tomcat-users mailing list archives

From Tim Funk <>
Subject Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)
Date Fri, 03 Nov 2006 12:22:02 GMT
Out of the box - there is no Valve in Tomcat which requires 
authentication without first consulting web.xml.

As a simple(?) kludge - you could write your own Valve which forces 
authentication on anything executed by the Valve: - you'll need to fill 
in isAuthenticated(...)

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Tomcat 5.5/6 package names assumed. Lifecycle is not needed for a valve that keeps no state.
public class ProtectMeValve extends ValveBase {

   public void invoke(Request request, Response response)
         throws IOException, ServletException {

     String authHeader = request.getHeader("Authorization");
     if (authHeader != null) {
       if (isAuthenticated(request, authHeader)) {
         getNext().invoke(request, response);
       } else {
         reject(response, "Go away - you're not allowed!");
       }
     } else {
       reject(response, "some message");
     }
   }

   // 401 plus WWW-Authenticate makes the browser (re)prompt; the request never reaches the webapp.
   private void reject(Response response, String message) throws IOException {
     response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
     response.setHeader("WWW-Authenticate", "Basic realm=\"My Webapp\"");
     response.setContentType("text/plain");
     response.getWriter().write(message);
   }

   // Fill this in: return true only when the Authorization header carries valid credentials.
   protected boolean isAuthenticated(Request request, String authHeader) {
     return false; // deny by default
   }
}

I would think the preceding should work.
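One way to fill in isAuthenticated(...) from the sketch above, added here as an example and not code from the original post: it parses the Basic header and hands the user name and password to the Realm that Johannes already configured on the Engine in server.xml, so the web.xml of the third-party webapp stays untouched. Assumed: Tomcat 5.5+/6 package names (org.apache.catalina.connector.Request), java.util.Base64 (Java 8+), and the class name BasicRealmCheck, which is mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;

// Drop-in logic for isAuthenticated(...) in the ProtectMeValve sketch: checks the
// Basic credentials against the Realm configured on the Engine/Host in server.xml.
public class BasicRealmCheck {

  /** Returns true only if the header is well-formed and the realm accepts the credentials. */
  public static boolean isAuthenticated(Request request, String authHeader, Realm realm) {
    String[] userPass = decodeBasic(authHeader);
    if (userPass == null || realm == null) {
      return false;
    }
    Principal p = realm.authenticate(userPass[0], userPass[1]);
    if (p == null) {
      return false; // unknown user or wrong password
    }
    // Expose the identity to the webapp (getRemoteUser / getUserPrincipal).
    request.setAuthType("BASIC");
    request.setUserPrincipal(p);
    return true;
  }

  /** Parses "Basic base64(user:pass)"; returns {user, pass} or null when malformed. */
  static String[] decodeBasic(String authHeader) {
    if (authHeader == null || authHeader.length() < 6
        || !authHeader.substring(0, 6).equalsIgnoreCase("Basic ")) {
      return null; // some other scheme, or no scheme at all
    }
    byte[] raw;
    try {
      raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
    } catch (IllegalArgumentException e) {
      return null; // not valid base64
    }
    String decoded = new String(raw, StandardCharsets.UTF_8);
    int colon = decoded.indexOf(':');
    if (colon < 1) {
      return null; // no separator, or empty user name
    }
    // Only the first colon separates user from password; passwords may contain ':'.
    return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
  }
}
```

From the valve, call BasicRealmCheck.isAuthenticated(request, authHeader, getContainer().getRealm()). Only authentication is checked here: any user the realm accepts gets through, so the testgroup role from the MemoryRealm file is not enforced by this valve.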


Johannes wrote:
> With the lack of replies I guess that Active directory connections are not used by anyone.
> I'm making it a bit simpler then and in step one only protecting this service with a
> simple login / password protection.
> Setup: One separate engine only accepting HTTPS connections that needs to be protected.
> I have set up an "org.apache.catalina.realm.MemoryRealm" realm with an xml file with one
> user, password and group in my server.xml section for the engine I'm protecting.
> So far so good.
> Then I got everything to work when editing <webapp>/WEB-INF/web.xml and added the
>   <security-constraint>
>     <display-name>Security check</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <!-- Define the context-relative URL(s) to be protected -->
>       <url-pattern>/*</url-pattern>
>       <!-- If you list http methods, only those methods are protected -->
>       <http-method>DELETE</http-method>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <http-method>PUT</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>testgroup</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Security Check</realm-name>
>   </login-config>
> That worked great, the login box appears and the webapp is not accessible without the correct logon.
> BUT the problem is that this webapp is delivered by a 3rd party without the above settings
> in their web.xml file.
> We get regular updates and I would like to NOT be forced to remember to add the above
> section every time we get a new release of the webapp.
> So how can I make this Engine/webapp in the server.xml file be protected by one simple
> login WITHOUT the need to modify the webapp itself every time we get a new version of the
> ~Johannes
> -----Original message-----
> From: Johannes
> Date: Thu, 02 Nov 2006 12:55:13 +0100
> To:
> Subject: Tomcat authenticate with Active directory
>> I have a webapp that I want to protect the best way possible.
>> Our environment has previously been Windows and still is, but our new system is running
>> tomcat 5.0.
>> Now I would like to protect one part of our setup with login from our Windows 2003
>> Active directory domain server, when there are a lot of people who are going to access this
>> webapp. But still it needs to be secure!
>> Found some information here:
>> Section JNDIRealm
>> But without any previous experience with LDAP connections I have no clue how to get
>> this to work.
>> I've tried searching for a good tutorial/guide on how to make this happen step by step
>> but without success.
>> Has this been done by anyone here who could give me some help setting this up?
>> Or can anyone direct me to a good step by step tutorial to get this up and running?
