tomcat-users mailing list archives

From Andrew Liles <Andrew.Li...@Wheel.co.uk>
Subject RE: HOWTO obtain UserDatabase from a servlet? [SOLVED]
Date Thu, 24 Jul 2003 13:23:44 GMT
I am going to answer my own question, for the benefit of anyone else who has
the same question.

The question arose because I wanted to permit a webapp to change a password in
the Memory database that backed the authentication scheme I was using.

server.xml:
in the context your code will run in, add this link to a global resource...

  <Context path=""
           docBase="ROOT"
           debug="0">
    <ResourceLink name="glbUserDatabase"
                  global="UserDatabase"
                  type="org.apache.catalina.UserDatabase" />
  </Context>

this assumes you have this Global resource:
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>
  </GlobalNamingResources>

java code:
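	import javax.naming.Context;
	import javax.naming.InitialContext;
	import org.apache.catalina.UserDatabase;

	Context initCtx = new InitialContext();
	Context envCtx = (Context) initCtx.lookup("java:comp/env");        // the webapp's JNDI environment
	UserDatabase db = (UserDatabase) envCtx.lookup("glbUserDatabase"); // ResourceLink name from server.xml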

The next issue is that you need to get hold of the interface
"UserDatabase".  This is in catalina.jar, but this resides in a Classloader
that is not normally allowed to be seen by Web Applications.

The issues:
1) the Web Apps don't normally get permission to see the internal Tomcat
Server classes
2) if you place your class where it CAN see the Tomcat Server classes then
your class cannot see the rest of your application 

A really ugly and security-prone solution is to:
   Move all jars from tomcat/server/lib to tomcat/common/lib
   Move any jars of yours to tomcat/common/lib or classes to tomcat/common/classes

The security risk is that webapps now have unfettered access to the Tomcat
server code; which in my case is not a problem.

[Request for feature: could the Tomcat team create a .jar with just the
wrapper interfaces in them??? Then I think you could put in code for
UserDatabase manipulation in tomcat/common/lib without needing to move and
expose the full server code.]

> -----Original Message-----
> From: Andrew Liles [mailto:Andrew.Liles@Wheel.co.uk]
> Sent: 10 July 2003 16:30
> To: 'tomcat-user@jakarta.apache.org'
> Subject: HOWTO obtain UserDatabase from a servlet?
> 
> 
> I wish to secure a website with a simple realm/user database
> setup for a low usage site with low numbers of users.
> 
> UserDatabaseRealm (underpinned by MemoryUserDatabase) would
> seem to be ideally suited.
> 
> How do I access the MemoryUserDatabase from a regular
> application to be able to SET passwords, etc.
> 
> Once I have got a UserDatabase interface I know I can then
> use findUser(..), but how do I get something implementing
> the interface in the first case?  Is it some JNDI lookup or
> ServletContext access?
> 
> I would appreciate your pointing me to some HOWTO
> documentation.
> 
> Andrew.
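
The password change this thread is about, as an added example that is not part of the original post or of Tomcat: a helper that only lets the already-authenticated user change their own password in the linked UserDatabase. The class name PasswordChanger, the MIN_LENGTH value and the plain-text password storage are assumptions; it compiles against catalina.jar, so the classloader constraint described in the post still applies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.apache.catalina.User;
import org.apache.catalina.UserDatabase;

/** Hypothetical helper: a logged-in user may change only their own password. */
public final class PasswordChanger {

    private static final int MIN_LENGTH = 12; // assumed policy value, not from the post

    /** Looks up the database through the ResourceLink name used in the post. */
    static UserDatabase lookupDatabase() throws NamingException {
        Context envCtx = (Context) new InitialContext().lookup("java:comp/env");
        return (UserDatabase) envCtx.lookup("glbUserDatabase");
    }

    /**
     * @param authenticatedUser value of request.getRemoteUser(), never a form field,
     *                          so one user cannot name another user's account
     * @return true only if the current password matched and the change was saved
     */
    public static boolean changeOwnPassword(String authenticatedUser,
            String currentPassword, String newPassword) throws Exception {
        if (authenticatedUser == null || currentPassword == null
                || newPassword == null || newPassword.length() < MIN_LENGTH) {
            return false;
        }
        UserDatabase db = lookupDatabase();
        synchronized (db) { // the global resource is shared by every linked context
            User user = db.findUser(authenticatedUser);
            if (user == null || user.getPassword() == null) {
                return false;
            }
            // Assumption: the realm stores passwords as plain text (no digest configured).
            byte[] stored = user.getPassword().getBytes(StandardCharsets.UTF_8);
            byte[] supplied = currentPassword.getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(stored, supplied)) { // re-verify before changing
                return false;
            }
            user.setPassword(newPassword);
            db.save(); // persists to the configured pathname when the database is writable
            return true;
        }
    }
}
```

Every context that carries the ResourceLink can call setPassword() on any user, including accounts holding admin or manager roles, so the link belongs only in the one context that needs it.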
