tomcat-users mailing list archives

From David Smith <d...@cornell.edu>
Subject Re: Security constraint/login form
Date Mon, 21 Aug 2006 16:47:33 GMT
Looking at the source for org.apache.catalina.JDBCRealm, the queries on 
the database are confined to the rows/columns required for 
authentication.  Other columns could be present in both users and roles 
without any impact.

Prepared statement for fetching credentials:
select userCredCol from userTable where userNameCol = ?

Prepared statement for fetching roles:
select roleNameCol from userRoleTable where userNameCol = ?

--David


Propes, Barry L wrote:

>Thanks, David. Yeah, I replied back to it a minute ago...I had the role-name elements in the (web)XML file askew from what was in the DB.
>
>Got it working now. And, one more thing. I should be able to add a third column to the role_name db table, shouldn't I?
>If so, do I need to add a matching third col to the users table as well? Or is that immaterial?
>
>-----Original Message-----
>From: David Smith [mailto:dns4@cornell.edu]
>Sent: Monday, August 21, 2006 10:51 AM
>To: Tomcat Users List
>Subject: Re: Security constraint/login form
>
>
>Could you post some relevant sections of your webapp?  I'm thinking the 
>security constraint section of your web.xml, a representative segment of 
>your user database table, and the logs where a request is made to 
>login.  Something just seems off here.
>
>As a test a few days ago, I changed the role name of the users that 
>could get into the manager app -- both in manager webapp's web.xml and 
>in tomcat-users.xml and it worked without a hitch.
>
>--David
>
>Propes, Barry L wrote:
>
>>Ok, I'm finding that the names are somewhat relevant.
>>
>>For instance, if I assign a user the role service, or admin, it works with no problems.
>>
>>If I assign another name -- say senior, or legal or business -- it does not work.
>>
>>Any ideas why? And, if it's limited to this by Tomcat's default security constraint class files, can I individually edit and recompile them, and then it will redeploy in the war file upon restart?
>>
>>-----Original Message-----
>>From: Marc Farrow [mailto:marc.farrow@gmail.com]
>>Sent: Thursday, August 17, 2006 4:03 PM
>>To: Tomcat Users List
>>Subject: Re: Security constraint/login form
>>
>>
>>The names are irrelevant.  They just have to match between implementation
>>and setup.
>>
>>On 8/17/06, Propes, Barry L <barry.l.propes@citigroup.com> wrote:
>>
>>>Quick answer is yes to they have to be service or admin, or yes to I can
>>>declare them anything that matches the column in another DB table I've
>>>created, or yes to my last question about the values being what I want?
>>>
>>>-----Original Message-----
>>>From: Marc Farrow [mailto:marc.farrow@gmail.com]
>>>Sent: Thursday, August 17, 2006 3:38 PM
>>>To: Tomcat Users List
>>>Subject: Re: Security constraint/login form
>>>
>>>
>>>Quick answer is yes.
>>>
>>>On 8/17/06, Propes, Barry L <barry.l.propes@citigroup.com> wrote:
>>>
>>>>I wonder though...do the role_names have to be service or admin or
>>>>something like that?
>>>>
>>>>Can they be anything I declare them to be that matches the  column in
>>>>another DB table?
>>>>
>>>>i.e.
>>>>I've got user_name and role_name as columns in the user_roles table.
>>>>
>>>>Can I make a 3rd table also having a column called role_name, but with a
>>>>value such as RISK, author, legaldept, etc.?
>>>>
>>>>-----Original Message-----
>>>>From: Marc Farrow [mailto:marc.farrow@gmail.com]
>>>>Sent: Thursday, August 17, 2006 2:11 PM
>>>>To: Tomcat Users List
>>>>Subject: Re: Security constraint/login form
>>>>
>>>>
>>>>Are you talking about the tomcat-users.xml file and the roles defined in
>>>>there?
>>>>
>>>>The security-constraints are pretty flexible and you can use any number of
>>>>ways to define your realms.  If you look at the web.xml for the manager
>>>>application (that is shipped with Tomcat), you can see how that realm is
>>>>defined and used.  You can even use encrypting on the passwords in that
>>>>file.  If you don't mind maintaining that file for roles and users, then just
>>>>modify it to fit your needs and change your security constraint for your web
>>>>application to match those roles.  Below is a quick example.  If you are
>>>>wanting something more flexible, then you can research and use your favorite
>>>>database for authentication or even your favorite LDAP.  Below is a quick
>>>>example of how to use a user-defined role in the tomcat-users.xml file and
>>>>how to match it to two different URLS in one web app.
>>>>
>>>>Please understand, this is just a quick example and I do not dare declare
>>>>that this will work.  Just a springboard to help you get your feet wet.
>>>>
>>>>
>>>>tomcat-users.xml:
>>>>
>>>><tomcat-users>
>>>>  <role rolename="role1"/>
>>>>  <role rolename="role2"/>
>>>>  <user username="user1" password="userpass1" roles="role1,role2"/>
>>>>  <user username="user2" password="userpass2" roles="role2"/>
>>>></tomcat-users>
>>>>
>>>>application's web.xml:
>>>>
>>>><!-- /welcome.jsp: a user holding either role may enter -->
>>>><security-constraint>
>>>>  <web-resource-collection>
>>>>    <web-resource-name>Restrict to role1 and role2</web-resource-name>
>>>>    <url-pattern>/welcome.jsp</url-pattern>
>>>>  </web-resource-collection>
>>>>  <auth-constraint>
>>>>    <role-name>role1</role-name>
>>>>    <role-name>role2</role-name>
>>>>  </auth-constraint>
>>>></security-constraint>
>>>>
>>>><!-- /other.jsp: role2 only -->
>>>><security-constraint>
>>>>  <web-resource-collection>
>>>>    <web-resource-name>Restrict to role2 only</web-resource-name>
>>>>    <url-pattern>/other.jsp</url-pattern>
>>>>  </web-resource-collection>
>>>>  <auth-constraint>
>>>>    <role-name>role2</role-name>
>>>>  </auth-constraint>
>>>></security-constraint>
>>>>
>>>><!-- the constraints need an authenticator to challenge the client;
>>>>     BASIC is the simplest, use FORM plus <form-login-config> for a login page -->
>>>><login-config>
>>>>  <auth-method>BASIC</auth-method>
>>>>  <realm-name>Example</realm-name>
>>>></login-config>
>>>>
>>>><!-- one <security-role> element per role referenced above -->
>>>><security-role>
>>>>  <description>some descr</description>
>>>>  <role-name>role1</role-name>
>>>></security-role>
>>>><security-role>
>>>>  <role-name>role2</role-name>
>>>></security-role>
>>>>
>>>>
>>>>On 8/17/06, Propes, Barry L <barry.l.propes@citigroup.com> wrote:
>>>>
>>>>>to add to my question earlier below, would it be something as simple as?
>>>>>
>>>>>String juser= (String) request.getAttribute("j_username");
>>>>>
>>>>>Granted I have no idea what the session attribute is under the hood, only
>>>>>know that j_username is the input name for the user_name.
>>>>>
>>>>>I was thinking with that info, I could then run a select query to extract
>>>>>the role_name from an additional joined table to authenticate a step
>>>>>further. Does what I am explaining make sense? Forgive me if not.
>>>>>
>>>>>When I say additional table, I mean one in addition to the user_name and
>>>>>user_roles table that Tomcat requires for the form login security constraint
>>>>>to work.
>>>>>
>>>>>
>>>>>
>>>>>-----Original Message-----
>>>>>From: Propes, Barry L
>>>>>Sent: Thursday, August 17, 2006 11:13 AM
>>>>>To: Tomcat Users List
>>>>>Subject: Security constraint/login form
>>>>>
>>>>>
>>>>>I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a
>>>>>version on a prod. server and one on my desktop) that you can create the
>>>>>simple table titled users and configure it in the server.xml file and then
>>>>>likewise configure the web.xml file's security constraint properties.
>>>>>
>>>>>My question is, can you add other columns to the table and then do a join
>>>>>on another table as to further enhance security?
>>>>>
>>>>>If so, what is involved, and how involved is it?
>>>>>
>>>>>Thanks!
>>>>>
>>>>>Barry
>>>>>
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>To start a new topic, e-mail: users@tomcat.apache.org
>>>>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>>>--
>>>>Marc Farrow
>>>>
>>>--
>>>Marc Farrow
>>>
>>
>
>---------------------------------------------------------------------
>To start a new topic, e-mail: users@tomcat.apache.org
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
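David's point above is that JDBCRealm only ever names the configured user/credential/role columns in its two prepared statements, so extra columns in either table are invisible to it. The following is an added example, not Tomcat's code and not anything posted in this thread: it emulates the realm's lookup in Python with sqlite3, deriving the two statements from a constructed `<Realm>` element (the attribute names `userTable`, `userNameCol`, `userCredCol`, `userRoleTable` and `roleNameCol` are the real JDBCRealm ones; the values, the `users`/`user_roles` schema, the extra columns and the sample rows are hypothetical). It also shows what the `<auth-constraint>` check reduces to: an exact string match on the role name, so a role called `legal` is handled exactly like `admin`.

```python
"""
Emulation of the lookups Tomcat's JDBCRealm performs, run against an
in-memory sqlite3 database so it works offline.  Added example code; the
schema, sample rows and the <Realm> fragment are constructed for illustration.
"""
import re
import sqlite3

# Constructed server.xml fragment.  Attribute names are JDBCRealm's own;
# the values (driver, URL, table and column names) are hypothetical.
REALM_XML = (
    '<Realm className="org.apache.catalina.realm.JDBCRealm" '
    'driverName="org.sqlite.JDBC" connectionURL="jdbc:sqlite:example.db" '
    'userTable="users" userNameCol="user_name" userCredCol="user_pass" '
    'userRoleTable="user_roles" roleNameCol="role_name"/>'
)

def realm_attrs(xml):
    """Pull the attribute="value" pairs out of a <Realm .../> element."""
    return dict(re.findall(r'(\w+)="([^"]*)"', xml))

def build_queries(attrs):
    """The two prepared statements the realm issues.  Only the configured
    columns appear, so any other columns in the tables are never touched,
    and the username is a bound parameter rather than concatenated SQL."""
    cred = (f"SELECT {attrs['userCredCol']} FROM {attrs['userTable']} "
            f"WHERE {attrs['userNameCol']} = ?")
    roles = (f"SELECT {attrs['roleNameCol']} FROM {attrs['userRoleTable']} "
             f"WHERE {attrs['userNameCol']} = ?")
    return cred, roles

def sample_db():
    """Constructed database: the minimum the realm needs plus extra columns
    (email, last_login, granted_by) to show they do no harm."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_name  TEXT PRIMARY KEY,
            user_pass  TEXT NOT NULL,
            email      TEXT,            -- extra column, never read by the realm
            last_login TEXT             -- extra column
        );
        CREATE TABLE user_roles (
            user_name  TEXT NOT NULL REFERENCES users(user_name),
            role_name  TEXT NOT NULL,
            granted_by TEXT,            -- extra column
            PRIMARY KEY (user_name, role_name)
        );
        INSERT INTO users VALUES ('barry', 's3cret', 'b@example.test', NULL);
        INSERT INTO users VALUES ('alice', 'hunter2', NULL, NULL);
        INSERT INTO user_roles VALUES ('barry', 'legal',   'admin');
        INSERT INTO user_roles VALUES ('barry', 'senior',  'admin');
        INSERT INTO user_roles VALUES ('alice', 'service', 'admin');
    """)
    return db

def authenticate(db, queries, username, password):
    """Return the user's sorted role list on success, None on failure.
    Plain string comparison mirrors a realm with no digest attribute set;
    with digest="..." the stored value would be a hash instead."""
    cred_q, roles_q = queries
    row = db.execute(cred_q, (username,)).fetchone()
    if row is None or row[0] != password:
        return None
    return sorted(r for (r,) in db.execute(roles_q, (username,)))

def is_user_in_role(roles, role):
    """What an <auth-constraint> / request.isUserInRole() check boils down
    to: an exact match on the role string.  'legal' is as good as 'admin'."""
    return roles is not None and role in roles

if __name__ == "__main__":
    q = build_queries(realm_attrs(REALM_XML))
    print(q[0]); print(q[1])
    db = sample_db()
    roles = authenticate(db, q, "barry", "s3cret")
    print("barry ->", roles, "legal?", is_user_in_role(roles, "legal"))
    print("injection attempt ->", authenticate(db, q, "' OR '1'='1", "s3cret"))
```

Run it as a script to see the two generated statements and the role lookup; the last line shows that a classic injection string in the username simply fails to match, because the realm binds it as a parameter instead of splicing it into the query text.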

