Posted to users@tomcat.apache.org by ge...@beapgroup.com on 2002/05/03 00:36:15 UTC

security, roles, and single signon

I am planning to write a security realm to authenticate 
against our internal security system. This does not seem 
to be overly difficult. I then plan to use the 
SingleSignOn valve to propagate security between multiple 
web applications. Again, that seems straight forward.

Now it starts to get a little tricky. In our security 
model a user belongs to many roles, but is only acting in 
one role at a time.

Does anyone have any ideas on how to handle this?

I have considered that I will need to prompt the user for 
the role they are performing, and then store this role 
somewhere. Ideally I would like to store this single role 
in the Tomcat Generic Security object for that user. This 
seems like it would require changing Tomcat code. Not out 
of the question, but perhaps a little beyond my current 
abilities.

Alternatively, I could store this role in the user's 
session. This will work for an individual web application, 
but the role would not be propagated between web 
applications like the security object is.

To clarify, this single role is passed on every call to 
our application server. I could just write our own 
security system entirely, but I prefer to stick as closely 
as possible to the J2EE security model (i.e. have the 
security object propagated to the application server from 
tomcat - the single role is extra information that does 
not seem to be available in the standard model).

Hopefully someone will have some fresh ideas.

Thanks for any help.

Geoff Apps
geoff@beapgroup.com

--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Tomcat Timeout

Posted by Jon Nadelberg <jo...@pacbell.net>.
I'm having a problem getting Tomcat to work with Apache when being
connected outside my local network.

I have installed Apache 1.3.23 and Tomcat 4.0.2 on my win 98 machine,
and it works just fine when I access it from http://localhost:8080/
locally.  It also works if I enter my static IP address, that is
http://xxx.xxx.xxx.xxx:8080 (not 127.0.0.1).

Everything works ok like that.  When someone else tries to access my
machine by entering my address, it times them out.  They can access port
80 just fine.  But 8080 does not respond.  

What may I be not doing right here?  I just want to have someone outside
be able to access the index.html page for jakarta so they can access the
JSP samples.  I've even turned off the firewall to see if that might
correct the problem, it didn't, and it's back on now.

Any ideas?  

Thanks.



Re: security, roles, and single signon

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 2 May 2002 geoff@beapgroup.com wrote:

> Date: Thu, 02 May 2002 14:36:15 -0800
> From: geoff@beapgroup.com
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: security, roles, and single signon
>
> I am planning to write a security realm to authenticate
> against our internal security system. This does not seem
> to be overly difficult. I then plan to use the
> SingleSignOn valve to propagate security between multiple
> web applications. Again, that seems straight forward.
>
> Now it starts to get a little tricky. In our security
> model a user belongs to many roles, but is only acting in
> one role at a time.
>
> Does anyone have any ideas on how to handle this ???
>

Umm, maybe, rethink it?  :-)

All of the standard login mechanisms supported by the servlet spec are
based solely on username and password -- the best you can probably do is
combine (say) the username and desired role into the "username" field and
separate them inside the authenticate() method of your Realm
implementation.  Then, I could log on as:

  Username:  craigmcc/manager   Password: foo

or as:

  Username:  craigmcc/admin     Password: foo

or even have different passwords for different roles, if you wanted to
set things up that way.

The Principal that you return in either case could have a name of
"craigmcc", and hasRole() would return "true" for only the role name that
was extracted in the authenticate() method.

Craig


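The "username/role" scheme Craig describes, written out as an added, stand-alone Java example (it is not code from the thread or from Tomcat). It uses only java.security.Principal, not Tomcat's Realm or GenericPrincipal classes; the "/" delimiter, the constructed in-memory user and membership tables, and the class and method names are assumptions for illustration. In a real Tomcat Realm the same logic would live in a RealmBase subclass and return a GenericPrincipal. The one thing the reply leaves implicit, and that the example makes explicit, is that authenticate() must verify the user actually holds the requested role before handing back a Principal for it; otherwise any authenticated user could type "craigmcc/admin" and receive admin.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical, stand-alone sketch of a Realm that accepts "user/role" as the
// username and returns a Principal acting in exactly one role.
public class SingleRolePrincipalExample {

    // Principal carrying one active role, the shape Craig suggests returning
    // from authenticate(). hasRole() is true for that role only, even though
    // the backing store may list the user under several roles.
    static final class SingleRolePrincipal implements Principal {
        private final String name;
        private final String activeRole;

        SingleRolePrincipal(String name, String activeRole) {
            this.name = name;
            this.activeRole = activeRole;
        }

        @Override public String getName() { return name; }

        boolean hasRole(String role) { return activeRole.equals(role); }

        @Override public String toString() { return name + "[" + activeRole + "]"; }
    }

    // Constructed sample data standing in for "our internal security system":
    // user -> password (plaintext here only to keep the example short; a real
    // store would hold hashes) and user -> roles the user may assume.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, Set<String>> MEMBERSHIP = new HashMap<>();
    static {
        PASSWORDS.put("craigmcc", "foo");
        MEMBERSHIP.put("craigmcc", new HashSet<>(Arrays.asList("manager", "admin")));
        PASSWORDS.put("geoff", "bar");
        MEMBERSHIP.put("geoff", new HashSet<>(Collections.singletonList("manager")));
    }

    // Mirrors the shape of Realm.authenticate(String username, String credentials):
    // a Principal on success, null on any failure.
    static SingleRolePrincipal authenticate(String username, String credentials) {
        if (username == null || credentials == null) return null;

        // Require exactly one "/" with text on both sides: "craigmcc" (no role)
        // and "a/b/c" are rejected rather than guessed at.
        int slash = username.indexOf('/');
        if (slash <= 0 || slash == username.length() - 1
                || username.indexOf('/', slash + 1) != -1) {
            return null;
        }
        String user = username.substring(0, slash);
        String role = username.substring(slash + 1);

        String expected = PASSWORDS.get(user);
        if (expected == null || !constantTimeEquals(expected, credentials)) return null;

        // The essential check: the user must actually be a member of the role
        // they asked to act in. Without it the role field is attacker-chosen.
        Set<String> allowed = MEMBERSHIP.getOrDefault(user, Collections.emptySet());
        if (!allowed.contains(role)) return null;

        return new SingleRolePrincipal(user, role);
    }

    // Length-independent comparison so a wrong password does not leak a prefix.
    private static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }

    public static void main(String[] args) {
        System.out.println(authenticate("craigmcc/manager", "foo"));
        System.out.println(authenticate("craigmcc/admin", "foo"));
        System.out.println(authenticate("geoff/admin", "bar"));
        System.out.println(authenticate("craigmcc/admin", "wrong"));
        SingleRolePrincipal p = authenticate("craigmcc/manager", "foo");
        System.out.println(p.hasRole("manager") + " " + p.hasRole("admin"));
    }
}
```

Run as written, main() prints craigmcc[manager], craigmcc[admin], null (geoff is not in the admin role), null (wrong password), and "true false" for the manager Principal. Because the selected role lives in the Principal rather than in a session attribute, it travels with the Principal that the SingleSignOn valve shares across web applications, which is what the original question wanted; switching roles means logging in again under a different "user/role" name.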