Return-Path: X-Original-To: apmail-tomcat-users-archive@www.apache.org Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 931B297A2 for ; Sun, 4 Dec 2011 07:44:51 +0000 (UTC) Received: (qmail 24097 invoked by uid 500); 4 Dec 2011 07:44:48 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 24020 invoked by uid 500); 4 Dec 2011 07:44:47 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 24011 invoked by uid 99); 4 Dec 2011 07:44:45 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 04 Dec 2011 07:44:45 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of ohaya@cox.net designates 68.230.241.218 as permitted sender) Received: from [68.230.241.218] (HELO eastrmfepo203.cox.net) (68.230.241.218) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 04 Dec 2011 07:44:37 +0000 Received: from eastrmimpo109.cox.net ([68.230.241.222]) by eastrmfepo203.cox.net (InterMail vM.8.01.04.00 201-2260-137-20101110) with ESMTP id <20111204074416.OOVW25070.eastrmfepo203.cox.net@eastrmimpo109.cox.net>; Sun, 4 Dec 2011 02:44:16 -0500 Received: from eastrmwml106 ([172.18.18.217]) by eastrmimpo109.cox.net with bizsmtp id 4vkG1i00C4h0NJL02vkGq5; Sun, 04 Dec 2011 02:44:16 -0500 X-CT-Class: Clean X-CT-Score: 0.00 X-CT-RefID: str=0001.0A020208.4EDB24D0.008E,ss=1,re=0.000,fgs=0 X-CT-Spam: 0 X-Authority-Analysis: v=1.1 cv=2Acw8yP2NENfRiZJ4RZtk6v+/jC/vIz8qOrlh6BYtZI= c=1 sm=1 a=oDu9JGl69GgA:10 a=G8Uczd0VNMoA:10 a=HmblazRPy8UA:10 a=IkcTkHD0fZMA:10 a=t1PrUrtrk04foxyHgvPcUw==:17 a=kviXuzpPAAAA:8 a=mV9VRH-2AAAA:8 a=xeG23dVQ_GO0mpf9XQEA:9 a=-mjNUPKwK1ZpWHUp2XsA:7 a=QEXdDO2ut3YA:10 a=DygyAWTlXvYA:10 a=4vB-4DCPJfMA:10 a=t1PrUrtrk04foxyHgvPcUw==:117 X-CM-Score: 0.00 Authentication-Results: cox.net; none Received: from 72.205.21.101 by webmail.east.cox.net; Sun, 4 Dec 2011 2:44:16 -0500 Message-ID: <20111204024416.F1IY4.212267.imail@eastrmwml106> Date: Sun, 4 Dec 2011 2:44:16 -0500 From: To: Tomcat Users List Subject: RE: Do any of the Tomcat LDAP-type realms support "no password" authentication? Cc: "Caldarale, Charles R" In-Reply-To: <99C8B2929B39C24493377AC7A121E21FB00BD56F07@USEA-EXCH8.na.uis.unisys.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) Sensitivity: Normal ---- "Caldarale wrote: > > From: ohaya@cox.net [mailto:ohaya@cox.net] > > Subject: Re: Do any of the Tomcat LDAP-type realms support "no password" authentication? > > > In other words, even though my valve code can assert a user > > into Tomcat, and even if that same user already exists in the > > Tomcat realm, the asserted user seems to be 'disassociated' > > from the same user in the Tomcat realm? > > Need to get some terminology correct here. A Realm does not normally contain users, roles, or any other authentication or authorization _data_; rather, it is a Java class that embodies rules for examining the credentials supplied by a login attempt and comparing them to credentials and roles stored in some external location. By default (and never meant to be used in production), the external location is the file tomcat-users.xml, and the Realm is UserDatabaseRealm (augmented by LockOutRealm to discourage probing). Several other Realm classes are supplied with Tomcat, to allow access to credentials from LDAP servers, relational databases, JAAS, etc. > > I think what you need is essentially a Realm that does no authentication of its own (trusting httpd to do that), but does perform the authorization function. It can then map the userid to whatever set of roles are appropriate for that user, and return the appropriate response when queried. See the doc for details: > > http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html > > It would seem likely that someone out there has written a Realm that performs the above functions in conjunction with httpd authentication. (Note: you keep using the word "Apache" - which is a software organization with many products - when you're referring to httpd, a specific Apache product, as is Tomcat.) > > - Chuck > Hi Chuck, Corrections understood, and I'll try to be more careful. As you point out, and as I mentioned earlier in the thread, it seems like I've come all the way around to the original subject "...Tomcat LDAP-type realms support "no password" authentication?". I've been and still am looking around for something like that, but haven't found it yet. I'm still puzzled by something though. Even if I did find (or implement) a realm that was a "no password realm", how do I tie the two pieces that I end up with, the valve and the no-password realm, together? In other words, I can pull the userID from the incoming header in the valve, but then I think that the valve code then needs to authenticate against the no-password realm. Is that correct? And, if so, how to do that? I've been looking for a way (API?) to programmatically "authenticate the user" against Tomcat, so that I could add that into my valve code, but haven't been find anything yet. Thanks, Jim --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org