tomcat-users mailing list archives

From "Robert Harper" <rob...@iat-cti.com>
Subject RE: Problem with security?
Date Fri, 10 Jun 2005 15:38:05 GMT
Try basic authentication. The browser will cache the user name and password
and it will only expire when the browser closes.

Read in the documents on how to configure the authentication. You might
require authentication for all protocols and use BASIC authentication. This
will make it easier for the user with a single login and then they can go
wherever you allow them and not have to login again until they close the
browser.

Robert S. Harper
Information Access Technology, Inc.

-----Original Message-----
From: Gagnon, Joseph M (US SSA) [mailto:joseph.m.gagnon@baesystems.com] 
Sent: Friday, June 10, 2005 9:19 AM
To: Tomcat Users List
Subject: RE: Problem with security?

Did I not say that I'm new to this?

I made no mention of whether or not I was trying to make it secure.
This is only meant to be used within my company's intranet and my
intention was to take the user account and then compare it with a set of
registered users in the application's DB.

I am beginning to see that at the very least I need to create some kind
of mechanism (although I don't understand yet how to go about that, or
how many different ways it can be done) to perform user authentication.

If anyone can provide information on how to do this (keep in mind I'm
new at this), please let me know.

-----Original Message-----
From: Robert Harper [mailto:robert@iat-cti.com] 
Sent: Friday, June 10, 2005 10:59 AM
To: 'Tomcat Users List'
Subject: RE: Problem with security?

I think you have missed the point that you cannot get user information
unless the user authenticates. You don't want to have a user authenticate
but you want to get user information. These are mutually exclusive tasks.

If the user does not authenticate, you can only get the external IP address
of the requestor. In order to get user information, you must have the user
authenticate. You might have your users sent to a page that gathers the user
ID and then store it in a cookie. You cannot count on the browser sending
user information because the logged-in user may be, and often is, not the
actual user.

I don't know how you can call it secure if you don't require a key to open
the door. You may be encrypted in your transfer over SSL but if you don't
have the user log in, you are not secure.

Robert S. Harper
Information Access Technology, Inc.

-----Original Message-----
From: Gagnon, Joseph M (US SSA) [mailto:joseph.m.gagnon@baesystems.com] 
Sent: Friday, June 10, 2005 8:43 AM
To: Tomcat Users List
Subject: RE: Problem with security?

I believe I've covered that all in my original message.  Read further.

-----Original Message-----
From: egan0019 [mailto:egan0019@umn.edu] 
Sent: Friday, June 10, 2005 10:10 AM
To: Tomcat Users List
Subject: Re: Problem with security?

Look into the ServletRequest interface. That interface is extended by
HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(),
etc. methods. You receive null from your getRemoteUser() because the user
hasn't been 'authenticated' yet.


On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote:
> Hello,
> 
> I'm new to JSP development (and to dynamic web development as a whole)
> so please bear with me.  I'm investigating using JSP/Java for a project
> at my workplace.  My system (test server, if you will) is a PC running
> Windows XP Pro and I am using Tomcat 5.5.9.
> 
> I have a situation where I want to be able to provide user access to an
> application by determining the identity of the requesting user, without
> them having to go through a login procedure.  Specifically, what I've
> been trying to do is call the request.getRemoteUser() method to ID the
> requesting user.  When I do so, I keep getting null.  After reading in
> the JSP and Java servlet specifications, I see that this call would
> return null if the user is not authenticated.  Reading further, I get
> the impression that by default, no authentication is needed to access
[Robert Harper] [snip]




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
