Click here to close now.

Welcome!

Java Authors: Pat Romanski, Ken Fogel, Liz McMillan, Elizabeth White, Carmen Gonzalez

Related Topics: Open Source, Java, SOA & WOA, Apache

Open Source: Article

Valve, JAAS and Filter in Tomcat

Their usages and relationships

Tomcat is a widely popular lightweight application server. When securing Tomcat web applications, Valve, JAAS and Filter are used in various scenarios. The challenges for developers are when to use each of these methods and how to integrate them together if more than one method is chosen. For example, the WebSeal agent discussed in the article [1] uses Valve. If a customer needs to integrate WebSeal and its own JAAS-based authentication module, they will need to know how to configure Tomcat to use both the WebSeal Agent Valve and the JAAS module and how to pass information between them.

In this article, we will explain the concepts of Valve, JAAS and Filter, and their relationships such as the order that they get called. Through an example application, we will explain how you can use them together and pass information among them for an authentication process. How to configure and run the example application using Tomcat 7 will also be discussed.

The Concepts
Valve

A Valve is a piece of Java code that can be inserted into the request processing pipeline. The Valve can be defined on a different scope such as Engine, Host and Context. Tomcat comes with a set of pre-built valves that can be found here [2]. However, developers can write their own Valve and participate in the processing of the Valve chain. The main requirements for a Valve are:

  • It needs to extend ValveBase
  • It needs to call getNext().invoke(request, response) to chain other Valves.

For example, Listing 1 is a simple Valve. (Listings 1 - 5 can be downloaded here.) That Valve also has a method that may call an external policy server to verify the user. It may retrieve the user information passed in as a token in the HTTP header field such as the one used in [1]. You can ignore the ThreadLocale part in the Listing 1, which will be discussed later.

JAAS
Java Authentication and Authorization Service (JAAS) [3] is a security framework that allows a user's program to participate in the authentication and authorization process. JAAS also serves as an integration point to allow different user-specific security implementations to be used. JAAS is supported in Tomcat through its JAASRealm interface [4].

When JAASRealm is used, a user will need to provide a login module and the appropriate configurations: a configuration file and a security configuration in the web.xml. Once it's configured properly, the login module will be called and managed by the Tomcat.

Listing 2 has a sample JAAS login module. This login module will use a callback to get the userid and password. It will check whether the password is the reverse of the userid. If the check succeeds, it will create a principal based on the username and assign the role "jvalve" to the principal.

Filter
A filter is part of the Java Servlet specification [5]. A filter can be inserted into the request processing pipeline. It will be executed before the servlet is called and invoked again when the servlet process is done. Multiple filters can be chained together and thus can be used as an integration point for different users who want to use the filter to accomplish certain cross-cutting functions. The main requirements for a filter are:

  • It needs to extend javax.servlet.Filter.
  • It needs to call chain.doFilter(request, response).

Listing 3 shows an example filter. This filter simply calculates the time used to complete the request.

The Relationships
All three technologies, Valve, JAAS and Filter, have the following commonalities:

  • Run before the servlet is invoked
  • Allow cross-cutting functions to be implemented.
  • Provide integration points to allow multiple Valves, login modules and filters to be defined by different users.
  • Provide a common place for implementing security features.

Even though JAAS is the official method for providing security implementations, Valve and filter have been used to implement securities frequently. Especially in the Tomcat case, it is relatively hard to get a Subject in the application code (JBoss has a SharedState, WebLogic and WebSphere all provide a static method to make the "Subject" available for the application code). Implementations may use Valve for the authentication and then set the authenticated principal on the request for the filter and application code to use.

However, it's also important to understand their differences especially if you want to use them together.

  • The order that they get invoked is as follows: Valve, JAAS module, Filter and then Servlet.
  • Valve and Filter have access to a request/response/session, etc. However, JAAS only has access to the shared state. It can interact with the Tomcat container to retrieve such things as security information, but can only do so through callbacks.

Because of the above differences, it becomes a challenge if you want to use all three of them together and pass information among them. Consider the following example. Tivilo WebSeal provides a Valve engine that will set an authenticated user on the request. Your company has been using the JAAS module for the additional authentication purpose. The JAAS module will want to retrieve that authenticated user from the Valve. Tomcat will not help in this case. In the next session, we'll discuss a ThreadLocale [6] solution to address this issue.

The Sample Application
The sample application uses the Valve, the JAAS login module and the filter in Listings 1, 2, and 3. However, we want to retrieve a key in the Valve and pass it to the JAAS login module. We will use the ThreadLocale to accomplish this. Listing 4 shows the ThreadLocale class.

In Listing 1, we have set the "key" to the ThreadLocale. In Listing 2 of the JAAS code, we have code to retrieve the "key" from the ThreadLocale (it is commented out). We define the value of the password as the reverse of the username plus the key (it's commented out in Listing 2 as well).

The web.xml, which protects the secured resource and defines the filter, is listed in Listing 5.

The JAAS login module can be defined in the following login.config file:

MyAccess {
com.sas.tcserver.SampleLoginModule required
debug=true;
};

This same ThreadLocale concept can be used if a user wants to pass information from the JAAS login module to the filter.

Issues with Tomcat 6
If you are using Tomcat 6 and plan to create a user principal at the Valve, the JAAS login module will not be called by Tomcat.

For example, you have the following code in your Valve's "invoke()" method:

GenericPrincipal genericprincipal = new
GenericPrincipal(request.getContext().getRealm(), "user", null,
arraylist
, null);
request.setUserPrincipal(genericprincipal);

This problem does not occur at Tomcat 7. It should note that the construct for GenericPrincipal has been changed from 6 to 7. In Tomcat 7, you will do:

GenericPrincipal genericprincipal = new
GenericPrincipal("user", null, arraylist, null);
request.setUserPrincipal(genericprincipal);

Configure and Run the Sample Application
The sample application is packaged into the following files: 1) A src folder, which contains all source code; 2) securityvalve.jar; 3) loginmodule war file, which includes the sampleloginmodule.jar and timerfilter.jar. The files can be downloaded from here.

To run the application, complete the following process:

  • Download and install Tomcat 7.
  • Unzip the downloaded file.
  • Copy securityvalve.jar into Tomcat lib directory
  • Copy loginmodule war (in exploded format) into Tomcat webapps directory
  • Add the following xml piece into Tomcat conf/server.xml file inside Services -> Engine -> Host:

<Context path="/loginmodule">
<Realm
className="org.apache.catalina.realm.JAASRealm           
appName="MyAccess"          
userClassNames="com.sas.tcserver.SampleUserPrincipal"        
roleClassNames="com.sas.tcserver.SampleRolePrincipal"/>

<Valve className="com.sas.tcserver.SecurityValve"
debugTrace="true"/>
</Context>

  • Create login.config file in Tomcat conf directory using the content in the previous section.
  • Update Tomcat startup command to add the following parameter:

-Djava.security.auth.login.config=%CATALINA_BASE%\conf\login.config

  • Start Tomcat
  • Access the application in Web browser using the following URL: http://localhost:8080/loginmodule/index.html. When prompted, type in "jvalve/velavjsas" as username/password, you should see the following output in the Tomcat console:

Security Valve: invoke
SampleLoginModule: initialize
SampleLoginModule - initialize - subject: Subject:

SampleLoginModule - initialize - sharedState: {}
SampleLoginModule: login
SampleUserPrincipal
SampleLoginModule: commit
SampleRolePrincipal
SampleLoginModule: commit successful
TimerFilter: Time to execute request: 2 milliseconds
Security Valve: exit invoke

In the above output, you may notice that the Valve works like filters but is called before and after JAAS and the filters. We use the password "velavjsas", which is the reverse of username "jvalve" plus the key that is passed from the Valve to the JAAS module using the ThreadLocale.

Conclusion
Valve, JAAS and Filter are common technologies in Tomcat. However, to configure and use them together requires a basic understanding of their relationships. This article explained the concepts and demonstrated their usages and relationships through a sample application. The sample application can be easily expanded and used in various authentication processes.

The concept discussed here can also be used in other Tomcat based application servers such as the VMware vFabric tc Server [7].

Resources

  1. How do I integrate SSO on Apache Tomcat
  2. Apache Tomcat 7: The Valve Component
  3. All that JAAS
  4. Tomcat Class JAASRealm
  5. The Essentials of Filters
  6. ThreadLocale
  7. VMware vFabric tc Server

More Stories By Zhiyong Li

Zhiyong Li is a senior manager of SAS Platform Division and the chair of the Java Technology Board at SAS institute. He started coding in Java in 1995 as a Sun’s development staff. He worked at IBM and iBiomatics as lead architect and developer for several enterprises Java applications. He holds a Ph.D from Computer Science Department of Duke University. He has published many papers in AI, parallel computation and program languages. He has also published several patents.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
One of the biggest impacts of the Internet of Things is and will continue to be on data; specifically data volume, management and usage. Companies are scrambling to adapt to this new and unpredictable data reality with legacy infrastructure that cannot handle the speed and volume of data. In his session at @ThingsExpo, Don DeLoach, CEO and president of Infobright, will discuss how companies need to rethink their data infrastructure to participate in the IoT, including: Data storage: Understanding the kinds of data: structured, unstructured, big/small? Analytics: What kinds and how responsiv...
Since 2008 and for the first time in history, more than half of humans live in urban areas, urging cities to become “smart.” Today, cities can leverage the wide availability of smartphones combined with new technologies such as Beacons or NFC to connect their urban furniture and environment to create citizen-first services that improve transportation, way-finding and information delivery. In her session at @ThingsExpo, Laetitia Gazel-Anthoine, CEO of Connecthings, will focus on successful use cases.
The Workspace-as-a-Service (WaaS) market will grow to $6.4B by 2018. In his session at 16th Cloud Expo, Seth Bostock, CEO of IndependenceIT, will begin by walking the audience through the evolution of Workspace as-a-Service, where it is now vs. where it going. To look beyond the desktop we must understand exactly what WaaS is, who the users are, and where it is going in the future. IT departments, ISVs and service providers must look to workflow and automation capabilities to adapt to growing demand and the rapidly changing workspace model.
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Hadoop as a Service (as offered by handful of niche vendors now) is a cloud computing solution that makes medium and large-scale data processing accessible, easy, fast and inexpensive. In his session at Big Data Expo, Kumar Ramamurthy, Vice President and Chief Technologist, EIM & Big Data, at Virtusa, will discuss how this is achieved by eliminating the operational challenges of running Hadoop, so one can focus on business growth. The fragmented Hadoop distribution world and various PaaS solutions that provide a Hadoop flavor either make choices for customers very flexible in the name of opti...
The true value of the Internet of Things (IoT) lies not just in the data, but through the services that protect the data, perform the analysis and present findings in a usable way. With many IoT elements rooted in traditional IT components, Big Data and IoT isn’t just a play for enterprise. In fact, the IoT presents SMBs with the prospect of launching entirely new activities and exploring innovative areas. CompTIA research identifies several areas where IoT is expected to have the greatest impact.
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness, and in-car entertainment and this excitement will bleed into other areas. On the commercial side, m...
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize supplier management. Learn about enterprise architecture strategies for designing connected systems tha...
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
Wearable devices have come of age. The primary applications of wearables so far have been "the Quantified Self" or the tracking of one's fitness and health status. We propose the evolution of wearables into social and emotional communication devices. Our BE(tm) sensor uses light to visualize the skin conductance response. Our sensors are very inexpensive and can be massively distributed to audiences or groups of any size, in order to gauge reactions to performances, video, or any kind of presentation. In her session at @ThingsExpo, Jocelyn Scheirer, CEO & Founder of Bionolux, will discuss ho...
The cloud is now a fact of life but generating recurring revenues that are driven by solutions and services on a consumption model have been hard to implement, until now. In their session at 16th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, will discuss how a top European telco has leveraged the innovative recurring revenue generating capability of the consumption cloud to enable a unique cloud monetization model to drive results.
Docker is an excellent platform for organizations interested in running microservices. It offers portability and consistency between development and production environments, quick provisioning times, and a simple way to isolate services. In his session at DevOps Summit at 16th Cloud Expo, Shannon Williams, co-founder of Rancher Labs, will walk through these and other benefits of using Docker to run microservices, and provide an overview of RancherOS, a minimalist distribution of Linux designed expressly to run Docker. He will also discuss Rancher, an orchestration and service discovery platf...
As organizations shift toward IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection &E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his session at 16th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Partnerships, will discuss how to cut costs, scale easily, and unleash insight with CommVault Simpana software, the only si...
Analytics is the foundation of smart data and now, with the ability to run Hadoop directly on smart storage systems like Cloudian HyperStore, enterprises will gain huge business advantages in terms of scalability, efficiency and cost savings as they move closer to realizing the potential of the Internet of Things. In his session at 16th Cloud Expo, Paul Turner, technology evangelist and CMO at Cloudian, Inc., will discuss the revolutionary notion that the storage world is transitioning from mere Big Data to smart data. He will argue that today’s hybrid cloud storage solutions, with commodity...
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.