Posted to users@tomcat.apache.org by Kristian Rink <kr...@zimmer428.net> on 2006/07/27 17:21:21 UTC

servlet and HTTP authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi all;

gotta solve a very special authentication situation: Users need to have
access to certain file packages using a URL like

http://.../packages/<package-id>


with <package-id> referring to an identifier stored in a local document
management system. User information (id, password) is stored in the DMS
database as well. To provide access to a certain package, I need to ensure

(a) the user is valid (thus, has authenticated)
(b) the user is owner of the package (which I can find out using the DMS
    database as well)


However, following this approach I cannot use container-based
authentication, as the DBMS user management repository is not easily
accessible via such a configuration; but there are Java classes to
authenticate the user using an API which is to be called from another Java
class, a servlet, ...


So, my question: Is there a way to configure Tomcat so that, for a given
servlet or resource, an HTTP authentication window will appear and, then,
the data entered there (username, password) is given to the servlet in
order to do anything useful with it? I _suppose_ those parameters should
be available as part of the Request, but I don't know how to make Tomcat
demand HTTP authentication _without_ automatically validating these
parameters.


Any hints on that?
TIA and bye,
Kristian


- --
Kristian Rink *  http://zimmer428.net * jab: kawazu@jabber.ccc.de
icq: 48874445 *  fon: ++49 176 2447 2771
"When one person dreams alone, it is only a dream. When many dream
together, it is the beginning of a new reality." (Hundertwasser)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEyNnIcxBAPOA1m6wRAiUDAJ0dye/TauPE+I6aN/zozzGbIDWA1gCfWaV5
GP9iBHbOOjIsMPA1TLIq+/s=
=1z5/
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: servlet and HTTP authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Kristian,

> However, following this approach I cannot use container-based
> authentication, as the DBMS user management repository is not easily
> accessible via such a configuration; but there are Java classes to
> authenticate the user using an API which is to be called from another Java
> class, a servlet, ...

One option is to create your own Realm implementation and use that for
authentication. I think you can pretty much use any authentication
mechanism that you want (including the existing Java classes you mention
that are available).

It's a relatively simple interface that you have to implement that
basically takes a username and password and returns a Principal object.
You'll have to install your new class into Tomcat (i.e. it can't just go
into WEB-INF/classes) because Tomcat needs direct access to that class
before your webapp is initialized.

If this solution doesn't seem to meet your needs, you can try looking at
the securityfilter project (http://securityfilter.sourceforge.net/). I
have used this filter for doing authentication and authorization. It can
be used as a drop-in replacement for Tomcat's built-in authentication,
and you can configure your own authenticator that does anything it
wants. For example, I created an authenticator that logs failed logins
as well as recording the IP address of the offending remote host. This
last part is not possible (that I know of) using the Tomcat Realm strategy.

-chris



Re: servlet and HTTP authentication

Posted by Kristian Rink <kr...@zimmer428.net>.
Hey there;

and, at first, thanks a lot for the hint.

DJohnson@desknetinc.com wrote:

> WWW-Authenticate: Basic realm="My Document Management System"
> 
> I'm not sure if tomcat will interpret the resulting "Authorization" header 
> in the next request, given that you asked him not to authenticate, but you 
> can always ask for the contents of that header, strip off the "Basic " 
> from the front, and Base64.decode the rest, yielding userid:password. 
> Split on the ":" and you have your id and password.


Hmmm, I feel stupid right now as I could have thought about that myself.
Thanks for enlightening me, that's pretty much what I needed! :)

Thanks and bye,
Kristian





-- 
Kristian Rink *  http://zimmer428.net * jab: kawazu@jabber.ccc.de
icq: 48874445 *  fon: ++49 176 2447 2771
"When one person dreams alone, it is only a dream. When many dream
together, it is the beginning of a new reality." (Hundertwasser)




Re: servlet and HTTP authentication

Posted by DJ...@desknetinc.com.
<Sorry for top post:  Notes e-mail client restriction>
If you configure Tomcat to NOT require authentication for this particular 
servlet, then your servlet can examine the credentials, and if they are 
absent or insufficient, send a 401 - Not Authorized response, which causes 
the browser to prompt for id/pass.  You can also manipulate the "realm" 
identified in that prompt by adding a WWW-Authenticate header to the 401 
response:
WWW-Authenticate: Basic realm="My Document Management System"

I'm not sure if tomcat will interpret the resulting "Authorization" header 
in the next request, given that you asked him not to authenticate, but you 
can always ask for the contents of that header, strip off the "Basic " 
from the front, and Base64.decode the rest, yielding userid:password. 
Split on the ":" and you have your id and password.
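The recipe in this reply, put into a servlet as an added example (this is not code from the thread; it assumes the Servlet API on the classpath, Java 8 for java.util.Base64, and a hypothetical DmsApi facade standing in for the poster's existing DMS authentication classes, backed here by constructed sample data):

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Serves /packages/<package-id> (map it to /packages/* in web.xml) and does its
 * own HTTP Basic challenge: the container is configured NOT to authenticate this
 * servlet, so the servlet inspects the Authorization header itself.
 * Example code, not from the thread; DmsApi is a hypothetical stand-in.
 */
public class PackageServlet extends HttpServlet {

    private static final String REALM = "My Document Management System";

    /** Username/password pair recovered from a Basic Authorization header. */
    static final class Credentials {
        final String user;
        final String password;
        Credentials(String user, String password) { this.user = user; this.password = password; }
    }

    /**
     * Parses "Authorization: Basic <base64(user:password)>". Returns null when the
     * header is absent, uses another scheme, is not valid Base64, or the decoded
     * text has no ':'. Splits on the FIRST ':' only, because RFC 7617 allows
     * further colons inside the password.
     */
    static Credentials parseBasic(String header) {
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // malformed Base64 is handled like a missing header, not as a stack trace
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new Credentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    /** The 401 plus WWW-Authenticate header that makes the browser show its login dialog. */
    static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Credentials c = parseBasic(req.getHeader("Authorization"));
        if (c == null || !DmsApi.authenticate(c.user, c.password)) {
            challenge(resp);                                   // (a) not authenticated
            return;
        }
        // With a /packages/* mapping, getPathInfo() is "/<package-id>".
        String path = req.getPathInfo();
        String packageId = (path == null || path.length() < 2) ? "" : path.substring(1);
        if (!DmsApi.isOwner(c.user, packageId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);  // (b) authenticated, but not the owner
            return;
        }
        resp.setContentType("application/octet-stream");
        DmsApi.writePackage(packageId, resp.getOutputStream());
    }

    /** Offline check of the header parser on constructed inputs (no Tomcat needed). */
    public static void main(String[] args) {
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cret".getBytes(StandardCharsets.UTF_8));
        Credentials c = parseBasic(good);
        System.out.println("user=" + c.user + " password=" + c.password); // colon in password survives
        System.out.println("wrong scheme rejected: " + (parseBasic("Bearer abc") == null));
        System.out.println("bad base64 rejected:   " + (parseBasic("Basic %%%not-base64") == null));
        System.out.println("missing header rejected: " + (parseBasic(null) == null));
    }
}

/** Hypothetical facade over the poster's DMS Java API, backed by constructed sample data. */
final class DmsApi {
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, String> OWNERS = new HashMap<>(); // package-id -> owner
    static {
        PASSWORDS.put("alice", "s3:cret");
        OWNERS.put("42", "alice");
    }
    static boolean authenticate(String user, String password) {
        String expected = PASSWORDS.get(user);
        return expected != null && expected.equals(password);
    }
    static boolean isOwner(String user, String packageId) {
        return user.equals(OWNERS.get(packageId));
    }
    static void writePackage(String packageId, OutputStream out) throws IOException {
        out.write(("contents of package " + packageId + "\n").getBytes(StandardCharsets.UTF_8));
    }
}
```

The 401 goes out whenever credentials are missing or rejected and a 403 when the user is valid but does not own the package, so checks (a) and (b) stay distinguishable in the access log. Basic only Base64-encodes the password, so the servlet should be reachable over HTTPS only; and since the container never sees the login, every request costs a call into the DMS API unless the servlet caches the verified user in the session.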


