tomcat-dev mailing list archives

From "Aaron Knauf" <>
Subject Re: Authorization on Linux
Date Wed, 03 Jan 2001 00:19:13 GMT
I would go one further and advise against using the system user accounts 
for web user authentication.  Even if you are using SSL to encrypt 
traffic, it is easy to brute-force a web password because the web server 
typically allows unlimited retries without locking the account or 
delaying, and in some configurations may not even log the attempts.

Another advantage to using an alternative user accounts database is that 
you don't have to give every web user access to all of the other 
facilities on your web server.  (If the user account doesn't exist, no-one 
can log in with it.)

Apache provides modules for authenticating against all sorts of other user 
accounts.  Perhaps you could try to hook in to one of these.

Aaron Knauf
Implementation Consultant
Genie Systems Ltd
Auckland, New Zealand
Ph. +64-9-573 3310 x812, email:

"Craig R. McClanahan" <>
03/01/2001 11:08
Subject: Re: Authorization on Linux

Mikael Pahmp wrote:

> I'm using Tomcat with Apache on a RedHat 6.2 Linux. I use the form-based 
> login mechanism and want to authorize the user logins against the 
> users/groups that are already defined in Linux. It seems to be possible by 
> implementing an Interceptor.

It is certainly feasible to do this with a request interceptor (Tomcat 3.x) or 
valve (Tomcat 4.x).  You would need to provide a custom implementation (you can 
use the existing JDBCRealm implementation as a model) and configure Tomcat to 
use it in the server.xml file.

One very important thing you should consider before doing so, however, is the 
way that usernames and passwords get communicated when using HTTP 
methods.  If you use BASIC or FORM-BASED authentication, your username and 
password are essentially passed as clear-text.  Therefore, if I can snoop the 
network connection, I can now attack your server with a known-good username and 
password -- *not* something you really want to have happen.

Moral of the story -- if you are in an environment where your network 
connections are subject to snooping, use SSL, or DIGEST-mode authentication. 
This is a good general principle even if your usernames and passwords apply 
only to the webapp you are running, but it is even more important when exposure 
could increase security risks on your entire server.

> Has anyone already done this and is willing to share his work?
> Otherwise, tips for how to do it is appreciated.
> /Mikael
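To make the clear-text point concrete, here is an added Python example (not code from this thread, and not Tomcat's or Apache's own implementation) that builds the two HTTP authentication exchanges side by side: a BASIC `Authorization` header, which any observer can turn back into the password because base64 is only an encoding, and a DIGEST challenge/response in the RFC 2617 `qop=auth` form, where the server stores only `HA1 = MD5(user:realm:password)`, the password never appears on the wire, and a captured response cannot be replayed against a fresh nonce. The realm name, usernames, passwords and the single-use nonce policy are assumptions made for the demo; real Digest servers also accept an incrementing nonce count, and Digest still leaves the rest of the request unprotected, which is why SSL remains the stronger of the two options the message names.

```python
"""BASIC vs DIGEST credential exchange (added example, not from the thread).

Assumptions: realm, users and passwords are invented; each server nonce is
accepted once, a simplification of the nonce-count handling in RFC 2617.
"""
import base64
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    # MD5 is what RFC 2617 Digest specifies; it is not a general-purpose choice today.
    return hashlib.md5(text.encode()).hexdigest()


# ---- BASIC: the client sends "user:password" base64-encoded ---------------
def basic_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header: str) -> tuple[str, str]:
    """What anyone who can read the request sees: encoding is not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# ---- DIGEST: server challenges with a nonce, client proves knowledge of HA1 ----
class DigestServer:
    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        # Only HA1 is kept; the clear-text password is not needed after setup.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued: set[str] = set()

    def challenge(self) -> dict:
        """The WWW-Authenticate parameters sent with a 401 response."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        """Check the Authorization parameters; consume the nonce to block replay."""
        if auth.get("nonce") not in self.issued:
            return False
        self.issued.discard(auth["nonce"])
        ha1 = self.ha1.get(auth.get("username", ""))
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(
            f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        return hmac.compare_digest(expected, auth.get("response", ""))


def digest_response(user: str, password: str, method: str, uri: str, chal: dict) -> dict:
    """The client side: what a browser puts in the Authorization header."""
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    response = md5_hex(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": response}


if __name__ == "__main__":
    print("BASIC on the wire:", basic_header("mikael", "s3cret"))
    print("recovered by an observer:", basic_credentials(basic_header("mikael", "s3cret")))
    server = DigestServer("tomcat", {"mikael": "s3cret"})
    chal = server.challenge()
    auth = digest_response("mikael", "s3cret", "GET", "/app/", chal)
    print("DIGEST on the wire:", auth)
    print("server accepts:", server.verify("GET", auth))
    print("same message replayed:", server.verify("GET", auth))
```

Running the script shows the BASIC header decoding straight back to `mikael:s3cret`, while the DIGEST `Authorization` parameters contain only hashes and nonces and are rejected the second time they are presented.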

