tomcat-users mailing list archives

From Craig McClanahan <Craig.McClana...@eng.sun.com>
Subject Re: protecting all resources
Date Wed, 03 May 2000 00:20:53 GMT
"Dunkle, Ed" wrote:

> Admittedly, I have not finished reading the JSDK 2.2 spec yet, but I'm
> working on it.  But, before I spend a lot of time on this, I was hoping
> someone could give me a clue.
>
> I am using form-based custom authorization.  So we have our own HTML form
> that posts to a servlet that then validates the credentials.  That's fine
> for a login, but I am wanting to ensure that the login has been successful
> before serving up any other files, mainly HTML and JSPs.
>

The idea in the spec is that you should be able to delegate all this stuff to
the servlet container, instead of building it into your application -- the
same way that you can delegate authentication to a web server for password
protected directories.

>
> I am thinking that I need to write a custom "file" servlet that would first
> check for a valid login before allowing the file to be sent.  IF there is
> another way to do this, please let me know!
>

If you wanted to protect an entire web application (requiring a valid
username/password), rather than just part of it, you might do something like
this in your web.xml file:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- Without an auth-constraint the container requires no login at all
             for the URLs above. The role name here is an assumption: use any
             role your realm assigns (the default conf/tomcat-users.xml in
             Tomcat 3.x assigns a role named "tomcat"). -->
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>My Password-Protected Web Application</realm-name>
        <!-- The form pages go in form-login-config, not a nested login-config -->
        <form-login-config>
            <form-login-page>/loginForm.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

This way, you don't have to write anything inside your application itself to
enforce security.

A couple of notes if you want to try this with Tomcat 3.1:

* Unfortunately, Tomcat 3.1 does not support form-based security as described
  in the specification yet.  You might try changing the authentication method
  to BASIC instead, to trigger the browser pop-up dialog box for logging in.
  (Remember that this is not secure over the Internet).

* By default, Tomcat will load its list of valid users from a file named
  "conf/tomcat-users.xml" under the Tomcat home directory.

* It is also possible to write a custom implementation of security checking so
  that you can process users and passwords in whatever database or directory
  server you might have them in -- this is somewhat more work but it's
  certainly feasible.

>
> Thanks,
> Ed
>

Craig McClanahan
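Added example, not part of the message above or of Tomcat itself: a small Python check (standard library only) that parses a web.xml and flags the two things that make a `<security-constraint>` / `<login-config>` pair silently fail to protect anything: a constraint with no `<auth-constraint>` (which, per the Servlet spec, means no login is required for those URLs) and form pages placed in a nested `<login-config>` instead of `<form-login-config>`. Both descriptors it runs on are constructed inline, the first being the fragment as posted; the role name `tomcat` in the corrected one is an assumption.

```python
# Added example (not part of the mailing-list message or of Tomcat): a static
# check over a web.xml for security-constraint / login-config pitfalls.
import xml.etree.ElementTree as ET

# Constructed sample 1: the fragment as posted, wrapped in a <web-app> root.
AS_POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>My Password-Protected Web Application</realm-name>
    <login-config>
      <form-login-page>/loginForm.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </login-config>
  </login-config>
</web-app>"""

# Constructed sample 2: same intent, with an auth-constraint (the role name is
# an assumption) and the form pages under form-login-config.
CORRECTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginForm.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def _name(elem):
    # Servlet 2.2 descriptors use a DTD (no namespace); later schema-based ones
    # put elements in a namespace, which ElementTree renders as "{uri}tag".
    return elem.tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _name(c) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def check_web_xml(xml_text):
    """Return a list of (code, message) findings for one web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    for sc in _children(root, "security-constraint"):
        patterns = [p.text.strip()
                    for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern") if p.text]
        auth = _children(sc, "auth-constraint")
        if not auth:
            # No auth-constraint: the container requires no authentication.
            findings.append(("NO_AUTH_CONSTRAINT",
                             "constraint on %s has no <auth-constraint>: "
                             "no login is required for these URLs" % patterns))
        elif not _children(auth[0], "role-name"):
            findings.append(("EMPTY_AUTH_CONSTRAINT",
                             "constraint on %s lists no role-name: "
                             "every request is denied" % patterns))

    for lc in _children(root, "login-config"):
        method = (_text(lc, "auth-method") or "").upper()
        if _children(lc, "login-config"):
            findings.append(("NESTED_LOGIN_CONFIG",
                             "<login-config> nested inside <login-config>; "
                             "form pages belong in <form-login-config>"))
        flc = _children(lc, "form-login-config")
        if method == "FORM":
            if not flc:
                findings.append(("FORM_WITHOUT_FORM_LOGIN_CONFIG",
                                 "auth-method FORM but no <form-login-config>"))
            elif not (_text(flc[0], "form-login-page")
                      and _text(flc[0], "form-error-page")):
                findings.append(("FORM_LOGIN_CONFIG_INCOMPLETE",
                                 "form-login-config needs both "
                                 "form-login-page and form-error-page"))
    return findings


if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label + ":")
        for code, message in check_web_xml(doc) or [("OK", "no findings")]:
            print("  %s: %s" % (code, message))
```

Run against the fragment as posted it reports three findings (no auth-constraint, nested login-config, and therefore no form-login-config); against the corrected descriptor it reports none. The check deliberately treats a missing `<auth-constraint>` as the serious case, since the descriptor still parses and deploys cleanly while leaving every URL open.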