Posted to users@tomcat.apache.org by Hector Gonzalez <hg...@questionexchange.com> on 2000/11/09 22:51:14 UTC

Programmatic management of security

Hi all,

I am working with Tomcat 3.1 beta 6, and Jonas 2.1. I plan to use JDBCRealm
for user authentication. Is it possible to:

1. Modify the realm programmatically, that is add users, remove users, add
roles, etc.
2. Tell tomcat that user x should be logged into the application. I would
like to automatically log some users based on a cookie.

Thanks in advance

Hector Gonzalez


Re: Programmatic management of security

Posted by Hector Gonzalez <hg...@mindspring.com>.
Hi John,

Thanks for responding.
I am indeed using Jonas 2.1.1 and the integration with tomcat through
Jeremie. The problem is that on the Jonas side you need a text file
describing the users and their roles. This file should be identical to the
information contained in the tomcat authentication file/database but as far
as I understand the programmer needs to maintain the file manually. The
application I am writing will handle a few hundred thousand users and a text
file to do authentication is not acceptable.

Regards
Hector

----- Original Message -----
From: "John Ellis" <jd...@home.com>
To: <to...@jakarta.apache.org>
Sent: Thursday, November 09, 2000 4:55 PM
Subject: Re: Programmatic management of security


> You might take a look at JOnAS 2.1.1.  The Jeremie version has an integration of
> Tomcat security and EJB method access.  At least, it shows how to intercept the
> Tomcat user information.
>
> Hector Gonzalez wrote:
>
> > Hi all,
> >
> > I am working with Tomcat 3.1 beta 6, and Jonas 2.1. I plan to use JDBCRealm
> > for user authentication. Is it possible to:
> >
> > 1. Modify the realm programmatically, that is add users, remove users, add
> > roles, etc.
> > 2. Tell tomcat that user x should be logged into the application. I would
> > like to automatically log some users based on a cookie.
> >
> > Thanks in advance
> >
> > Hector Gonzalez
>


Re: Programmatic management of security

Posted by John Ellis <jd...@home.com>.
You might take a look at JOnAS 2.1.1.  The Jeremie version has an integration of
Tomcat security and EJB method access.  At least, it shows how to intercept the
Tomcat user information.

Hector Gonzalez wrote:

> Hi all,
>
> I am working with Tomcat 3.1 beta 6, and Jonas 2.1. I plan to use JDBCRealm
> for user authentication. Is it possible to:
>
> 1. Modify the realm programmatically, that is add users, remove users, add
> roles, etc.
> 2. Tell tomcat that user x should be logged into the application. I would
> like to automatically log some users based on a cookie.
>
> Thanks in advance
>
> Hector Gonzalez


Re: Programmatic management of security

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
"Craig R. McClanahan" wrote:

> Hector Gonzalez wrote:
>
> > Hi all,
> >
> > I am working with Tomcat 3.1 beta 6, and Jonas 2.1. I plan to use JDBCRealm
> > for user authentication. Is it possible to:
> >
> > 1. Modify the realm programmatically, that is add users, remove users, add
> > roles, etc.
>
> This one is easy ... simply update the database.  For example, adding a new row
> in the users table makes that user instantly able to log in.
>
> You can do these updates either through a web-based administration application
> that you might right, or through external applications or SQL scripts.
>

Oops, s/right/write/ ... :-)

>
> >
> > 2. Tell tomcat that user x should be logged into the application. I would
> > like to automatically log some users based on a cookie.
> >
>
> This one is not easy ... you would need to modify Tomcat to make it possible.
>
> >
> > Thanks in advance
> >
> > Hector Gonzalez
>
> Craig


Re: Programmatic management of security

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Hector Gonzalez wrote:

> Hi Craig,
>
> Thanks a lot for the answer. I have a few follow up questions though.
>
> > >
> > > 1. Modify the realm programmatically, that is add users, remove users, add
> > > roles, etc.
> >
> > This one is easy ... simply update the database.  For example, adding a new row
> > in the users table makes that user instantly able to log in.
>
> Sun defines methods like addUser and addRole in the Realm class they
> implement for the J2EE petstore application. I thought that the Tomcat Realm
> class was similar to that one but looking at the source code I can see that
> those methods do not exist. They do exist in the SimpleRealm sample file.
>

I didn't make myself very clear here ... let me try again.

The JDBCRealm class in Tomcat reads the database every time to decide whether a
user is valid or not, and what their roles are.  But the JDBCRealm class does
*not* provide any mechanisms to modify the contents of the realm -- the
assumption is that you will be doing that by external means.

Thus, you will need to write an application to add users directly to the
database.  As long as your application updates the same database tables and
columns that the JDBCRealm is looking at, those changes will be instantly
available to Tomcat.  Because you can do this, there is no need to provide any
APIs *inside* of Tomcat to modify users.  (And, you would not be able to access
them anyway from a servlet.)

>
> >
> > You can do these updates either through a web-based administration application
> > that you might right, or through external applications or SQL scripts.
> >
> > >
> > > 2. Tell tomcat that user x should be logged into the application. I would
> > > like to automatically log some users based on a cookie.
> > >
> >
> > This one is not easy ... you would need to modify Tomcat to make it possible.
> >
>
> I was looking into the source code and the file SecurityTools checks for
> user and password reading two attributes from the session: j_username and
> j_password. The comments in the source code say:
> "It is possible for a servlet to set the attributes and bypass the security
> checking - but that's ok, since everything happens inside a web application
> and all servlets are in the same domain". I have not tried it yet though.
>

Those aren't my comments, so I can't vouch for them.

You can certainly do this kind of stuff with a RequestInterceptor (Tomcat 3.x)
or Valve (Tomcat 4.x).  But you cannot do it from a servlet -- thus, this
counts as "modifying Tomcat" in my book.  That's fine, if that is what you want
to do, but your changes will be specific to Tomcat, and not portable to other
containers.

>
> Regards
> Hector

Craig
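Craig's point is that logging a user in from a cookie has to be done inside the container (a RequestInterceptor or Valve), not from a servlet. What such an interceptor should trust is the part a practitioner will want to see. The following is an added example, not code from this thread, from Tomcat or from JOnAS: it puts a remember-me cookie that is trusted as-is beside one carrying an HMAC over the user name and an expiry, which is what the interceptor would verify before marking the session as logged in. The cookie format, `SECRET`, `TTL`, the `session` dictionary and all user names are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed values for the example; a real deployment keeps the secret out of
# the code and rotates it.
SECRET = b"constructed-demo-secret"
TTL = 30 * 24 * 3600  # remember-me lifetime in seconds


def trusting_login(cookie: str) -> str:
    """The weak form: the cookie value *is* the user name, so any client can
    send "admin" and be logged in as admin. Shown only for contrast."""
    return cookie


def issue_cookie(user: str, now: int, secret: bytes = SECRET, ttl: int = TTL) -> str:
    """Cookie layout: user_b64|expiry|hex(HMAC-SHA256(secret, user_b64|expiry)).
    The user name is base64-encoded so '|' inside it cannot confuse parsing."""
    user_b64 = base64.urlsafe_b64encode(user.encode("utf-8")).decode("ascii")
    body = f"{user_b64}|{now + ttl}"
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_cookie(cookie: str, now: int, secret: bytes = SECRET):
    """Return the user name if the cookie is authentic and unexpired, else None.
    The MAC is checked before any field of the cookie is parsed or trusted."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_b64, expiry_s, mac = parts
    body = f"{user_b64}|{expiry_s}"
    expected = hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time compare; a wrong-length MAC simply fails.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return None
    try:
        expiry = int(expiry_s)
        user = base64.urlsafe_b64decode(user_b64).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError too
        return None
    if now >= expiry:
        return None
    return user


def auto_login(session: dict, cookie: str, now: int) -> bool:
    """What the interceptor would do on each request: populate the session
    only from a cookie that verifies. Returns whether a login was established."""
    if "user" in session:
        return False  # already logged in; leave the existing principal alone
    user = verify_cookie(cookie, now)
    if user is None:
        return False
    session["user"] = user
    return True


def tamper(cookie: str, new_user: str) -> str:
    """An attacker keeps a valid MAC but swaps in another user name."""
    _, expiry_s, mac = cookie.split("|")
    new_b64 = base64.urlsafe_b64encode(new_user.encode("utf-8")).decode("ascii")
    return f"{new_b64}|{expiry_s}|{mac}"


def demo() -> dict:
    now = 1_000_000
    good = issue_cookie("hector", now)
    session = {}
    return {
        "weak_forged": trusting_login("admin"),          # unsigned: accepted as admin
        "good": verify_cookie(good, now + 60),           # "hector"
        "session_login": auto_login(session, good, now + 60),
        "tampered": verify_cookie(tamper(good, "admin"), now + 60),
        "forged": verify_cookie("YWRtaW4=|9999999999|00", now),
        "expired": verify_cookie(good, now + TTL),
        "wrong_key": verify_cookie(good, now + 60, secret=b"other"),
        "malformed": verify_cookie("hector", now),
    }


if __name__ == "__main__":
    print(demo())
```

The cookie only proves that the server issued it for that user before the expiry; revocation (a user removed from the realm, or a password change) still needs a check against the realm on each auto-login, which is exactly the database lookup the JDBCRealm already does.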



Re: Programmatic management of security

Posted by Hector Gonzalez <hg...@mindspring.com>.
Hi Craig,

Thanks a lot for the answer. I have a few follow up questions though.

> >
> > 1. Modify the realm programmatically, that is add users, remove users, add
> > roles, etc.
>
> This one is easy ... simply update the database.  For example, adding a new row
> in the users table makes that user instantly able to log in.

Sun defines methods like addUser and addRole in the Realm class they
implement for the J2EE petstore application. I thought that the Tomcat Realm
class was similar to that one but looking at the source code I can see that
those methods do not exist. They do exist in the SimpleRealm sample file.

>
> You can do these updates either through a web-based administration application
> that you might right, or through external applications or SQL scripts.
>
> >
> > 2. Tell tomcat that user x should be logged into the application. I would
> > like to automatically log some users based on a cookie.
> >
>
> This one is not easy ... you would need to modify Tomcat to make it possible.
>

I was looking into the source code and the file SecurityTools checks for
user and password reading two attributes from the session: j_username and
j_password. The comments in the source code say:
"It is possible for a servlet to set the attributes and bypass the security
checking - but that's ok, since everything happens inside a web application
and all servlets are in the same domain". I have not tried it yet though.

Regards
Hector


Re: Programmatic management of security

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Hector Gonzalez wrote:

> Hi all,
>
> I am working with Tomcat 3.1 beta 6, and Jonas 2.1. I plan to use JDBCRealm
> for user authentication. Is it possible to:
>
> 1. Modify the realm programmatically, that is add users, remove users, add
> roles, etc.

This one is easy ... simply update the database.  For example, adding a new row
in the users table makes that user instantly able to log in.

You can do these updates either through a web-based administration application
that you might right, or through external applications or SQL scripts.

>
> 2. Tell tomcat that user x should be logged into the application. I would
> like to automatically log some users based on a cookie.
>

This one is not easy ... you would need to modify Tomcat to make it possible.

>
> Thanks in advance
>
> Hector Gonzalez

Craig
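Craig's answer, here and in his longer reply above, is that user management for a JDBCRealm is nothing more than writes to the tables the realm reads on every request. The following is an added example, not code from this thread or from Tomcat: it sketches that administrative side against a constructed in-memory SQLite copy of the schema and checks each change the way the realm would, by looking the user up afresh on each call. The table and column names, the `RealmStore` class and the optional SHA-256 digest are assumptions; match them to whatever your realm is actually configured with, and write a digest only if the realm is configured to compare one, otherwise it will never match.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema. It assumes the realm is pointed at users(user_name, user_pass)
# and user_roles(user_name, role_name); use your realm's real table/column names.
SCHEMA = """
CREATE TABLE users (
    user_name VARCHAR(32) NOT NULL PRIMARY KEY,
    user_pass VARCHAR(64) NOT NULL
);
CREATE TABLE user_roles (
    user_name VARCHAR(32) NOT NULL,
    role_name VARCHAR(32) NOT NULL,
    PRIMARY KEY (user_name, role_name)
);
"""


def sha256_hex(password: str) -> str:
    """Digest to store when (assumption) the realm is configured to apply the
    same digest to the submitted password before comparing."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class RealmStore:
    """Administrative access to the tables the realm reads. The realm itself
    only reads; every add/remove goes through here, and takes effect at once
    because there is no cached copy to refresh."""

    def __init__(self, conn: sqlite3.Connection, digest=None):
        self.conn = conn
        self.digest = digest  # None: store the password exactly as the realm compares it

    def _stored(self, password: str) -> str:
        return self.digest(password) if self.digest else password

    def add_user(self, user: str, password: str) -> None:
        # Parameterised: a user name such as "hector' --" is data, not SQL.
        self.conn.execute(
            "INSERT INTO users (user_name, user_pass) VALUES (?, ?)",
            (user, self._stored(password)),
        )
        self.conn.commit()

    def add_role(self, user: str, role: str) -> None:
        self.conn.execute(
            "INSERT OR IGNORE INTO user_roles (user_name, role_name) VALUES (?, ?)",
            (user, role),
        )
        self.conn.commit()

    def remove_user(self, user: str) -> None:
        # Roles first, so no orphaned grant outlives the user row.
        self.conn.execute("DELETE FROM user_roles WHERE user_name = ?", (user,))
        self.conn.execute("DELETE FROM users WHERE user_name = ?", (user,))
        self.conn.commit()

    def authenticate(self, user: str, password: str) -> bool:
        """What the realm does per request: look the user up and compare."""
        row = self.conn.execute(
            "SELECT user_pass FROM users WHERE user_name = ?", (user,)
        ).fetchone()
        if row is None:
            return False
        return hmac.compare_digest(
            row[0].encode("utf-8"), self._stored(password).encode("utf-8")
        )

    def roles(self, user: str) -> set:
        rows = self.conn.execute(
            "SELECT role_name FROM user_roles WHERE user_name = ?", (user,)
        ).fetchall()
        return {r[0] for r in rows}


def open_store(digest=None) -> RealmStore:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return RealmStore(conn, digest)


def demo() -> dict:
    store = open_store(digest=sha256_hex)
    store.add_user("hector", "s3cret")
    store.add_role("hector", "manager")
    store.add_role("hector", "manager")  # idempotent
    result = {
        "visible": store.authenticate("hector", "s3cret"),     # new row usable at once
        "wrong": store.authenticate("hector", "guess"),
        "injected": store.authenticate("hector' --", "x"),     # stays a literal name
        "roles": store.roles("hector"),
    }
    store.remove_user("hector")
    result["gone"] = store.authenticate("hector", "s3cret")
    result["roles_gone"] = store.roles("hector")
    return result


if __name__ == "__main__":
    print(demo())
```

Because the realm re-reads the tables on each request, the only consistency requirement on the administrative application is that it commit each user-and-roles change as a unit; a user row committed without its roles is, for that moment, a user who can log in but is authorised for nothing.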