tomcat-users mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: Help: auth-constraint with Tomcat 6
Date Wed, 24 Jun 2009 17:12:35 GMT

Tomcat Realms would 'silo' access based on authentication to role.
Realms would also provide the capability to work with whitelist, blacklist scenarios.

However, if you want access to a governed Resource based on your authenticated SSO Portlet-level
Security check, you will need a JSR286 Portal, in which case I would suggest Jetspeed:
http://portals.apache.org/jetspeed-2

HTH
Martin Gainty 

> Date: Wed, 24 Jun 2009 23:12:35 +0800
> Subject: Re: Help: auth-constraint with Tomcat 6
> From: ehchong@gmail.com
> To: users@tomcat.apache.org
> 
> Hi Tim,
> 
> Basically the first realm contains a list of users we want to deny access. The
> password would be dynamic, making it difficult to get through. Well, maybe I
> should really consider working with specific roles. That is, grant users
> roles that would allow them access. Then I would probably just need a
> single realm for authentication.
> 
> However, this would mean almost all users require such a role granted except
> for some whom we'd like to deny access. Then every new user would also probably
> need to be granted the role. A little extra work there, besides working with IT to
> get the new role set up. A black list would work better than a white list in
> this case.
> 
> 
> Thanks,
> Clement
> 
> On Wed, Jun 24, 2009 at 7:02 PM, Tim Funk <funkman@apache.org> wrote:
> 
> > Do you really want to allow different passwords for the same user id?
> > Sounds dangerous.
> >
> > For different access control restrictions you need to set up various
> > roles, which are names chosen by you. Which can be something like
> > - reader, writer
> > - admin, superuser, user
> > - it, sales, marketing, hr
> >
> > Then your role names * would be gone and you would need a
> > <security-constraint> for each resource category you need to protect.
> > (Google for more details on <security-constraint> for more help on that)
> >
> > -Tim
> >
> >
> > Clement Chong wrote:
> >
> >> Hi tomcat users,
> >>
> >> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
> >> with nested JDBCRealm and JNDIRealm. The security constraint has also been
> >> set up in my application WEB-INF/web.xml file:
> >>
> >> <auth-constraint>
> >>      <!-- Anyone with one of the listed roles may access this area -->
> >>      <role-name>*</role-name>
> >> </auth-constraint>
> >>
> >> User is now authenticated via JDBCRealm followed by JNDIRealm and would be
> >> able to access protected pages with any role.
> >>
> >> The question I have is how can I deny a group of users with a particular
> >> role to all protected pages even if they can provide correct combination
> >> of username/password?
> >>
> >> Would it also be possible to change the behavior of the
> >> combinedRealm/LockoutRealm such that if username is found in prior realm
> >> and password is incorrect, then it skips the other realms? It only looks
> >> into the other realms if username is not found in prior realms.
> >>
> >
> >
> >
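
The role-based setup suggested in the quoted thread, sketched as a WEB-INF/web.xml fragment. This is an added example, not configuration posted by anyone on the list; the URL patterns, resource names and realm-name are hypothetical, and the role names are borrowed from the examples in the thread.

```xml
<!-- WEB-INF/web.xml fragment (Servlet 2.5, as used by Tomcat 6).
     URL patterns, resource names and realm-name are hypothetical. -->

<!-- Wildcard form from the thread: every role is accepted, so no group
     of authenticated users can be kept out declaratively.
<auth-constraint>
    <role-name>*</role-name>
</auth-constraint>
-->

<!-- One constraint per resource category, each naming the roles allowed in. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reports</web-resource-name>
        <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>reader</role-name>
        <role-name>writer</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administration</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected Area</realm-name>
</login-config>

<!-- Declare every role referenced above. -->
<security-role><role-name>reader</role-name></security-role>
<security-role><role-name>writer</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

With explicit role names, a user who authenticates correctly but holds none of the listed roles for a resource is refused with 403, so access is withheld by not granting a role.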
