From: "Murray"
To: "Tomcat Users List"
Subject: RE: Authentication by role
Date: Thu, 17 Jul 2003 15:11:25 +1000

I've made some progress but not solved it all.
By reinstating the auth-constraint stanza and including a default role there, then including that role for each user, I can produce the logon dialogue pop-up. Furthermore, from that point I can override the role checking by placing limits in the page header as shown below and generating errors if the user is not a member of my chosen (non-default) role. Thus, I can use auth-constraint to insist that the page is restricted to users who can authenticate with the "members" role, then I can place header code in the page to decide whether that role is sufficient to proceed.

What I still can't do is relaunch the logon dialogue pop-up after raising the error (HTTP-403).

I've modified the authority checking header code as follows to try to force a new request for logon credentials:

<% System.out.println("not logged on"); %>
BASIC realm="scoutgroup"
<% boolean validRole = false; %>
<% validRole = true; %>
<% if (!validRole) { System.out.println("access is not allowed"); %>
BASIC realm="scoutgroup"
<% } %>

Specific questions:

What do I need to do to force a prompt for userid and password and/or to invalidate the current session?

Is there a better way to control access based on roles? I don't want to build auth-constraints for every web resource because that requires restarting Tomcat every time I add a new page.

-----Original Message-----
From: Murray [mailto:mpnix@optusnet.com.au]
Sent: Thursday, 17 July 2003 09:57
To: tomcat-user@jakarta.apache.org
Subject: Authentication by role

I am trying to control access to web pages using a list of authorised roles. The model would have each page in the secure area accessible by one or more roles and have users authenticate themselves and be assigned one or more roles.
If the user has been assigned a role which is permitted access to the page, the page will be displayed; otherwise an error message will appear and, ideally, the user will be offered the opportunity to log on again in case the browser has been shared between different users.

I'm using a JDBC realm with a user and a role table. Authentication of the user works and, in the simplest case, assignment of the role works. If my web.xml file contains an auth-constraint stanza and the user has the role specified, access is granted. If I remove the auth-constraint stanza so I can do my own checking in the web page header, I get an SSL certificate prompt but no logon prompt and then receive a "not authorized" (HTTP 401) error.

web.xml snippet:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>ScoutGroup-Secure</web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>scoutgroup</realm-name>
</login-config>

The checking in my web page is as follows (using JSP and taglibs):

<%@ page import="java.sql.*" %>
<%@ taglib uri="http://jakarta.apache.org/taglibs/request-1.0" prefix="req" %>
<%@ taglib uri="http://jakarta.apache.org/taglibs/response-1.0" prefix="rsp" %>
<% Class.forName("org.gjt.mm.mysql.Driver"); %>
<% System.out.println("not logged on"); %>
"BASIC realm=\"scoutgroup\""
<% boolean validRole = false; %>
<% validRole = true; %>
<% if (!validRole) { System.out.println("access is not allowed"); %>
<% } %>
etc etc

I have built a filter to display headers before and after the web page. The results follow (note the "not logged on" message written by my web page checking for the "authorization" header):

Filtering...
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, */*
accept-language: en-au
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
host: localhost:8443
connection: Keep-Alive
accept-language: en-au
accept-encoding: gzip, deflate
Chaining...
not logged on
...chained
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, */*
accept-language: en-au
accept-encoding: gzip, deflate
user-agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
host: localhost:8443
connection: Keep-Alive
accept-language: en-au
accept-encoding: gzip, deflate
...filtered

I never receive a BASIC authentication dialogue box prompting for userid and password despite setting the "WWW-Authenticate" header.

Please, someone, point me in the right direction and/or tell me where there is more "how-to" documentation. I find that the Tomcat doc tells me what is available but doesn't describe how it works or what the effect of making different choices is.

Murray Nicholas

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
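As an added example (not code from this thread or from Tomcat), one way to answer both of Murray's questions at once: a servlet Filter that keeps the container's single auth-constraint for the "members" role and does the finer per-page role check itself, replying with 401 plus WWW-Authenticate (not 403) when the caller lacks the page's role, which is what makes the browser show the BASIC dialog again. It assumes the filter is mapped to /members/* in web.xml; the page paths and the "committee"/"leaders" role names are constructed sample values, and the realm name "scoutgroup" is the one from the thread.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Per-page role check that runs after the container's BASIC auth (hypothetical example). */
public class RoleCheckFilter implements Filter {
    // Page -> role allowed to view it. Constructed sample mapping; a real deployment
    // would load it from a properties file so adding a page needs no Tomcat restart.
    private final Map<String, String> requiredRole = new HashMap<String, String>();

    public void init(FilterConfig cfg) {
        requiredRole.put("/members/committee.jsp", "committee");
        requiredRole.put("/members/leaders.jsp", "leaders");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web app, e.g. "/members/committee.jsp".
        String path = request.getServletPath();
        String role = requiredRole.get(path);

        // No entry: the container's auth-constraint ("members") is all that applies.
        // isUserInRole() consults the same realm that authenticated the user.
        if (role == null || request.isUserInRole(role)) {
            chain.doFilter(req, res);
            return;
        }

        // Wrong role: drop any server-side session state, then answer 401 with a
        // WWW-Authenticate challenge. A 403 never triggers the browser's credential
        // dialog; a 401 after the browser already sent Authorization does. Note that
        // BASIC credentials live in the browser, so invalidating the session alone
        // would not log the user out.
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        response.setHeader("WWW-Authenticate", "Basic realm=\"scoutgroup\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Role '" + role + "' required");
    }

    public void destroy() {}
}
```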