Welcome!

Java IoT Authors: Elizabeth White, Pat Romanski, Liz McMillan, Yeshim Deniz, Zakia Bouachraoui

Related Topics: Open Source Cloud, Java IoT, Microservices Expo, Apache

Open Source Cloud: Article

Valve, JAAS and Filter in Tomcat

Their usages and relationships

Tomcat is a widely popular lightweight application server. When securing Tomcat web applications, Valve, JAAS and Filter are used in various scenarios. The challenges for developers are when to use each of these methods and how to integrate them together if more than one method is chosen. For example, the WebSeal agent discussed in the article [1] uses Valve. If a customer needs to integrate WebSeal and its own JAAS-based authentication module, they will need to know how to configure Tomcat to use both the WebSeal Agent Valve and the JAAS module and how to pass information between them.

In this article, we will explain the concepts of Valve, JAAS and Filter, and their relationships such as the order that they get called. Through an example application, we will explain how you can use them together and pass information among them for an authentication process. How to configure and run the example application using Tomcat 7 will also be discussed.

The Concepts
Valve

A Valve is a piece of Java code that can be inserted into the request processing pipeline. The Valve can be defined on a different scope such as Engine, Host and Context. Tomcat comes with a set of pre-built valves that can be found here [2]. However, developers can write their own Valve and participate in the processing of the Valve chain. The main requirements for a Valve are:

  • It needs to extend ValveBase
  • It needs to call getNext().invoke(request, response) to chain other Valves.

For example, Listing 1 is a simple Valve. (Listings 1 - 5 can be downloaded here.) That Valve also has a method that may call an external policy server to verify the user. It may retrieve the user information passed in as a token in the HTTP header field such as the one used in [1]. You can ignore the ThreadLocale part in the Listing 1, which will be discussed later.

JAAS
Java Authentication and Authorization Service (JAAS) [3] is a security framework that allows a user's program to participate in the authentication and authorization process. JAAS also serves as an integration point to allow different user-specific security implementations to be used. JAAS is supported in Tomcat through its JAASRealm interface [4].

When JAASRealm is used, a user will need to provide a login module and the appropriate configurations: a configuration file and a security configuration in the web.xml. Once it's configured properly, the login module will be called and managed by the Tomcat.

Listing 2 has a sample JAAS login module. This login module will use a callback to get the userid and password. It will check whether the password is the reverse of the userid. If the check succeeds, it will create a principal based on the username and assign the role "jvalve" to the principal.

Filter
A filter is part of the Java Servlet specification [5]. A filter can be inserted into the request processing pipeline. It will be executed before the servlet is called and invoked again when the servlet process is done. Multiple filters can be chained together and thus can be used as an integration point for different users who want to use the filter to accomplish certain cross-cutting functions. The main requirements for a filter are:

  • It needs to extend javax.servlet.Filter.
  • It needs to call chain.doFilter(request, response).

Listing 3 shows an example filter. This filter simply calculates the time used to complete the request.

The Relationships
All three technologies, Valve, JAAS and Filter, have the following commonalities:

  • Run before the servlet is invoked
  • Allow cross-cutting functions to be implemented.
  • Provide integration points to allow multiple Valves, login modules and filters to be defined by different users.
  • Provide a common place for implementing security features.

Even though JAAS is the official method for providing security implementations, Valve and filter have been used to implement securities frequently. Especially in the Tomcat case, it is relatively hard to get a Subject in the application code (JBoss has a SharedState, WebLogic and WebSphere all provide a static method to make the "Subject" available for the application code). Implementations may use Valve for the authentication and then set the authenticated principal on the request for the filter and application code to use.

However, it's also important to understand their differences especially if you want to use them together.

  • The order that they get invoked is as follows: Valve, JAAS module, Filter and then Servlet.
  • Valve and Filter have access to a request/response/session, etc. However, JAAS only has access to the shared state. It can interact with the Tomcat container to retrieve such things as security information, but can only do so through callbacks.

Because of the above differences, it becomes a challenge if you want to use all three of them together and pass information among them. Consider the following example. Tivilo WebSeal provides a Valve engine that will set an authenticated user on the request. Your company has been using the JAAS module for the additional authentication purpose. The JAAS module will want to retrieve that authenticated user from the Valve. Tomcat will not help in this case. In the next session, we'll discuss a ThreadLocale [6] solution to address this issue.

The Sample Application
The sample application uses the Valve, the JAAS login module and the filter in Listings 1, 2, and 3. However, we want to retrieve a key in the Valve and pass it to the JAAS login module. We will use the ThreadLocale to accomplish this. Listing 4 shows the ThreadLocale class.

In Listing 1, we have set the "key" to the ThreadLocale. In Listing 2 of the JAAS code, we have code to retrieve the "key" from the ThreadLocale (it is commented out). We define the value of the password as the reverse of the username plus the key (it's commented out in Listing 2 as well).

The web.xml, which protects the secured resource and defines the filter, is listed in Listing 5.

The JAAS login module can be defined in the following login.config file:

MyAccess {
com.sas.tcserver.SampleLoginModule required
debug=true;
};

This same ThreadLocale concept can be used if a user wants to pass information from the JAAS login module to the filter.

Issues with Tomcat 6
If you are using Tomcat 6 and plan to create a user principal at the Valve, the JAAS login module will not be called by Tomcat.

For example, you have the following code in your Valve's "invoke()" method:

GenericPrincipal genericprincipal = new
GenericPrincipal(request.getContext().getRealm(), "user", null,
arraylist
, null);
request.setUserPrincipal(genericprincipal);

This problem does not occur at Tomcat 7. It should note that the construct for GenericPrincipal has been changed from 6 to 7. In Tomcat 7, you will do:

GenericPrincipal genericprincipal = new
GenericPrincipal("user", null, arraylist, null);
request.setUserPrincipal(genericprincipal);

Configure and Run the Sample Application
The sample application is packaged into the following files: 1) A src folder, which contains all source code; 2) securityvalve.jar; 3) loginmodule war file, which includes the sampleloginmodule.jar and timerfilter.jar. The files can be downloaded from here.

To run the application, complete the following process:

  • Download and install Tomcat 7.
  • Unzip the downloaded file.
  • Copy securityvalve.jar into Tomcat lib directory
  • Copy loginmodule war (in exploded format) into Tomcat webapps directory
  • Add the following xml piece into Tomcat conf/server.xml file inside Services -> Engine -> Host:

<Context path="/loginmodule">
<Realm
className="org.apache.catalina.realm.JAASRealm           
appName="MyAccess"          
userClassNames="com.sas.tcserver.SampleUserPrincipal"        
roleClassNames="com.sas.tcserver.SampleRolePrincipal"/>

<Valve className="com.sas.tcserver.SecurityValve"
debugTrace="true"/>
</Context>

  • Create login.config file in Tomcat conf directory using the content in the previous section.
  • Update Tomcat startup command to add the following parameter:

-Djava.security.auth.login.config=%CATALINA_BASE%\conf\login.config

  • Start Tomcat
  • Access the application in Web browser using the following URL: http://localhost:8080/loginmodule/index.html. When prompted, type in "jvalve/velavjsas" as username/password, you should see the following output in the Tomcat console:

Security Valve: invoke
SampleLoginModule: initialize
SampleLoginModule - initialize - subject: Subject:

SampleLoginModule - initialize - sharedState: {}
SampleLoginModule: login
SampleUserPrincipal
SampleLoginModule: commit
SampleRolePrincipal
SampleLoginModule: commit successful
TimerFilter: Time to execute request: 2 milliseconds
Security Valve: exit invoke

In the above output, you may notice that the Valve works like filters but is called before and after JAAS and the filters. We use the password "velavjsas", which is the reverse of username "jvalve" plus the key that is passed from the Valve to the JAAS module using the ThreadLocale.

Conclusion
Valve, JAAS and Filter are common technologies in Tomcat. However, to configure and use them together requires a basic understanding of their relationships. This article explained the concepts and demonstrated their usages and relationships through a sample application. The sample application can be easily expanded and used in various authentication processes.

The concept discussed here can also be used in other Tomcat based application servers such as the VMware vFabric tc Server [7].

Resources

  1. How do I integrate SSO on Apache Tomcat
  2. Apache Tomcat 7: The Valve Component
  3. All that JAAS
  4. Tomcat Class JAASRealm
  5. The Essentials of Filters
  6. ThreadLocale
  7. VMware vFabric tc Server

More Stories By Zhiyong Li

Zhiyong Li is a senior manager of SAS Platform Division and the chair of the Java Technology Board at SAS institute. He started coding in Java in 1995 as a Sun’s development staff. He worked at IBM and iBiomatics as lead architect and developer for several enterprises Java applications. He holds a Ph.D from Computer Science Department of Duke University. He has published many papers in AI, parallel computation and program languages. He has also published several patents.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER gives detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPOalso offers sp...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...