From 8eb2eac080c2e9595b506f49f25d2c1718453bbc Mon Sep 17 00:00:00 2001 
From: Endi Sukma Dewata Date: Tue, 21 Aug 2012 17:38:29 -0500 Subject: Added proxy realm. CMS engine is a singleton and it's used by PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders. Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms into the proxy realms such that the authentications will be forwarded to the appropriate subsystems. Ticket #89 --- base/ca/shared/webapps/ca/META-INF/context.xml | 31 ++++ base/common/shared/conf/context.xml | 4 - base/common/src/CMakeLists.txt | 51 ++++++- .../netscape/cms/servlet/base/CMSStartServlet.java | 8 + .../src/com/netscape/cms/tomcat/ProxyRealm.java | 139 +++++++++++++++++ .../cms/tomcat/SSLAuthenticatorWithFallback.java | 167 +++++++++++++++++++++ .../realm/SSLAuthenticatorWithFallback.java | 167 --------------------- base/deploy/scripts/operations | 52 +++++-- base/deploy/src/scriptlets/instance_layout.py | 14 +- base/deploy/src/scriptlets/pkiparser.py | 83 +++++----- base/deploy/src/scriptlets/webapp_deployment.py | 12 ++ base/kra/shared/webapps/kra/META-INF/context.xml | 31 ++++ base/ocsp/shared/webapps/ocsp/META-INF/context.xml | 31 ++++ base/setup/scripts/functions | 3 +- base/tks/shared/webapps/tks/META-INF/context.xml | 31 ++++ specs/pki-core.spec | 7 +- 16 files changed, 583 insertions(+), 248 deletions(-) create mode 100644 base/ca/shared/webapps/ca/META-INF/context.xml create mode 100644 base/common/src/com/netscape/cms/tomcat/ProxyRealm.java create mode 100644 base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java delete mode 100644 
base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java create mode 100644 base/kra/shared/webapps/kra/META-INF/context.xml create mode 100644 base/ocsp/shared/webapps/ocsp/META-INF/context.xml create mode 100644 base/tks/shared/webapps/tks/META-INF/context.xml diff --git a/base/ca/shared/webapps/ca/META-INF/context.xml b/base/ca/shared/webapps/ca/META-INF/context.xml new file mode 100644 index 000000000..975ecabf1 --- /dev/null +++ b/base/ca/shared/webapps/ca/META-INF/context.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + diff --git a/base/common/shared/conf/context.xml b/base/common/shared/conf/context.xml index b28f1bd20..4b00dbe3c 100644 --- a/base/common/shared/conf/context.xml +++ b/base/common/shared/conf/context.xml @@ -39,8 +39,4 @@ --> - - - - diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt index dc61b4ca7..f3702d454 100644 --- a/base/common/src/CMakeLists.txt +++ b/base/common/src/CMakeLists.txt @@ -171,6 +171,8 @@ set(PKI_CERTSRV_JAR ${CMAKE_BINARY_DIR}/dist/pki-certsrv.jar CACHE INTERNAL "pki javac(pki-cms-classes SOURCES com/netscape/cms/*.java + EXCLUDE + com/netscape/cms/tomcat/*.java CLASSPATH ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR} @@ -192,6 +194,8 @@ jar(pki-cms-jar ${CMAKE_BINARY_DIR}/classes FILES com/netscape/cms/*.class + EXCLUDE + com/netscape/cms/tomcat/*.class DEPENDS pki-cms-classes ) 
@@ -249,12 +253,55 @@ if(WITH_JAVADOC) endif(WITH_JAVADOC) +# build pki-tomcat +javac(pki-tomcat-classes + SOURCES + com/netscape/cms/tomcat/*.java + CLASSPATH + ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} + OUTPUT_DIR + ${CMAKE_BINARY_DIR}/classes + DEPENDS + pki-cms +) + +jar(pki-tomcat-jar + CREATE + ${CMAKE_BINARY_DIR}/dist/pki-tomcat-${APPLICATION_VERSION}.jar + INPUT_DIR + ${CMAKE_BINARY_DIR}/classes + FILES + com/netscape/cms/tomcat/*.class + DEPENDS + pki-tomcat-classes +) + +link(pki-tomcat + SOURCE + ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar + DEST + pki-tomcat-${APPLICATION_VERSION}.jar + DEPENDS + pki-tomcat-jar +) + +install( + FILES + ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar + ${CMAKE_BINARY_DIR}/dist/pki-tomcat-${APPLICATION_VERSION}.jar + DESTINATION + ${JAVA_JAR_INSTALL_DIR}/pki +) + +set(PKI_TOMCAT_JAR ${CMAKE_BINARY_DIR}/dist/pki-tomcat.jar CACHE INTERNAL "pki-tomcat jar file") + + # build pki-cmscore javac(pki-cmscore-classes SOURCES com/netscape/cmscore/*.java CLASSPATH - ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} + ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_TOMCAT_JAR} ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR} ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${APACHE_COMMONS_LANG_JAR} @@ -264,7 +311,7 @@ javac(pki-cmscore-classes OUTPUT_DIR ${CMAKE_BINARY_DIR}/classes DEPENDS - pki-nsutil pki-cmsutil pki-certsrv pki-cms + pki-nsutil pki-cmsutil pki-certsrv pki-cms pki-tomcat ) jar(pki-cmscore-jar diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java index a8a4008b7..e00f2bdba 100644 --- a/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java +++ b/base/common/src/com/netscape/cms/servlet/base/CMSStartServlet.java 
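Review bot: In the `# build pki-tomcat` block, `pki-tomcat-classes` still writes into the shared `${CMAKE_BINARY_DIR}/classes` directory, so only the two `EXCLUDE` patterns keep ProxyRealm and SSLAuthenticatorWithFallback out of pki-cms.jar, and nothing in the file says why that separation matters. If a copy of `com/netscape/cms/tomcat/*.class` reached a jar linked into WEB-INF/lib, the webapp class loader would presumably load its own ProxyRealm with an empty static `proxies` map, and `registerRealm` would return without wiring the subsystem realm. I would give the target its own output directory, `OUTPUT_DIR ${CMAKE_BINARY_DIR}/classes-tomcat` with the matching `INPUT_DIR` in `pki-tomcat-jar`, and add above each EXCLUDE the comment `# tomcat/ classes ship only in pki-tomcat.jar (common/lib), never in a per-webapp jar`. `DEPENDS pki-cms` on `pki-tomcat-classes` also looks unnecessary, since its CLASSPATH names only `${SERVLET_JAR}` and `${TOMCAT_CATALINA_JAR}`.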
@@ -29,6 +29,8 @@ import javax.servlet.http.HttpServletResponse; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.cms.tomcat.ProxyRealm; +import com.netscape.cmscore.realm.PKIRealm; import com.netscape.cmsutil.util.Utils; /** @@ -89,10 +91,16 @@ public class CMSStartServlet extends HttpServlet { } } } + try { CMS.start(path); } catch (EBaseException e) { } + + // Register realm for this subsystem + String context = getServletContext().getContextPath(); + if (context.startsWith("/")) context = context.substring(1); + ProxyRealm.registerRealm(context, new PKIRealm()); } public void doGet(HttpServletRequest req, HttpServletResponse res) diff --git a/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java b/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java new file mode 100644 index 000000000..094c0561f --- /dev/null +++ b/base/common/src/com/netscape/cms/tomcat/ProxyRealm.java 
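Review bot: In CMSStartServlet the new `ProxyRealm.registerRealm(context, new PKIRealm())` call runs even when `CMS.start(path)` has just thrown, because the `EBaseException` is swallowed by the empty catch directly above it, so a subsystem that failed to start still gets a realm wired into the authenticator. I would move the registration into the `try` after `CMS.start(path);` and log the exception in the catch. The lookup key is also built differently on each side, `getContextPath()` minus the leading slash here and `context.getBaseName()` in ProxyRealm.setContainer; these look equal for single-level paths such as `/ca` but may not be for other deployments, and `registerRealm` returns silently on a miss. The enclosing method starts outside the hunk.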
@@ -0,0 +1,139 @@
+package com.netscape.cms.tomcat;
+
+import java.beans.PropertyChangeListener;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.catalina.Container;
+import org.apache.catalina.Context;
+import org.apache.catalina.Realm;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.SecurityConstraint;
+import org.ietf.jgss.GSSContext;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class ProxyRealm implements Realm {
+
+ public static Map proxies = new HashMap();
+
+ public Container container;
+ public Realm realm;
+
+ public ProxyRealm() {
+ }
+
+ @Override
+ public Container getContainer() {
+ return container;
+ }
+
+ @Override
+ public void setContainer(Container container) {
+ this.container = container;
+ if (container instanceof Context) {
+ Context context = (Context)container;
+ proxies.put(context.getBaseName(), this);
+ }
+ }
+
+ public Realm getRealm() {
+ return realm;
+ }
+
+ public void setRealm(Realm realm) {
+ this.realm = realm;
+ realm.setContainer(container);
+ }
+
+ public static void registerRealm(String contextName, Realm realm) {
+ ProxyRealm proxy = proxies.get(contextName);
+ if (proxy == null) return;
+
+ proxy.setRealm(realm);
+ }
+
+ @Override
+ public Principal authenticate(String username, String password) {
+ return realm.authenticate(username, password);
+ }
+
+ @Override
+ public Principal authenticate(X509Certificate certs[]) {
+ return realm.authenticate(certs);
+ }
+
+ @Override
+ public Principal authenticate(
+ String username,
+ String digest,
+ String nonce,
+ String nc,
+ String cnonce,
+ String qop,
+ String realmName,
+ String md5a2
+ ) {
+ return realm.authenticate(username, digest, nonce, nc, cnonce, qop, realmName, md5a2);
+ }
+
+ @Override
+ public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
+ return realm.authenticate(gssContext, storeCreds);
+ }
+
+ @Override
+ public boolean hasResourcePermission(
+ Request request,
+ Response response,
+ SecurityConstraint[] constraints,
+ Context context
+ ) throws IOException {
+ return realm.hasResourcePermission(request, response, constraints, context);
+ }
+
+ @Override
+ public String getInfo() {
+ return realm.getInfo();
+ }
+
+ @Override
+ public void backgroundProcess() {
+ realm.backgroundProcess();
+ }
+
+ @Override
+ public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
+ return realm.findSecurityConstraints(request, context);
+ }
+
+ @Override
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+ return realm.hasRole(wrapper, principal, role);
+ }
+
+ @Override
+ public boolean hasUserDataPermission(
+ Request request,
+ Response response,
+ SecurityConstraint[] constraint
+ ) throws IOException {
+ return realm.hasUserDataPermission(request, response, constraint);
+ }
+
+ @Override
+ public void addPropertyChangeListener(PropertyChangeListener listener) {
+ realm.addPropertyChangeListener(listener);
+ }
+
+ @Override
+ public void removePropertyChangeListener(PropertyChangeListener listener) {
+ realm.removePropertyChangeListener(listener);
+ }
+}
diff --git a/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
new file mode 100644
index 000000000..d1b3dc3f2
--- /dev/null
+++ b/base/common/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
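Review bot: ProxyRealm.java lets any code that can load the class replace a context's realm: `proxies`, `container` and `realm` are public and `registerRealm(String, Realm)` is public static with no check on the caller, while the commit message places this class in common/lib, where every webapp of the instance can see it. I would make the three fields private, guard `proxies` with a lock (it is a plain HashMap written from `setContainer` by each context), and state the trust assumption in a class comment. Separately, every delegating method dereferences `realm`, which stays null until the subsystem registers; today that ends in a NullPointerException, which happens to deny the request. Make that explicit as in the sketch below rather than with null-returning guards, because a null result from `findSecurityConstraints` is read by Tomcat's authenticator as "no constraint applies".

```java
// Returns the registered realm; fails closed while the subsystem has not registered one.
private Realm delegate() {
    Realm current = realm;
    if (current == null) {
        throw new IllegalStateException("No realm registered for container " + container);
    }
    return current;
}

@Override
public Principal authenticate(String username, String password) {
    return delegate().authenticate(username, password);
}

// … unchanged in shape: the other authenticate() overloads, hasResourcePermission(),
//   hasRole(), hasUserDataPermission() and findSecurityConstraints(), each calling delegate() …

@Override
public void backgroundProcess() {
    // Periodic container callback: nothing to do until a realm is registered.
    Realm current = realm;
    if (current != null) {
        current.backgroundProcess();
    }
}
```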
@@ -0,0 +1,167 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2012 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.cms.tomcat; + +import java.io.IOException; +import java.security.cert.X509Certificate; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpServletResponseWrapper; + +import org.apache.catalina.Container; +import org.apache.catalina.Globals; +import org.apache.catalina.LifecycleException; +import org.apache.catalina.authenticator.AuthenticatorBase; +import org.apache.catalina.authenticator.BasicAuthenticator; +import org.apache.catalina.authenticator.FormAuthenticator; +import org.apache.catalina.authenticator.SSLAuthenticator; +import org.apache.catalina.connector.Request; +import org.apache.catalina.deploy.LoginConfig; + +/** + * @author Endi S. 
Dewata + */ +public class SSLAuthenticatorWithFallback extends AuthenticatorBase { + + public final static String BASIC_AUTHENTICATOR = "BASIC"; + public final static String FORM_AUTHENTICATOR = "FORM"; + + String fallbackMethod = BASIC_AUTHENTICATOR; + + AuthenticatorBase sslAuthenticator = new SSLAuthenticator(); + AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator(); + + public SSLAuthenticatorWithFallback() { + log("Creating SSL authenticator with fallback"); + } + + @Override + public String getInfo() { + return "SSL authenticator with "+fallbackMethod+" fallback."; + } + + public String getFallbackMethod() { + return fallbackMethod; + } + + public void setFallbackMethod(String fallbackMethod) { + log("Fallback method: "+fallbackMethod); + this.fallbackMethod = fallbackMethod; + + if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) { + fallbackAuthenticator = new BasicAuthenticator(); + + } else if (FORM_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) { + fallbackAuthenticator = new FormAuthenticator(); + } + + } + + @Override + public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException { + + X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR); + boolean result; + + if (certs != null && certs.length > 0) { + log("Authenticate with client certificate authentication"); + HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { + public void setHeader(String name, String value) { + log("SSL auth header: "+name+"="+value); + }; + public void sendError(int code) { + log("SSL auth return code: "+code); + } + }; + result = sslAuthenticator.authenticate(request, wrapper, config); + + } else { + log("Authenticating with "+fallbackMethod+" authentication"); + HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { + public void setHeader(String name, String value) { + log("Fallback auth header: 
"+name+"="+value); + }; + public void sendError(int code) { + log("Fallback auth return code: "+code); + } + }; + result = fallbackAuthenticator.authenticate(request, wrapper, config); + } + + if (result) + return true; + + log("Result: "+result); + + StringBuilder value = new StringBuilder(16); + value.append("Basic realm=\""); + if (config.getRealmName() == null) { + value.append(REALM_NAME); + } else { + value.append(config.getRealmName()); + } + value.append('\"'); + response.setHeader(AUTH_HEADER_NAME, value.toString()); + response.sendError(HttpServletResponse.SC_UNAUTHORIZED); + + return false; + } + + @Override + protected String getAuthMethod() { + return HttpServletRequest.CLIENT_CERT_AUTH; + }; + + @Override + public void setContainer(Container container) { + log("Setting container"); + super.setContainer(container); + sslAuthenticator.setContainer(container); + fallbackAuthenticator.setContainer(container); + } + + @Override + protected void initInternal() throws LifecycleException { + log("Initializing authenticators"); + super.initInternal(); + sslAuthenticator.init(); + fallbackAuthenticator.init(); + } + + @Override + public void startInternal() throws LifecycleException { + log("Starting authenticators"); + super.startInternal(); + sslAuthenticator.start(); + fallbackAuthenticator.start(); + } + + @Override + public void stopInternal() throws LifecycleException { + log("Stopping authenticators"); + super.stopInternal(); + sslAuthenticator.stop(); + fallbackAuthenticator.stop(); + } + + public void log(String message) { + System.out.println("SSLAuthenticatorWithFallback: "+message); + } +} diff --git a/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java b/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java deleted file mode 100644 index 6b6af78a7..000000000 --- a/base/common/src/com/netscape/cmscore/realm/SSLAuthenticatorWithFallback.java +++ /dev/null 
@@ -1,167 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2012 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- - -package com.netscape.cmscore.realm; - -import java.io.IOException; -import java.security.cert.X509Certificate; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import javax.servlet.http.HttpServletResponseWrapper; - -import org.apache.catalina.Container; -import org.apache.catalina.Globals; -import org.apache.catalina.LifecycleException; -import org.apache.catalina.authenticator.AuthenticatorBase; -import org.apache.catalina.authenticator.BasicAuthenticator; -import org.apache.catalina.authenticator.FormAuthenticator; -import org.apache.catalina.authenticator.SSLAuthenticator; -import org.apache.catalina.connector.Request; -import org.apache.catalina.deploy.LoginConfig; - -/** - * @author Endi S. 
Dewata - */ -public class SSLAuthenticatorWithFallback extends AuthenticatorBase { - - public final static String BASIC_AUTHENTICATOR = "BASIC"; - public final static String FORM_AUTHENTICATOR = "FORM"; - - String fallbackMethod = BASIC_AUTHENTICATOR; - - AuthenticatorBase sslAuthenticator = new SSLAuthenticator(); - AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator(); - - public SSLAuthenticatorWithFallback() { - log("Creating SSL authenticator with fallback"); - } - - @Override - public String getInfo() { - return "SSL authenticator with "+fallbackMethod+" fallback."; - } - - public String getFallbackMethod() { - return fallbackMethod; - } - - public void setFallbackMethod(String fallbackMethod) { - log("Fallback method: "+fallbackMethod); - this.fallbackMethod = fallbackMethod; - - if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) { - fallbackAuthenticator = new BasicAuthenticator(); - - } else if (FORM_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) { - fallbackAuthenticator = new FormAuthenticator(); - } - - } - - @Override - public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException { - - X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR); - boolean result; - - if (certs != null && certs.length > 0) { - log("Authenticate with client certificate authentication"); - HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { - public void setHeader(String name, String value) { - log("SSL auth header: "+name+"="+value); - }; - public void sendError(int code) { - log("SSL auth return code: "+code); - } - }; - result = sslAuthenticator.authenticate(request, wrapper, config); - - } else { - log("Authenticating with "+fallbackMethod+" authentication"); - HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { - public void setHeader(String name, String value) { - log("Fallback auth header: 
"+name+"="+value); - }; - public void sendError(int code) { - log("Fallback auth return code: "+code); - } - }; - result = fallbackAuthenticator.authenticate(request, wrapper, config); - } - - if (result) - return true; - - log("Result: "+result); - - StringBuilder value = new StringBuilder(16); - value.append("Basic realm=\""); - if (config.getRealmName() == null) { - value.append(REALM_NAME); - } else { - value.append(config.getRealmName()); - } - value.append('\"'); - response.setHeader(AUTH_HEADER_NAME, value.toString()); - response.sendError(HttpServletResponse.SC_UNAUTHORIZED); - - return false; - } - - @Override - protected String getAuthMethod() { - return HttpServletRequest.CLIENT_CERT_AUTH; - }; - - @Override - public void setContainer(Container container) { - log("Setting container"); - super.setContainer(container); - sslAuthenticator.setContainer(container); - fallbackAuthenticator.setContainer(container); - } - - @Override - protected void initInternal() throws LifecycleException { - log("Initializing authenticators"); - super.initInternal(); - sslAuthenticator.init(); - fallbackAuthenticator.init(); - } - - @Override - public void startInternal() throws LifecycleException { - log("Starting authenticators"); - super.startInternal(); - sslAuthenticator.start(); - fallbackAuthenticator.start(); - } - - @Override - public void stopInternal() throws LifecycleException { - log("Stopping authenticators"); - super.stopInternal(); - sslAuthenticator.stop(); - fallbackAuthenticator.stop(); - } - - public void log(String message) { - System.out.println("SSLAuthenticatorWithFallback: "+message); - } -} diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations index bb573fcaf..61e4e5de9 100644 --- a/base/deploy/scripts/operations +++ b/base/deploy/scripts/operations 
@@ -951,11 +951,10 @@ verify_symlinks() pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}" pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants" pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service" - # FUTURE: "pki__webapps_jar_dir" directories - pki_ca_jar_dir="${pki_common_jar_dir}" - pki_kra_jar_dir="${pki_common_jar_dir}" - pki_ocsp_jar_dir="${pki_common_jar_dir}" - pki_tks_jar_dir="${pki_common_jar_dir}" + pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib" + pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib" + pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib" + pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib" # '${PKI_INSTANCE_PATH}' symlinks base_symlinks=( @@ -977,7 +976,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_ca_jar_dir}' symlinks - ca_jar_symlinks[pki-ca.jar]=/usr/share/java/pki/pki-ca.jar + ca_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ca.jar]=${java_dir}/pki/pki-ca.jar) # '${PKI_INSTANCE_PATH}/kra' symlinks kra_symlinks=( @@ -988,7 +994,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_kra_jar_dir}' symlinks - kra_jar_symlinks[pki-kra.jar]=/usr/share/java/pki/pki-kra.jar + kra_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-kra.jar]=${java_dir}/pki/pki-kra.jar) # '${PKI_INSTANCE_PATH}/ocsp' symlinks ocsp_symlinks=( 
@@ -999,7 +1012,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_ocsp_jar_dir}' symlinks - ocsp_jar_symlinks[pki-ocsp.jar]=/usr/share/java/pki/pki-ocsp.jar + ocsp_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar) # '${PKI_INSTANCE_PATH}/tks' symlinks tks_symlinks=( @@ -1010,7 +1030,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_tks_jar_dir}' symlinks - tks_jar_symlinks[pki-tks.jar]=/usr/share/java/pki/pki-tks.jar + tks_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-tks.jar]=${java_dir}/pki/pki-tks.jar) # '${pki_common_jar_dir}' symlinks common_jar_symlinks=( @@ -1025,12 +1052,7 @@ verify_symlinks() [jettison.jar]=${java_dir}/jettison.jar [jss4.jar]=${jni_dir}/jss4.jar [ldapjdk.jar]=${java_dir}/ldapjdk.jar - [pki-certsrv.jar]=/usr/share/java/pki/pki-certsrv.jar - [pki-cms.jar]=/usr/share/java/pki/pki-cms.jar - [pki-cmsbundle.jar]=/usr/share/java/pki/pki-cmsbundle.jar - [pki-cmscore.jar]=/usr/share/java/pki/pki-cmscore.jar - [pki-cmsutil.jar]=/usr/share/java/pki/pki-cmsutil.jar - [pki-nsutil.jar]=/usr/share/java/pki/pki-nsutil.jar + [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar [resteasy-atom-provider.jar]=${resteasy_java_dir}/resteasy-atom-provider.jar [resteasy-jaxb-provider.jar]=${resteasy_java_dir}/resteasy-jaxb-provider.jar [resteasy-jaxrs.jar]=${resteasy_java_dir}/resteasy-jaxrs.jar 
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index d29b2d2d2..8fd0396bc 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py @@ -97,18 +97,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_jss_jar_link']) util.symlink.create(master['pki_ldapjdk_jar'], master['pki_ldapjdk_jar_link']) - util.symlink.create(master['pki_certsrv_jar'], - master['pki_certsrv_jar_link']) - util.symlink.create(master['pki_cmsbundle'], - master['pki_cmsbundle_jar_link']) - util.symlink.create(master['pki_cmscore'], - master['pki_cmscore_jar_link']) - util.symlink.create(master['pki_cms'], - master['pki_cms_jar_link']) - util.symlink.create(master['pki_cmsutil'], - master['pki_cmsutil_jar_link']) - util.symlink.create(master['pki_nsutil'], - master['pki_nsutil_jar_link']) + util.symlink.create(master['pki_tomcat_jar'], + master['pki_tomcat_jar_link']) util.symlink.create(master['pki_resteasy_atom_provider_jar'], master['pki_resteasy_atom_provider_jar_link']) util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 09424120c..b1daa3b21 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -689,6 +689,9 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_nsutil'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-nsutil.jar") + config.pki_master_dict['pki_tomcat_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-tomcat.jar") config.pki_master_dict['pki_resteasy_atom_provider_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, "resteasy-atom-provider.jar") 
@@ -768,30 +771,10 @@ def compose_pki_master_dictionary(): os.path.join( config.pki_master_dict['pki_tomcat_common_lib_path'], "ldapjdk.jar") - config.pki_master_dict['pki_certsrv_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-certsrv.jar") - config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + config.pki_master_dict['pki_tomcat_jar_link'] =\ os.path.join( config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cmsbundle.jar") - config.pki_master_dict['pki_cmscore_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cmscore.jar") - config.pki_master_dict['pki_cms_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cms.jar") - config.pki_master_dict['pki_cmsutil_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cmsutil.jar") - config.pki_master_dict['pki_nsutil_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-nsutil.jar") + "pki-tomcat.jar") config.pki_master_dict['pki_resteasy_atom_provider_jar_link'] =\ os.path.join( config.pki_master_dict['pki_tomcat_common_lib_path'], 
@@ -931,58 +914,66 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], "WEB-INF", "lib") + config.pki_master_dict['pki_certsrv_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cmscore.jar") + config.pki_master_dict['pki_cms_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-nsutil.jar") # Tomcat PKI subsystem war file convenience symbolic links if config.pki_master_dict['pki_subsystem'] == "CA": config.pki_master_dict['pki_ca_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-ca.jar") - # config.pki_master_dict['pki_ca_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-ca.jar") config.pki_master_dict['pki_ca_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-ca.jar") elif config.pki_master_dict['pki_subsystem'] == "KRA": config.pki_master_dict['pki_kra_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-kra.jar") - # config.pki_master_dict['pki_kra_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # 
['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-kra.jar") config.pki_master_dict['pki_kra_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-kra.jar") elif config.pki_master_dict['pki_subsystem'] == "OCSP": config.pki_master_dict['pki_ocsp_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-ocsp.jar") - # config.pki_master_dict['pki_ocsp_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-ocsp.jar") config.pki_master_dict['pki_ocsp_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-ocsp.jar") elif config.pki_master_dict['pki_subsystem'] == "TKS": config.pki_master_dict['pki_tks_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-tks.jar") - # config.pki_master_dict['pki_tks_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-tks.jar") config.pki_master_dict['pki_tks_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-tks.jar") # PKI Target (slot substitution) name/value pairs config.pki_master_dict['pki_target_cs_cfg'] =\ diff --git a/base/deploy/src/scriptlets/webapp_deployment.py b/base/deploy/src/scriptlets/webapp_deployment.py index 17b1bc349..cc2086fc7 100644 --- a/base/deploy/src/scriptlets/webapp_deployment.py +++ b/base/deploy/src/scriptlets/webapp_deployment.py 
@@ -68,6 +68,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.create( master['pki_tomcat_webapps_subsystem_webinf_lib_path']) # establish Tomcat webapps subsystem WEB-INF lib symbolic links + util.symlink.create(master['pki_certsrv_jar'], + master['pki_certsrv_jar_link']) + util.symlink.create(master['pki_cmsbundle'], + master['pki_cmsbundle_jar_link']) + util.symlink.create(master['pki_cmscore'], + master['pki_cmscore_jar_link']) + util.symlink.create(master['pki_cms'], + master['pki_cms_jar_link']) + util.symlink.create(master['pki_cmsutil'], + master['pki_cmsutil_jar_link']) + util.symlink.create(master['pki_nsutil'], + master['pki_nsutil_jar_link']) if master['pki_subsystem'] == "CA": util.symlink.create(master['pki_ca_jar'], master['pki_ca_jar_link']) diff --git a/base/kra/shared/webapps/kra/META-INF/context.xml b/base/kra/shared/webapps/kra/META-INF/context.xml new file mode 100644 index 000000000..975ecabf1 --- /dev/null +++ b/base/kra/shared/webapps/kra/META-INF/context.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + diff --git a/base/ocsp/shared/webapps/ocsp/META-INF/context.xml b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml new file mode 100644 index 000000000..975ecabf1 --- /dev/null +++ b/base/ocsp/shared/webapps/ocsp/META-INF/context.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + diff --git a/base/setup/scripts/functions b/base/setup/scripts/functions index 20e5dcdff..7eacd7e1f 100644 --- a/base/setup/scripts/functions +++ b/base/setup/scripts/functions @@ -955,7 +955,8 @@ verify_symlinks() [jss4.jar]=${jni_dir}/jss4.jar [tomcatjss.jar]=/usr/share/java/tomcatjss.jar # Dogtag 9 -> Dogtag 10 - [apache-commons-codec.jar]=/usr/share/java/commons-codec.jar) + [apache-commons-codec.jar]=/usr/share/java/commons-codec.jar + [pki-tomcat.jar]=/usr/share/java/pki/pki-tomcat.jar) # '${pki_webapps_jar_dir}' symlinks webapps_jar_symlinks=( 
diff --git a/base/tks/shared/webapps/tks/META-INF/context.xml b/base/tks/shared/webapps/tks/META-INF/context.xml new file mode 100644 index 000000000..975ecabf1 --- /dev/null +++ b/base/tks/shared/webapps/tks/META-INF/context.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + diff --git a/specs/pki-core.spec b/specs/pki-core.spec index 9e2197a2b..e59f538dd 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec @@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} Name: pki-core Version: 10.0.0 -Release: %{?relprefix}27%{?prerel}%{?dist} +Release: %{?relprefix}28%{?prerel}%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -1197,6 +1197,8 @@ fi %{_javadir}/pki/pki-cmsbundle.jar %{_javadir}/pki/pki-cmscore-%{version}.jar %{_javadir}/pki/pki-cmscore.jar +%{_javadir}/pki/pki-tomcat-%{version}.jar +%{_javadir}/pki/pki-tomcat.jar %dir %{_localstatedir}/lock/pki/tomcat %dir %{_localstatedir}/run/pki/tomcat @@ -1345,6 +1347,9 @@ fi %changelog +* Thu Aug 30 2012 Endi S. Dewata 10.0.0-0.28.a1 +- Added pki-tomcat.jar. + * Thu Aug 30 2012 Endi S. Dewata 10.0.0-0.27.a1 - Moved webapp creation code into pkispawn. -- cgit