tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Contexts and Path and Authentication
Date Thu, 10 Dec 2009 22:56:58 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 12/9/2009 5:40 PM, André Warnier wrote:
> Ok, my try here.  And by the same token - haha - I will give a chance to
> Chris to jump in.

Sure, why not?

> - there is (preferably) one application.  As Chuck is saying, it should
> not care /how/ the user was authenticated, just that he is.
> That's just a getRemoteUser() for you, isn't it?

+1

> - unfortunately, the Holy Servlet Spec does not foresee nor allow that 2
> alternative methods of authentication would be used.

+1

> This looks to me the perfect case for a servlet filter.

+1

> The filter applies to all requests to the webapp.

- -1 (see below)

> - the request itself contains an "Authorization:" header.

[or]

> - the request contains an authentication cookie (header).

[or]

> B) Neither of the above is true, so the request is not authenticated.

I think Anthony wants to /always/ use FORM for some URLs, and /always/
use BASIC for others. He hasn't said whether he wants either
authentication to allow access to the "other" part of the site.

securityfilter (http://securityfilter.sourceforge.net) can be tricked
into doing this. Although the standard operating procedure is to map sf
to all URLs (i.e. <url-pattern>/*</url-pattern), one can choose to map
it to different patterns and deploy it /twice/:

    <filter>
        <filter-name>Security Filter BASIC</filter-name>
      <filter-class>org.securityfilter.filter.SecurityFilter</filter-class>
      <init-param>
         <param-name>config</param-name>
         <param-value>/WEB-INF/securityfilter-basic.xml</param-value>
      </init-param>
    </filter>

    <filter>
        <filter-name>Security Filter FORM</filter-name>
      <filter-class>org.securityfilter.filter.SecurityFilter</filter-class>
      <init-param>
         <param-name>config</param-name>
         <param-value>/WEB-INF/securityfilter-form.xml</param-value>
      </init-param>
    </filter>

...
<!--
/secure/yyy  -->Form based auth
/secure/xxx  -->Form based auth
/public/  -->Form based auth
/secure/xml/  -->basic auth
/xml/  -->basic auth
- -->

    <filter-mapping>
        <filter-name>Security Filter FORM</filter-name>
        <url-pattern>/secure/yyy/*</url-pattern>
        <url-pattern>/secure/xxx/*</url-pattern>
        <url-pattern>/public/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>Security Filter BASIC</filter-name>
        <url-pattern>/secure/xml/*</url-pattern>
        <url-pattern>/xml/*</url-pattern>
    </filter-mapping>

Now, you simply have to configure each filter's instance with a
different configuration file (one using BASIC, one using FORM) and
you're good to go.

URLs that don't match any of the patterns above will basically be unable
to correctly use request.isUserInRole() and request.getPrincipal(), so
you ought to think about that very carefully.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkshfLoACgkQ9CaO5/Lv0PCxngCgsk79GtCJC7BO8Yj8gMrAlOu5
wbEAnj4Lz1lnsYyxSS4Q1EddWlB/Hrrd
=4vCr
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message