tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Single-sign on without form-based authentication
Date Thu, 30 Aug 2007 18:25:20 GMT

Lb,

lightbulb432 wrote:
> Views would definitely allow me to keep the two tables separate, but then I'd
> have to authenticate against the two source tables separately (i.e. each
> application would point to the source table rather than to the view). If
> pointing both applications to the common view, then doesn't the original
> problem exist?

Don't do that. Create separate views for each of your applications, and
use the app-appropriate view for authentication.

If you think this sounds like too much trouble, you're right. Just
remember that Tomcat implements the simplest thing that could possibly
work wrt authentication. If you don't like it, you can always override
the authentication mechanism with something else (securityfilter!) or
hand-roll your own realm.

> I took a look at JAASRealm and its authenticate method only takes two
> parameters (username and "credentials", which is really just a single
> password string). 
>
>> Is it possible to pass my other credentials to the JAASRealm so that I can
>> pass everything at one time (username, password, other credentials) to the
>> stored procedure, rather than - if I've interpreted this correctly -
>> authenticating once through the JAAS username/password, then again through
>> my stored procedure to "cancel out" the previous authentication.

Uh, you could always pass a concatenated "credential" which includes
more than just the password. For instance:

JAASRealm.authenticate(username, appId + ":" + hash(password));

Then, in your stored procedure, tear apart the "credential" and use part
of it as the app identifier. Or, put the appId into the username.
Whatever you want to do. There are lots of options.

> So if not JAASRealm, perhaps I need to look at something else to customize?
> I could of course implement my own authentication, but if I can get around
> this one shortcoming of the "credentials" concept being considered a
> password String rather than a generic Collection of multiple Objects, then I
> think I might be able to use Tomcat authentication.

You can still use Tomcat's authentication "mechanism"... you just might
have to use your own Realm implementation. Frankly, the
org.apache.catalina.Realm interface is baffling to me.

One option is to create a Realm that extends JDBCRealm (or, better yet,
DataSourceRealm) and override the authentication method to do your own
SQL queries, but keep all the configuration options provided by the
superclass. You can even add a configuration option by adding a mutator
and accessor to specify the app's id. Then you can do something like
this in your context.xml:

      <!-- className points at your Realm, which extends JDBCRealm -->
      <Realm  className="package.to.your.Realm"
             driverName="org.gjt.mm.mysql.Driver"
          connectionURL="jdbc:mysql://localhost/authority"
         connectionName="test"
      connectionPassword="test"
               userTable="users"
             userNameCol="user_name"
             userCredCol="user_pass"
           userRoleTable="user_roles"
             roleNameCol="role_name"
                   appId="application-1" />

Just make sure you have setAppId and getAppId methods on your Realm
implementation, and then use them when you build your SQL query to
verify a login.

-chris
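The "extend DataSourceRealm, add an appId attribute, and use it when verifying a login" option described in the message, written out as an added example. This is not code from the message or from Tomcat; it is written against the protected DataSourceRealm.authenticate(Connection, String, String) hook, and it assumes an extra table app_users(user_name, app_id) that records which users may log in to which application. The package name, class name and that table are assumptions of the example.

```java
// Added example (not from the mailing-list message or the Tomcat project).
// A Realm that extends Tomcat's DataSourceRealm, accepts an appId attribute
// from context.xml, and rejects logins from users who are not enrolled for
// that application before handing password checking to the superclass.
// Assumed schema: app_users(user_name VARCHAR, app_id VARCHAR), in addition
// to the standard users / user_roles tables the superclass already queries.
package example.realm;   // hypothetical package name

import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.apache.catalina.realm.DataSourceRealm;

public class AppScopedDataSourceRealm extends DataSourceRealm {

    // Populated by Tomcat from the appId="..." attribute on the <Realm> element
    private String appId;

    public String getAppId() {
        return appId;
    }

    public void setAppId(String appId) {
        this.appId = appId;
    }

    // Table and column names are assumptions of this example.
    private static final String MEMBERSHIP_QUERY =
        "SELECT 1 FROM app_users WHERE user_name = ? AND app_id = ?";

    @Override
    protected Principal authenticate(Connection dbConnection,
                                     String username, String credentials) {
        // Fail closed: a realm that was never told which application it
        // serves must not authenticate anyone.
        if (appId == null || appId.isEmpty()) {
            return null;
        }
        if (username == null || credentials == null) {
            return null;
        }
        if (!isEnrolled(dbConnection, username)) {
            return null;
        }
        // Password comparison, digesting and role lookup stay with the
        // superclass, so userTable / userCredCol / userRoleTable and the
        // other standard attributes keep working unchanged.
        return super.authenticate(dbConnection, username, credentials);
    }

    // True when the user is enrolled for this realm's application.
    private boolean isEnrolled(Connection dbConnection, String username) {
        // Parameterised query: the username is attacker-controlled input.
        try (PreparedStatement stmt = dbConnection.prepareStatement(MEMBERSHIP_QUERY)) {
            stmt.setString(1, username);
            stmt.setString(2, appId);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next();
            }
        } catch (SQLException e) {
            // A database error must read as "not enrolled", never as a pass.
            return false;
        }
    }
}
```

Each application's context.xml then points className at this class and sets its own appId; since this extends DataSourceRealm rather than JDBCRealm, the connection is named with the dataSourceName attribute instead of the driverName/connectionURL attributes shown above. Two deployments of the realm with different appId values give the per-application separation the thread is after, while the enrollment check happens before the password is ever compared.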
