tomcat-users mailing list archives

From André Warnier>
Subject Re: combination of RemoteAddrValve and basic authentication
Date Mon, 26 Sep 2011 13:29:25 GMT
Remon Sadikni wrote:
> Dear Tomcat developers and users,
> I managed to restrict a web application by IP address with 
> RemoteAddrValve and to restrict another one by basic authentication. Now 
> I would like to restrict the same web application by both methods:
> - If the user is inside a specific network (e.g. 134.134.*.*), then he 
> should get direct access to the web application (without login window).
> - If he is outside this network he has to authenticate via username / 
> password.
> I tried to combine RemoteAddrValve and basic authentication, but I only 
> managed an "AND" conjunction. What I want is a disjunctive combination 
> ("OR") of these 2 methods. How can I do that?

Those 2 things do not happen at the same time.
The Valve executes first, and it either blocks the request totally, or lets it through.
Then, if the Valve let the request pass through, comes the authentication/authorization logic.
But by then of course it is too late, because if the request was blocked by the Valve, it
will not even make it to the AA stage.

What you could do, is write a custom Valve.  This Valve would have to check the client IP
address, and if it matches the "specific network", it should "pre-authenticate" the 
request, using some dummy user-id (like "internal_user") before it forwards the request.

I am not sure how easy that is however, since I do not know if Tomcat's Basic 
Authentication mechanism /always/ checks the "Authorization:" header first, or if it first
checks if the request has already a UserPrincipal assigned to it.

(Gurus, please fill in here : ........ )

If the Valve needs to add an "Authorization:" header to the request, then you are in for a
bit more complexity.

This would be a case where I would handle the problem at the level of a front-end Apache 
httpd, where such things are easier (for me) by an order of magnitude.
I even happen to have written an Apache/mod_perl module which does exactly what you want,
and more.

You may also want to have a look at SecurityFilter, which could well be an easier way for
you (
I do not think that it has provisions for "automatically" authenticating a user based on 
his client IP address, but it may be easier to just add the required code there.
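As an added illustration of the custom-Valve idea sketched in the reply above (this code is not from the thread and not part of Tomcat), here is a Valve that pre-authenticates requests whose socket address matches an internal network and passes everything else on untouched. It assumes the Tomcat 7 Catalina API, a hypothetical `allow` regex for the 134.134.0.0/16 example from the question, a constructed dummy user `internal_user`, and that the BASIC authenticator skips its challenge when a UserPrincipal is already set, which the reply leaves as an open question.

```java
// Added example: Valve that pre-authenticates clients from an internal network.
// Assumes Tomcat 7's Catalina API; "134.134." prefix and "internal_user" are
// constructed sample values, not taken from any real deployment.
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class InternalNetworkPreAuthValve extends ValveBase {

    // Anchored regex over the whole client IP, so "134.134.1.2" matches but
    // "1134.134.1.2" or "134.134.1.2.3" do not. Settable from server.xml.
    private Pattern allow = Pattern.compile("^134\\.134\\.\\d{1,3}\\.\\d{1,3}$");
    private String dummyUser = "internal_user";
    // Grant only the role the web.xml security-constraint requires.
    private List<String> roles = Collections.singletonList("internal");

    public void setAllow(String regex) { this.allow = Pattern.compile(regex); }
    public void setDummyUser(String user) { this.dummyUser = user; }
    public void setRole(String role) { this.roles = Collections.singletonList(role); }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Use the socket address, never a client-supplied X-Forwarded-For header;
        // if a proxy sits in front, let RemoteIpValve rewrite it first.
        String ip = request.getRemoteAddr();
        if (request.getUserPrincipal() == null && ip != null
                && allow.matcher(ip).matches()) {
            // GenericPrincipal(name, password, roles); no password is needed here.
            request.setUserPrincipal(new GenericPrincipal(dummyUser, null, roles));
            request.setAuthType("INTERNAL_NETWORK");
        }
        // External clients continue unchanged and hit the BASIC authenticator.
        getNext().invoke(request, response);
    }
}
```

Declare it with `<Valve className="InternalNetworkPreAuthValve" allow="^134\.134\.\d{1,3}\.\d{1,3}$"/>` inside the web application's Context so it runs before the authenticator; if the pre-set principal turns out to be ignored, the reply's warning about having to forge an "Authorization:" header applies.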
