jkniv-jaas-tomcat implements a hybrid realm (LDAP and/or JDBC backed) for the Java Authentication and Authorization Service (JAAS) authentication and authorization model on the Tomcat server.
Maven users will need to add the following dependency to their pom.xml for this component:
<dependency>
    <groupId>net.sf.jkniv</groupId>
    <artifactId>jkniv-jaas-tomcat</artifactId>
    <version>0.3.1</version>
</dependency>
Copy jkniv-jaas-tomcat.jar into Tomcat's shared library directory, tomcat-install/lib, so that the login module is on the class path of the container-level JAASRealm (a jar placed only inside a web application's WEB-INF/lib is not visible to a Realm declared in server.xml).
Create a new file tomcat-install/conf/login.conf to configure the hybridRealm. The entry name hybridRealm must be the same value as the appName attribute of the <Realm appName="hybridRealm" ...> element in server.xml; that is how the JAASRealm selects which login.conf entry to use.
hybridRealm {
    net.sf.jkniv.jaas.tomcat.HybridLoginModule required
        authe-ldap=false
        authe-jdbc=true
        datasource-jndi="java:/comp/env/jdbc/myDataSource"
        user-table=AUTH_USER
        user-name-column=USERNAME
        user-password-column=PASSWD
        group-table=AUTH_GROUP
        group-name-column=GROUP_ID
        group-table-user-name-column=USERNAME
        assign-groups=auth;
};
Note: the JAAS configuration parser reads login.conf with a StreamTokenizer in which a slash begins a comment that runs to the end of the line (// and /* */ comments are also recognised), and characters such as ':' are not part of a word. An unquoted JNDI name like java:/comp/env/jdbc/myDataSource therefore fails to parse. Put the value between double quotes, "java:/comp/env/jdbc/myDataSource", as shown above. The same applies to any option value containing '/', ':' or spaces. Also note that the ';' after the last option terminates the login module entry, so it must not be omitted.
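To make the quoting rule concrete, here is a small login.conf parser that mirrors the tokenizer rules the JDK uses for this file. This is an added example, not code from jkniv-jaas-tomcat or the JDK: it models '/' as a comment start, double and single quotes as string delimiters, and letters, digits, '.', '$', '_', '-' and '*' as the only word characters; numeric literals and ${system.property} expansion are not modelled. The sample configuration embedded in it is the hybridRealm entry from this page, constructed inline so the script runs offline.

```python
"""Minimal parser for JAAS login.conf files (added example, not project code).

Mirrors the tokenizer rules of the JDK's JAAS ConfigFile reader: '/' starts a
comment that runs to end of line (/* */ block comments too), '"' and '\\''
delimit strings, and only letters, digits, '.', '$', '_', '-' and '*' are
word characters. Every other character (':' included) is a one-char token.
"""

WORD_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.$_-*"
)
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: the hybridRealm entry from the page, JNDI name quoted.
QUOTED_CONF = """
hybridRealm {
    net.sf.jkniv.jaas.tomcat.HybridLoginModule required
        authe-ldap=false
        authe-jdbc=true
        datasource-jndi="java:/comp/env/jdbc/myDataSource"
        user-table=AUTH_USER
        user-name-column =USERNAME
        user-password-column =PASSWD
        group-table =AUTH_GROUP
        group-name-column =GROUP_ID
        group-table-user-name-column=USERNAME
        assign-groups=auth;
};
"""
# Same entry with the quotes stripped: ':' is not a word character and the
# '/' right after it opens a comment, so the value is cut off at "java".
UNQUOTED_CONF = QUOTED_CONF.replace('"', "")


def tokenize(text):
    """Split text into ('word' | 'quoted' | 'char', value) tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "/":
            if text.startswith("/*", i):          # block comment
                end = text.find("*/", i + 2)
                i = n if end < 0 else end + 2
            else:                                 # '/' or '//': skip the line
                end = text.find("\n", i)
                i = n if end < 0 else end
        elif c in ('"', "'"):
            end = text.find(c, i + 1)
            if end < 0:
                raise ValueError("unterminated quoted string")
            tokens.append(("quoted", text[i + 1:end]))
            i = end + 1
        elif c in WORD_CHARS:
            j = i
            while j < n and text[j] in WORD_CHARS:
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
        else:
            tokens.append(("char", c))            # { } ; = : and so on
            i += 1
    return tokens


def parse_login_conf(text):
    """Return {app_name: [(module_class, control_flag, {option: value}), ...]}."""
    toks = tokenize(text)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else (None, None)

    def take(kind, value=None):
        nonlocal pos
        k, v = peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind!r}, found {v!r}")
        pos += 1
        return v

    config = {}
    while pos < len(toks):
        app = take("word")
        take("char", "{")
        entries = []
        while peek() != ("char", "}"):
            module = take("word")
            flag = take("word").lower()          # flags are case-insensitive
            if flag not in CONTROL_FLAGS:
                raise ValueError(f"bad control flag {flag!r} for {module}")
            options = {}
            while peek() != ("char", ";"):       # ';' closes the module entry
                key = take("word")
                take("char", "=")
                kind, val = peek()
                if kind not in ("word", "quoted"):
                    raise ValueError(f"expected option value, found {val!r}")
                options[key] = val
                pos += 1
            take("char", ";")
            entries.append((module, flag, options))
        take("char", "}")
        take("char", ";")
        config[app] = entries
    return config


def parses(text):
    """True if text is a well-formed login.conf under these rules."""
    try:
        parse_login_conf(text)
        return True
    except ValueError:
        return False
```

Running parse_login_conf(QUOTED_CONF) yields the module class, the required flag and the full JNDI name; parses(UNQUOTED_CONF) is False because the parser reaches the ':' where it expects the next option key, which is the same class of failure the JDK reports as a configuration error at that line.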
<Engine defaultHost="localhost" name="Catalina">
...
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="hybridRealm"
userClassNames="net.sf.jkniv.jaas.tomcat.UserPrincipal"
roleClassNames="net.sf.jkniv.jaas.tomcat.RolePrincipal">
</Realm>
</Engine>
Modify the web.xml of your application to use FORM login with a security constraint that requires the auth role (the same role assigned by assign-groups above). The <realm-name> in web.xml is only a label used by the container; the Realm that actually authenticates is the JAASRealm declared in server.xml. The example on this page uses acme-realm as the label, protects the application with a constraint named "Any user authenticated", and leaves /api/* open with a constraint named "Exclude from Security":
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Any user authenticated</web-resource-name>
        <url-pattern><!-- URLs to protect --></url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>auth</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>acme-realm</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Exclude from Security</web-resource-name>
        <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <role-name>auth</role-name>
</security-role>
Note: a security-constraint with no auth-constraint, as in "Exclude from Security", means that everything under /api/* is served without authentication. Use such an exclusion only for endpoints that are meant to be public, and make sure the protected URL pattern covers the login page's form target (j_security_check is handled by the container).
Set up Tomcat to find tomcat-install/conf/login.conf by passing its location to the JVM, for instance through JAVA_OPTS (on Tomcat this is usually placed in $CATALINA_BASE/bin/setenv.sh): JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_BASE/conf/login.conf"
Note: the double equals sign is intentional. With "==" the given file becomes the only JAAS configuration, ignoring any login.config.url.n entries in the JRE's java.security file; with a single "=" the file is loaded in addition to them.
Start Tomcat (run, Forrest, run).
Note: if you want Single Sign On across the web applications of a host (one login shared by all of them), you must uncomment the <Valve> element in tomcat-install/conf/server.xml:
<Host name="localhost" ...>
    ...
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
    ...
</Host>