tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: user tomcat authentication
Date Mon, 13 Jun 2011 08:55:14 GMT
On 13/06/2011 09:44, Petr Hracek wrote:
> Only the simple question,
> What is the flag which URLs are protected?

It is time for you to read the Servlet specification.

> I have found that link
> http://tomcat-configure.blogspot.com/2009/01/tomcat-web-xml.html
> and specially section:
> 
>     How to secure your application with JAAS ?

And it looks like you need to read the Tomcat documentation as well.

Mark

> 
> Let's say that my htdocs directory is there:
>    /opt/testApp/htdocs/index.html
> and servlet storage is there:
>   /opt/testApp/servlet/
> 
> Logging page is mentioned here: /opt/globalPages/htdocs/index.html
> 
> How to configure https://<ipaddress>/testApp/ so that if HTTP COOKIE
> is not defined then /opt/globalPages/htdocs/index.html will be shown
> otherwise /opt/testApp/htdocs/index.html will be shown.
> 
> Thank you very much
> 
> 2011/6/13 Pid <pid@pidster.com>:
>> On 13/06/2011 07:50, Petr Hracek wrote:
>>> First authentication is done so that if in the browser exists relevant
>>> HTTP COOKIE and validation of that cookie is done then page should be
>>> shown.
>>>     How to do that I do not know from the tomcat point of view.
>>>
>>> Is there any possibility how to check valid HTTP COOKIE otherwise
>>> showing login page.
>>>
>>> If HTTP COOKIE is not existing then logging has to be done over my one program.
>>>     How to do that I do not know as well.
>>>
>>> Are there any examples?
>>
>> From the little information you give, you're describing container
>> managed security.  FORM auth as defined by the Servlet Spec can do just
>> that.
>>
>> You configure a Realm, some elements in web.xml which define where the
>> login form & error pages are, and which URLs are protected.
>>
>>
>> p
>>
>>
>>
>>> 2011/6/13 Petr Hracek <phracek2@gmail.com>:
>>>> First authentication is done so that if in the browser exists relevant
>>>> HTTP COOKIE and validation of that cookie is done then page should be
>>>> shown.
>>>>
>>>>
>>>> 2011/6/12 Mark Thomas <markt@apache.org>:
>>>>> On 12/06/2011 20:29, Pid wrote:
>>>>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>>>>> And what about in case that I have my own program for accessing to the
>>>>>>> specific databases where the passwords are stored as hashes?
>>>>>>>
>>>>>>> Are there any possibilities how to run that program for getting unhashed
>>>>>>> password from database?
>>>>>>
>>>>>> Why not hash the inbound password, then send & compare it against the
>>>>>> one in the DB, rather than decoding it?
>>>>>>
>>>>>> The Realm implementations can handle this, if you're using a standard
>>>>>> hashing method that Java recognises.
>>>>>>
>>>>>> Hopefully you've not invented your own hashing method.
>>>>>
>>>>> Hmm. Hash functions are meant to be one way. It should be impossible to
>>>>> retrieve an unhashed password from the database.
>>>>>
>>>>> I hope that the original description is inaccurate rather than an
>>>>> example of (yet another) badly broken home-grown security solution that
>>>>> needs to be thrown away.
>>>>>
>>>>> Mark
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards / S pozdravem
>>>> Petr Hracek
>>>>
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 