tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: tomcat-users.xml
Date Mon, 17 Apr 2000 15:19:07 GMT
Neil Davies wrote:

> Craig,
>
> How do I set up basic authentication within tomcat?
>

Two basic steps:

* Configure the users and their associated passwords and roles in the
  "conf/tomcat-users.xml" file.  It comes preconfigured with a few sample
  users.

* Set up security constraints and a login configuration in your web.xml
  file, as described in the Servlet API Specification, version 2.2.  Note
  that Tomcat 3.1 supports the BASIC <auth-method>.  You can look at
  the "webapps/examples/WEB-INF/web.xml" file for another example.

Details and examples are below in the email message you replied to when you
asked this question.

Craig


>
> Neil
>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> Sent: Friday, April 14, 2000 5:06 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: tomcat-users.xml
>
> Peder Pedersen wrote:
>
> > Hi Neil,
> >
> > My impression is that the tomcat-users.xml authorization mechanism is
> > in an "early stage" condition. Anyway, you set up the users with
> > password and roles, like:
> >
> > <tomcat-users>
> >   <user name="tomcat" password="tomcat" roles="tomcat" />
> >   <user name="admin" password="nimda" roles="admin" />
> > </tomcat-users>
> >
>
> You can also specify a comma-delimited list of roles, if the user is
> authorized for more than one of them.
>
> >
> > Then you set up your web application authorization constraints in the
> > web application deployment descriptor (webappl/WEB-INF/web.xml). Check
> > out the Servlet specification, and the web.xml DTD file in particular.
> > For a very simple example, use something like:
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>Admin Pages</web-resource-name>
> >             <url-pattern>/admin/*</url-pattern>
> >             <http-method>GET</http-method>
> >             <http-method>POST</http-method>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>admin</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >
> >     <login-config>
> >         <auth-method>FORM</auth-method>
> >         <form-login-config>
> >             <form-login-page>login.html</form-login-page>
> >             <form-error-page>login.html</form-error-page>
> >         </form-login-config>
> >     </login-config>
> >
>
> For Tomcat 3.1, you will want to use BASIC authentication.  Form-based
> authentication is not yet completely implemented.  If you're using BASIC,
> you don't actually need the <form-login-config> element.
>
> >
> >     <security-role>
> >         <role-name>admin</role-name>
> >     </security-role>
> >
> > The login page in this example should have the format as specified in
> > the specification; something like:
> >
> > <html>
> > <head>
> >         <title> Security crap. </title>
> > </head>
> > <body>
> >         <form method="POST" action="j_security_check">
> >                 Username <input type="text" name="j_username" size=20><br>
> >                 Password <input type="password" name="j_password" size=20><br>
> >                 <input type="submit" name="Login" value="Login" size=20><br>
> >         </form>
> > </body>
> > </html>
> >
>
> Note that the values specified here for action, and the names of the
> username and password fields, are not arbitrary -- they are required by
> the spec so that the servlet container can recognize them when you use
> form-based authentication.
>
> >
> > Now, if you try to access a page in the admin folder, you are
> > automatically forwarded to the login page first.
> > Btw, I seem to recall that someone had looked into LDAP integration...
> >
> > Best regards,
> >  - Peder
> >
>
> Craig McClanahan
>
> --------------------------------------------------------------------------
> To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-user-help@jakarta.apache.org


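An added example (not part of the original thread, and not Tomcat's own code): a small Python check that reads a tomcat-users.xml / web.xml pair like the ones quoted above and reports roles that no user holds or that lack a <security-role> declaration, a login method other than the BASIC that Craig recommends for Tomcat 3.1, and sample-grade passwords. The inputs are constructed; the audit function, its finding labels and the password heuristic are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, modelled on the snippets quoted in the thread.
TOMCAT_USERS = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="admin" password="nimda" roles="admin,tomcat" />
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def audit(users_xml, web_xml):
    """Return a sorted list of findings for a tomcat-users.xml / web.xml pair."""
    findings = []
    held = set()  # every role granted to at least one user
    for user in ET.fromstring(users_xml).iter("user"):
        name, password = user.get("name", ""), user.get("password", "")
        # roles is a comma-delimited list, as noted in the thread
        held.update(r.strip() for r in user.get("roles", "").split(",") if r.strip())
        # Heuristic (assumption of this example): empty, or the user name forwards/reversed
        if password in ("", name, name[::-1]):
            findings.append(f"weak-password:{name}")
    web = ET.fromstring(web_xml)
    declared = {(e.text or "").strip() for e in web.findall("security-role/role-name")}
    required = {(e.text or "").strip()
                for e in web.findall("security-constraint/auth-constraint/role-name")}
    for role in required:
        if role not in held:
            findings.append(f"role-without-user:{role}")  # nobody can satisfy the constraint
        if role not in declared:
            findings.append(f"role-not-declared:{role}")  # no matching <security-role>
    method = (web.findtext("login-config/auth-method") or "").strip()
    if required and method != "BASIC":  # per the thread, Tomcat 3.1 supports BASIC
        findings.append(f"auth-method:{method or 'missing'}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(TOMCAT_USERS, WEB_XML)))
```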