Posted to users@tomcat.apache.org by ge...@beapgroup.com on 2002/05/03 00:36:15 UTC
security, roles, and single signon
I am planning to write a security realm to authenticate
against our internal security system. This does not seem
to be overly difficult. I then plan to use the
SingleSignOn valve to propagate security between multiple
web applications. Again, that seems straightforward.
Now it starts to get a little tricky. In our security
model a user belongs to many roles, but is only acting in
one role at a time.
Does anyone have any ideas on how to handle this?
I have considered that I will need to prompt the user for
the role they are performing, and then store this role
somewhere. Ideally I would like to store this single role
in the Tomcat Generic Security object for that user. This
seems like it would require changing Tomcat code. Not out
of the question, but perhaps a little beyond my current
abilities.
Alternatively, I could store this role in the user's
session. This will work for an individual web application,
but the role would not be propagated between web
applications like the security object is.
To clarify, this single role is passed on every call to
our application server. I could just write our own
security system entirely, but I prefer to stick as closely
as possible to the J2EE security model (i.e. have the
security object propagated to the application server from
tomcat - the single role is extra information that does
not seem to be available in the standard model).
Hopefully someone will have some fresh ideas.
Thanks for any help.
Geoff Apps
geoff@beapgroup.com
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
Tomcat Timeout
Posted by Jon Nadelberg <jo...@pacbell.net>.
I'm having a problem getting Tomcat to work with Apache when being
connected outside my local network.
I have installed Apache 1.3.23 and Tomcat 4.0.2 on my win 98 machine,
and it works just fine when I access it from http://localhost:8080/
locally. It also works if I enter my static IP address, that is
http://xxx.xxx.xxx.xxx:8080 (not 127.0.0.1).
Everything works ok like that. When someone else tries to access my
machine by entering my address, it times them out. They can access port
80 just fine. But 8080 does not respond.
What may I be not doing right here? I just want to have someone outside
be able to access the index.html page for jakarta so they can access the
JSP samples. I've even turned off the firewall to see if that might
correct the problem, it didn't, and it's back on now.
Any ideas?
Thanks.
Re: security, roles, and single signon
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Thu, 2 May 2002 geoff@beapgroup.com wrote:
> Date: Thu, 02 May 2002 14:36:15 -0800
> From: geoff@beapgroup.com
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: security, roles, and single signon
>
> I am planning to write a security realm to authenticate
> against our internal security system. This does not seem
> to be overly difficult. I then plan to use the
> SingleSignOn valve to propagate security between multiple
> web applications. Again, that seems straightforward.
>
> Now it starts to get a little tricky. In our security
> model a user belongs to many roles, but is only acting in
> one role at a time.
>
> Does anyone have any ideas on how to handle this?
>
Umm, maybe, rethink it? :-)
All of the standard login mechanisms supported by the servlet spec are
based solely on username and password -- the best you can probably do is
combine (say) the username and desired role into the "username" field and
separate them inside the authenticate() method of your Realm
implementation. Then, I could log on as:
Username: craigmcc/manager Password: foo
or as:
Username: craigmcc/admin Password: foo
or even have different passwords for different roles, if you wanted to
set things up that way.
The Principal that you return in either case could have a name of
"craigmcc", and hasRole() would return "true" for only the role name that
was extracted in the authenticate() method.
Craig
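The split-the-username approach Craig sketches, as an added, self-contained example that is not code from the original thread or from Tomcat itself. It models a Realm's authenticate() and a Principal whose hasRole() is true only for the role selected at login; the `RoleSelectingRealm`, `SingleRolePrincipal` and `addUser` names, and the in-memory user/role/password map, are constructed for this illustration and are not Tomcat's `Realm`, `RealmBase` or `GenericPrincipal` API. Two checks matter for the security of the scheme and are easy to forget: the requested role must be verified against the roles the user actually holds (otherwise anyone could type `/admin`), and the Principal must carry only that single role so container-managed authorization enforces it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

/** Principal carrying only the one role the user chose at login (constructed model, not Tomcat's GenericPrincipal). */
final class SingleRolePrincipal implements Principal {
    private final String name;
    private final String activeRole;

    SingleRolePrincipal(String name, String activeRole) {
        this.name = name;
        this.activeRole = activeRole;
    }

    @Override public String getName() { return name; }

    /** True only for the role extracted in authenticate(); every other role the user holds is inactive. */
    boolean hasRole(String role) { return activeRole.equals(role); }

    @Override public String toString() { return name + " (acting as " + activeRole + ")"; }
}

/** Models the authenticate() logic from the reply; the backing store is a constructed in-memory map. */
final class RoleSelectingRealm {
    // user -> (role -> password). Constructed sample data; a real realm would consult the internal security system.
    // Per-role passwords are allowed, as the reply suggests; a single password can simply be repeated per role.
    private final Map<String, Map<String, String>> store = new HashMap<>();

    void addUser(String user, String role, String password) {
        store.computeIfAbsent(user, k -> new HashMap<>()).put(role, password);
    }

    /** Returns the authenticated Principal, or null when authentication fails (hypothetical realm contract). */
    Principal authenticate(String usernameField, String credentials) {
        if (usernameField == null || credentials == null) return null;

        // The login form's "username" field is "user/role"; split on the first slash and accept exactly one.
        int slash = usernameField.indexOf('/');
        if (slash <= 0 || slash == usernameField.length() - 1) return null;   // missing user or missing role
        String user = usernameField.substring(0, slash);
        String role = usernameField.substring(slash + 1);
        if (role.indexOf('/') >= 0) return null;                               // "user/role/extra" is rejected

        Map<String, String> rolePasswords = store.get(user);
        if (rolePasswords == null) return null;                                // unknown user
        String expected = rolePasswords.get(role);
        if (expected == null) return null;                                     // user does not hold the requested role
        if (!constantTimeEquals(expected, credentials)) return null;           // wrong password for that role

        return new SingleRolePrincipal(user, role);
    }

    /** Length-independent comparison so the check leaks nothing via timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        RoleSelectingRealm realm = new RoleSelectingRealm();
        realm.addUser("craigmcc", "manager", "foo");   // constructed sample data from the reply's example
        realm.addUser("craigmcc", "admin", "foo");

        SingleRolePrincipal p = (SingleRolePrincipal) realm.authenticate("craigmcc/manager", "foo");
        System.out.println(p);                          // craigmcc (acting as manager)
        System.out.println(p.hasRole("manager"));       // true
        System.out.println(p.hasRole("admin"));         // false: held by the user, but not the active role

        // Rejected cases: a role the user does not hold, a bad password, and a username without a role.
        System.out.println(realm.authenticate("craigmcc/auditor", "foo"));  // null
        System.out.println(realm.authenticate("craigmcc/admin", "bar"));    // null
        System.out.println(realm.authenticate("craigmcc", "foo"));          // null
    }
}
```

Because the Principal carries exactly one role, the SingleSignOn valve propagates the chosen role along with the identity to every web application for free, which addresses the session-scoping concern in the original question. Switching roles means logging out and back in with a different `user/role` string; a realm should also log the selected role with the login event so that actions performed under a privileged role can be audited.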