| By Zhiyong Li | Article Rating: |
|
| August 14, 2011 06:15 AM EDT | Reads: |
3,186 |
Tomcat is a widely popular lightweight application server. When securing Tomcat web applications, Valve, JAAS and Filter are used in various scenarios. The challenges for developers are when to use each of these methods and how to integrate them together if more than one method is chosen. For example, the WebSeal agent discussed in the article [1] uses Valve. If a customer needs to integrate WebSeal and its own JAAS-based authentication module, they will need to know how to configure Tomcat to use both the WebSeal Agent Valve and the JAAS module and how to pass information between them.
In this article, we will explain the concepts of Valve, JAAS and Filter, and their relationships such as the order that they get called. Through an example application, we will explain how you can use them together and pass information among them for an authentication process. How to configure and run the example application using Tomcat 7 will also be discussed.
The Concepts
Valve
A Valve is a piece of Java code that can be inserted into the request processing pipeline. The Valve can be defined on a different scope such as Engine, Host and Context. Tomcat comes with a set of pre-built valves that can be found here [2]. However, developers can write their own Valve and participate in the processing of the Valve chain. The main requirements for a Valve are:
- It needs to extend ValveBase
- It needs to call getNext().invoke(request, response) to chain other Valves.
For example, Listing 1 is a simple Valve. (Listings 1 - 5 can be downloaded here.) That Valve also has a method that may call an external policy server to verify the user. It may retrieve the user information passed in as a token in the HTTP header field such as the one used in [1]. You can ignore the ThreadLocale part in the Listing 1, which will be discussed later.

JAAS
Java Authentication and Authorization Service (JAAS) [3] is a security framework that allows a user's program to participate in the authentication and authorization process. JAAS also serves as an integration point to allow different user-specific security implementations to be used. JAAS is supported in Tomcat through its JAASRealm interface [4].
When JAASRealm is used, a user will need to provide a login module and the appropriate configurations: a configuration file and a security configuration in the web.xml. Once it's configured properly, the login module will be called and managed by the Tomcat.
Listing 2 has a sample JAAS login module. This login module will use a callback to get the userid and password. It will check whether the password is the reverse of the userid. If the check succeeds, it will create a principal based on the username and assign the role "jvalve" to the principal.
Filter
A filter is part of the Java Servlet specification [5]. A filter can be inserted into the request processing pipeline. It will be executed before the servlet is called and invoked again when the servlet process is done. Multiple filters can be chained together and thus can be used as an integration point for different users who want to use the filter to accomplish certain cross-cutting functions. The main requirements for a filter are:
- It needs to extend javax.servlet.Filter.
- It needs to call chain.doFilter(request, response).
Listing 3 shows an example filter. This filter simply calculates the time used to complete the request.
The Relationships
All three technologies, Valve, JAAS and Filter, have the following commonalities:
- Run before the servlet is invoked
- Allow cross-cutting functions to be implemented.
- Provide integration points to allow multiple Valves, login modules and filters to be defined by different users.
- Provide a common place for implementing security features.
Even though JAAS is the official method for providing security implementations, Valve and filter have been used to implement securities frequently. Especially in the Tomcat case, it is relatively hard to get a Subject in the application code (JBoss has a SharedState, WebLogic and WebSphere all provide a static method to make the "Subject" available for the application code). Implementations may use Valve for the authentication and then set the authenticated principal on the request for the filter and application code to use.
However, it's also important to understand their differences especially if you want to use them together.
- The order that they get invoked is as follows: Valve, JAAS module, Filter and then Servlet.
- Valve and Filter have access to a request/response/session, etc. However, JAAS only has access to the shared state. It can interact with the Tomcat container to retrieve such things as security information, but can only do so through callbacks.
Because of the above differences, it becomes a challenge if you want to use all three of them together and pass information among them. Consider the following example. Tivilo WebSeal provides a Valve engine that will set an authenticated user on the request. Your company has been using the JAAS module for the additional authentication purpose. The JAAS module will want to retrieve that authenticated user from the Valve. Tomcat will not help in this case. In the next session, we'll discuss a ThreadLocale [6] solution to address this issue.
The Sample Application
The sample application uses the Valve, the JAAS login module and the filter in Listings 1, 2, and 3. However, we want to retrieve a key in the Valve and pass it to the JAAS login module. We will use the ThreadLocale to accomplish this. Listing 4 shows the ThreadLocale class.
In Listing 1, we have set the "key" to the ThreadLocale. In Listing 2 of the JAAS code, we have code to retrieve the "key" from the ThreadLocale (it is commented out). We define the value of the password as the reverse of the username plus the key (it's commented out in Listing 2 as well).
The web.xml, which protects the secured resource and defines the filter, is listed in Listing 5.
The JAAS login module can be defined in the following login.config file:
MyAccess {
com.sas.tcserver.SampleLoginModule required
debug=true;
};
This same ThreadLocale concept can be used if a user wants to pass information from the JAAS login module to the filter.
Issues with Tomcat 6
If you are using Tomcat 6 and plan to create a user principal at the Valve, the JAAS login module will not be called by Tomcat.
For example, you have the following code in your Valve's "invoke()" method:
GenericPrincipal genericprincipal = new
GenericPrincipal(request.getContext().getRealm(), "user", null,
arraylist, null);
request.setUserPrincipal(genericprincipal);
This problem does not occur at Tomcat 7. It should note that the construct for GenericPrincipal has been changed from 6 to 7. In Tomcat 7, you will do:
GenericPrincipal genericprincipal = new
GenericPrincipal("user", null, arraylist, null);
request.setUserPrincipal(genericprincipal);
Configure and Run the Sample Application
The sample application is packaged into the following files: 1) A src folder, which contains all source code; 2) securityvalve.jar; 3) loginmodule war file, which includes the sampleloginmodule.jar and timerfilter.jar. The files can be downloaded from here.
To run the application, complete the following process:
- Download and install Tomcat 7.
- Unzip the downloaded file.
- Copy securityvalve.jar into Tomcat lib directory
- Copy loginmodule war (in exploded format) into Tomcat webapps directory
- Add the following xml piece into Tomcat conf/server.xml file inside Services -> Engine -> Host:
<Context path="/loginmodule">
<Realm
className="org.apache.catalina.realm.JAASRealm
appName="MyAccess"
userClassNames="com.sas.tcserver.SampleUserPrincipal"
roleClassNames="com.sas.tcserver.SampleRolePrincipal"/>
<Valve className="com.sas.tcserver.SecurityValve"debugTrace="true"/>
</Context>
- Create login.config file in Tomcat conf directory using the content in the previous section.
- Update Tomcat startup command to add the following parameter:
-Djava.security.auth.login.config=%CATALINA_BASE%\conf\login.config
- Start Tomcat
- Access the application in Web browser using the following URL: http://localhost:8080/loginmodule/index.html. When prompted, type in "jvalve/velavjsas" as username/password, you should see the following output in the Tomcat console:
Security Valve: invoke
SampleLoginModule: initialize
SampleLoginModule - initialize - subject: Subject:
SampleLoginModule - initialize - sharedState: {}
SampleLoginModule: login
SampleUserPrincipal
SampleLoginModule: commit
SampleRolePrincipal
SampleLoginModule: commit successful
TimerFilter: Time to execute request: 2 milliseconds
Security Valve: exit invoke
In the above output, you may notice that the Valve works like filters but is called before and after JAAS and the filters. We use the password "velavjsas", which is the reverse of username "jvalve" plus the key that is passed from the Valve to the JAAS module using the ThreadLocale.
Conclusion
Valve, JAAS and Filter are common technologies in Tomcat. However, to configure and use them together requires a basic understanding of their relationships. This article explained the concepts and demonstrated their usages and relationships through a sample application. The sample application can be easily expanded and used in various authentication processes.
The concept discussed here can also be used in other Tomcat based application servers such as the VMware vFabric tc Server [7].
Resources
Published August 14, 2011 Reads 3,186
Copyright © 2011 Ulitzer, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Zhiyong Li
Zhiyong Li is a senior manager of SAS Platform Division and the chair of the Java Technology Board at SAS institute. He started coding in Java in 1995 as a Sun’s development staff. He worked at IBM and iBiomatics as lead architect and developer for several enterprises Java applications. He holds a Ph.D from Computer Science Department of Duke University. He has published many papers in AI, parallel computation and program languages. He has also published several patents.
- The History of Programming
- Sun Burns Oracle
- It's the Java vs. C++ Shootout Revisited!
- Oracle Wants Billions from Google Suit
- Valve, JAAS and Filter in Tomcat
- ActiveJDBC: New Java ORM
- Oracle Wants $2.6 Billion in Damages from Google
- How Bad Outdated JavaScript Libraries Are for Page Load Time
- Externalizing Fine-Grained Authorization from Applications
- Why Response Times Are Often Measured Incorrectly
- After Five-Year Drought, Java SE7 Is Here
- IBM CEO Seeks Heir
- Cloud Economics – Amazon, Microsoft, Google Compared
- Driving Java Innovation in the Cloud at Cloud Expo 2011 New York
- The History of Programming
- How Garbage Collection Differs in the Three Big JVMs
- Thirty Tips to Optimize HTML/CSS/Images for Smooth Web Experience
- Sun Burns Oracle
- It's the Java vs. C++ Shootout Revisited!
- Sun Settles Eolas’ Java Claims
- Oracle Wants Billions from Google Suit
- Three Tips to Successfully Load Test Adobe Flex Applications
- Valve, JAAS and Filter in Tomcat
- Developers Should Learn Why, Not Just Memorize What
- Secrets Of The Masters: Core Java Job Interview Questions
- A Cup of AJAX? Nay, Just Regular Java Please
- SYS-CON Announces Readers' Choice Awards for SOA, Java, Linux, .NET, MX, ColdFusion, and XML Technologies
- Java Developer's Journal Exclusive: 2006 "JDJ Editors' Choice" Awards
- Rich Internet Applications with Adobe Flex 2 and Java
- Java vs C++ "Shootout" Revisited
- Reporting Made Easy with JasperReports and Hibernate
- Why Do 'Cool Kids' Choose Ruby or PHP to Build Websites Instead of Java?
- What's New in Eclipse?
- How and Why AJAX, Not Java, Became the Favored Technology for Rich Internet Applications
- Java Basics: Lesson 11, Java Packages and Imports (Live Video Education)
- Cover Story: What Is POJO Programming?


































Ulitzer content is offered under Creative Commons "Attribution Non-Commercial No Derivatives" License.
For any reuse or distribution, you must make clear to others the license terms of this work.
The best way to do this is with a link to this web page.
Any of the above conditions can be waived if you get written permission from Ulitzer, Inc., the copyright holder.
Nothing in this license impairs or restricts the author's moral rights.