From: Martin Gainty <mgainty@hotmail.com>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Help: auth-constraint with Tomcat 6
Date: Wed, 24 Jun 2009 13:12:35 -0400
In-Reply-To: <529a33110906240812j3021993dn4fc901d0f656879@mail.gmail.com>
References: <529a33110906232038n101d58f3v2babf4ab6d76e905@mail.gmail.com> <4A4207CD.10709@apache.org> <529a33110906240812j3021993dn4fc901d0f656879@mail.gmail.com>
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm

Tomcat Realms would 'silo' access based on authentication to role.
Realms would also provide the capability to work with whitelist/blacklist scenarios.
However, if you want access to a governed Resource based on your authenticated SSO Portlet-level Security check,
you will need a JSR286 Portal, in which case I would suggest Jetspeed
http://portals.apache.org/jetspeed-2

HTH
Martin Gainty
______________________________________________
Disclaimer and confidentiality note

This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask that you notify the sender. Any unauthorised forwarding or copying of it is prohibited. This message serves only to exchange information and has no legally binding effect. Because e-mail can easily be manipulated, we accept no liability for its content.

> Date: Wed, 24 Jun 2009 23:12:35 +0800
> Subject: Re: Help: auth-constraint with Tomcat 6
> From: ehchong@gmail.com
> To: users@tomcat.apache.org
>
> Hi Tim,
>
> Basically the first realm contains a list of users we want to deny access. The
> password would be dynamic, making it difficult to get through. Well, maybe I
> should really consider working with specific roles. That is, grant users
> roles that would allow them access. Then I would probably just need a
> single realm for authentication.
>
> However, this would mean almost all users require such a role granted except
> for some whom we would like to deny access. Then every new user would also probably
> need to be granted the role. A little extra work there, besides working with IT to
> get the new role set up. A blacklist would work better than a whitelist in
> this case.
>
>
> Thanks,
> Clement
>
> On Wed, Jun 24, 2009 at 7:02 PM, Tim Funk wrote:
>
> > Do you really want to allow different passwords for the same user id?
> > Sounds dangerous.
> >
> > For different access control restrictions you need to set up various
> > roles, which are names chosen by you. Which can be something like
> > - reader, writer
> > - admin, superuser, user
> > - it, sales, marketing, hr
> >
> > Then your role name * would be gone and you would need a
> > for each resource category you need to protect.
> > (Google for more details on for more help on that)
> >
> > -Tim
> >
> >
> > Clement Chong wrote:
> >
> >> Hi tomcat users,
> >>
> >> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
> >> with nested JDBCRealm and JNDIRealm. The security constraint has also been
> >> set up in my application WEB-INF/web.xml file:
> >>
> >>
> >> *
> >>
> >>
> >> The user is now authenticated via JDBCRealm followed by JNDIRealm and would be
> >> able to access protected pages with any role.
> >>
> >> The question I have is how can I deny a group of users with a particular
> >> role access to all protected pages even if they can provide the correct combination
> >> of username/password?
> >>
> >> Would it also be possible to change the behavior of the
> >> CombinedRealm/LockoutRealm such that if the username is found in a prior realm
> >> and the password is incorrect, then it skips the other realms? It would only look into
> >> the other realms if the username is not found in the prior realms.
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> >
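The blacklist Clement prefers can be layered on top of the existing `*` constraint without touching the realms, as an added example that is not part of the thread: a servlet Filter that rejects any authenticated user who carries a "denied" role, whatever other roles they also hold. The role name `denied`, the package, class and filter names, and the `/protected/*` mapping are all assumptions; the only requirement is that the realm which authenticates the user (JDBCRealm's role table or JNDIRealm's group search) returns that role for the users being locked out.

```java
// Added example, not from the original thread. Assumes the realm maps
// blacklisted users to a role named "denied" (name chosen here) and that
// web.xml keeps <auth-constraint><role-name>*</role-name></auth-constraint>
// so container authentication runs before this filter.
package example.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Returns 403 for every request made by an authenticated user who holds
 * the denied role, regardless of any other role they also hold.
 *
 * Assumed web.xml registration (same paths as the security-constraint):
 *
 *   <filter>
 *     <filter-name>DenyRoleFilter</filter-name>
 *     <filter-class>example.security.DenyRoleFilter</filter-class>
 *     <init-param>
 *       <param-name>deniedRole</param-name>
 *       <param-value>denied</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>DenyRoleFilter</filter-name>
 *     <url-pattern>/protected/*</url-pattern>
 *   </filter-mapping>
 */
public class DenyRoleFilter implements Filter {

    private String deniedRole = "denied";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("deniedRole");
        if (configured != null && configured.trim().length() > 0) {
            deniedRole = configured.trim();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container authentication (the auth-constraint) has already run for
        // a protected URL, so getUserPrincipal() is non-null here. On an
        // unprotected URL it may be null; the container's own rules apply.
        if (request.getUserPrincipal() != null && request.isUserInRole(deniedRole)) {
            // Fail closed with 403 rather than redirecting to the login page,
            // so the denied user cannot simply authenticate again through
            // the other nested realm.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

`isUserInRole` asks the realm whether the authenticated Principal carries the role, so the denied role only takes effect if it is populated in whichever realm accepted the credentials. That is the same caveat Tim raises about two realms accepting the same user id: if a locked-out user also has a valid entry in the second realm without the denied role, the CombinedRealm will authenticate them there and this filter will let them through.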