tomcat-users mailing list archives

From Neil Davies <neil.dav...@uk.boo.com>
Subject RE: tomcat-users.xml
Date Mon, 17 Apr 2000 08:34:08 GMT
Craig,

How do I set up basic authentication within tomcat?

Neil

-----Original Message-----
From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Friday, April 14, 2000 5:06 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: tomcat-users.xml




Peder Pedersen wrote:

> Hi Neil,
>
> My impression is that the tomcat-users.xml authorization mechanism is
> in an "early stage" condition. Anyway, you set up the users with
> password and roles, like:
>
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>   <user name="admin" password="nimda" roles="admin" />
> </tomcat-users>
>

You can also specify a comma-delimited list of roles, if the user is
authorized for more than one of them.

>
> Then you set up your web application authorization constraints in the
> web application deployment descriptor (webappl/WEB-INF/web.xml). Check
> out the Servlet specification, and the web.xml DTD file in particular.
> For a very simple example, use something like:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Admin Pages</web-resource-name>
>             <url-pattern>/admin/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>    </security-constraint>
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>login.html</form-login-page>
>             <form-error-page>login.html</form-error-page>
>         </form-login-config>
>     </login-config>
>

For Tomcat 3.1, you will want to use BASIC authentication.  Form-based
authentication is not yet completely implemented.  If you're using BASIC,
you don't actually need the <form-login-config> element.

>
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>
> The login page in this example should have the format as specified in
> the specification; something like:
>
> <html>
> <head>
>         <title> Security crap. </title>
> </head>
> <body>
>         <form method="POST" action="j_security_check">
>                 Username <input type="text" name="j_username" size=20><br>
>                 Password <input type="password" name="j_password" size=20><br>
>                 <input type="submit" name="Login" value="Login" size=20><br>
>         </form>
> </body>
> </html>
>

Note that the values specified here for action, and the names of the
username and password fields, are not arbitrary -- they are required by the
spec so that the servlet container can recognize them when you use
form-based authentication.

>
> Now, if you try to access a page in the admin folder, you are
> automatically forwarded to the login page first.
> Btw, I seem to recall that someone had looked into LDAP integration...
>
> Best regards,
>  - Peder
>

Craig McClanahan
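
An added example, not part of the original thread: a small Python audit of the two files discussed above, flagging passwords that equal the user name or its reverse, constraints that list `<http-method>` elements (per the Servlet spec such a constraint covers only the listed methods), constraints without a CONFIDENTIAL `<transport-guarantee>`, and constrained roles that no user holds. It assumes the Tomcat 3.x `tomcat-users.xml` attribute layout shown in the thread and a `web.xml` without XML namespaces; the function name `audit` and the sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the snippets quoted in this thread
# (the constrained role is changed to "manager" so the role check fires).
USERS_XML = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="admin" password="nimda" roles="admin,tomcat" />
</tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def audit(users_xml, web_xml):
    """Return a list of (check, detail) findings for the two descriptors."""
    findings, granted = [], set()
    for u in ET.fromstring(users_xml).iter("user"):
        name, pw = u.get("name", ""), u.get("password", "")
        # roles is a comma-delimited list, as noted in the thread
        granted |= {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        if pw.lower() in (name.lower(), name.lower()[::-1]):
            findings.append(("weak-password", name))
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        pattern = sc.findtext(".//url-pattern", "?")
        methods = [(m.text or "").strip() for m in sc.iter("http-method")]
        if methods:  # listing methods limits the constraint to those methods
            findings.append(("methods-limited", f"{pattern}: {','.join(methods)}"))
        # BASIC credentials are only base64-encoded, so transport matters
        if (sc.findtext(".//transport-guarantee") or "").strip() != "CONFIDENTIAL":
            findings.append(("no-transport-guarantee", pattern))
        for role in sc.iterfind("auth-constraint/role-name"):
            if (role.text or "").strip() not in granted:
                findings.append(("role-without-user", (role.text or "").strip()))
    return findings

if __name__ == "__main__":
    for check, detail in audit(USERS_XML, WEB_XML):
        print(f"{check:24} {detail}")
```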




