tomcat-users mailing list archives

From "Murray" <mp...@optusnet.com.au>
Subject RE: Authentication by role
Date Thu, 17 Jul 2003 05:11:25 GMT
I've made some progress but not solved it all.

By reinstating the auth-constraint stanza and including a default role there
then including that role for each user, I can produce the logon dialogue
pop-up.  Furthermore, from that point I can override the role checking by
placing limits in the page header as shown below and generating errors if
the user is not a member of my chosen (non-default) role.  Thus, I can
use auth-constraint to insist that the page is restricted to users who can
authenticate with the "members" role then I can place header code in the
page to decide whether that role is sufficient to proceed.

What I still can't do is relaunch the logon dialogue pop-up after raising
the error (HTTP 403).

I've modified the authority checking header code as follows to try to force
a new request for logon credentials:

<req:request id="rq"/>
<req:existsHeader name="authorization" value="false">
 <%
  System.out.println("not logged on");
 %>
 <rsp:sendError error="SC_UNAUTHORIZED" reset="true"/>
 <rsp:setHeader name="WWW-Authenticate">BASIC realm="scoutgroup"</rsp:setHeader>
</req:existsHeader>
<%
 boolean validRole = false;
%>
<req:isUserInRole role="leader">
 <%
  validRole = true;
 %>
</req:isUserInRole>
<%
 if (!validRole)
 {
  System.out.println("access is not allowed");
  %>
  <rsp:sendError error="SC_FORBIDDEN" reset="true"/>
  <rsp:setHeader name="WWW-Authenticate">BASIC realm="scoutgroup"</rsp:setHeader>
  <rsp:skipPage/>
  <%
 }
%>


Specific questions:
What do I need to do to force a prompt for userid and password and/or to
invalidate the current session?
Is there a better way to control access based on roles?  I don't want to
build auth-constraints for every web resource because that requires
restarting Tomcat every time I add a new page.

-----Original Message-----
From: Murray [mailto:mpnix@optusnet.com.au]
Sent: Thursday, 17 July 2003 09:57
To: tomcat-user@jakarta.apache.org
Subject: Authentication by role


I am trying to control access to web pages using a list of authorised roles.
The model would have each page in the secure area accessible by one or more
roles and have users authenticate themselves and be assigned one or more
roles.  If the user has been assigned a role which is permitted access to
the page, the page will be displayed otherwise an error message will appear
and, ideally, the user will be offered the opportunity to log on again in
case the browser has been shared between different users.

I'm using a JDBC realm with a user and a role table.  Authentication of the
user works and, in the simplest case, assignment of the role works.

If my web.xml file contains an auth-constraint stanza and the user has the
role specified, access is granted.  If I remove the auth-constraint stanza
so I can do my own checking in the web page header, I get an SSL certificate
prompt but no logon prompt and then receive a "not authorized" (HTTP 401)
error.


web.xml snippet:
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>ScoutGroup-Secure</web-resource-name>
   <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <!--
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  -->
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>

 <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>scoutgroup</realm-name>
 </login-config>



The checking in my web page is as follows (using JSP and taglibs):
<%@ page import="java.sql.*" %>
<%@ taglib uri="http://jakarta.apache.org/taglibs/request-1.0" prefix="req" %>
<%@ taglib uri="http://jakarta.apache.org/taglibs/response-1.0" prefix="rsp" %>
<% Class.forName("org.gjt.mm.mysql.Driver"); %>

<req:request id="rq"/>
<req:existsHeader name="authorization" value="false">
 <%
  System.out.println("not logged on");
 %>
 <rsp:setStatus status="SC_UNAUTHORIZED"/>
 <rsp:setHeader name="WWW-Authenticate">"BASIC realm=\"scoutgroup\""</rsp:setHeader>
 <rsp:skipPage/>
</req:existsHeader>
<%
 boolean validRole = false;
%>
<req:isUserInRole role="member">
 <%
  validRole = true;
 %>
</req:isUserInRole>
<%
 if (!validRole)
 {
  System.out.println("access is not allowed");
  %>
  <rsp:sendError error="SC_FORBIDDEN"/>
  <rsp:skipPage/>
  <%
 }
%>

<HTML>
 <HEAD> etc etc




I have built a filter to display headers before and after the web page.  The
results follow  (note the "not logged on" message written by my web page
checking for the "authorization" header):
Filtering...
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, */*
accept-language: en-au
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
host: localhost:8443
connection: Keep-Alive
accept-language: en-au
accept-encoding: gzip, deflate
Chaining...
not logged on
...chained
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, */*
accept-language: en-au
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
host: localhost:8443
connection: Keep-Alive
accept-language: en-au
accept-encoding: gzip, deflate
...filtered



I never receive a BASIC authentication dialogue box prompting for userid and
password despite setting the "WWW-Authenticate" header.

Please, someone, point me in the right direction and/or tell me where there
is more "how-to" documentation.  I find that the Tomcat doc tells me what is
available but doesn't describe how it works or what the effect of making
different choices is.


Murray Nicholas




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
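One way to do the per-page role check in a single servlet Filter instead of in each JSP header, so that adding a page means adding a rule rather than a web.xml auth-constraint: an added example, not code from the thread, which assumes the container still authenticates the user (an auth-constraint with a default role, as the follow-up describes) and that the filter is mapped to /members/*. The prefix-to-role table and the name RoleGateFilter are constructed for illustration.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: maps context-relative URL prefixes to the role allowed to view them. */
public class RoleGateFilter implements Filter {
    // Constructed sample rule set; a real deployment would load this from an init-param or a file
    private final Map<String, String> roleByPrefix = new LinkedHashMap<String, String>();
    private String realm;

    public void init(FilterConfig cfg) {
        String r = cfg.getInitParameter("realm");
        realm = (r == null) ? "scoutgroup" : r;
        // Most specific prefix first: LinkedHashMap keeps insertion order for the lookup below
        roleByPrefix.put("/members/leaders/", "leader");
        roleByPrefix.put("/members/", "member");
    }

    /** Returns the role required for this path, or null if no rule matches. */
    String requiredRole(String path) {
        for (Map.Entry<String, String> e : roleByPrefix.entrySet()) {
            if (path.startsWith(e.getKey())) return e.getValue();
        }
        return null;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;
        String role = requiredRole(req.getServletPath());
        // No rule, or the container-authenticated user holds the role: let the page run
        if (role == null || req.isUserInRole(role)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Wrong role: drop the principal the authenticator cached in the session
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();
        // The challenge header must be set BEFORE sendError commits the response; anything
        // set afterwards is silently discarded, so the browser never sees the challenge
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Role '" + role + "' required");
    }

    public void destroy() { }
}
```

The browser prompts again only because the 401 rejects the credentials the request already carried; HTTP Basic has no client-side logout, so a cancelled prompt leaves the old credentials cached and they will be resent on the next request.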
