tomcat-users mailing list archives

From "Kotsiras, Alexandros" <AKotsi...@mediaondemand.com>
Subject RE: Login Security design strategy
Date Thu, 19 Oct 2000 16:41:26 GMT
I faced similar issues recently with a project.
The only way that I could actually make it work was your second approach:

Custom Form-based Authentication:

2) Route all incoming requests for a certain context to a servlet which...
    a) performs a login check
    b) if logged in, forwards the user to the page actually requested

As you said, the built-in protection mechanism of Tomcat only protects
.jsp/servlets but not .html, since .html files are being served by Apache.
(Of course on port 8080 Tomcat will pop up a login box even for .html files
but...)
OK, there is a solution for this:
Rename all your .html files that you want to protect to .jsp and let Tomcat
serve them instead of Apache.
If you don't have 1000s of protected .html files it's not a big deal to make
them .jsp.

BUT :

What would you do in my case, where I wanted to protect .ram files (Real
Player meta files that point to Real Server video files)?
I couldn't rename (treat) .ram files as .jsp, so the built-in Tomcat Realms
wouldn't help.

The only solution was to create all the links to these files via an
Authenticator servlet which will check the user's session for the appropriate
permissions and forward to the requested .ram file if permissions are OK,
or forward to login.jsp if the user does not have permissions.
Now what happens if a smart user knows the path to the .ram file directly
and tries to type it in the browser?

2 independent solutions:

1. Use Apache's RewriteRule engine and tell Apache to send all the requests
   to .ram files to the Authenticator servlet.
2. Password protect the folder with the secure content via Apache so the
   user will get a pop-up to enter a password that he will never know.
   Keep in mind that when you forward(request, response) from a servlet to a
   protected resource you bypass the Apache/Tomcat Realms so the user will
   not get a login pop-up. If you do sendRedirect() instead of forward()
   then the pop-up will show.


Alex.

-----Original Message-----
From: Bragg, Casey [mailto:Casey.Bragg@allegiancetelecom.com]
Sent: Thursday, October 19, 2000 12:11 PM
To: tomcat-user@jakarta.apache.org
Subject: Login Security design strategy


I'm currently implementing form based login by having each secured page
execute jsp code which performs a security check.

Example:
   helloSecureWorld.jsp
      <%
          myClass.securityCheck(request); // this handles all redirection to login pages
      %>
      <html>
      <body>
      <p> Hello! I am very secure with myself! </p>
      </body>
      </html>


The main problem with this method is that only my jsp files which perform
the security check are secure.  My static files are left unsecured.  It's
time for a change.

What is the currently recommended method for providing form based login with
Tomcat?

Here are the methods I'm currently aware of:

1) Wait for Tomcat 4 which apparently will include a stable form based login
function...

2) Route all incoming requests for a certain context to a servlet which...
    a) performs a login check
    b) if logged in, forwards the user to the page actually requested

Thanks...

...Casey

==============================================
Casey Bragg - Software Engineer
Allegiance Telecom, Inc.  Dallas, TX
214-261-8679 - casey.bragg@allegiancetelecom.com
==============================================
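Below is what the Authenticator servlet that both posts talk about (Casey's "route all requests to a servlet" approach and Alex's session-permission check with forward versus sendRedirect) could look like. It is an added example, not code from either message. It assumes a session attribute named "permissions" holding a java.util.Set of file names that login.jsp stores after a successful login, an assumed folder /secure/ inside the web application for the .ram files, a request parameter named "file" naming the wanted clip, and that login.jsp accepts a "next" parameter to return the user here. It also adds a file-name check that the thread does not mention, because the forward target is built from user input.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Set;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Authenticator servlet in the style of the thread's second approach.
 * Every link in the site points here (e.g. /servlet/Authenticator?file=clip1.ram),
 * never at the .ram file itself.
 */
public class AuthenticatorServlet extends HttpServlet {

    // Assumed: login.jsp stores a java.util.Set of permitted file names
    // under this session attribute once the user has logged in.
    private static final String PERMISSIONS_ATTR = "permissions";

    // Assumed: the protected .ram files live here inside the web application.
    private static final String PROTECTED_DIR = "/secure/";

    private static final String LOGIN_PAGE = "/login.jsp";

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String file = request.getParameter("file");

        // Accept only a bare .ram file name (no directories, no ".." segments)
        // so the forward cannot be pointed anywhere outside PROTECTED_DIR.
        if (!isSafeRamName(file)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad file name");
            return;
        }

        // getSession(false) does not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        if (!isPermitted(session, file)) {
            // sendRedirect: the browser issues a brand-new request for login.jsp,
            // so the address bar changes and any Apache protection on that path
            // applies. The wanted file is passed along so login.jsp can come back.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE
                    + "?next=" + URLEncoder.encode(file, "UTF-8"));
            return;
        }

        // forward: served inside Tomcat within the same request. The browser
        // never sees PROTECTED_DIR and an Apache password pop-up on that folder
        // is not triggered, which is the behaviour Alex describes.
        RequestDispatcher dispatcher =
                getServletContext().getRequestDispatcher(PROTECTED_DIR + file);
        dispatcher.forward(request, response);
    }

    /** True for names like "clip1.ram"; rejects empty input, paths and traversal. */
    static boolean isSafeRamName(String name) {
        if (name == null || name.length() <= 4) return false;
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) return false;
        if (name.indexOf("..") >= 0) return false;
        return name.endsWith(".ram");
    }

    /** Checks the session-held permission set; no session means not logged in. */
    static boolean isPermitted(HttpSession session, String file) {
        if (session == null) return false;
        Object perms = session.getAttribute(PERMISSIONS_ATTR);
        if (!(perms instanceof Set)) return false;
        return ((Set) perms).contains(file);
    }
}
```

The servlet only helps if nothing else hands out the files, which is Alex's point about a user typing the path directly. With Apache in front, his first option would be a rule such as `RewriteRule ^/secure/([^/]+\.ram)$ /servlet/Authenticator?file=$1 [R,L]` (an assumed mapping of the servlet at /servlet/Authenticator), so that a direct request for the folder is sent back through the check; his second option, htpasswd protection on /secure/ in Apache, is unaffected by the forward because the forward never leaves Tomcat.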