tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Authorization on Linux
Date Tue, 02 Jan 2001 22:08:49 GMT
Mikael Pahmp wrote:

> I'm using Tomcat with Apache on a RedHat 6.2 Linux. I use the form-based login mechanism
> and want to authorize the user logins against the users/groups that are already defined in
> Linux. It seems to be possible by implementing an Interceptor.

It is certainly feasible to do this with a request interceptor (Tomcat 3.x) or
valve (Tomcat 4.x). You would need to provide a custom implementation (you can
use the existing JDBCRealm implementation as a model) and configure Tomcat to
use it in the server.xml file.

One very important thing you should consider before doing so, however, is the
way that usernames and passwords get communicated when using HTTP authentication
methods. If you use BASIC or FORM-BASED authentication, your username and
password are essentially passed as clear-text. Therefore, if I can snoop the
network connection, I can now attack your server with a known-good username and
password -- *not* something you really want to have happen.

Moral of the story -- if you are in an environment where your network
connections are subject to snooping, use SSL, or DIGEST-mode authentication.
This is a good general principle even if your usernames and passwords relate
only to the webapp you are running, but is even more important when exposure
could increase security risks on your entire server.

> Has anyone already done this and is willing to share his work?
> Otherwise, tips for how to do it are appreciated.
> /Mikael
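As an added illustration of the point made in the reply above about BASIC and FORM-BASED credentials (example code added here; it is not from the original message or from Tomcat), the following Python builds the three on-wire forms for a constructed login and shows which of them hand a passive observer the password. The user, password, realm and server nonce are made-up values; j_username/j_password are the servlet FORM login field names.

```python
import base64
import hashlib
import re
from urllib.parse import urlencode, parse_qs

# Constructed sample values (hypothetical user, password, realm and server nonce).
USER, PASSWORD, REALM = "mikael", "s3cret", "Tomcat"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c0"


def basic_header(user, password):
    """Authorization value sent for BASIC auth: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def form_body(user, password):
    """POST body of a servlet FORM login (j_username/j_password): plain text."""
    return urlencode({"j_username": user, "j_password": password})


def recover_credentials(captured):
    """What one captured BASIC header or FORM body yields; None if no password is carried."""
    if captured.lower().startswith("basic "):
        user, _, pwd = base64.b64decode(captured[6:]).decode().partition(":")
        return user, pwd
    if "j_password=" in captured:
        fields = parse_qs(captured)
        return fields["j_username"][0], fields["j_password"][0]
    return None  # e.g. a Digest header: only MD5 hashes cross the wire


def ha1_for(user, realm, password):
    """RFC 2617 HA1 = MD5(user:realm:password): the only place the password enters Digest."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_header(user, realm, password, method, uri, nonce):
    """Client-side Digest response (algorithm=MD5, no qop): a hash, never the password."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    resp = hashlib.md5(f"{ha1_for(user, realm, password)}:{nonce}:{ha2}".encode()).hexdigest()
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def verify_digest(header, ha1, method, nonce):
    """Server side: validate the response while holding only HA1, not the password."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    ha2 = hashlib.md5(f"{method}:{fields.get('uri', '')}".encode()).hexdigest()
    expected = hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()
    return fields.get("nonce") == nonce and fields.get("response") == expected
```

Note that verify_digest only works because the server holds HA1 (or the plaintext password); a realm that checks against the one-way crypt() hashes in a Linux password database cannot verify DIGEST responses, so for that setup SSL is the remaining option.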

