tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <funk...@joedog.org>
Subject Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)
Date Fri, 03 Nov 2006 12:22:02 GMT
Out of the box - there is no Valve in Tomcat which requires 
authentication without first consulting web.xml.

As a simple(?) kludge - you could write your own Valve which forces 
authentication on anything executed by the Valve: - you'll need to fill 
in isAuthenticated(...)


public class ProtectMeValve extends ValveBase implements Lifecycle {

     ...

   public void invoke(Request request, Response response)
         throws IOException, ServletException {

     String authHeader = request.getHeader("Authorization");
     if (authHeader!=null) {
       if (isAuthenticated(request, authHeader)) {
         getNext().invoke(request, response);
       } else {
         // may need setContentType(...)
         response.setStatus(403);
         response.getWriter().write("Go away - your not allowed!");
       }
     } else {
       // may need setContentType(...)
       response.setStatus(401);
       response.addHeader("WWW-Authenticate",
                          "Basic realm=\"My Webapp\"");
       response.getWriter().write("some message");
     }
   }
}

I would think the preceding should work.

-Tim

Johannes wrote:
> With the lack of reply's I guess that Active directory connections are not used by anyone
here.
> 
> I'm making it a bit more simple then and in step one only protect this service with a
simple login / password protection.
> 
> Setup: One separate engine only accepting HTTPS connections that needs to be protected.
> I have set up a ""org.apache.catalina.realm.MemoryRealm" realm with a xml file with one
user, password and group in my server.xml section for the engine I'm protecting.
> 
> So far so good.
> Then I got everything to work when editing <webapp>/WEB-INF/web.xml and added the
following:
>   <security-constraint>
>     <display-name>Security check</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <!-- Define the context-relative URL(s) to be protected -->
>       <url-pattern>/*</url-pattern>
> 
>       <!-- If you list http methods, only those methods are protected -->
>       <http-method>DELETE</http-method>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <http-method>PUT</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>testgroup</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Security Check</realm-name>
>   </login-config>
> 
> That worked great, the login box appears and are not accessible without the correct logon.
> 
> BUT the problem is that this webapp is delivered by a 3:rd party without the above settings
in there web.xml file.
> We get regular updates and I would like to NOT be forced to remember to add the above
section every time we get a new release of the webapp.
> 
> So how can I make this Engine/webapp in the server.xml file be protected by one simple
login WITHOUT the need to modify the webapp itself every time we get a new version of the
webapp?
> 
> ~Johannes
> 
> 
> 
> -----Originalmeddelande-----
> From: Johannes johannes@idg.nu
> Date: Thu, 02 Nov 2006 12:55:13 +0100
> To: users@tomcat.apache.org
> Subject: Tomcat authenticate with Active directory
> 
>> I have a webapp that I want to protect the best way possible.
>> Our environment has previously been Windows and still are but our new system is running
tomcat 5.0.
>>
>> Now I would like to protect one part of our setup with login from our Windows 2003
Active directory domain server when there is a lot of people that is going to access this
webapp. But still it need to be secure!
>> Found some some information here:
>> http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html
>> Section JNDIRealm
>>
>> But without any previous experience with LDAP connections I have no clue how to get
this to work.
>> I'w tried searching for a good tutorial/guide how to make this happen step by step
but without success.
>>
>> Have this been done by anyone here that could give me some help setting this up.
Or can direct me to a good step by step tutorial to get this up and running?


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message