tomcat-users mailing list archives

From "Dunkle, Ed" <Ed.Dun...@ameriserve.com>
Subject RE: protecting all resources
Date Wed, 03 May 2000 15:34:43 GMT
What would be nice is if you could configure a servlet container to use your
own custom class that accepted a principal and credentials in a validate()
method and returned a boolean.  Then we could implement our own logic for
the validation but rely on the container to protect resources.

Since it doesn't appear to work that way, I am trying to figure out how to
do this myself.  In Tomcat, I can extend the DefaultServlet with a session
object check before delegating to super.doGet().  And I have a LoginServlet,
invoked from a custom form, that authenticates and creates the session
object.  Is there a better way to do this?  Extending DefaultServlet is not
a portable solution.

Thanks,
Ed

-----Original Message-----
From: Craig McClanahan [mailto:Craig.McClanahan@eng.sun.com]
Sent: Tuesday, May 02, 2000 7:21 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: protecting all resources


"Dunkle, Ed" wrote:

> Admittedly, I have not finished reading the JSDK 2.2 spec yet, but I'm
> working on it.  But, before I spend a lot of time on this, I was hoping
> someone could give me a clue.
>
> I am using form-based custom authorization.  So we have our own HTML form
> that posts to a servlet that then validates the credentials.  That's fine
> for a login, but I am wanting to ensure that the login has been successful
> before serving up any other files, mainly HTML and JSPs.
>

The idea in the spec is that you should be able to delegate all this stuff to
the servlet container, instead of building it into your application -- the
same way that you can delegate authentication to a web server for password
protected directories.

>
> I am thinking that I need to write a custom "file" servlet that would first
> check for a valid login before allowing the file to be sent.  IF there is
> another way to do this, please let me know!
>

If you wanted to protect an entire web application (requiring a valid
username/password), rather than just part of it, you might do something like
this in your web.xml file:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- A security-constraint with no auth-constraint imposes no
             authentication at all; one is required to demand a login.
             "user" is an illustrative role name and must also be declared
             in a security-role element below. -->
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>My Password-Protected Web Application</realm-name>
        <form-login-config>
            <form-login-page>/loginForm.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>

This way, you don't have to write anything inside your application itself to
enforce security.

A couple of notes if you want to try this with Tomcat 3.1:

* Unfortunately, Tomcat 3.1 does not support form-based security as described
  in the specification yet.  You might try changing the authentication method
  to BASIC instead, to trigger the browser pop-up dialog box for logging in.
  (Remember that this is not secure over the Internet).

* By default, Tomcat will load its list of valid users from a file named
  "conf/tomcat-users.xml" under the Tomcat home directory.

* It is also possible to write a custom implementation of security checking
  so that you can process users and passwords in whatever database or
  directory server you might have them in -- this is somewhat more work but
  it's certainly feasible.

>
> Thanks,
> Ed
>

Craig McClanahan
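As an added example (not code from this thread, nor from Tomcat), here is the portable form of what Ed describes doing by hand: a servlet Filter that performs the session check in front of every resource, and a login servlet that calls a validate(principal, credentials) hook and creates the session object on success. Filters arrived with Servlet 2.3, so this was not available on the Tomcat 3.1 of this thread, and the container-managed security-constraint route Craig describes remains the one to prefer where it works; the point of the listing is the checks an application-level version must get right (never creating a session on a denied request, keeping the login form reachable, discarding the pre-login session, redirecting to a fixed page). The class names, the "app.user" session attribute, the /login mapping, the username/password form fields, the in-memory validator and its sample account are all assumptions; loginForm.jsp and loginError.jsp are the names from Craig's web.xml fragment. The classes are shown as one listing for reading; each public class belongs in its own source file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** The hook Ed asks for: a principal and its credentials in, a boolean out. */
interface CredentialValidator {
    boolean validate(String principal, String credentials);
}

/** Illustrative validator over constructed sample data; a real one queries your user store. */
class InMemoryValidator implements CredentialValidator {
    private final Map<String, byte[]> digests = new HashMap<>();

    InMemoryValidator() {
        // Constructed sample account. Plain SHA-256 only keeps the sample short;
        // a production store wants a salted, slow password hash (bcrypt, scrypt, Argon2).
        digests.put("ed", sha256("s3cret"));
    }

    public boolean validate(String principal, String credentials) {
        if (principal == null || credentials == null) return false;
        byte[] stored = digests.get(principal);
        if (stored == null) return false;
        // Constant-time comparison: timing must not reveal how many bytes matched.
        return MessageDigest.isEqual(stored, sha256(credentials));
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }
}

/** Portable replacement for overriding DefaultServlet: mapped to /* it fronts every resource. */
public class LoginRequiredFilter implements Filter {
    static final String USER_ATTR = "app.user";        // assumed session attribute name
    static final String LOGIN_PAGE = "/loginForm.jsp";  // page name from Craig's web.xml
    static final String LOGIN_ACTION = "/login";        // assumed mapping of LoginServlet

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath(); // container-normalized, context-relative

        // The form and its handler must stay reachable unauthenticated, or nobody can log in.
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false): a denied request must not create a session as a side effect.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + LOGIN_PAGE));
            return;
        }
        chain.doFilter(req, res);
    }
}

/** Target of the custom form's POST (assumed fields: username, password). */
class LoginServlet extends HttpServlet {
    private final CredentialValidator validator = new InMemoryValidator();

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String ctx = request.getContextPath();
        String user = request.getParameter("username");
        if (!validator.validate(user, request.getParameter("password"))) {
            response.sendRedirect(response.encodeRedirectURL(ctx + "/loginError.jsp"));
            return;
        }
        // Session fixation: drop any session that existed before authentication, so an id
        // planted in the victim's browser beforehand never becomes the logged-in session.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(LoginRequiredFilter.USER_ATTR, user);
        // Land on a fixed page, not a caller-supplied "return to" URL (avoids an open redirect).
        response.sendRedirect(response.encodeRedirectURL(ctx + "/"));
    }
}
```

Wire it up in web.xml with a filter-mapping of LoginRequiredFilter to /* and a servlet-mapping of LoginServlet to /login (both assumed names), and have loginForm.jsp post its username and password fields to /login. The /* filter mapping is what gives Ed's check the same reach as the container's security-constraint: HTML, JSPs and everything else served by the application pass through it, not only what DefaultServlet happens to serve.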


