You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Aggarwal, Ajay" <Aj...@stratus.com> on 2010/10/19 15:45:15 UTC
Source Address based Realms
I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this?
Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?
-Ajay
RE: Source Address based Realms
Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Servlet filter was the first thing that came to my mind, but I was
hoping to leverage tomcat's built-in Realm support, if I could.
Thanks for your suggestions.
-Ajay
-----Original Message-----
From: Srinivasa Rao.Kandula [mailto:srinivas_j2ee@yahoo.com]
Sent: Wednesday, October 20, 2010 4:46 PM
To: Tomcat Users List
Subject: Re: Source Address based Realms
I'm providing my comments assuming that you are a Java developer.
1. Do you see any issues using a Servlet filter for doing this?
2. You could use realms if you can access ServletRequest object
which will give
you the IP address of the client. But I don't think you can access
ServletRequest object in relam class in tomcat. I know you can do it
with JBoss
3. You may be able to write custom callback handlers and
callback and get
client IP to realm(a wild guess)
Regards,
Srinivas.
________________________________
From: "Aggarwal, Ajay" <Aj...@stratus.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Wed, October 20, 2010 12:53:42 PM
Subject: RE: Source Address based Realms
bump... looking for ideas... anybody?
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 10:29 AM
To: Tomcat Users List
Subject: RE: Source Address based Realms
Sorry. I meant...
"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms
I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this?
Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?
-Ajay
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Source Address based Realms
Posted by "Srinivasa Rao.Kandula" <sr...@yahoo.com>.
I'm providing my comments assuming that you are a Java developer.
1. Do you see any issues using a Servlet filter for doing this?
2. You could use realms if you can access ServletRequest object which will give
you the IP address of the client. But I don't think you can access
ServletRequest object in relam class in tomcat. I know you can do it with JBoss
3. You may be able to write custom callback handlers and callback and get
client IP to realm(a wild guess)
Regards,
Srinivas.
________________________________
From: "Aggarwal, Ajay" <Aj...@stratus.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Wed, October 20, 2010 12:53:42 PM
Subject: RE: Source Address based Realms
bump... looking for ideas... anybody?
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 10:29 AM
To: Tomcat Users List
Subject: RE: Source Address based Realms
Sorry. I meant...
"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms
I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this?
Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?
-Ajay
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Source Address based Realms
Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Thanks for the pointers!
-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Thursday, October 21, 2010 3:55 AM
To: Tomcat Users List
Subject: Re: Source Address based Realms
Aggarwal, Ajay wrote:
> bump... looking for ideas... anybody?
If the question finally is "..without using *container-based*
authentication/authorisation", then have a look at
http://securityfilter.sourceforge.net/
There is good explanation of the difference between the "container-based" and
"filter-based" approach to AAA, and maybe it already offers what you want.
Another good place to look would be
http://www.tuckey.org/urlrewrite/
which is not properly-speaking an authentication filter, but which may help in your purpose.
Both of these are open-source, so it should not be very hard to add the functionality you
want, if it is not there already.
>
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
> Sent: Tuesday, October 19, 2010 10:29 AM
> To: Tomcat Users List
> Subject: RE: Source Address based Realms
>
> Sorry. I meant...
>
> "Is there another way to achieve this, i.e. without using Realms or
> mixing valve/filters with Realms?"
>
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
> Sent: Tuesday, October 19, 2010 9:45 AM
> To: users@tomcat.apache.org
> Subject: Source Address based Realms
>
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this?
>
>
>
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
>
>
>
> -Ajay
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Source Address based Realms
Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> bump... looking for ideas... anybody?
If the question finally is "..without using *container-based*
authentication/authorisation", then have a look at
http://securityfilter.sourceforge.net/
There is good explanation of the difference between the "container-based" and
"filter-based" approach to AAA, and maybe it already offers what you want.
Another good place to look would be
http://www.tuckey.org/urlrewrite/
which is not properly-speaking an authentication filter, but which may help in your purpose.
Both of these are open-source, so it should not be very hard to add the functionality you
want, if it is not there already.
>
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
> Sent: Tuesday, October 19, 2010 10:29 AM
> To: Tomcat Users List
> Subject: RE: Source Address based Realms
>
> Sorry. I meant...
>
> "Is there another way to achieve this, i.e. without using Realms or
> mixing valve/filters with Realms?"
>
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
> Sent: Tuesday, October 19, 2010 9:45 AM
> To: users@tomcat.apache.org
> Subject: Source Address based Realms
>
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this?
>
>
>
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
>
>
>
> -Ajay
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Source Address based Realms
Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
bump... looking for ideas... anybody?
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 10:29 AM
To: Tomcat Users List
Subject: RE: Source Address based Realms
Sorry. I meant...
"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms
I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this?
Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?
-Ajay
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Source Address based Realms
Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Sorry. I meant...
"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"
-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com]
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms
I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this?
Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?
-Ajay
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Source Address based Realms
Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
> you are already fronting Tomcat with another webserver ?
No, Tomcat is the only web server and I am not looking to front it with another webserver.
-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com]
Sent: Tuesday, October 19, 2010 11:01 AM
To: Tomcat Users List
Subject: Re: Source Address based Realms
Aggarwal, Ajay wrote:
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this?
>
>
>
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
>
>
Maybe phrasing the problem in a different way would throw another light on the issue :
You want to automatically authenticate requests coming from a given IP (or IP range), for
example by authenticating them as user "local", and not do this for other requests, which
then would have to go through a normal authentication.
Since I am more familiar with Apache httpd than with Tomcat, I will ask if by any chance
you are already fronting Tomcat with another webserver ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Source Address based Realms
Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this?
>
>
>
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
>
>
Maybe phrasing the problem in a different way would throw another light on the issue :
You want to automatically authenticate requests coming from a given IP (or IP range), for
example by authenticating them as user "local", and not do this for other requests, which
then would have to go through a normal authentication.
Since I am more familiar with Apache httpd than with Tomcat, I will ask if by any chance
you are already fronting Tomcat with another webserver ?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org