tomcat-users mailing list archives

From "Propes, Barry L " <>
Subject RE: Anonymous access with Tomcat Authentication configured.
Date Tue, 09 Oct 2007 22:18:33 GMT
Is the bottom line that he (Semen) wants certain areas protected by a role, and other areas
protected/accessible only by another role?

Or is he looking for authentication at every protected juncture?

-----Original Message-----
From: Christopher Schultz []
Sent: Tuesday, October 09, 2007 5:08 PM
To: Tomcat Users List
Subject: Re: Anonymous access with Tomcat Authentication configured.



Semen Vadishev wrote:
> Well, have you ever configured path based authentication for Subversion
> Server?

Oh, you're using WebDAV. :(

> So if there is no <security-constraint> element in
> web.xml, Tomcat doesn't provide authorization, right?

Correct. It will not perform authentication either.

I think it's important to understand what's going on here:

Tomcat's built-in A&A requires that an unauthenticated user request a
protected resource (protected by a <security-constraint>). When this
happens, Tomcat intercepts the request internally and issues the
appropriate login request (HTTP AUTH, FORM, etc.). Upon successful
authentication, Tomcat re-processes the original request.

Tomcat authorization is done separately, though probably by the same
component (Valve).

You can require authentication but not enforce any specific role by
using <role-name>*</role-name> in your <security-constraint>.

Unfortunately for you, J2EE does not do user-based authorization; it
will only do role-based authorization.

I don't think you can use Tomcat's authorization at all. I don't know
enough about the WebDAV/svn protocol to know whether it will work for

> And if
> web.xml contains <login-config> element and doesn't contain
> <security-constraint>
> element then servlet gets Principal object anyway (if client sent user/pass
> then request.getRemoteUser() returns "user" and if not request.getRemoteUser()
> returns null)? Well at least I will try to configure Tomcat this way.

If you want Tomcat to do authentication and not authorization (which it
sounds like is the case), then use <role-name>*</role-name> on whatever
resource you are protecting and Tomcat will demand that the user
authenticate in order to access the resource (but it won't care who the
user is).

Then, you should be able to get a Principal from the request object
during a request.

> 1. Requests with no authentication data.

I'm pretty sure you're always going to want authentication data. To get
Tomcat to work this way, you will need authentication data for pretty
much every request.

> 2. Requests with authentication data [...] so we want Tomcat to check
> if this pair username/password is valid

You can't have Tomcat do this kind of thing on demand. You can either
use their authentication mechanism (with all the requirements above) or not.

> So my question now is: If Tomcat configured to provide built-in
> authentication and do not provide built-in authorization can we get
> described behavior?

You can try using <role-name>*</role-name> as described above, but it
may not work the way you want it to work. For instance, if you want to
allow completely anonymous access (i.e. not even requiring the use of a
"guest" username and password), then you'll need to do everything yourself.

Don't worry: authentication is really easy. Authorization isn't that
bad, either, especially since you will probably only have a single
servlet that needs protecting. The problem with these things is usually
making sure you didn't miss anything (like leaving a swath of URIs

Feel free to look at Tomcat's Realm implementations for coding inspiration.

> Hope this explanation is more clear.

It is, thanks.

- -chris
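The web.xml arrangement Chris describes (a <security-constraint> whose <auth-constraint> is <role-name>*</role-name>, paired with a <login-config>), written out as an added example. This is not code from the thread or from the Tomcat project; the URL pattern /repos/*, the realm name and the role name svn-user are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: minimal Servlet 2.5 web.xml (the version Tomcat 6 implements).
     Paths, realm name and role name are assumed, not taken from the thread. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Roles the application declares. In Tomcat's default (strict) handling of
       <role-name>*</role-name>, an authenticated user must hold at least one of
       these declared roles, so declare every role your Realm can hand out. -->
  <security-role>
    <role-name>svn-user</role-name>
  </security-role>

  <!-- Everything under /repos/ (assumed path) triggers Tomcat's built-in
       authentication. No <http-method> is listed on purpose: listing methods
       would leave every unlisted method (PROPFIND, REPORT, MERGE and the other
       WebDAV verbs) unconstrained and therefore unauthenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Repositories</web-resource-name>
      <url-pattern>/repos/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "any role": demand authentication, but do not require one specific role -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Requests for URLs that match no <security-constraint> (for example
       /public/index.html) are served anonymously: no challenge is issued, and
       request.getUserPrincipal() / getRemoteUser() return null in the servlet. -->

  <!-- On its own this element does nothing; Tomcat only challenges when a
       constrained resource is requested. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Subversion</realm-name>
  </login-config>

</web-app>
```

Once a request has passed the constraint, the servlet reads the identity with request.getUserPrincipal() (or request.getRemoteUser() for just the name) and can apply its own user-based checks, which is the part J2EE's role-based authorization does not cover. One caveat worth knowing before relying on the "*" trick: what "*" means is controlled by the Realm's allRolesMode attribute in Tomcat 7 and later (default strict, meaning the user must hold one of the roles declared in <security-role>; authOnly accepts any authenticated user), and Servlet 3.1 containers (Tomcat 8 and later) also accept <role-name>**</role-name> to mean "any authenticated user, regardless of role".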

