tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Do any of the Tomcat LDAP-type realms support "no password" authentication?
Date Sun, 04 Dec 2011 06:49:39 GMT
> From: ohaya@cox.net [mailto:ohaya@cox.net] 
> Subject: Re: Do any of the Tomcat LDAP-type realms support "no password" authentication?

> In other words, even though my valve code can assert a user 
> into Tomcat, and even if that same user already exists in the
> Tomcat realm, the asserted user seems to be 'disassociated'
> from the same user in the Tomcat realm?  

Need to get some terminology correct here.  A Realm does not normally contain users, roles,
or any other authentication or authorization _data_; rather, it is a Java class that embodies
rules for examining the credentials supplied by a login attempt and comparing them to credentials
and roles stored in some external location.  By default (and never meant to be used in production),
the external location is the file tomcat-users.xml, and the Realm is UserDatabaseRealm (augmented
by LockOutRealm to discourage probing).  Several other Realm classes are supplied with Tomcat,
to allow access to credentials from LDAP servers, relational databases, JAAS, etc.

I think what you need is essentially a Realm that does no authentication of its own (trusting
httpd to do that), but does perform the authorization function.  It can then map the userid
to whatever set of roles are appropriate for that user, and return the appropriate response
when queried.  See the doc for details:

http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

It would seem likely that someone out there has written a Realm that performs the above functions
in conjunction with httpd authentication.  (Note: you keep using the word "Apache" - which
is a software organization with many products - when you're referring to httpd, a specific
Apache product, as is Tomcat.)

 - Chuck
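As an added illustration of the authorization-only Realm described above (not code from this thread or from Tomcat itself): a Realm written against the Tomcat 7 RealmBase API covered by the linked howto that holds no credentials and only maps an already-asserted user id to roles. The class name, package, `principalFor` helper and the sample user-to-role map are assumptions.

```java
package example.realm; // hypothetical package

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Authorization-only Realm: it never verifies a password (httpd is trusted
 * to have done that) and only answers "which roles does this user hold?".
 * Because it trusts the asserted user id, it is only safe where Tomcat is
 * reachable exclusively through the httpd instance doing the authentication.
 */
public class HttpdTrustingRealm extends RealmBase {

    // Constructed sample mapping; a deployment would load this from a file,
    // a database or a directory rather than hard-coding it.
    private static final Map<String, List<String>> USER_ROLES =
            new HashMap<String, List<String>>();
    static {
        USER_ROLES.put("alice", Arrays.asList("manager-gui", "admin-gui"));
        USER_ROLES.put("bob", Arrays.asList("user"));
    }

    @Override
    protected String getName() {
        return "HttpdTrustingRealm";
    }

    /** No stored credential, so RealmBase.authenticate(user, password) always fails. */
    @Override
    protected String getPassword(String username) {
        return null;
    }

    /** Known users get a GenericPrincipal carrying their roles; unknown users get null. */
    @Override
    protected Principal getPrincipal(String username) {
        List<String> roles = USER_ROLES.get(username);
        if (roles == null) {
            return null;
        }
        return new GenericPrincipal(username, null, Collections.unmodifiableList(roles));
    }

    /** Hypothetical public entry point a user-asserting Valve could call. */
    public Principal principalFor(String username) {
        return getPrincipal(username);
    }
}
```

RealmBase.hasRole() evaluates roles from a GenericPrincipal, so a Valve that sets the Principal returned by `principalFor` on the request gets container security-constraint checks for free.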


