From: "Marc Farrow"
To: "Tomcat Users List"
Subject: Re: Security constraint/login form
Date: Fri, 18 Aug 2006 10:26:40 -0400
Message-ID: <372d719d0608180726r4e956b8dh3a1ac35c4ac7b51c@mail.gmail.com>

Valid roles are whatever are defined to be valid. The specific name does not
matter. But if you are using a Database for validation, then the roles are
pulled from the database column that you have associated as the "roles".
Depending on your database, they may or may not be case-sensitive (the values
that is).

On 8/18/06, Propes, Barry L wrote:
>
> Looking at the 4.1 doco, it states about the JDBC Realm and user tables
> configuration:
>
> "Role name of a valid role associated with this user"
>
> So then I ask, what's a valid role? What are the choices? Is valid ONLY
> service or admin?
>
> -----Original Message-----
> From: David Smith [mailto:dns4@cornell.edu]
> Sent: Friday, August 18, 2006 6:26 AM
> To: Tomcat Users List
> Subject: Re: Security constraint/login form
>
> Over an hour? Not even ODBC has that kind of latency. Could you be
> looking at a caching issue?
>
> --David
>
> Propes, Barry L wrote:
>
> >ok, thanks..I think there's a fair amount of latency between my database
> >query info and what's actually updated in there.
> >
> >Something I'd changed over an hour ago was still showing the old value,
> >and could have been causing some of the problems.
> >
> >-----Original Message-----
> >From: Marc Farrow [mailto:marc.farrow@gmail.com]
> >Sent: Thursday, August 17, 2006 4:03 PM
> >To: Tomcat Users List
> >Subject: Re: Security constraint/login form
> >
> >The names are irrelevant. They just have to match between implementation
> >and setup.
> >
> >On 8/17/06, Propes, Barry L wrote:
> >
> >>quick answer is yes to they have to be service or admin or yes to I can
> >>declare them anything that matches the column in another DB table I've
> >>created or yes to my last question about the values being what I want?
> >>
> >>-----Original Message-----
> >>From: Marc Farrow [mailto:marc.farrow@gmail.com]
> >>Sent: Thursday, August 17, 2006 3:38 PM
> >>To: Tomcat Users List
> >>Subject: Re: Security constraint/login form
> >>
> >>Quick answer is yes.
> >>
> >>On 8/17/06, Propes, Barry L wrote:
> >>
> >>>I wonder though...do the role_names have to be service or admin or
> >>>something like that?
> >>>
> >>>Can they be anything I declare them to be that matches the column in
> >>>another DB table?
> >>>
> >>>i.e.
> >>>I've got user_name and role_name as columns in the user_roles table.
> >>>
> >>>Can I make a 3rd table also having a column called role_name, but with a
> >>>value such as RISK, author, legaldept, etc.?
> >>>
> >>>-----Original Message-----
> >>>From: Marc Farrow [mailto:marc.farrow@gmail.com]
> >>>Sent: Thursday, August 17, 2006 2:11 PM
> >>>To: Tomcat Users List
> >>>Subject: Re: Security constraint/login form
> >>>
> >>>Are you talking about the tomcat-users.xml file and the roles defined in
> >>>there?
> >>>
> >>>The security-constraints are pretty flexible and you can use any number of
> >>>ways to define your realms. If you look at the web.xml for the manager
> >>>application (that is shipped with Tomcat), you can see how that realm is
> >>>defined and used. You can even use encrypting on the passwords in that
> >>>file. If you don't mind maintaining that file for roles and users, then just
> >>>modify it to fit your needs and change your security constraint for your web
> >>>application to match those roles. Below is a quick example. If you are
> >>>wanting something more flexible, then you can research and use your favorite
> >>>database for authentication or even your favorite LDAP. Below is a quick
> >>>example of how to use a user-defined role in the tomcat-users.xml file and
> >>>how to match it to two different URLs in one web app.
> >>>
> >>>Please understand, this is just a quick example and I do not dare declare
> >>>that this will work. Just a springboard to help you get your feet wet.
> >>>
> >>>tomcat-users.xml:
> >>>
> >>>application's web.xml:
> >>>
> >>> Restrict to role1 and role2/>
> >>> /welcome.jsp
> >>>
> >>> role1
> >>> role2
> >>>
> >>> Restrict to role2 only/>
> >>> /other.jsp
> >>>
> >>> role2
> >>>
> >>> some descr
> >>> role1
> >>> role2
> >>>
> >>>On 8/17/06, Propes, Barry L wrote:
> >>>
> >>>>to add to my question earlier below, would it be something as simple as?
> >>>>
> >>>>String juser= (String) request.getAttribute("j_username");
> >>>>
> >>>>Granted I have no idea what the session attribute is under the hood, only
> >>>>know that j_username is the input name for the user_name.
> >>>>
> >>>>I was thinking with that info, I could then run a select query to extract
> >>>>the role_name from an additional joined table to authenticate a step
> >>>>further. Does what I am explaining make sense? Forgive me if not.
> >>>>
> >>>>When I say additional table, I mean one in addition to the user_name and
> >>>>user_roles table that Tomcat requires for the form login security constraint
> >>>>to work.
> >>>>
> >>>>-----Original Message-----
> >>>>From: Propes, Barry L
> >>>>Sent: Thursday, August 17, 2006 11:13 AM
> >>>>To: Tomcat Users List
> >>>>Subject: Security constraint/login form
> >>>>
> >>>>I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a
> >>>>version on a prod. server and one on my desktop) that you can create the
> >>>>simple table titled users and configure it in the server.xml file and then
> >>>>likewise configure the web.xml file's security constraint properties.
> >>>>
> >>>>My question is, can you add other columns to the table and then do a join
> >>>>on another table as to further enhance security?
> >>>>
> >>>>If so, what is involved, and how involved is it?
> >>>>
> >>>>Thanks!
> >>>>
> >>>>Barry
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>To start a new topic, e-mail: users@tomcat.apache.org
> >>>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>
> >>>--
> >>>Marc Farrow
> >>>
> >>--
> >>Marc Farrow
> >>
>

--
Marc Farrow
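
Added example, not part of the original thread and not Tomcat's own code: a small audit of the point made in the replies above, that role names are arbitrary but must match between the realm's role_name column and the role names used in web.xml. The web.xml fragment, the users and role names, and the in-memory SQLite table standing in for the realm database are constructed; the exact, case-sensitive comparison is this check's assumption.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed web.xml (Servlet 2.3 style, no XML namespace), not the thread's.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Risk pages</web-resource-name>
      <url-pattern>/risk/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>RISK</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Legal pages</web-resource-name>
      <url-pattern>/legal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>LegalDept</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>RISK</role-name></security-role>
</web-app>"""

def audit(web_xml, db_roles):
    """Map each role used in an auth-constraint to its problem, if any."""
    root = ET.fromstring(web_xml)
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    lowered = {r.lower(): r for r in db_roles}
    problems = {}
    for e in root.findall("security-constraint/auth-constraint/role-name"):
        role = e.text.strip()
        if role == "*":  # shorthand for every role declared in this web.xml
            continue
        if role not in db_roles:  # exact match assumed, so case matters
            near = lowered.get(role.lower())
            problems[role] = f"case mismatch with '{near}'" if near else "no user has this role"
        elif role not in declared:
            problems[role] = "missing <security-role> declaration"
    return problems

def demo():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the realm DB
    conn.execute("CREATE TABLE user_roles (user_name TEXT, role_name TEXT)")
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)",
                     [("barry", "RISK"), ("dana", "legaldept")])
    rows = conn.execute("SELECT DISTINCT role_name FROM user_roles")
    return audit(WEB_XML, {r[0] for r in rows})

if __name__ == "__main__":
    print(demo())
```

A role flagged as a case mismatch is one where users hold the role in the database but the constraint names it with different casing, so the protected URL would reject them under an exact comparison.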