tomcat-users mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: REALM question - please help
Date Fri, 27 Jun 2003 17:27:41 GMT


Dinh, Chinh wrote:

>Thanks for your help. I'm new to TOMCAT, so I may have some confusion.
>I thought it's the way that TOMCAT does. We have to use REALM to authenticate as we define
>this in web.xml:
>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>MyRealm</realm-name>
>  </login-config>
>
>It will pop up a log in box, and the Realm's authentication method will do the authentication.
>After the login, it'll call the Servlet's service(). In the Realm class, which extends
>org.apache.catalina.realm.RealmBase, there is no access to HttpRequest, Response, or Session
>at this point.
>
>How do I store a data member of the Realm class somewhere (?) so that my servlet can
>access it?
>
Bill is right except that I don't know how to do that with Tomcat 4.1.x 
(without writing your own Authenticator class). With Tomcat 5, the Realm 
class contains 3 more methods you can use to achieve your goal:

- hasResourcePermission(HttpServletRequest, HttpServletResponse, SecurityConstraint, constraint)
- hasUserDataPermission(HttpServletRequest, HttpServletResponse, SecurityConstraint)
- findSecurityConstraint(HttpServletRequest, Context)

The Authentication mechanism will:

- (1) call the realm.findSecurityConstraint
- (2) call the realm.hasUserData
- (3) call realm.authenticate
- (4) call realm.hasResourcePermission

So you may add the realm instance to the session when (1) is invoked.

If you want to do it with Tomcat 4.1.x, you may override 
Authenticator.findSecurityConstraint(....).

For Tomcat 5.0.4, I would like to first do (3) then (1) (2)....but I'm 
still thinking about the way I would propose the change :-)

-- Jeanfrancois


>Or is it something that should never be done? What'd be an alternative solution? I
>don't think Filter serves the goal that I describe above, am I correct?
>Thank you very much. - Chinh
>
>Bill Barker <wbarker@wilshire.com> wrote:
>I agree with Jean-Francois that the design is less than perfect ;-). You
>should probably re-think it. However, I'm willing to give you more than
>enough rope to hang yourself ;-).
>
>1) If your custom Realm is configured under a , then simply
>have it save an instance of itself into the Session.
>2) If not, or otherwise, have it set a request-attribute with itself as the
>value.
>
>"Dinh, Chinh" wrote in message
>news:20030626213918.33246.qmail@web41012.mail.yahoo.com...
>  
>
>>Thanks for the response. My situation is like this:
>>- I created my own Realm for webDAV access. When I launch
>>http://localhost:8080/webdav, it will first call myRealm's authentication().
>>Within authentication(), I call some existing authentication class, which
>>returns a USER object (basically, has some application specific user
>>properties).
>>
>>- After the authentication is successful (from a Log-in Dialog box, for
>>example), it will get to my servlet (in this case, a webDAVservlet). In this
>>webDavServlet, I would like to get the USER object that I stored as a data
>>member in my Realm class.
>>
>>- That is the reason I want to be able to get the realm object from the
>>servlet. Any advice? Thanks. - Chinh
>>
>>Jean-Francois Arcand wrote:
>>
>>Dinh, Chinh wrote:
>>
>>>I have a tomcat question for you.
>>>
>>>In Tomcat's server.xml, we define a realm (only ONE)
>>>
>>>When tomcat starts, I think it will instantiate a realm object of this
>>>type.
>>>
>>>I am trying to find a way to access this realm object in my servlet (the
>>>servlet that starts after the realm's authentication
>>>succeeds).
>>>
>>>There's a method "getRealm()" from org.apache.catalina.core.ContainerBase,
>>>but how would we get this ContainerBase?
>>>
>>No. For security reasons, a servlet should not have access to any Tomcat
>>classes. If your app is able to have access to those methods, any
>>malicious app can also have access and sniff the information.
>>
>>Why do you want to have access to the realm?
>>
>>>Does Tomcat have some kind of global object of this type?
>>>
>>No...and in Tomcat 5, we have enforced the security protection mechanism
>>so it is mostly impossible to invoke Tomcat internal classes (when the
>>security manager is turned on).
>>
>>>Thank you. Chinh
>>>
>>-- Jeanfrancois
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
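An added example, not code from this thread or from Tomcat, of handing the authenticated user's application data to the servlet without reaching into Catalina internals (the concern raised in the thread): a standard javax.servlet Filter that runs after the container's BASIC authentication and, as Bill suggests, exposes the result as a request attribute. `AppUser` and `UserDirectory` are hypothetical stand-ins for the USER object and the "existing authentication class" the question mentions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical application-side user object (stands in for the thread's USER object).
class AppUser {
    final String name;
    final String department;
    AppUser(String name, String department) { this.name = name; this.department = department; }
}

// Hypothetical application lookup; a constructed in-memory table replaces the thread's existing authentication class.
class UserDirectory {
    private static final Map<String, AppUser> USERS = new HashMap<>();
    static { USERS.put("chinh", new AppUser("chinh", "webdav-admins")); }
    static AppUser findByName(String name) { return USERS.get(name); }
}

// Mapped in web.xml on the same URL pattern as the protected servlet. The
// container's BASIC authentication runs before any filter, so the Realm has
// already populated getUserPrincipal(); nothing here imports org.apache.catalina.
public class UserContextFilter implements Filter {
    public static final String USER_ATTR = "app.user";   // request attribute name

    public void init(FilterConfig config) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // URL not covered by a <security-constraint>: fail closed instead of serving without a user context.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        AppUser user = UserDirectory.findByName(principal.getName());
        if (user == null) {
            // Known to the Realm but not to the application: refuse, do not guess.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        request.setAttribute(USER_ATTR, user);  // what the servlet reads back
        chain.doFilter(request, response);
    }
}
```

The servlet reads `(AppUser) request.getAttribute(UserContextFilter.USER_ATTR)` and never needs a cast to any Tomcat class; the filter must be mapped in web.xml to the same URL pattern the `<security-constraint>` protects.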



