Return-Path: <Craig.McClanahan@eng.sun.com>
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 10430 invoked from network); 17 Apr 2000 15:20:15 -0000
Received: from lukla.sun.com (192.18.98.31)
  by locus.apache.org with SMTP; 17 Apr 2000 15:20:15 -0000
Received: from centralmail1.Central.Sun.COM ([129.147.62.10])
	by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id JAA17756
	for <tomcat-user@jakarta.apache.org>; Mon, 17 Apr 2000 09:20:14 -0600 (MDT)
Received: from swanaba.central (swanaba.Central.Sun.COM [129.147.30.5])
	by centralmail1.Central.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id
 JAA29365
	for <tomcat-user@jakarta.apache.org>; Mon, 17 Apr 2000 09:20:13 -0600 (MDT)
Received: from eng.sun.com (salespilot.Central.Sun.COM [129.147.30.18])
	by swanaba.central (8.8.8+Sun/8.8.8) with ESMTP id JAA09452
	for <tomcat-user@jakarta.apache.org>; Mon, 17 Apr 2000 09:18:00 -0600 (MDT)
Message-ID: <38FB2B6B.ED2D4BBD@eng.sun.com>
Date: Mon, 17 Apr 2000 08:19:07 -0700
From: "Craig R. McClanahan" <Craig.McClanahan@eng.sun.com>
X-Mailer: Mozilla 4.72 [en]C-CCK-MCD {Sony}  (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: tomcat-user@jakarta.apache.org
Subject: Re: tomcat-users.xml
References: <FD4F6A5857C4D31182D00008C7F379A06C53BA@eulon02e.nt.boo.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Neil Davies wrote:

> Craig,
>
> How do I set up basic authentication within tomcat?
>

Two basic steps:

* Configure the users and their associated passwords and roles in the
  "conf/tomcat-users.xml" file.  It comes preconfigured with a few sample
  users.

* Set up security constraints and a login configuration in your web.xml
  file, as described in the Servlet API Specification, version 2.2.  Note
  that Tomcat 3.1 supports the BASIC <auth-method>.  You can look at
  the "webapps/examples/WEB-INF/web.xml" file for another example.

Details and examples are below in the email message you replied to when you
asked this question.

Craig


>
> Neil
>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> Sent: Friday, April 14, 2000 5:06 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: tomcat-users.xml
>
> Peder Pedersen wrote:
>
> > Hi Neil,
> >
> > My impression is that the tomcat-users.xml authorization mechanism is
> > in an "early stage" condition. Anyway, you set up the users with
> > password and roles, like:
> >
> > <tomcat-users>
> >   <user name="tomcat" password="tomcat" roles="tomcat" />
> >   <user name="admin" password="nimda" roles="admin" />
> > </tomcat-users>
> >
>
> You can also specify a comma-delimited list of roles, if the user is
> authorized
> for more than one of them.
>
> >
> > Then you set up your web application authorization constraints in the
> > web application deployment descriptor (webappl/WEB-INF/web.xml). Check
> > out the Servlet specification, and the web.xml DTD file in particular.
> > For a very simple example, use something like:
> >
> >     <security-constraint>
> >         <web-resource-collection>
> >             <web-resource-name>Admin Pages</web-resource-name>
> >             <url-pattern>/admin/*</url-pattern>
> >             <http-method>GET</http-method>
> >             <http-method>POST</http-method>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>admin</role-name>
> >         </auth-constraint>
> >    </security-constraint>
> >
> >     <login-config>
> >         <auth-method>FORM</auth-method>
> >         <form-login-config>
> >             <form-login-page>login.html</form-login-page>
> >             <form-error-page>login.html</form-error-page>
> >         </form-login-config>
> >     </login-config>
> >
>
> For Tomcat 3.1, you will want to use BASIC authentication.  Form-based
> authentication is not yet completely implemented.  If you're using BASIC,
> you
> don't actually need the <form-login-config> element.
>
> >
> >     <security-role>
> >         <role-name>admin</role-name>
> >     </security-role>
> >
> > The login page in this example should have the format as specified in
> > the specification; something like:
> >
> > <html>
> > <head>
> >         <title> Security crap. </title>
> > </head>
> > <body>
> >         <form method="POST" action="j_security_check">
> >                 Username <input type="text" name="j_username" size=20><br>
> >                 Password <input type="password" name="j_password"
> size=20><br>
> >                 <input type="submit" name="Login" value="Login"
> size=20><br>
> >         </form>
> > </body>
> > </html>
> >
>
> Note that the values specified here for action, and the names of the
> username and
> password fields, are not arbitrary -- they are required by the spec so that
> the
> servlet container can recognize them when you use form-based authentication.
>
> >
> > Now, if you try to acccess a page in the admin folder, you are
> > automatically forwarded to the login page first.
> > Btw, I seem to recall that someone had looked into LDAP integration...
> >
> > Best regards,
> >  - Peder
> >
>
> Craig McClanahan
>
> --------------------------------------------------------------------------
> To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commmands, email: tomcat-user-help@jakarta.apache.org
>
> --------------------------------------------------------------------------
> To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commmands, email: tomcat-user-help@jakarta.apache.org