tomcat-users mailing list archives

From "Joseph Morgan" <joseph.mor...@ignitesales.com>
Subject RE: Best Basic Auth Approach
Date Wed, 13 Jan 2010 21:39:03 GMT
Sounds to me the better solution is to make Tomcat inaccessible from
outside, and then have Apache route only authenticated requests.  

-----Original Message-----
From: cgswtsu78 [mailto:cgray@proofpoint.com] 
Sent: Wednesday, January 13, 2010 3:34 PM
To: users@tomcat.apache.org
Subject: Re: Best Basic Auth Approach


Chris, 

Thanks for the info below.  The problem I have is that the authentication is
already being done on the apache side as my java/tomcat web application
lives within an apache perl application.  I'm just trying to prevent anyone
from being able to deep dive directly to the java/tomcat application via the
URL (i.e. http GET is the only issue).  I was wondering if there is any way
that tomcat can check a flag to see if the user is auth'd and if not
redirect somewhere.  Maybe I'm too narrowly focused here...

Christopher Schultz-2 wrote:
> 
> 
> Colin,
> 
> On 1/13/2010 4:01 PM, cgswtsu78 wrote:
>> I'm new to tomcat and apache and I've seen some of the tomcat basic auth
>> examples on the web and all of them hardcode a user id/password for a role
>> in the tomcat-users.xml file.
> 
> Yuck!
> 
>> What if there is a 1000 userid/pwd
>> combinations for that role that are valid, how can the userid/pwd
>> configuration be made dynamic?
> 
> Remember that the authentication method is really two steps:
> 
> 1. Credential gathering
> 2. Authentication of credentials
> 
> HTTP BASIC AUTH is your strategy for #1 (other spec-supported strategies
> are FORM, DIGEST, and CLIENT-CERT).
> 
> For the second of those steps, Tomcat uses "realms". The realm you
> mention above is the UserDatabaseRealm and is configured by default like
> this:
> 
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
> This realm is provided mostly to get people up-and-running with things
> like the Tomcat manager app without forcing them to use a fully-fledged
> database system for authentication. In your case, you actually want
> something more robust than that flat-file-based authentication mechanism.
> 
> Instead, you should probably use something like a real database. One
> advantage to using a real database is that changes to the authentication
> database are effective immediately, instead of having to restart Tomcat
> for the tomcat-users.xml file to be reloaded.
> 
> You should read the documentation for Realms on the Tomcat website, here:
> http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
> 
> It describes each type of realm and how to setup each one.
> 
> If you are going to use a RDBMS for your authentication database, I
> highly recommend using DataSourceRealm which has a nice HOWTO here:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm
> 
>> What is the best approach when you have 1000s of userid/pwds that
>> are verified by apache and you need to make sure that the user is
>> auth'd when they get to the webapp in the tomcat container?
> 
> I think it's best to have Tomcat handle the authentication for you. The
> above information ought to get you started.
> 
> Hope that helps,
> - -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context:
http://old.nabble.com/Best-Basic-Auth-Approach-tp27151922p27152143.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
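As an added example (not from any poster in this thread), the two recommendations above combined in a Tomcat 6 server.xml fragment: the HTTP connector is bound to the loopback address so the webapp can only be reached through the Apache front end that has already authenticated the request, and a DataSourceRealm replaces the flat-file UserDatabaseRealm for the case where Tomcat checks credentials itself. The JNDI name jdbc/authority, the driver/URL, and the table and column names are assumptions.

```xml
<!-- Added example with assumed names; not the configuration of either poster -->
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- Assumed: a JDBC DataSource that the DataSourceRealm looks up by name.
         A read-only database account is enough, since the realm only reads. -->
    <Resource name="jdbc/authority" auth="Container"
              type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://localhost:5432/auth"
              username="tomcat_ro" password="CHANGE_ME"
              maxActive="10" maxIdle="2"/>
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Bound to 127.0.0.1: a client on another host cannot open port 8080
         directly, so a request can only arrive via the Apache reverse proxy
         on the same machine, which applies its own AuthType/Require rules
         before it proxies anything. -->
    <Connector port="8080" protocol="HTTP/1.1"
               address="127.0.0.1" connectionTimeout="20000"/>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- Replaces the default UserDatabaseRealm backed by tomcat-users.xml.
           User and role rows are read from the database at login time, so
           adding or disabling an account takes effect without a restart.
           digest="SHA" means user_pass holds SHA-1 hex digests, not
           plaintext passwords. -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/authority"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name"
             digest="SHA"/>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>
```

On the httpd side the matching `<Location>` keeps the existing Basic auth directives and adds a ProxyPass to http://127.0.0.1:8080/, so an unauthenticated GET is rejected by Apache before Tomcat ever sees it.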

