tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy Wang <aw...@ptc.com>
Subject Re: Tomcat, REMOTE_USER, getRemoteUser()
Date Tue, 28 Jul 2015 20:10:17 GMT


On 07/28/2015 03:02 PM, Andy Wang wrote:
>>> I'd also like a better way and after discussing with some
>>> security-geeks, we were wondering if there's some way we can
>>> implement a Valve that takes a username and a signature using a
>>> shared secret. The problem is signing in Apache: I've not looked
>>> too hard for a module to do this but maybe one exists? If one does
>>> exist, then the mod_jk module could use the same strategy to ensure
>>> Tomcat only trusts a username + valid signature.
>
> Take a look at the RemoteIpValve.  One could make something similar, say
> a RemoteAuthenticationValve, would be my guess.  Given that you're using
> a shared secret already, I'm not sure what signing will buy you.  If
> some malicious entity gets the shared secret, the signature/encryption
> is going to do nothing for you.  If you're concerned about the message
> secured by the shared secret being in plain text across a remote
> http<->tomcat configuration, I imagine stunnel would help solve the problem
>

clarification - given that you're already "talking" a shared secret (not 
using - since you're discussing a hypothetical mechanism - i.e. 
non-existent).


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message