Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
To: tomcat-dev@jakarta.apache.org
Subject: Re: Authorization on Linux
From: "Aaron Knauf" <AaronK@geniesystems.com>
Message-ID: <OF192D058F.B50ADBDF-ONCC2569C8.007EE438@akl.nz.geniesystems.com>
Date: Wed, 3 Jan 2001 12:19:13 +1200
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_alternative 007FD4BFCC2569C8_="

--=_alternative 007FD4BFCC2569C8_=
Content-Type: text/plain; charset="us-ascii"

I would go one further and advise against using the system user accounts 
for web user authentication.  Even if you are using SSL to encrypt 
traffic, it is easy to brute force a web password because the web server 
typically allows unlimited retries without locking the account, or 
delaying and in some configurations may not even log the attempts.

Another advantage to using an alternative user accounts database is that 
you don't have to give every web user access to all of the other 
facilities on your web server.  (If the user account doesn't exist, no-one 
can log in with it.)

Apache provides modules for authenticating against all sorts of other user 
accounts.  Perhaps you could try to hook in to one of these.

-----------------------------------------------------------------------------------------------
Aaron Knauf
Implementation Consultant
Genie Systems Ltd
Auckland, New Zealand
Ph. +64-9-573 3310 x812, email: aaronk@geniesystems.com
http://www.geniesystems.com
------------------------------------------------------------------------------------------------


"Craig R. McClanahan" <Craig.McClanahan@eng.sun.com>
03/01/2001 11:08
Please respond to tomcat-dev

 
        To:     tomcat-dev@jakarta.apache.org, mikael.pahmp@axis.com
        cc: 
        Subject:        Re: Authorization on Linux


Mikael Pahmp wrote:

> I'm using Tomcat with Apache on a RedHat 6.2 Linux. I use the form-based 
login mechanism and want to authorize the user logins against the 
users/groups that are already defined in Linux. It seems to be possible by 
implementing an Interceptor.

It is certainily feasible to do this with a request interceptor (Tomcat 
3.x) or
valve (Tomcat 4.x).  You would need to provide a custom implementation 
(you can
use the existing JDBCRealm implementation as a model) and configure Tomcat 
to
use it
in the server.xml file.

One very important thing you should consider before doing so, however, is 
the
way that usernames and passwords get communicated when using HTTP 
authentication
methods.  If you use BASIC or FORM-BASED authentication, your username and
password are
essentially passed as clear-text.  Therefore, if I can snoop the network
connection, I can now attack your server with a known-good username and 
password
-- *not* something you really want to have happen.

Moral of the story -- if you are in an environment where your network
connections are subject to snooping, use SSL, or DIGEST-mode 
authentication.
This is a good general principle even if your usernames and passwords 
relate
only to the webapp
you are running, but are even more important when exposure could increase
security risks on your entire server.

>
> Has anyone already done this and is willing to share his work?
>
> Otherwise, tips for how to do it is appreciated.
>
> /Mikael
>

Craig

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org


--=_alternative 007FD4BFCC2569C8_=
Content-Type: text/html; charset="us-ascii"


<br><font size=2 face="sans-serif">I would go one further and advise against using the system user accounts for web user authentication. &nbsp;Even if you are using SSL to encrypt traffic, it is easy to brute force a web password because the web server typically allows unlimited retries without locking the account, or delaying and in some configurations may not even log the attempts.</font>
<br>
<br><font size=2 face="sans-serif">Another advantage to using an alternative user accounts database is that you don't have to give every web user access to all of the other facilities on your web server. &nbsp;(If the user account doesn't exist, no-one can log in with it.)</font>
<br>
<br><font size=2 face="sans-serif">Apache provides modules for authenticating against all sorts of other user accounts. &nbsp;Perhaps you could try to hook in to one of these.</font>
<br>
<br><font size=2 face="sans-serif">-----------------------------------------------------------------------------------------------<br>
Aaron Knauf<br>
Implementation Consultant<br>
Genie Systems Ltd<br>
Auckland, New Zealand<br>
Ph. +64-9-573 3310 x812, email: aaronk@geniesystems.com<br>
http://www.geniesystems.com<br>
------------------------------------------------------------------------------------------------</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td>
<td><font size=1 face="sans-serif"><b>&quot;Craig R. McClanahan&quot; &lt;Craig.McClanahan@eng.sun.com&gt;</b></font>
<p><font size=1 face="sans-serif">03/01/2001 11:08</font>
<br><font size=1 face="sans-serif">Please respond to tomcat-dev</font>
<br>
<td><font size=1 face="Arial">&nbsp; &nbsp; &nbsp; &nbsp; </font>
<br><font size=1 face="sans-serif">&nbsp; &nbsp; &nbsp; &nbsp; To: &nbsp; &nbsp; &nbsp; &nbsp;tomcat-dev@jakarta.apache.org, mikael.pahmp@axis.com</font>
<br><font size=1 face="sans-serif">&nbsp; &nbsp; &nbsp; &nbsp; cc: &nbsp; &nbsp; &nbsp; &nbsp;</font>
<br><font size=1 face="sans-serif">&nbsp; &nbsp; &nbsp; &nbsp; Subject: &nbsp; &nbsp; &nbsp; &nbsp;Re: Authorization on Linux</font></table>
<br>
<br>
<br><font size=2><tt>Mikael Pahmp wrote:<br>
</tt></font>
<br><font size=2><tt>&gt; I'm using Tomcat with Apache on a RedHat 6.2 Linux. I use the form-based login mechanism and want to authorize the user logins against the users/groups that are already defined in Linux. It seems to be possible by implementing an Interceptor.<br>
</tt></font>
<br><font size=2><tt>It is certainily feasible to do this with a request interceptor (Tomcat 3.x) or<br>
valve (Tomcat 4.x). &nbsp;You would need to provide a custom implementation (you can<br>
use the existing JDBCRealm implementation as a model) and configure Tomcat to<br>
use it<br>
in the server.xml file.<br>
</tt></font>
<br><font size=2><tt>One very important thing you should consider before doing so, however, is the<br>
way that usernames and passwords get communicated when using HTTP authentication<br>
methods. &nbsp;If you use BASIC or FORM-BASED authentication, your username and<br>
password are<br>
essentially passed as clear-text. &nbsp;Therefore, if I can snoop the network<br>
connection, I can now attack your server with a known-good username and password<br>
-- *not* something you really want to have happen.<br>
</tt></font>
<br><font size=2><tt>Moral of the story -- if you are in an environment where your network<br>
connections are subject to snooping, use SSL, or DIGEST-mode authentication.<br>
This is a good general principle even if your usernames and passwords relate<br>
only to the webapp<br>
you are running, but are even more important when exposure could increase<br>
security risks on your entire server.<br>
</tt></font>
<br><font size=2><tt>&gt;<br>
&gt; Has anyone already done this and is willing to share his work?<br>
&gt;<br>
&gt; Otherwise, tips for how to do it is appreciated.<br>
&gt;<br>
&gt; /Mikael<br>
&gt;<br>
</tt></font>
<br><font size=2><tt>Craig<br>
</tt></font>
<br><font size=2><tt>---------------------------------------------------------------------<br>
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org<br>
For additional commands, email: tomcat-dev-help@jakarta.apache.org</tt></font>
<br>
<br>
<br>
--=_alternative 007FD4BFCC2569C8_=--