I am configuring SPNEGO/Tomcat/SSO on Windows 7.
I don't understand what a Realm is and where it is configured!
From reading the following guides:
I understand a realm is a DB of users/passwords. This DB data can be taken from several places: DB, Active Directory, users.xml file, etc.
When configuring krb5.ini and jaas.config I need to provide a realm name. Where do I find this Realm name? On our Active Directory machine, no system admin ever created a Realm object, so how do I know what Realm name to enter in the configuration?
SPNEGO w/ SSO requires JAASRealm, so why do I need to set up Realm className="org.apache.catalina.realm.JNDIRealm in the server.xml?
Is JAASRealm a wrapper that uses JNDI in order to work with AD?
Thanks
> I understand a realm is a DB of users/passwords. This DB data can be taken from several places: DB, Active Directory, users.xml file, etc.

It is a service, not just a database. It can be implemented via an XML file, a JNDI interface, a JDBC interface, JAAS, several others.

> When configuring krb5.ini and jaas.config I need to provide a realm name. Where do I find this Realm name?

You configure it, in a Realm entry in either your context.xml file or, if you want it global across webapps, in server.xml. Then you refer to that name in the files you mention.

> On our Active Directory machine, no system admin ever created a Realm object,

Of course not. They don't exist in AD servers. You're looking in the wrong place.

> So how do I know what Realm name to enter in the configuration?

In this case you would use a JNDI or JAAS realm.

> SPNEGO w/ SSO requires JAASRealm

So there's your answer.

> So why do I need to set up Realm className="org.apache.catalina.realm.JNDIRealm in the server.xml?

You don't. You need to configure a JAAS realm, as you just said above. Unclear why you think a JNDI realm is required here.

> Is JAASRealm a wrapper that uses JNDI in order to work with AD?

You need to look some of these things up. JAAS is a service that can use any combination of login modules, including some you can write yourself. What they do is up to them, and to you if you write them. Too broad to answer here.
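In krb5.ini, and in the principal of a JAAS Krb5LoginModule entry, the realm is the Kerberos realm, which for Active Directory is the domain's DNS name in upper case. The check below is an added example, not part of the original post: it verifies that the two files agree on that name. The file contents, EXAMPLE.COM, the host names, the keytab path and the entry name spnego-server are constructed placeholders.

```python
import re

# Constructed sample files; every name and path in them is a placeholder.
KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
"""
JAAS_CONFIG = """\
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    principal="HTTP/web01.example.com@example.com"
    storeKey=true;
};
"""

def krb5_realms(text):
    """Return (default_realm, set of realm names declared under [realms])."""
    default, realms, section = None, set(), None
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and line.startswith("default_realm"):
            default = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):
            realms.add(line.split("=", 1)[0].strip())
    return default, realms

def check(krb5_text, jaas_text):
    """List mismatches between JAAS principals and the krb5.ini realms."""
    default, realms = krb5_realms(krb5_text)
    problems = []
    if default not in realms:
        problems.append(f"default_realm {default} has no [realms] entry")
    for principal in re.findall(r'principal\s*=\s*"([^"]+)"', jaas_text):
        _, sep, realm = principal.rpartition("@")
        realm = realm if sep else default  # no @REALM: default_realm applies
        if realm not in realms:
            hint = " (realm names are case-sensitive)" if realm.upper() in realms else ""
            problems.append(f"{principal}: realm {realm} not in krb5.ini{hint}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(KRB5_INI, JAAS_CONFIG)) or "realm names agree")
```

The sample principal uses a lower-case realm on purpose, so the check reports one mismatch until it is changed to match the krb5.ini entry.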