Integrating with Tomcat

Introduction

Ceptor is an entire security solution that protects portals and application servers, regardless of the communication type used, be it JSP, Servlets, EJB or other type of communication. Ceptor can provide Authentication and Authorization checking on all resources, as well as provide secure communication clients and servers.
Any number of web servers, application servers or other types of servers can be integrated, and used to create personalized content and session sharing between all applications, so users experience single signon with access (depending on authorization of course) to all applications available in your portal.
This document describes how to integrate Ceptor with the Tomcat Application Server.

Installation

In the Ceptor distribution, you can find the required .jar files in samples/integration/tomcat. To install the Tomcat Realm, copy CeptorTomcat_6.jar or CeptorTomcat_7.jar (depending on your Tomcat version) to your Tomcat lib directory, along with CeptorAgent.jar, slf4j-api-*.jar and an implementation of slf4j, e.g. logback-core-*.jar and logback-classic-*.jar, all of which are required by the Ceptor Agent.
You will also need a configuration for the logging framework, e.g. logback.xml – see the Ceptor Distribution for examples you can copy from.
Then you need to change conf/server.xml and add the following:

<Valve className="dk.itp.portalprotect.tomcat.valves.SessionIDValve"/>
<Realm className="dk.itp.portalprotect.tomcat.realm.PPRealm"/>


This tells Tomcat to load the Ceptor security realm, and the SessionIDValve ensures that the realm has access to the session ID from the cookie in the request.
To configure the Ceptor Agent, you will also need to either set the system properties portalprotect.server.name (or server.name) to the name of the server and portalprotect.config.servers (or config.servers) to the list of configuration servers, or provide a ptservers.properties file on the classpath containing these properties.

Example:
set CATALINA_OPTS=-Dportalprotect.server.name=webserver1 -Dportalprotect.config.servers=localhost:21233

Webapp Configuration

For the user principal and groups to be available within tomcat, you will need to protect access to your webapp.
This is an example of how to configure web.xml to do just that.

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>Welcome to Tomcat</display-name>
  <description>
    Welcome to Tomcat
  </description>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Default constraint</web-resource-name>
      <description>Default security constraints</description>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Default constraint</description>
      <role-name>pp_everyone</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <description>All users going through PP</description>
    <role-name>pp_everyone</role-name>
  </security-role>
</web-app>



This is all you need to be able to use J2EE security from within your webapp – the following is an example you can add to a .jsp page to try it out:

Current user: <%=request.getRemoteUser() %><br/>
Auth type: <%=request.getAuthType() %><br/>
Has role pp_everyone: <%=request.isUserInRole("pp_everyone") %><br/>
Has role pp_identifiedusers: <%=request.isUserInRole("pp_identifiedusers") %><br/>
Has role pp_anonymous: <%=request.isUserInRole("pp_anonymous") %><br/>


You do not need to add all the roles you are checking against in your webapp to <security-role> tags in the web.xml.
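One caveat on the web.xml above: a security-constraint that lists http-method elements applies only to those methods, so with just GET and POST listed Tomcat does not consult the realm for HEAD, PUT, DELETE, OPTIONS or any other method. The fragment below is an added example, not part of the Ceptor distribution: it keeps the pp_everyone constraint but omits http-method so every method is covered, and adds a constraint requiring pp_identifiedusers (the role name used in the JSP sample above) for an assumed /secure/* path.

```xml
<!-- Added example, not from the Ceptor distribution. Replaces the
     <security-constraint> in the web.xml above. -->

<!-- No <http-method> elements: the constraint covers every HTTP method,
     so the Ceptor realm is consulted for all requests to the webapp. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All methods, all paths</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>pp_everyone</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumed path /secure/*: require the pp_identifiedusers role seen in the
     JSP sample, so anonymous users are rejected with 403 there. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Identified users only</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>pp_identifiedusers</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <description>All users going through PP</description>
  <role-name>pp_everyone</role-name>
</security-role>
```

When several constraints match a request, Tomcat applies the most specific url-pattern, so /secure/* is governed by the pp_identifiedusers constraint while the rest of the webapp still only requires pp_everyone.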


© Ceptor ApS. All Rights Reserved.