tomcat-users mailing list archives

From André Warnier
Subject Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
Date Fri, 13 Jun 2008 21:58:56 GMT
If it may help :
I have implemented a mechanism as described below, in Apache using 
mod_perl.  I don't know how to do it under Tomcat, or if it is even 
possible without rewriting some basic Tomcat code, but maybe the 
following gives someone an idea.

(Of course, if you are running Tomcat with an Apache front-end and 
mod_jk, you could do it in Apache, and pass the user-id to Tomcat. 
That's in fact what I am doing.)

In Apache/mod_perl, it relies on the fact that there are three 
consecutive phases in request processing, with possible mod_perl hooks, 
and they run in this order :

- an "access control" phase
This phase is supposed to grant or deny access based on some request 
characteristic other than the user-id (e.g. the time of day, or the IP 
range the request is coming from).
In standard Apache config, this is the equivalent of an "Allow from 
..(IP range).." directive.  In Tomcat, it would probably be an 
"Access-control Valve". There is an example somewhere in the Tomcat 
on-line documentation.

- an "authentication phase"
where the request is authenticated (gets a user-id if it doesn't have 
one yet)

- an "authorisation phase"
where the request is allowed or not to proceed, depending on whether or 
not it has a user-id, and this user-id is supposed to be able to access 
this resource.

Basically, I "hijack" the access-control phase, to compare the origin IP 
of the request with a table containing IP addresses and corresponding 
"group user-id's".  If the origin IP matches one of the table entries, 
it gets the associated user-id.  Otherwise it does not get a user-id.
Anyway, the request is allowed to proceed.

In the authentication phase, it is checked whether the request is 
already authenticated.  If yes (for example it got a user-id during the 
access-control phase), it is allowed to proceed.  If not, it gets a 
login page.

And finally in the authorisation phase, the request is rejected if it 
does not have a user-id.

Now the questions are, in Tomcat,
1) if an "Access-control Valve" runs before an application (webapp) is 
invoked. I believe it should, since it is (can be) defined at a higher 
level than a webapp.
2) if one could, within such a Valve, attribute a user-id to the 
session.  That I really don't know, because I have never actually seen a 
method allowing to /set/ a user-id. (But I was probably looking in the 
wrong places).
3) how one could write a custom Valve, and how difficult that would be.
Considering that Tomcat is open-source, one could always take the 
standard IP-based Valve and modify it for the purpose.

Alternatively, maybe it is possible to do this IP-based authentication 
in a servlet filter wrapped around the webapp.  But I have a feeling 
that under Tomcat the authentication/authorization phase runs before 
even a servlet filter runs, and in that case it might not work.

I am interested also to learn if the above kind of thing is possible, 
and if that would be a good way of doing this under Tomcat.

Filip Hanik - Dev Lists wrote:
> hi Alex, that is an interesting use case. I don't think there is a way to 
> do this without doing some customization to the tomcat code base, such 
> as implementing your own realm
> Filip
> Alex Mestiashvili wrote:
>> HI ALL .
>> I have basic authentication for my tomcat application .
>> Now I want , allow access without authentication to this app from 
>> several ip ranges , but leave auth from any other hosts .
>> I did not find any solution  in google
>> Is it possible ?
>> tomcat version is 6.0.16
>> Thanks in advance .
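
The three-phase flow described in the message above, modelled in Python as an added example (not part of the original message, and not mod_perl or Tomcat code). The table entries, group user-ids and function names are constructed for illustration; overlapping ranges resolve to the most specific entry, which is an assumption the message does not state.

```python
import ipaddress

# Constructed sample table: source network -> "group user-id" (hypothetical names).
IP_USER_TABLE = {
    "10.20.0.0/16": "grp-office",
    "10.20.30.0/24": "grp-lab",
    "2001:db8:40::/48": "grp-branch",
}
NETWORKS = [(ipaddress.ip_network(cidr), user) for cidr, user in IP_USER_TABLE.items()]


def access_control_phase(request):
    """Phase 1: attach a group user-id if the peer IP is in the table; never deny."""
    # peer_ip must be the connection's peer address as seen by the server,
    # not a value taken from a client-supplied header.
    try:
        peer = ipaddress.ip_address(request["peer_ip"])
    except ValueError:
        return request  # unparsable address: no user-id, falls through to login
    matches = [(net, user) for net, user in NETWORKS
               if net.version == peer.version and peer in net]
    if matches:
        # Overlapping ranges: the longest prefix (most specific entry) wins.
        request["user"] = max(matches, key=lambda m: m[0].prefixlen)[1]
    return request


def authentication_phase(request):
    """Phase 2: already-identified requests pass; the rest get the login page."""
    return "proceed" if request.get("user") else "login-page"


def authorisation_phase(request):
    """Phase 3: reject any request that still has no user-id."""
    return "allow" if request.get("user") else "reject"


def handle(peer_ip, login_user=None):
    """Run the phases in order; login_user models a successful interactive login."""
    request = access_control_phase({"peer_ip": peer_ip})
    if authentication_phase(request) == "login-page":
        if login_user is None:
            return ("login-page", None)
        request["user"] = login_user
    return (authorisation_phase(request), request.get("user"))
```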
