tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Authentication without Authorization ( JNDI Realm )
Date Wed, 02 Dec 2009 20:53:51 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shashank,

On 12/2/2009 10:48 AM, shashank.r38@wipro.com wrote:
> Is there any way to use a Realm only for authentication and disable
> authorization ( do not check for roles ) ?

If you are using Tomcat's container-managed authentication and
authorization, you can achieve this by simply putting this in web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

Technically speaking, this will require authentication but then let
anyone holding any role defined in web.xml to access any page on your
site. Practically speaking, you don't even need to define the roles in
web.xml because (last time I checked), Tomcat treats '*' as
"authenticated, regardless of roles".

This is the code from 6.0.20 that implements this behavior:

java/org/apache/catalina/realm/GenericPrincipal.java:

    public boolean hasRole(String role) {

        if("*".equals(role)) // Special 2.4 role meaning everyone
            return true;
        if (role == null)
            return (false);
        return (Arrays.binarySearch(roles, role) >= 0);

    }

So, yeah, '*' ought to do it.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksW094ACgkQ9CaO5/Lv0PBJwQCgn1Xn2pL2mxSaNCe4Ex7vdUgE
S0QAoJyBYrx7gq65G6h+gVlAsFP9kC8q
=7C+o
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message