My previous blog, Running Kerberos Token Profile scenario with Metro, showed how to run Kerberos token based WS-Security scenarios on Glassfish. Here I show the small changes you need to make to run it on Tomcat. The steps essentially boil down to specifying the location of the JAAS login config file where the login modules for Kerberos are stored. Glassfish picks the login modules from $GLASSFISH_HOME/domains/domain1/config/login.conf; in Tomcat we need to specify the file explicitly using the java.security.auth.login.config system property.
Here are the complete steps:
KerberosClient {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true;
};
KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/krb5.keytab"
        doNotPrompt=true
        storeKey=true
        principal="websvc/service@INDIA.SUN.COM";
};
JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.conf"
-Djava.security.policy=${tomcat.home}/conf/catalina.policy
-Djava.security.auth.login.config=${tomcat.home}/conf/jaas.conf
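
A pre-flight check for the jaas.conf above, as an added example that is not part of the original post: it confirms that the file named by java.security.auth.login.config defines both login entries and that the KerberosServer keytab, which holds the service principal's long-term key, is not readable by group or other. The function names are hypothetical; pass the path to jaas.conf as the script's argument.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the names of the login entries defined in a JAAS config file.
jaas_entries() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]\{1,\}\)[[:space:]]*{.*$/\1/p' "$1"
}

# Print the keyTab path set inside entry $2 of file $1 (empty if none).
jaas_keytab() {
    awk -v entry="$2" '
        { line = $0; gsub(/[ \t]/, "", line) }
        index(line, entry "{") == 1 { inside = 1 }
        inside && match($0, /keyTab="[^"]*"/) {
            print substr($0, RSTART + 8, RLENGTH - 9); exit
        }
        inside && index(line, "};") { inside = 0 }
    ' "$1"
}

# Succeed only if the keytab exists and grants no group/other access.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Check the file passed via -Djava.security.auth.login.config.
check_jaas() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    for e in KerberosClient KerberosServer; do
        jaas_entries "$conf" | grep -qx "$e" ||
            { echo "missing entry $e"; return 3; }
    done
    kt=$(jaas_keytab "$conf" KerberosServer)
    [ -n "$kt" ] || { echo "KerberosServer has no keyTab"; return 4; }
    keytab_is_private "$kt" ||
        { echo "keytab $kt is missing or readable by group/other"; return 5; }
    echo "ok: $conf"
}

if [ $# -gt 0 ]; then check_jaas "$1"; fi
```

The keytab must still be readable by the account Tomcat runs as, so owner-only permissions imply that account owns the file.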