Return-Path: <Craig.McClanahan@eng.sun.com>
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 99166 invoked from network); 14 Apr 2000 16:59:23 -0000
Received: from lukla.sun.com (192.18.98.31)
  by locus.apache.org with SMTP; 14 Apr 2000 16:59:23 -0000
Received: from centralmail1.Central.Sun.COM ([129.147.62.10])
	by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id KAA21251
	for <tomcat-user@jakarta.apache.org>; Fri, 14 Apr 2000 10:59:09 -0600 (MDT)
Received: from swanaba.central (swanaba.Central.Sun.COM [129.147.30.5])
	by centralmail1.Central.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id
 KAA22927
	for <tomcat-user@jakarta.apache.org>; Fri, 14 Apr 2000 10:59:08 -0600 (MDT)
Received: from eng.sun.com (salespilot.Central.Sun.COM [129.147.30.18])
	by swanaba.central (8.8.8+Sun/8.8.8) with ESMTP id KAA17631
	for <tomcat-user@jakarta.apache.org>; Fri, 14 Apr 2000 10:56:58 -0600 (MDT)
Message-ID: <38F741E1.40B01864@eng.sun.com>
Date: Fri, 14 Apr 2000 09:05:54 -0700
From: "Craig R. McClanahan" <Craig.McClanahan@eng.sun.com>
X-Mailer: Mozilla 4.72 [en]C-CCK-MCD {Sony}  (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: tomcat-user@jakarta.apache.org
Subject: Re: tomcat-users.xml
References: <FD4F6A5857C4D31182D00008C7F379A06C53B5@eulon02e.nt.boo.com>
 <20000414.9545800@peder.caput.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N



Peder Pedersen wrote:

> Hi Neil,
>
> My impression is that the tomcat-users.xml authorization mechanism is
> in an "early stage" condition. Anyway, you set up the users with
> password and roles, like:
>
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>   <user name="admin" password="nimda" roles="admin" />
> </tomcat-users>
>

You can also specify a comma-delimited list of roles, if the user is authorized
for more than one of them.

>
> Then you set up your web application authorization constraints in the
> web application deployment descriptor (webappl/WEB-INF/web.xml). Check
> out the Servlet specification, and the web.xml DTD file in particular.
> For a very simple example, use something like:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Admin Pages</web-resource-name>
>             <url-pattern>/admin/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>    </security-constraint>
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>login.html</form-login-page>
>             <form-error-page>login.html</form-error-page>
>         </form-login-config>
>     </login-config>
>

For Tomcat 3.1, you will want to use BASIC authentication.  Form-based
authentication is not yet completely implemented.  If you're using BASIC, you
don't actually need the <form-login-config> element.

>
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>
> The login page in this example should have the format as specified in
> the specification; something like:
>
> <html>
> <head>
>         <title> Security crap. </title>
> </head>
> <body>
>         <form method="POST" action="j_security_check">
>                 Username <input type="text" name="j_username" size=20><br>
>                 Password <input type="password" name="j_password" size=20><br>
>                 <input type="submit" name="Login" value="Login" size=20><br>
>         </form>
> </body>
> </html>
>

Note that the values specified here for action, and the names of the username and
password fields, are not arbitrary -- they are required by the spec so that the
servlet container can recognize them when you use form-based authentication.

>
> Now, if you try to acccess a page in the admin folder, you are
> automatically forwarded to the login page first.
> Btw, I seem to recall that someone had looked into LDAP integration...
>
> Best regards,
>  - Peder
>

Craig McClanahan