tomcat-users mailing list archives

From John Murtari <mrl...@thebook.com>
Subject Virtual Hosting /manager with better user authentication
Date Wed, 23 Oct 2002 17:45:53 GMT
We are currently using Tomcat 4.1.12.  We are doing virtual hosting
and install the /manager for each virtual host. It all looks something
like:

<Host name="www.abc.com" debug="0" appBase="/pub/users/abc/www" unpackWARs="true" autoDeploy="true">
  <Logger className="org.apache.catalina.logger.FileLogger" prefix="abc_log." suffix=".txt"
          verbosity="4" timestamp="true"/>
  <Context path="/manager" docBase="/usr/local/etc/tomcat/server/webapps/manager" debug="1"
           reloadable="true" crossContext="true" privileged="true">
    <Logger className="org.apache.catalina.logger.FileLogger" prefix="abc-manager_log."
            suffix=".txt" verbosity="4" timestamp="true"/>
  </Context>
</Host>

<Host name="www.xyz.com" debug="0" appBase="/pub/users/xyz/www" unpackWARs="true" autoDeploy="true">
  <Logger className="org.apache.catalina.logger.FileLogger" prefix="xyz_log." suffix=".txt"
          verbosity="4" timestamp="true"/>
  <Context path="/manager" docBase="/usr/local/etc/tomcat/server/webapps/manager" debug="1"
           reloadable="true" crossContext="true" privileged="true">
    <Logger className="org.apache.catalina.logger.FileLogger" prefix="xyz-manager_log."
            suffix=".txt" verbosity="4" timestamp="true"/>
  </Context>
</Host>

We are using the JDBC realm to authenticate users through MySQL and
this is working well.  The problem is that there does not seem to be a
way to limit a user to a particular virtual host.  I have looked
through the documentation and there is a Valve to restrict based on IP
address or hostname, but nothing to restrict based on the username.

i.e. www.abc.com/manager/html/list authenticates with abc/123
     www.xyz.com/manager/html/list authenticates with xyz/987

but user xyz can also get into www.abc.com/manager/html/list
and user abc can also get into www.xyz.com/manager/html/list

The way I have solved this is to make a copy of the default manager
WAR (i.e. manager-abc, manager-xyz) and point the Context to this unique
WAR.  Within the web.xml file for this manager WAR, I change
both instances of <role-name>manager</role-name> to a unique
role for this user, i.e.:

manager-abc/WEB-INF/web.xml contains <role-name>manager-abc</role-name>
manager-xyz/WEB-INF/web.xml contains <role-name>manager-xyz</role-name>

In the user_roles MySQL table, I use this new role instead of
manager.  This seems to work OK and keeps user xyz out of abc's
/manager, but this seems like an awful hack.  Is there a better
(easier) way of doing this?

-- 
                                          John
___________________________________________________________________
John Murtari                              Software Workshop Inc.
mrlist@thebook.com 315.695.1301(x-211)    "TheBook.Com" (TM)
http://www.thebook.com/

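As an added example (not part of John's post or of Tomcat), the following Python models the check described above: the realm grants access to /manager when the user holds any role named in that WAR's web.xml auth-constraint, and it never sees which Host the request came in on, so the only thing separating hosts is whether their role names differ. The web.xml fragments, user_roles rows and host-owner mapping are constructed sample data.

```python
"""Model the authorization check Tomcat's realm performs for /manager on
each virtual host: a request is allowed if the user holds any role named
in the web.xml <auth-constraint>. The realm never sees the Host, so
isolation between hosts comes only from the role names differing.
web.xml fragments and user_roles rows below are constructed sample data."""
import xml.etree.ElementTree as ET

# Minimal per-host web.xml fragment (constructed), one per manager WAR copy.
WEB_XML_TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>{role}</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def required_roles(web_xml):
    """Return the set of role names the web.xml auth-constraint demands."""
    root = ET.fromstring(web_xml)
    return {e.text.strip() for e in root.iter("role-name")}

def access_matrix(host_web_xml, user_roles):
    """Map each host name to the users allowed into its /manager.
    user_roles mirrors the JDBC realm's (user_name, role_name) table rows."""
    roles_of = {}
    for user, role in user_roles:
        roles_of.setdefault(user, set()).add(role)
    return {host: {u for u, rs in roles_of.items() if rs & required_roles(xml)}
            for host, xml in host_web_xml.items()}

def cross_host_users(matrix, owner_of):
    """(user, host) pairs where a user reaches a /manager on a host they do not own."""
    return {(u, h) for h, users in matrix.items() for u in users if owner_of[h] != u}

# Before: stock manager WAR on both hosts, both requiring the shared role "manager".
SHARED = {"www.abc.com": WEB_XML_TEMPLATE.format(role="manager"),
          "www.xyz.com": WEB_XML_TEMPLATE.format(role="manager")}
SHARED_ROLES = [("abc", "manager"), ("xyz", "manager")]
# After: copied WARs manager-abc / manager-xyz, each demanding a per-host role name.
UNIQUE = {"www.abc.com": WEB_XML_TEMPLATE.format(role="manager-abc"),
          "www.xyz.com": WEB_XML_TEMPLATE.format(role="manager-xyz")}
UNIQUE_ROLES = [("abc", "manager-abc"), ("xyz", "manager-xyz")]
OWNER = {"www.abc.com": "abc", "www.xyz.com": "xyz"}  # which user owns which host

if __name__ == "__main__":
    for label, hosts, rows in (("shared", SHARED, SHARED_ROLES), ("unique", UNIQUE, UNIQUE_ROLES)):
        leaks = cross_host_users(access_matrix(hosts, rows), OWNER)
        print(f"{label} role names: cross-host access = {sorted(leaks) or 'none'}")
```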

