Posted to users@tomcat.apache.org by David Delbecq <de...@oma.be> on 2006/02/21 10:12:25 UTC

Use the tomcat authentication mechanisms in a webapp

Hello,

I probably will have the following webapp structure to configure
- webapp X manages authentication all by itself (using forms and so on)
but provides a way to configure your own credential using a quite basic
checkPassword(user,pass) interface.
- Tomcat is able to authenticate all my users for now (connecting to a
ldap-like JNDI structure)

Is there a way from the webapp to call tomcat api and have it check a
user/password according to configured realm?

Thanks.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Use the tomcat authentication mechanisms in a webapp

Posted by David Delbecq <de...@oma.be>.
That's the job of the webapp :)

All I see from my point of view is a user / pass checking method to
implement (for information, the webapp uses the osuser authentication
mechanism). So I have to provide an implementation of
com.opensymphony.user.provider.CredentialsProvider which negotiates it
with tomcat. (Please note I only want to check the password, I let the
webapp manage the role system all by itself)



Poornachandran wrote:

> Okay, I see your point.
>
> But, if a user requests a secure page without logging in, how will you
> find out? Are you using a Servlet Filter or something?
>
> Poorna
>
> David Delbecq wrote:
>
>> Hello Poornachandran,
>>
>> as I said, webapp X manages authentication all by itself (basically
>> using its own providers, so there is no security constraint and so on
>> in the web.xml, webapp does not use container managed security, and I
>> have no control over this, closed source webapp), but it provides an
>> extension mechanism (implement a given interface). I'd like to implement
>> a simple class that just does something like
>> tomcatContainer.checkCredentials(user,userprovidedpass), which will
>> check those credentials against configured realm. Or, if I have no other
>> choice, will instantiate the realm, configure it and use it. (I just
>> hope I don't need to do that, this sounds awful).
>>
>> So, obviously, in webapp, a request.getUserPrincipal() will always
>> return null.
>>
>> Poornachandran wrote:
>>
>>  
>>
>>> Hi David,
>>>
>>> I am just wondering after your app authenticates, are you able to get
>>> not-null from request.getUserPrincipal(). I understand this is how the
>>> container understands that user is logged on or not.
>>>
>>> Poorna
>>>
>>> David Delbecq wrote:
>>>
>>>   
>>>
>>>> Hello,
>>>>
>>>> I probably will have the following webapp structure to configure
>>>> - webapp X manages authentication all by itself (using forms and
>>>> so on)
>>>> but provides a way to configure your own credential using a quite basic
>>>> checkPassword(user,pass) interface.
>>>> - Tomcat is able to authenticate all my users for now (connecting to a
>>>> ldap-like JNDI structure)
>>>>
>>>> Is there a way from the webapp to call tomcat api and have it check a
>>>> user/password according to configured realm?
>>>>
>>>> Thanks.
>
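
An added example, not part of the thread and not Tomcat or OSUser code: one way to back a checkPassword(user, pass) method with a simple bind against an LDAP directory through plain JNDI, without going through Tomcat's realm. The class name, the directory URL and the DN pattern are assumptions; the main method only exercises the paths that need no directory server.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

// Hypothetical helper (not Tomcat or OSUser code): verifies a password by
// binding to the directory as the user, using only javax.naming.
public class DirectoryPasswordCheck {
    private final String url;        // assumed value, e.g. ldaps://ldap.example.org:636
    private final String dnPattern;  // assumed value, e.g. uid=%s,ou=people,dc=example,dc=org
    public DirectoryPasswordCheck(String url, String dnPattern) {
        this.url = url;
        this.dnPattern = dnPattern;
    }
    // Escape DN metacharacters so a user name cannot alter the bind DN.
    String bindDn(String user) {
        return String.format(dnPattern, Rdn.escapeValue(user));
    }

    public boolean checkPassword(String user, String pass) throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind that
        // many servers accept, so reject it before contacting the server.
        if (user == null || user.isEmpty() || pass == null || pass.isEmpty()) {
            return false;
        }
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn(user));
        env.put(Context.SECURITY_CREDENTIALS, pass);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return true;                 // the server accepted the bind
        } catch (AuthenticationException e) {
            return false;                // wrong password or unknown user
        }                                // other NamingExceptions (server down) propagate
    }

    public static void main(String[] args) throws NamingException {
        DirectoryPasswordCheck c = new DirectoryPasswordCheck(
            "ldaps://ldap.example.org:636", "uid=%s,ou=people,dc=example,dc=org");
        System.out.println(c.bindDn("a,ou=admins"));      // comma is escaped in the DN
        System.out.println(c.checkPassword("alice", "")); // empty password: no network call
    }
}
```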




Re: Use the tomcat authentication mechanisms in a webapp

Posted by Poornachandran <ch...@gmail.com>.
Okay, I see your point.

But, if a user requests a secure page without logging in, how will you 
find out? Are you using a Servlet Filter or something?

Poorna

David Delbecq wrote:

>Hello Poornachandran,
>
>as I said, webapp X manages authentication all by itself (basically
>using its own providers, so there is no security constraint and so on
>in the web.xml, webapp does not use container managed security, and I
>have no control over this, closed source webapp), but it provides an
>extension mechanism (implement a given interface). I'd like to implement
>a simple class that just does something like
>tomcatContainer.checkCredentials(user,userprovidedpass), which will
>check those credentials against configured realm. Or, if I have no other
>choice, will instantiate the realm, configure it and use it. (I just
>hope I don't need to do that, this sounds awful).
>
>So, obviously, in webapp, a request.getUserPrincipal() will always
>return null.
>
>Poornachandran wrote:
>
>  
>
>>Hi David,
>>
>>I am just wondering after your app authenticates, are you able to get
>>not-null from request.getUserPrincipal(). I understand this is how the
>>container understands that user is logged on or not.
>>
>>Poorna
>>
>>David Delbecq wrote:
>>
>>    
>>
>>>Hello,
>>>
>>>I probably will have the following webapp structure to configure
>>>- webapp X manages authentication all by itself (using forms and so on)
>>>but provides a way to configure your own credential using a quite basic
>>>checkPassword(user,pass) interface.
>>>- Tomcat is able to authenticate all my users for now (connecting to a
>>>ldap-like JNDI structure)
>>>
>>>Is there a way from the webapp to call tomcat api and have it check a
>>>user/password according to configured realm?
>>>
>>>Thanks.


Re: Use the tomcat authentication mechanisms in a webapp

Posted by David Delbecq <de...@oma.be>.
Hello Poornachandran,

as I said, webapp X manages authentication all by itself (basically
using its own providers, so there is no security constraint and so on
in the web.xml, webapp does not use container managed security, and I
have no control over this, closed source webapp), but it provides an
extension mechanism (implement a given interface). I'd like to implement
a simple class that just does something like
tomcatContainer.checkCredentials(user,userprovidedpass), which will
check those credentials against configured realm. Or, if I have no other
choice, will instantiate the realm, configure it and use it. (I just
hope I don't need to do that, this sounds awful).

So, obviously, in webapp, a request.getUserPrincipal() will always
return null.

Poornachandran wrote:

> Hi David,
>
> I am just wondering after your app authenticates, are you able to get
> not-null from request.getUserPrincipal(). I understand this is how the
> container understands that user is logged on or not.
>
> Poorna
>
> David Delbecq wrote:
>
>> Hello,
>>
>> I probably will have the following webapp structure to configure
>> - webapp X manages authentication all by itself (using forms and so on)
>> but provides a way to configure your own credential using a quite basic
>> checkPassword(user,pass) interface.
>> - Tomcat is able to authenticate all my users for now (connecting to a
>> ldap-like JNDI structure)
>>
>> Is there a way from the webapp to call tomcat api and have it check a
>> user/password according to configured realm?
>>
>> Thanks.


Re: Use the tomcat authentication mechanisms in a webapp

Posted by Poornachandran <ch...@gmail.com>.
Hi David,

I am just wondering after your app authenticates, are you able to get 
not-null from request.getUserPrincipal(). I understand this is how the 
container understands that user is logged on or not.

Poorna

David Delbecq wrote:

>Hello,
>
>I probably will have the following webapp structure to configure
>- webapp X manages authentication all by itself (using forms and so on)
>but provides a way to configure your own credential using a quite basic
>checkPassword(user,pass) interface.
>- Tomcat is able to authenticate all my users for now (connecting to a
>ldap-like JNDI structure)
>
>Is there a way from the webapp to call tomcat api and have it check a
>user/password according to configured realm?
>
>Thanks.