Posted to users@tomcat.apache.org by Petr Hracek <ph...@gmail.com> on 2011/06/10 12:26:58 UTC

user tomcat authentication

Dear tomcat users,

I would like to ask you how I can authenticate users to access a Tomcat page?
My users are stored in the standard /etc/passwd file,
or users which are stored in another database engine than a Realm.

thank you in advance

-- 
Best Regards / S pozdravem
Petr Hracek

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: user tomcat authentication

Posted by Mark Thomas <ma...@apache.org>.
On 13/06/2011 09:44, Petr Hracek wrote:
> Only a simple question:
> What is the flag for which URLs are protected?

It is time for you to read the Servlet specification.

> I have found this link
> http://tomcat-configure.blogspot.com/2009/01/tomcat-web-xml.html
> and especially the section:
> 
>     How to secure your application with JAAS ?

And it looks like you need to read the Tomcat documentation as well.

Mark

> 
> Let's say that my htdocs directory is here:
>    /opt/testApp/htdocs/index.html
> and the servlet storage is here:
>   /opt/testApp/servlet/
> 
> The login page is here: /opt/globalPages/htdocs/index.html
> 
> How to configure https://<ipaddress>/testApp/ so that if the HTTP cookie
> is not defined then /opt/globalPages/htdocs/index.html will be shown,
> otherwise /opt/testApp/htdocs/index.html will be shown.
> 
> Thank you very much
> 
> 2011/6/13 Pid <pi...@pidster.com>:
>> On 13/06/2011 07:50, Petr Hracek wrote:
>>> First, authentication is done so that if a relevant HTTP cookie exists in
>>> the browser and validation of that cookie is done, then the page should be
>>> shown.
>>>     How to do that I do not know from the Tomcat point of view.
>>>
>>> Is there any possibility to check for a valid HTTP cookie and otherwise
>>> show a login page?
>>>
>>> If the HTTP cookie does not exist, then login has to be done by my own program.
>>>     How to do that I do not know as well.
>>>
>>> Are there any examples?
>>
>> From the little information you give, you're describing container
>> managed security.  FORM auth as defined by the Servlet Spec can do just
>> that.
>>
>> You configure a Realm, some elements in web.xml which define where the
>> login form & error pages are, and which URLs are protected.
>>
>>
>> p
>>
>>
>>
>>> 2011/6/13 Petr Hracek <ph...@gmail.com>:
>>>> First, authentication is done so that if a relevant HTTP cookie exists in
>>>> the browser and validation of that cookie is done, then the page should be
>>>> shown.
>>>>
>>>>
>>>> 2011/6/12 Mark Thomas <ma...@apache.org>:
>>>>> On 12/06/2011 20:29, Pid wrote:
>>>>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>>>>> And what about the case where I have my own program for accessing the
>>>>>>> specific databases where the passwords are stored as hashes?
>>>>>>>
>>>>>>> Are there any possibilities to run that program to get the unhashed
>>>>>>> password from the database?
>>>>>>
>>>>>> Why not hash the inbound password, then send & compare it against the
>>>>>> one in the DB, rather than decoding it?
>>>>>>
>>>>>> The Realm implementations can handle this, if you're using a standard
>>>>>> hashing method that Java recognises.
>>>>>>
>>>>>> Hopefully you've not invented your own hashing method.
>>>>>
>>>>> Hmm. Hash functions are meant to be one way. It should be impossible to
>>>>> retrieve an unhashed password from the database.
>>>>>
>>>>> I hope that the original description is inaccurate rather than an
>>>>> example of (yet another) badly broken home-grown security solution that
>>>>> needs to be thrown away.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards / S pozdravem
>>>> Petr Hracek
>>>>
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 






Re: user tomcat authentication

Posted by Petr Hracek <ph...@gmail.com>.
Only a simple question:
What is the flag for which URLs are protected?
I have found this link
http://tomcat-configure.blogspot.com/2009/01/tomcat-web-xml.html
and especially the section:

    How to secure your application with JAAS ?

Let's say that my htdocs directory is here:
   /opt/testApp/htdocs/index.html
and the servlet storage is here:
  /opt/testApp/servlet/

The login page is here: /opt/globalPages/htdocs/index.html

How to configure https://<ipaddress>/testApp/ so that if the HTTP cookie
is not defined then /opt/globalPages/htdocs/index.html will be shown,
otherwise /opt/testApp/htdocs/index.html will be shown.

Thank you very much

2011/6/13 Pid <pi...@pidster.com>:
> On 13/06/2011 07:50, Petr Hracek wrote:
>> First, authentication is done so that if a relevant HTTP cookie exists in
>> the browser and validation of that cookie is done, then the page should be
>> shown.
>>     How to do that I do not know from the Tomcat point of view.
>>
>> Is there any possibility to check for a valid HTTP cookie and otherwise
>> show a login page?
>>
>> If the HTTP cookie does not exist, then login has to be done by my own program.
>>     How to do that I do not know as well.
>>
>> Are there any examples?
>
> From the little information you give, you're describing container
> managed security.  FORM auth as defined by the Servlet Spec can do just
> that.
>
> You configure a Realm, some elements in web.xml which define where the
> login form & error pages are, and which URLs are protected.
>
>
> p
>
>
>
>> 2011/6/13 Petr Hracek <ph...@gmail.com>:
>>> First, authentication is done so that if a relevant HTTP cookie exists in
>>> the browser and validation of that cookie is done, then the page should be
>>> shown.
>>>
>>>
>>> 2011/6/12 Mark Thomas <ma...@apache.org>:
>>>> On 12/06/2011 20:29, Pid wrote:
>>>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>>>> And what about the case where I have my own program for accessing the
>>>>>> specific databases where the passwords are stored as hashes?
>>>>>>
>>>>>> Are there any possibilities to run that program to get the unhashed
>>>>>> password from the database?
>>>>>
>>>>> Why not hash the inbound password, then send & compare it against the
>>>>> one in the DB, rather than decoding it?
>>>>>
>>>>> The Realm implementations can handle this, if you're using a standard
>>>>> hashing method that Java recognises.
>>>>>
>>>>> Hopefully you've not invented your own hashing method.
>>>>
>>>> Hmm. Hash functions are meant to be one way. It should be impossible to
>>>> retrieve an unhashed password from the database.
>>>>
>>>> I hope that the original description is inaccurate rather than an
>>>> example of (yet another) badly broken home-grown security solution that
>>>> needs to be thrown away.
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Best Regards / S pozdravem
>>> Petr Hracek
>>>
>>
>>
>>
>
>
>



-- 
Best Regards / S pozdravem
Petr Hracek



Re: user tomcat authentication

Posted by Pid <pi...@pidster.com>.
On 13/06/2011 07:50, Petr Hracek wrote:
> First, authentication is done so that if a relevant HTTP cookie exists in
> the browser and validation of that cookie is done, then the page should be
> shown.
>     How to do that I do not know from the Tomcat point of view.
> 
> Is there any possibility to check for a valid HTTP cookie and otherwise
> show a login page?
> 
> If the HTTP cookie does not exist, then login has to be done by my own program.
>     How to do that I do not know as well.
> 
> Are there any examples?

From the little information you give, you're describing container
managed security.  FORM auth as defined by the Servlet Spec can do just
that.

You configure a Realm, some elements in web.xml which define where the
login form & error pages are, and which URLs are protected.


p



> 2011/6/13 Petr Hracek <ph...@gmail.com>:
>> First, authentication is done so that if a relevant HTTP cookie exists in
>> the browser and validation of that cookie is done, then the page should be
>> shown.
>>
>>
>> 2011/6/12 Mark Thomas <ma...@apache.org>:
>>> On 12/06/2011 20:29, Pid wrote:
>>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>>> And what about the case where I have my own program for accessing the
>>>>> specific databases where the passwords are stored as hashes?
>>>>>
>>>>> Are there any possibilities to run that program to get the unhashed
>>>>> password from the database?
>>>>
>>>> Why not hash the inbound password, then send & compare it against the
>>>> one in the DB, rather than decoding it?
>>>>
>>>> The Realm implementations can handle this, if you're using a standard
>>>> hashing method that Java recognises.
>>>>
>>>> Hopefully you've not invented your own hashing method.
>>>
>>> Hmm. Hash functions are meant to be one way. It should be impossible to
>>> retrieve an unhashed password from the database.
>>>
>>> I hope that the original description is inaccurate rather than an
>>> example of (yet another) badly broken home-grown security solution that
>>> needs to be thrown away.
>>>
>>> Mark
>>>
>>>
>>>
>>
>>
>>
>> --
>> Best Regards / S pozdravem
>> Petr Hracek
>>
> 
> 
> 



Re: user tomcat authentication

Posted by Petr Hracek <ph...@gmail.com>.
First, authentication is done so that if a relevant HTTP cookie exists in
the browser and validation of that cookie is done, then the page should be
shown.
    How to do that I do not know from the Tomcat point of view.

Is there any possibility to check for a valid HTTP cookie and otherwise
show a login page?

If the HTTP cookie does not exist, then login has to be done by my own program.
    How to do that I do not know as well.

Are there any examples?

2011/6/13 Petr Hracek <ph...@gmail.com>:
> First, authentication is done so that if a relevant HTTP cookie exists in
> the browser and validation of that cookie is done, then the page should be
> shown.
>
>
> 2011/6/12 Mark Thomas <ma...@apache.org>:
>> On 12/06/2011 20:29, Pid wrote:
>>> On 12/06/2011 17:12, Petr Hracek wrote:
>>>> And what about the case where I have my own program for accessing the
>>>> specific databases where the passwords are stored as hashes?
>>>>
>>>> Are there any possibilities to run that program to get the unhashed
>>>> password from the database?
>>>
>>> Why not hash the inbound password, then send & compare it against the
>>> one in the DB, rather than decoding it?
>>>
>>> The Realm implementations can handle this, if you're using a standard
>>> hashing method that Java recognises.
>>>
>>> Hopefully you've not invented your own hashing method.
>>
>> Hmm. Hash functions are meant to be one way. It should be impossible to
>> retrieve an unhashed password from the database.
>>
>> I hope that the original description is inaccurate rather than an
>> example of (yet another) badly broken home-grown security solution that
>> needs to be thrown away.
>>
>> Mark
>>
>>
>>
>
>
>
> --
> Best Regards / S pozdravem
> Petr Hracek
>



-- 
Best Regards / S pozdravem
Petr Hracek



Re: user tomcat authentication

Posted by Petr Hracek <ph...@gmail.com>.
First, authentication is done so that if a relevant HTTP cookie exists in
the browser and validation of that cookie is done, then the page should be
shown.


2011/6/12 Mark Thomas <ma...@apache.org>:
> On 12/06/2011 20:29, Pid wrote:
>> On 12/06/2011 17:12, Petr Hracek wrote:
>>> And what about the case where I have my own program for accessing the
>>> specific databases where the passwords are stored as hashes?
>>>
>>> Are there any possibilities to run that program to get the unhashed
>>> password from the database?
>>
>> Why not hash the inbound password, then send & compare it against the
>> one in the DB, rather than decoding it?
>>
>> The Realm implementations can handle this, if you're using a standard
>> hashing method that Java recognises.
>>
>> Hopefully you've not invented your own hashing method.
>
> Hmm. Hash functions are meant to be one way. It should be impossible to
> retrieve an unhashed password from the database.
>
> I hope that the original description is inaccurate rather than an
> example of (yet another) badly broken home-grown security solution that
> needs to be thrown away.
>
> Mark
>
>
>



-- 
Best Regards / S pozdravem
Petr Hracek



Re: user tomcat authentication

Posted by Mark Thomas <ma...@apache.org>.
On 12/06/2011 20:29, Pid wrote:
> On 12/06/2011 17:12, Petr Hracek wrote:
>> And what about the case where I have my own program for accessing the
>> specific databases where the passwords are stored as hashes?
>>
>> Are there any possibilities to run that program to get the unhashed
>> password from the database?
> 
> Why not hash the inbound password, then send & compare it against the
> one in the DB, rather than decoding it?
> 
> The Realm implementations can handle this, if you're using a standard
> hashing method that Java recognises.
> 
> Hopefully you've not invented your own hashing method.

Hmm. Hash functions are meant to be one way. It should be impossible to
retrieve an unhashed password from the database.

I hope that the original description is inaccurate rather than an
example of (yet another) badly broken home-grown security solution that
needs to be thrown away.

Mark



Re: user tomcat authentication

Posted by Pid <pi...@pidster.com>.
On 12/06/2011 17:12, Petr Hracek wrote:
> And what about the case where I have my own program for accessing the
> specific databases where the passwords are stored as hashes?
> 
> Are there any possibilities to run that program to get the unhashed
> password from the database?

Why not hash the inbound password, then send & compare it against the
one in the DB, rather than decoding it?

The Realm implementations can handle this, if you're using a standard
hashing method that Java recognises.

Hopefully you've not invented your own hashing method.


p


> best regards
> Petr
> On 10.6.2011 16:23, Pid wrote:
>> On 10/06/2011 11:26, Petr Hracek wrote:
>>> Dear tomcat users,
>>>
>>> I would like to ask you how I can authenticate users to access a Tomcat
>>> page?
>>> My users are stored in the standard /etc/passwd file,
>> I'm not sure I'd give Tomcat access to the local user authentication.
>>
>>
>>> or users which are stored in another database engine than a Realm.
>> You can configure a DataSource & a DataSourceRealm to point at any
>> database.
>>
>>
>> p
>>
>>> thank you in advance
>>>
>>
> 
> 
> 



Re: user tomcat authentication

Posted by Petr Hracek <ph...@gmail.com>.
And what about the case where I have my own program for accessing the
specific databases where the passwords are stored as hashes?

Are there any possibilities to run that program to get the unhashed
password from the database?

best regards
Petr
On 10.6.2011 16:23, Pid wrote:
> On 10/06/2011 11:26, Petr Hracek wrote:
>> Dear tomcat users,
>>
>> I would like to ask you how I can authenticate users to access a Tomcat page?
>> My users are stored in the standard /etc/passwd file,
> I'm not sure I'd give Tomcat access to the local user authentication.
>
>
>> or users which are stored in another database engine than a Realm.
> You can configure a DataSource & a DataSourceRealm to point at any database.
>
>
> p
>
>> thank you in advance
>>
>




Re: user tomcat authentication

Posted by Pid <pi...@pidster.com>.
On 10/06/2011 11:26, Petr Hracek wrote:
> Dear tomcat users,
> 
> I would like to ask you how I can authenticate users to access a Tomcat page?
> My users are stored in the standard /etc/passwd file,

I'm not sure I'd give Tomcat access to the local user authentication.


> or users which are stored in another database engine than a Realm.

You can configure a DataSource & a DataSourceRealm to point at any database.


p

> thank you in advance
>
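
What Pid's two answers in this thread (a DataSource plus a DataSourceRealm, and hashing the inbound password instead of "unhashing" the stored one) look like as configuration. This is an added example, not configuration from the thread or shipped with Tomcat; the resource name jdbc/authority, the PostgreSQL URL, the database account tomcat_auth and the table and column names are assumptions. It uses the Tomcat 7 syntax that was current when the thread was written; the comment at the end shows the nested CredentialHandler form used from Tomcat 8 on.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the testApp web application (Tomcat 7 syntax).
     Added example; resource, database, account, table and column names are
     assumptions, not values from the thread. -->
<Context>

  <!-- Connection pool for the authentication database. The account should be
       able to SELECT from the two tables below and nothing else; the password
       is a placeholder, and this file belongs outside version control. -->
  <Resource name="jdbc/authority"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/auth"
            username="tomcat_auth"
            password="CHANGE-ME"/>

  <!-- Assumed schema the realm queries:
         users(user_name, user_pass)        user_pass holds the digest, not the password
         user_roles(user_name, role_name)   one row per role, e.g. ('petr', 'user')
       localDataSource="true" makes the realm use the Resource above instead of
       a global one declared in server.xml. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         localDataSource="true"
         dataSourceName="jdbc/authority"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"
         digest="SHA-256"/>

  <!-- digest="SHA-256": on each login Tomcat hashes the password submitted to
       the form and compares the hex digest with user_pass. Stored values are
       produced once with  bin/digest.sh -a SHA-256 <password>  and are never
       reversed; nothing in the realm needs to.
       From Tomcat 8 on the preferred form is a nested handler, which also adds
       a per-user salt and an iteration count:
         <Realm className="org.apache.catalina.realm.DataSourceRealm" ...>
           <CredentialHandler
               className="org.apache.catalina.realm.MessageDigestCredentialHandler"
               algorithm="SHA-256" saltLength="16" iterations="10000"/>
         </Realm>
       with stored values from  bin/digest.sh -a SHA-256 -s 16 -i 10000 <password>. -->

</Context>
```

Mark's point is visible in how the realm works: it never reads a password out of the database, it digests what the login form submitted and compares the result with the user_pass column, so a one-way function is all that is needed. A plain SHA-256 is still a fast, unsalted hash that an attacker holding a copy of the table can brute-force offline; on Tomcat 8 or later prefer the salted, iterated CredentialHandler shown in the comment. Placing the Realm in the application's context.xml scopes it to that one web application; a Realm under Engine or Host in server.xml applies to every application on the server.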