tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: REALM question - please help
Date Sat, 28 Jun 2003 03:39:57 GMT
Ok, so I forgot that TC 4.1 doesn't allow access to the Request in Realm
:-(.  So the easiest way to do this is to put a reference to Realm in your
own custom Principal, and in your Servlet, cast up and get it from there.
Or, better, just store the USER in your principal when you create it.

This is the only reason that I ever use custom Realms:  to provide extended
user information in the Principal.

"Jean-Francois Arcand" <jfarcand@apache.org> wrote in message
news:3EFC7E8D.9070308@apache.org...
>
>
> Dinh, Chinh wrote:
>
> >Thanks for your help. I'm new to TOMCAT, so I may have some confusion.
> >I thought it's the way that TOMCAT does. We have to use REALM to
> >authenticate as we define this in web.xml:
> >
> >  <login-config>
> >    <auth-method>BASIC</auth-method>
> >    <realm-name>MyRealm</realm-name>
> >  </login-config>
> >
> >It will pop up a log in box, and Realm's authentication method will do
> >the authentication. After the Login, it'll call the Servlet's service().
> >In the Realm class, which extends org.apache.catalina.realm.RealmBase, there
> >is no access to HttpRequest, Response, or Session at this point.
> >
> >How do I store a data member of the Realm class somewhere (?) so that my
> >servlet can access it?
> >
> Bill is right except that I don't know how to do that with Tomcat 4.1.x
> (without writing your own Authenticator class). With Tomcat 5, the Realm
> class contains 3 more methods you can use to achieve your goal:
>
> - hasResourcePermission(HttpServletRequest,HttpServletResponse,
> SecurityConstraint, constraint)
> - hasUserDataPermission(HttpServletRequest,HttpServletResponse,
> SecurityConstraint)
> - findSecurityConstraint(HttpServletRequest,Context)
>
> The Authentication mechanism will:
>
> - (1) call the realm.findSecurityConstraint
> - (2) call the realm.hasUserData
> - (3) call realm.authenticate
> - (4) call realm.hasResourcePermission
>
> So you may add the realm instance to the session when (1) is invoked.
>
> If you want to do it with Tomcat 4.1.x, you may override
> Authenticator.findSecurityConstraint(....).
>
> For Tomcat 5.0.4, I would like to first do (3) then (1) (2)....but I'm
> still thinking the way I would propose the change :-)
>
> -- Jeanfrancois
>
>
> >Or is it something that should never be done? What'd be an alternative
> >solution? I don't think Filter serves the goal that I describe above, am I
> >correct?
> >Thank you very much. - Chinh
> >
> >Bill Barker <wbarker@wilshire.com> wrote:
> >I agree with Jean-Francois that the design is less than perfect ;-). You
> >should probably re-think it. However, I'm willing to give you more than
> >enough rope to hang yourself ;-).
> >
> >1) If your custom Realm is configured under a , then simply
> >have it save an instance of itself into the Session.
> >2) If not, or otherwise, have it set a request-attribute with itself as
> >the value.
> >
> >"Dinh, Chinh" wrote in message
> >news:20030626213918.33246.qmail@web41012.mail.yahoo.com...
> >
> >
> >>Thanks for the response. My situation is like this:
> >>- I created my own Realm for webDAV access. When I launch
> >>http://localhost:8080/webdav, it will first call myRealm's
> >>authentication(). Within authentication(), I call some existing
> >>authentication class, which returns a USER object (basically, has some
> >>application specific user properties).
> >>- After the authentication is successful (from a Log-in Dialog box, for
> >>example), it will get to my servlet (in this case, a webDAVservlet). In
> >>this webDavServlet, I would like to get the USER object that I stored as
> >>a data member in my Realm class.
> >>- That is the reason I want to be able to get the realm object from the
> >>servlet. Any advice? Thanks. - Chinh
> >>
> >>Jean-Francois Arcand wrote:
> >>
> >>
> >>Dinh, Chinh wrote:
> >>
> >>>I have a tomcat question for you.
> >>>
> >>>In Tomcat's server.xml, we define a realm (only ONE)
> >>>
> >>>When tomcat starts, I think it will instantiate a realm object of this
> >>>type.
> >>>
> >>>I am trying to find a way to access this realm object in my servlet (the
> >>>servlet that starts after the realm's authentication succeeds).
> >>>
> >>>There's a method "getRealm()" from
> >>>org.apache.catalina.core.ContainerBase, but how would we get this
> >>>ContainerBase?
> >>>
> >
> >>No. For security reasons, a servlet should not have access to any Tomcat
> >>classes. If your app is able to have access to those methods, any
> >>malicious app can also have access and sniff the information.
> >>
> >>Why do you want to have access to the realm?
> >>
> >>>Does Tomcat have some kind of global object of this type ?
> >>>
> >>No...and in Tomcat 5, we have enforced the security protection mechanism
> >>so it is mostly impossible to invoke Tomcat internal classes (when the
> >>security manager is turned on)
> >>
> >>>Thank you. Chinh
> >>>
> >>-- Jeanfrancois
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
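The approach Bill recommends at the top of the thread, carrying the USER record in a custom Principal rather than handing the Realm itself to the servlet, as an added example that is not code from this thread or from Tomcat. It assumes Tomcat 4.1-era signatures (RealmBase.authenticate(String, String) and the GenericPrincipal(Realm, String, String, List) constructor); AppUser, UserPrincipal and the lookup() hook are hypothetical names standing in for the poster's USER object and existing authentication class.

```java
// Added example, not from the thread. Assumes Tomcat 4.1-era signatures:
// RealmBase.authenticate(String, String) and GenericPrincipal(Realm, String,
// String, List). AppUser and lookup() are hypothetical stand-ins.
package example.realm;

import java.security.Principal;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public abstract class UserInfoRealm extends RealmBase {
    /** Stand-in for the application's USER object (hypothetical). */
    public static final class AppUser {
        public final String name;
        public final List roles;        // role names, e.g. "webdav"
        public final String department; // example of an extended attribute
        public AppUser(String name, List roles, String department) {
            this.name = name; this.roles = roles; this.department = department;
        }
    }
    /** Extends GenericPrincipal so hasRole()/isUserInRole() keep working. */
    public static final class UserPrincipal extends GenericPrincipal {
        private final AppUser user;
        UserPrincipal(RealmBase realm, AppUser user) {
            // null password: do not keep the credential on the cached Principal
            super(realm, user.name, null, user.roles);
            this.user = user;
        }
        public AppUser getUser() { return user; }
    }
    /** Hook for the existing authentication class; return null on failure. */
    protected abstract AppUser lookup(String username, String credentials);
    /** Called by BasicAuthenticator; hands back the enriched Principal. */
    public Principal authenticate(String username, String credentials) {
        AppUser user = lookup(username, credentials);
        return (user == null) ? null : new UserPrincipal(this, user);
    }
    // Required by RealmBase; unused because authenticate() is overridden.
    protected String getName() { return "UserInfoRealm"; }
    protected String getPassword(String username) { return null; }
    protected Principal getPrincipal(String username) { return null; }
    /** Servlet side: cast the container's Principal, no Tomcat internals. */
    public static AppUser currentUser(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        return (p instanceof UserPrincipal) ? ((UserPrincipal) p).getUser() : null;
    }
}
```

Only currentUser() is needed from the servlet, so the Realm and its credential lookup stay unreachable from application code, which is the concern Jean-Francois raises about servlets touching Tomcat internals.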

