You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Aggarwal, Ajay" <Aj...@stratus.com> on 2010/10/19 15:45:15 UTC

Source Address based Realms

I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this? 

 

Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?

 

-Ajay

RE: Source Address based Realms

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Servlet filter was the first thing that came to my mind, but I was
hoping to leverage tomcat's built-in Realm support, if I could.

Thanks for your suggestions.

-Ajay

-----Original Message-----
From: Srinivasa Rao.Kandula [mailto:srinivas_j2ee@yahoo.com] 
Sent: Wednesday, October 20, 2010 4:46 PM
To: Tomcat Users List
Subject: Re: Source Address based Realms

I'm providing my comments assuming that you are a Java developer.

	1. Do you see any issues using a Servlet filter for doing this?
	2. You could use realms if you can access ServletRequest object
which will give 
you the IP address of the client. But I don't think you can access 
ServletRequest object in relam class in tomcat. I know you can do it
with JBoss
	3. You may be able to write custom callback handlers and
callback and get 
client IP to realm(a wild guess)

 Regards,
Srinivas.




________________________________
From: "Aggarwal, Ajay" <Aj...@stratus.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Wed, October 20, 2010 12:53:42 PM
Subject: RE: Source Address based Realms

bump... looking for ideas... anybody?

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 10:29 AM
To: Tomcat Users List
Subject: RE: Source Address based Realms

Sorry. I meant...

"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms

I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this? 



Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?



-Ajay


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


      

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Source Address based Realms

Posted by "Srinivasa Rao.Kandula" <sr...@yahoo.com>.
I'm providing my comments assuming that you are a Java developer.

	1. Do you see any issues using a Servlet filter for doing this?
	2. You could use realms if you can access ServletRequest object which will give 
you the IP address of the client. But I don't think you can access 
ServletRequest object in relam class in tomcat. I know you can do it with JBoss
	3. You may be able to write custom callback handlers and callback and get 
client IP to realm(a wild guess)

 Regards,
Srinivas.




________________________________
From: "Aggarwal, Ajay" <Aj...@stratus.com>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Wed, October 20, 2010 12:53:42 PM
Subject: RE: Source Address based Realms

bump... looking for ideas... anybody?

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 10:29 AM
To: Tomcat Users List
Subject: RE: Source Address based Realms

Sorry. I meant...

"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms

I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this? 



Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?



-Ajay


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: Source Address based Realms

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Thanks for the pointers!

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Thursday, October 21, 2010 3:55 AM
To: Tomcat Users List
Subject: Re: Source Address based Realms

Aggarwal, Ajay wrote:
> bump... looking for ideas... anybody?

If the question finally is "..without using *container-based* 
authentication/authorisation", then have a look at

http://securityfilter.sourceforge.net/

There is good explanation of the difference between the "container-based" and 
"filter-based" approach to AAA, and maybe it already offers what you want.

Another good place to look would be

http://www.tuckey.org/urlrewrite/

which is not properly-speaking an authentication filter, but which may help in your purpose.

Both of these are open-source, so it should not be very hard to add the functionality you 
want, if it is not there already.





> 
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
> Sent: Tuesday, October 19, 2010 10:29 AM
> To: Tomcat Users List
> Subject: RE: Source Address based Realms
> 
> Sorry. I meant...
> 
> "Is there another way to achieve this, i.e. without using Realms or
> mixing valve/filters with Realms?"
> 
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
> Sent: Tuesday, October 19, 2010 9:45 AM
> To: users@tomcat.apache.org
> Subject: Source Address based Realms
> 
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this? 
> 
>  
> 
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
> 
>  
> 
> -Ajay
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Source Address based Realms

Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> bump... looking for ideas... anybody?

If the question finally is "..without using *container-based* 
authentication/authorisation", then have a look at

http://securityfilter.sourceforge.net/

There is good explanation of the difference between the "container-based" and 
"filter-based" approach to AAA, and maybe it already offers what you want.

Another good place to look would be

http://www.tuckey.org/urlrewrite/

which is not properly-speaking an authentication filter, but which may help in your purpose.

Both of these are open-source, so it should not be very hard to add the functionality you 
want, if it is not there already.





> 
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
> Sent: Tuesday, October 19, 2010 10:29 AM
> To: Tomcat Users List
> Subject: RE: Source Address based Realms
> 
> Sorry. I meant...
> 
> "Is there another way to achieve this, i.e. without using Realms or
> mixing valve/filters with Realms?"
> 
> -----Original Message-----
> From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
> Sent: Tuesday, October 19, 2010 9:45 AM
> To: users@tomcat.apache.org
> Subject: Source Address based Realms
> 
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this? 
> 
>  
> 
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
> 
>  
> 
> -Ajay
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: Source Address based Realms

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
bump... looking for ideas... anybody?

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 10:29 AM
To: Tomcat Users List
Subject: RE: Source Address based Realms

Sorry. I meant...

"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms

I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this? 

 

Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?

 

-Ajay


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: Source Address based Realms

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
Sorry. I meant...

"Is there another way to achieve this, i.e. without using Realms or
mixing valve/filters with Realms?"

-----Original Message-----
From: Aggarwal, Ajay [mailto:Ajay.Aggarwal@stratus.com] 
Sent: Tuesday, October 19, 2010 9:45 AM
To: users@tomcat.apache.org
Subject: Source Address based Realms

I need to treat my clients differently depending on where they came
from. I need to trust all requests coming locally (i.e. from
127.0.0.1/localhost) and not require them to authentication. However all
external requests need to go through authentication. Is there a way to
configure Realms in Tomcat to accommodate this? 

 

Is there another way to achieve this, i.e. without using Realms or
missing valve/filters with Realms?

 

-Ajay


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

RE: Source Address based Realms

Posted by "Aggarwal, Ajay" <Aj...@stratus.com>.
> you are already fronting Tomcat with another webserver ?
No, Tomcat is the only web server and I am not looking to front it with another webserver.

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Tuesday, October 19, 2010 11:01 AM
To: Tomcat Users List
Subject: Re: Source Address based Realms

Aggarwal, Ajay wrote:
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this? 
> 
>  
> 
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
> 
>  
Maybe phrasing the problem in a different way would throw another light on the issue :

You want to automatically authenticate requests coming from a given IP (or IP range), for 
example by authenticating them as user "local", and not do this for other requests, which 
then would have to go through a normal authentication.

Since I am more familiar with Apache httpd than with Tomcat, I will ask if by any chance 
you are already fronting Tomcat with another webserver ?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Source Address based Realms

Posted by André Warnier <aw...@ice-sa.com>.
Aggarwal, Ajay wrote:
> I need to treat my clients differently depending on where they came
> from. I need to trust all requests coming locally (i.e. from
> 127.0.0.1/localhost) and not require them to authentication. However all
> external requests need to go through authentication. Is there a way to
> configure Realms in Tomcat to accommodate this? 
> 
>  
> 
> Is there another way to achieve this, i.e. without using Realms or
> missing valve/filters with Realms?
> 
>  
Maybe phrasing the problem in a different way would throw another light on the issue :

You want to automatically authenticate requests coming from a given IP (or IP range), for 
example by authenticating them as user "local", and not do this for other requests, which 
then would have to go through a normal authentication.

Since I am more familiar with Apache httpd than with Tomcat, I will ask if by any chance 
you are already fronting Tomcat with another webserver ?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org