Posted to users@tomcat.apache.org by AHartner <th...@gmail.com> on 2015/06/08 21:45:22 UTC

Configure application with optional security restrictions

I would like to be able to configure a web application with optional
security restraints. Basically I want the application to be secured
only if an external setting such as a realm is present or an application
context parameter is set.

In secure mode I want to use form based authentication as defined in the 
web.xml in the usual way.

In unsecured mode I want to allow all access to the application.

I know how to update server.xml and web.xml to achieve both
independently, but I am looking for a toggle to allow me to control the
operations mode outside of the application.

Would it work to create a realm which always allows access and then
configure either a proper authenticating or a less-proper allow-all
realm in the server.xml file? Would this still prompt users for access?

Any other suggestions on this?

Kind regards


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Configure application with optional security restrictions

Posted by Christopher Schultz <ch...@christopherschultz.net>.
AHartner,

On 6/8/15 3:45 PM, AHartner wrote:
> I would like to be able to configure a web application with
> optional security restraints. Basically I want the application
> to be secured only if an external setting such as a realm is
> present or an application context parameter is set.
> 
> In secure mode I want to use form based authentication as defined
> in the web.xml in the usual way.
> 
> In unsecured mode I want to allow all access to the application.

What User Principal should be used when the application is in
"unsecured mode"? What should the roles be for that principal?

> I know how to update server.xml and web.xml to achieve both
> independently, but I am looking for a toggle to allow me to control
> the operations mode outside of the application.
>
> Would it work to create a realm which always allows access and
> then configure either a proper authenticating or a less-proper
> allow-all realm in the server.xml file? Would this still prompt
> users for access?

Yes, FORM authentication will always ask for credentials if there is
no user principal available.

If you know which user you'd like to use for auto-login, why not
create a Valve that checks for your context parameter and auto-logs-in
the user if you are in "unsecured mode"? You should be able to use the
HttpServletRequest.login() method to perform the auto-login.

-chris
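
A sketch of the Valve approach suggested in the reply above, added here as an illustration; it is not code from the thread or from the Tomcat project. The class name, the package and the context parameter names (securityMode, autoLoginUser, autoLoginPassword) are assumptions, the Valve is assumed to be declared inside the application's <Context>, and the configured realm is assumed to contain the auto-login user. A missing or unrecognised setting leaves the normal FORM login in force.

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public class AutoLoginValve extends ValveBase {
    private static final Log log = LogFactory.getLog(AutoLoginValve.class);

    // Hypothetical context parameter names (assumptions, not Tomcat settings).
    private static final String MODE_PARAM = "securityMode";
    private static final String USER_PARAM = "autoLoginUser";
    private static final String PASS_PARAM = "autoLoginPassword";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        ServletContext ctx = request.getServletContext();
        // Only the exact value "unsecured" enables auto-login; anything else,
        // including an absent parameter, keeps the web.xml FORM login active.
        boolean unsecured = ctx != null
                && "unsecured".equals(ctx.getInitParameter(MODE_PARAM));

        // login() throws if the request is already authenticated, so check first.
        if (unsecured && request.getUserPrincipal() == null) {
            String user = ctx.getInitParameter(USER_PARAM);
            String pass = ctx.getInitParameter(PASS_PARAM);
            if (user == null || pass == null) {
                log.warn("Unsecured mode requested without auto-login user; ignoring");
            } else {
                try {
                    // Authenticates against the configured realm, so the
                    // principal and its roles are the realm's own.
                    request.login(user, pass);
                    log.warn("Unsecured mode: auto-login as '" + user + "' for "
                            + request.getRequestURI());
                } catch (ServletException e) {
                    // Realm rejected the credentials: fall through so the
                    // authenticator prompts for a login as usual.
                    log.error("Auto-login failed; FORM login still applies", e);
                }
            }
        }
        getNext().invoke(request, response);
    }
}
```

Every auto-login is logged at warning level so that an instance left in unsecured mode is visible in the logs.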