I would go one further and advise against using the system user accounts for web user authentication.  Even if you are using SSL to encrypt traffic, it is easy to brute force a web password because the web server typically allows unlimited retries without locking the account or delaying, and in some configurations may not even log the attempts.

Another advantage to using an alternative user accounts database is that you don't have to give every web user access to all of the other facilities on your web server.  (If the user account doesn't exist, no-one can log in with it.)

Apache provides modules for authenticating against all sorts of other user accounts.  Perhaps you could try to hook in to one of these.

-----------------------------------------------------------------------------------------------
Aaron Knauf
Implementation Consultant
Genie Systems Ltd
Auckland, New Zealand
Ph. +64-9-573 3310 x812, email: aaronk@geniesystems.com
http://www.geniesystems.com
------------------------------------------------------------------------------------------------
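The brute-force weakness described above (unlimited retries, no lockout, no delay, possibly no logging) is the kind of thing a separate web-only account store lets you fix in front of the password check. The following is an added example, not code from this thread or from Tomcat or Apache: a small per-account guard that logs every attempt, imposes a doubling back-off after each failure and locks the account after a fixed number of failures. The policy values, account names and IP addresses are constructed for the example.

```python
import logging
import time
from collections import defaultdict

# Constructed policy values for this example (assumptions, not Tomcat or Apache settings).
MAX_FAILURES = 5          # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900     # how long a locked account stays locked
BASE_DELAY = 1.0          # first back-off delay in seconds; doubles with each failure

logger = logging.getLogger("login-guard")


class LoginGuard:
    """Per-account failure tracking: every decision is written to an audit log,
    failed attempts incur a growing delay, and MAX_FAILURES locks the account.
    The clock is injectable so the behaviour can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)     # account -> consecutive failures
        self.locked_until = {}               # account -> time the lock expires
        self.next_allowed = {}               # account -> earliest next attempt (back-off)
        self.audit = []                      # in-memory copy of the audit lines

    def _log(self, msg):
        self.audit.append(msg)
        logger.warning(msg)

    def attempt_allowed(self, account, source_ip):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        until = self.locked_until.get(account, 0)
        if now < until:
            self._log(f"REJECT locked account={account} ip={source_ip} until={until:.0f}")
            return False, "locked"
        wait = self.next_allowed.get(account, 0)
        if now < wait:
            self._log(f"REJECT backoff account={account} ip={source_ip} retry_in={wait - now:.1f}s")
            return False, "backoff"
        return True, "ok"

    def record_failure(self, account, source_ip):
        """Call after a wrong password: extend the back-off, or lock at the threshold."""
        now = self.clock()
        self.failures[account] += 1
        n = self.failures[account]
        self._log(f"FAIL account={account} ip={source_ip} count={n}")
        if n >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self._log(f"LOCK account={account} ip={source_ip} seconds={LOCKOUT_SECONDS}")
        else:
            self.next_allowed[account] = now + BASE_DELAY * (2 ** (n - 1))

    def record_success(self, account, source_ip):
        """A correct password clears the failure counter and the back-off."""
        self._log(f"OK account={account} ip={source_ip}")
        self.failures.pop(account, None)
        self.next_allowed.pop(account, None)


if __name__ == "__main__":
    # Constructed demonstration: five wrong guesses at t=0 lock the account.
    logging.basicConfig(format="%(asctime)s %(message)s")
    t = [0.0]
    guard = LoginGuard(clock=lambda: t[0])
    for _ in range(MAX_FAILURES):
        if guard.attempt_allowed("alice", "198.51.100.7")[0]:
            guard.record_failure("alice", "198.51.100.7")
        t[0] += 8.0
    print(guard.attempt_allowed("alice", "198.51.100.7"))
```

The guard is keyed on the account rather than on the source address, because a distributed guessing attempt spread across many addresses still converges on one account; the audit lines carry the address so the log can be correlated afterwards.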



"Craig R. McClanahan" <Craig.McClanahan@eng.sun.com>

03/01/2001 11:08
Please respond to tomcat-dev

        To: tomcat-dev@jakarta.apache.org, mikael.pahmp@axis.com
        cc:
        Subject: Re: Authorization on Linux



Mikael Pahmp wrote:

> I'm using Tomcat with Apache on a RedHat 6.2 Linux. I use the form-based login mechanism and want to authorize the user logins against the users/groups that are already defined in Linux. It seems to be possible by implementing an Interceptor.

It is certainly feasible to do this with a request interceptor (Tomcat 3.x) or
valve (Tomcat 4.x).  You would need to provide a custom implementation (you can
use the existing JDBCRealm implementation as a model) and configure Tomcat to
use it in the server.xml file.

One very important thing you should consider before doing so, however, is the
way that usernames and passwords get communicated when using HTTP authentication
methods.  If you use BASIC or FORM-BASED authentication, your username and
password are essentially passed as clear-text.  Therefore, if I can snoop the
network connection, I can now attack your server with a known-good username and
password -- *not* something you really want to have happen.

Moral of the story -- if you are in an environment where your network
connections are subject to snooping, use SSL, or DIGEST-mode authentication.
This is a good general principle even if your usernames and passwords relate
only to the webapp you are running, but is even more important when exposure
could increase security risks on your entire server.

>
> Has anyone already done this and is willing to share his work?
>
> Otherwise, tips for how to do it are appreciated.
>
> /Mikael
>

Craig
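To make Craig's point concrete, here is an added example (not code from the thread, from Tomcat or from Apache) that shows both sides of the two HTTP schemes he contrasts. A BASIC header is only Base64-encoded, so anyone who sees the connection recovers the password with one decode call. With DIGEST (RFC 2617, shown here without the `qop` extension) the client sends a hash bound to a server-issued nonce, the server verifies it from a stored `HA1` value, and a header captured from the wire stops verifying once that nonce is retired. The realm name, account, password and nonce values are constructed for the example.

```python
import base64
import hashlib
import re
import secrets

# Constructed realm name for this example.
REALM = "intranet"


def decode_basic(authorization_header):
    """What a passive observer does with a BASIC header: decode, split on ':'.
    Base64 is an encoding, not encryption, so this is the clear-text password."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(user:realm:password). The server stores this instead of the password."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response (no qop): MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_digest_header(username, realm, password, method, uri, nonce):
    """Client side: the Authorization header a browser would send for the challenge."""
    response = digest_response(digest_ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest(header):
    """Turn 'Digest k="v", k2="v2"' into a dict."""
    body = header.split(" ", 1)[1]
    return dict(re.findall(r'(\w+)="([^"]*)"', body))


def verify_digest(header, method, stored_ha1_by_user, issued_nonces):
    """Server side: recompute the response from the stored HA1 and accept only
    nonces this server issued, so a replayed capture fails once its nonce is retired."""
    p = parse_digest(header)
    if p.get("nonce") not in issued_nonces:
        return False
    ha1 = stored_ha1_by_user.get(p.get("username"))
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p.get("uri", ""), p["nonce"])
    return secrets.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    # RFC 2617's own BASIC example: the password is one decode away.
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    # Constructed DIGEST exchange: the password never appears in the header.
    store = {"mikael": digest_ha1("mikael", REALM, "s3cret")}
    hdr = build_digest_header("mikael", REALM, "s3cret", "GET", "/admin/", "nonce-1")
    print(hdr)
    print("fresh nonce:", verify_digest(hdr, "GET", store, {"nonce-1"}))
    print("retired nonce:", verify_digest(hdr, "GET", store, {"nonce-2"}))
```

Two caveats belong with this. DIGEST protects the password from a passive observer but, being MD5-based and unauthenticated on the server side, it is weak by current standards, so SSL/TLS is the answer that covers both points in Craig's message; and FORM-based login carries the password in the POST body in exactly the same clear-text way as BASIC, which is why he groups the two together.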

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org