Bug 43392

Summary: Tomcat6 JAASRealm ignores useContextClassLoader in parseClassNames
Product: Tomcat 6
Reporter: David <computabloke>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED DUPLICATE
Severity: regression
Priority: P2
Version: 6.0.14
Target Milestone: default
Hardware: PC
OS: All
URL: http://support.liferay.com/browse/LEP-2995;jsessionid=C72F970D8B99F4BD60185FB0A1567A8F

Description David 2007-09-13 21:34:49 UTC
Issue when specifying custom User/Role security principal classes in a JAASRealm
element within a /META-INF/context.xml of a war. Tomcat 6 should obey the
useContextClassLoader configuration of the JAASRealm when parsing the user/role
classNames.

<Realm
className="org.apache.catalina.realm.JAASRealm"
appName="PortalRealm"
userClassNames="com.liferay.portal.security.jaas.PortalPrincipal"
roleClassNames="com.liferay.portal.security.jaas.PortalRole"
debug="99"
useContextClassLoader="false"
/>

Upon server startup, the Tomcat 6.0.14 JAASRealm attempts to load the
userClassNames and roleClassNames in parseClassNames with Class.forName(), and
since these classes reside only in the webapp context (/WEB-INF/lib/) they are
not found on the classpath, which causes the following output in the Tomcat
console upon startup:
         SEVERE: Class com.liferay.portal.security.jaas.PortalPrincipal not found! Class not added.
         SEVERE: Class com.liferay.portal.security.jaas.PortalRole not found! Class not added.

Tomcat 5.5.x did not report these failures, because it did not attempt to
perform a Class.forName() lookup. Instead, it only saved the userClassNames and
roleClassNames in a java.util.List object.

Comment 1 David 2007-09-13 21:45:36 UTC
Sorry, I meant the issue occurs when using useContextClassLoader="true" in the
original report (which is the default according to
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm).

As a temporary work-around for this issue you can:
1. Move your classes to the Tomcat shared /lib directory.
2. Since all principals must implement java.security.Principal, and the first
principal 'must' be the user principal, you can just use the base class:
<Realm
className="org.apache.catalina.realm.JAASRealm"
appName="PortalRealm"
userClassNames="java.security.Principal"
debug="99"
useContextClassLoader="true"
/>

Comment 2 Kurt Zettel 2007-10-05 14:24:15 UTC
I think this was caused by the changes for bug 40150.

Comment 3 Noah Levitt 2007-12-15 14:55:14 UTC
Just noticed this bug report. I put up a patch at bug 44084, would be cool if
you could try it.

The logic also seemed to be backwards to me. I assume useContextClassLoader
means to use Thread.currentThread().getContextClassLoader(), which is the
webapp's class loader, and useContextClassLoader="false" means the servlet class
loader, which is retrieved by getClass().getClassLoader() from the JAASRealm.
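
Added example, not part of the original thread and not Tomcat's code or the patch in bug 44084: a standalone Java program showing why a class that is visible only to the webapp loader cannot be found through the loader that defined the realm, but can be found through the thread context class loader. The class name demo.WebappPrincipal, the helper resolve() and the temp directory standing in for /WEB-INF/classes are hypothetical; the flag semantics follow the reading given in Comment 3, and a JDK 11 or later is assumed.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Principal;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

public class RealmClassLoaderDemo {
    // Constructed stand-in for a principal class that exists only inside the webapp.
    static final String NAME = "demo.WebappPrincipal";
    static final String SOURCE = "package demo; public class WebappPrincipal"
        + " implements java.security.Principal { public String getName() { return \"demo\"; } }";

    // Hypothetical helper: resolve a configured class name with the loader the flag selects.
    static Class<?> resolve(String name, boolean useContextClassLoader) throws ClassNotFoundException {
        ClassLoader loader = useContextClassLoader
            ? Thread.currentThread().getContextClassLoader()   // webapp loader
            : RealmClassLoaderDemo.class.getClassLoader();      // loader that defined the realm
        Class<?> c = Class.forName(name, false, loader);        // no static initializers run
        if (!Principal.class.isAssignableFrom(c)) {
            throw new ClassNotFoundException(name + " does not implement java.security.Principal");
        }
        return c;
    }
    public static void main(String[] args) throws Exception {
        // Compile the stand-in class into a temp directory that plays the role of WEB-INF/classes.
        Path dir = Files.createTempDirectory("webapp-classes");
        Path src = Files.createDirectories(dir.resolve("demo")).resolve("WebappPrincipal.java");
        Files.writeString(src, SOURCE);
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();   // null on a JRE without a compiler
        if (javac == null || javac.run(null, null, null, "-d", dir.toString(), src.toString()) != 0) {
            throw new IllegalStateException("could not compile the sample class (JDK required)");
        }
        ClassLoader container = RealmClassLoaderDemo.class.getClassLoader();
        ClassLoader previous = Thread.currentThread().getContextClassLoader();
        try (URLClassLoader webapp = new URLClassLoader(new URL[] { dir.toUri().toURL() }, container)) {
            Thread.currentThread().setContextClassLoader(webapp);
            try {
                resolve(NAME, false);
                System.out.println("container loader: found (unexpected)");
            } catch (ClassNotFoundException e) {
                System.out.println("container loader: " + NAME + " not found");
            }
            System.out.println("context loader: loaded " + resolve(NAME, true).getName());
        } finally {
            Thread.currentThread().setContextClassLoader(previous);
        }
    }
}
```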

Comment 4 David 2007-12-20 19:22:10 UTC
Thanks Noah, the patch looks perfect to me. I hope it makes it into the next
release!
Since the patch is in 44084, I'll mark this one as a duplicate.
See also bug 40150 that Ate re-opened so that the patch could be applied to T5.5
too.

*** This bug has been marked as a duplicate of 44084 ***