tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Thu, 01 Dec 2011 18:17:19 GMT

---- "André Warnier" <> wrote: 
> wrote:
> > Hi,
> > 
> > I'm new here, and hope that someone can help.
> > 
> > I was wondering if any of the LDAP-type realms (e.g., JNDIRealm, etc.) support an
authentication mode where no password or credentials are required?  In other words, where
just a userID/username is presented, and if that userID/username is present in the LDAP, then
the user gets authenticated?
> > 
> You have to be VERY specific here about what you mean, because this is a very delicate
> If you mean : "does there exist any way by which Tomcat can authenticate a user, without

> forcing this user to go through a login dialog with userid and password ?"
> then the answer is : yes, several (*).  But the applicability of each depends very much
> the exact circumstances.
> If you mean : "does there exist any /standard/ authentication mechanism in Tomcat whereby,

> /with/ a login dialog, the user could be authenticated without providing a password,

> although the authentication back-end (e.g. LDAP) has a non-empty password registered
> that user ?"
> then the answer is no, definitely.  Because such a mechanism would be a HUGE security

> hole, so it is certainly not provided as any standard authentication framework.
> (which does not mean that you could not invent your own mechanism).
> Also, when you are mentioning LDAP, do you really mean the standard LDAP (which is just

> basically a database, and is not per se an "authentication mechanism"), or do you mean

> "Windows domain authentication, backed up by an Active Directory server" ?
> Or something else ?
> There is so much variation possible here, that it may be better to describe what you
> to achieve really, rather than asking questions about this or that mechanism right away.
> (*) for example, look here :

Hi Andre,

Sorry.  I should have been clearer in my explanation and my question, so let me try again.

Our configuration has an Apache in front of the Tomcat, with the Apache reverse-proxying (using
mod_proxy, for now) to the Tomcat.

In the Apache proxy, we do client-authenticated certificate authentication, and we also have
a web agent/module that authenticates the user into a commercial SSO product.  After the user
is authenticated, the requests that go to/get proxied to the Tomcat have some HTTP headers,
including a header containing the userID of the user that got authenticated by the SSO product.

I've been working on Tomcat valve that does "ID assertion", i.e., when the code in my valve
sees the HTTP header with the authenticated userID, it "asserts" the user into Tomcat.  

Specifically,  my valve code calls org.apache.catalina.connector.Request.setUserPrincipal(getPrincipal(paramRequest)),
where "paramRequest" is the org.apache.catalina.connector.Request object.

When I posted my message, I had just started on my valve code.  As I said, I'm kind of new
to Tomcat security, but at that time, I *thought* that after my valve did the setUserPrincipal(),
that the user had to somehow be authenticated into the Tomcat realm (i.e., that the asserted
userID had to actually exist in the Tomcat realm).

I've since gotten an initial version of my valve code kind of working, but I'm still a little.

I can get the userID from the request header and call the setUserPrincipal() in the valve
code successfully, and from some test JSP pages I use, I can see that when the JSP calls request.getUserPrincipal(),
it appears to return the asserted user.

The thing that is puzzling me is that, on my test Tomcat, I just have the default realm (the
one that uses tomcat-user.xml for the user base), with only the default set of dummy users.

And yet, when I test with my valve and the test JSP, it appears that everything just works,
even when the userID that I assert is not in the Tomcat realm!

For example, I guess in the default realm, there's only a comple of users (tomcat, etc.),
but if I send a request into the Tomcat with a header with a userID of "foobar" (and even
though there is no user "foobar" in the Tomcat realm), things seem to work ok, i.e., my JSP
displays "foobar" for request.getUserPrincipal().

Having said all of that, I guess that my question has changed somewhat.  Specifically, now
I'm wondering:  With what I described above, and with my valve as described above, does the
asserted user NOT have to be in the Tomcat realm at all?

It's almost like, with Tomcat, when my valve code calls setUserPrincipal(), Tomcat doesn't
"care" whether the user that I'm asserting actually exists or doesn't exist in the Tomcat

Again, as I said, I'm new, so I may  (and probably am) misunderstanding something about how
Tomcat security works...

Sorry for the longish post, but I hope that things are clearer now?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message