.security.jaas.PropertiesLoginModule required
    Debug=false
    UsersFile="users.properties"
    GroupsFile="groups.properties";
};

Configure your login module specifically (users.properties for snippets of this page for instance).

Place users.properties and groups.properties files in $CATALINA_BASE/conf/ folder. users.properties file contains user name and associated password entries, ex.:

me=password
tomee=tomee

groups.properties file specifies groups and their users, ex.:

my-role=me
manager-gui=tomee,me
tomee-admin=tomee

NOTE: users.properties and groups.properties file names and file location are fixed. If other names are used, the files must be placed in %CATALINA_BASE/lib/ folder instead.