tomcat-users mailing list archives

From Johannes <johan...@idg.nu>
Subject Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)
Date Fri, 03 Nov 2006 15:38:58 GMT
That is really a REALLY good idea!
And if that works the solution is solved.

Too bad that I have to go home now and I'll have to wait until Monday to try it.
But this sounds like the solution!
I'll get back with the answer on Monday.

~Johannes


-----Original message-----
From: Pid p@pidster.com
Date: Fri, 03 Nov 2006 14:28:29 +0100
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)

> 
> If you deploy the webapp inside another directory that is already
> protected, you can use SingleSignOn to execute login via the parent/ROOT
> web app?
> 
> 
> 
> 
> Tim Funk wrote:
> > Out of the box - there is no Valve in Tomcat which requires
> > authentication without first consulting web.xml.
> > 
> > As a simple(?) kludge - you could write your own Valve which forces
> > authentication on anything executed by the Valve: - you'll need to fill
> > in isAuthenticated(...)
> > 
> > 
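> > // Imports for the two-argument invoke(Request, Response) form used below
> > import java.io.IOException;
> > import javax.servlet.ServletException;
> > import org.apache.catalina.Lifecycle;
> > import org.apache.catalina.connector.Request;
> > import org.apache.catalina.connector.Response;
> > import org.apache.catalina.valves.ValveBase;
> > 
> > public class ProtectMeValve extends ValveBase implements Lifecycle {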
> > 
> >     ...
> > 
> >   public void invoke(Request request, Response response)
> >         throws IOException, ServletException {
> > 
> >     String authHeader = request.getHeader("Authorization");
> >     if (authHeader!=null) {
> >       if (isAuthenticated(request, authHeader)) {
> >         getNext().invoke(request, response);
> >       } else {
> >         // may need setContentType(...)
> >         response.setStatus(403);
> >         response.getWriter().write("Go away - your not allowed!");
> >       }
> >     } else {
> >       // may need setContentType(...)
> >       response.setStatus(401);
> >       response.addHeader("WWW-Authenticate",
> >                          "Basic realm=\"My Webapp\"");
> >       response.getWriter().write("some message");
> >     }
> >   }
> > }
> > 
> > I would think the preceding should work.
> > 
> > -Tim
> > 
> > Johannes wrote:
> >> With the lack of replies I guess that Active directory connections are
> >> not used by anyone here.
> >>
> >> I'm making it a bit more simple then and in step one only protect this
> >> service with a simple login / password protection.
> >>
> >> Setup: One separate engine only accepting HTTPS connections that needs
> >> to be protected.
> >> I have set up a "org.apache.catalina.realm.MemoryRealm" realm with an
> >> xml file with one user, password and group in my server.xml section
> >> for the engine I'm protecting.
> >>
> >> So far so good.
> >> Then I got everything to work when editing <webapp>/WEB-INF/web.xml
> >> and added the following:
> >>   <security-constraint>
> >>     <display-name>Security check</display-name>
> >>     <web-resource-collection>
> >>       <web-resource-name>Protected Area</web-resource-name>
> >>       <!-- Define the context-relative URL(s) to be protected -->
> >>       <url-pattern>/*</url-pattern>
> >>
> >>       <!-- If you list http methods, only those methods are protected -->
> >>       <http-method>DELETE</http-method>
> >>       <http-method>GET</http-method>
> >>       <http-method>POST</http-method>
> >>       <http-method>PUT</http-method>
> >>     </web-resource-collection>
> >>     <auth-constraint>
> >>       <!-- Anyone with one of the listed roles may access this area -->
> >>       <role-name>testgroup</role-name>
> >>     </auth-constraint>
> >>   </security-constraint>
> >>
> >>   <login-config>
> >>     <auth-method>BASIC</auth-method>
> >>     <realm-name>Security Check</realm-name>
> >>   </login-config>
> >>
> >> That worked great, the login box appears and is not accessible
> >> without the correct logon.
> >>
> >> BUT the problem is that this webapp is delivered by a 3rd party
> >> without the above settings in their web.xml file.
> >> We get regular updates and I would like to NOT be forced to remember
> >> to add the above section every time we get a new release of the webapp.
> >>
> >> So how can I make this Engine/webapp in the server.xml file be
> >> protected by one simple login WITHOUT the need to modify the webapp
> >> itself every time we get a new version of the webapp?
> >>
> >> ~Johannes
> >>
> >>
> >>
> >> -----Original message-----
> >> From: Johannes johannes@idg.nu
> >> Date: Thu, 02 Nov 2006 12:55:13 +0100
> >> To: users@tomcat.apache.org
> >> Subject: Tomcat authenticate with Active directory
> >>
> >>> I have a webapp that I want to protect the best way possible.
> >>> Our environment has previously been Windows and still is but our new
> >>> system is running tomcat 5.0.
> >>>
> >>> Now I would like to protect one part of our setup with login from our
> >>> Windows 2003 Active directory domain server when there are a lot of
> >>> people that are going to access this webapp. But still it needs to be
> >>> secure!
> >>> Found some information here:
> >>> http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html
> >>> Section JNDIRealm
> >>>
> >>> But without any previous experience with LDAP connections I have no
> >>> clue how to get this to work.
> >>> I've tried searching for a good tutorial/guide how to make this happen
> >>> step by step but without success.
> >>>
> >>> Has this been done by anyone here that could give me some help
> >>> setting this up. Or can direct me to a good step by step tutorial to
> >>> get this up and running?
> > 
> > 
> > ---------------------------------------------------------------------
> > To start a new topic, e-mail: users@tomcat.apache.org
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 
> > 
> > 
> 
