Posted to users@tomcat.apache.org by dfobox <df...@gmail.com> on 2009/05/29 20:20:46 UTC

Php, tomcat, mappings and authentication.

I'm new to this forum and already a fan of it :)
Here's the story:
I have a website hosted on a remote server with private JVM. It consists of
two parts - client and admin (which is actually CMS). There is NGASI
installed. I enabled wildcard mapping so all requests to the web server are
forwarded to tomcat. 
Client part of website is located in
appserver/apache-tomcat-6x/webapps/ROOT. There is web.xml file in
ROOT/WEB-INF folders, in which I set <security-constraint> for admin part.
Admin part itself is in ROOT/admin directory.
I should say that I didn't write the application, but my work requires me to
change it sometimes. Now I need to add mailing and registration forms. I'm
thinking of using php for that. 
Can I make php work under Tomcat? Can I make apache render php pages, while
Tomcat renders jsp?
Is it easier to implement mailing and registration on php instead of jsp, as
it seems to me?
Another question - authentication for admin part. I'm using basic
authentication provided by tomcat, with username and password stored in
tomcat-users.xml file in apache-tomcat-6x/conf directory. Does it have any
security issues? 
Any comments and suggestions would be greatly appreciated.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Php, tomcat, mappings and authentication.

Posted by Rainer Jung <ra...@kippdata.de>.
On 29.05.2009 23:01, André Warnier wrote:
>> Or you can use a popular filter with more options:
>> http://securityfilter.sourceforge.net/
>>
> Or, if you decide to do the PHP part and do it under Apache httpd, then
> you could do all the authentication at the Apache httpd level, and pass
> the authenticated user-id to Tomcat (at least when using the mod_jk
> connector).

This works whenever AJP is used as the protocol between the web server
and Tomcat, so even with mod_proxy_ajp. You do, though, need to set
tomcatAuthentication to false on the AJP connector for Tomcat to blindly
trust any user information it gets on the AJP connector.

Regards,

Rainer
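
The connector setting described in the reply above, as an added example that is not part of the original thread. The port, the loopback address and the httpd lines quoted in the last comment are assumptions for illustration.

```xml
<!-- conf/server.xml (Tomcat 6) -->

<!-- Default: Tomcat authenticates requests itself against its Realm,
     and a user name sent over AJP is not used. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- httpd authenticates; Tomcat accepts the user name forwarded over AJP
     (the webapp sees it through request.getRemoteUser()).
     Because that name is trusted without any check, the connector listens
     on loopback only (assumption: httpd runs on the same host), so nothing
     but the local web server can reach the AJP port. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           tomcatAuthentication="false" />

<!-- Matching httpd side with mod_proxy_ajp (assumed paths; kept as a
     comment because it is httpd syntax, not XML):
       <Location /admin>
         AuthType Basic
         AuthName "Admin"
         AuthUserFile /path/to/htpasswd
         Require valid-user
       </Location>
       ProxyPass / ajp://127.0.0.1:8009/
-->
```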




Re: Php, tomcat, mappings and authentication.

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: dfobox [mailto:dfobox@gmail.com]
>> Subject: Php, tomcat, mappings and authentication.
>>
>> Can I make php work under Tomcat?
> 
> It can be done, but it's less painful to do with httpd.
> 
>> Can I make apache render php pages, while Tomcat renders jsp?
> 
> That's probably better.
> 
>> Is it easier to implement mailing and registration on php 
>> instead of jsp, as it seems to me?
> 
> That may well be only because you're more familiar with PHP.  Personally, I would keep everything on Tomcat, in Java (admittedly, I am less familiar with PHP, plus it can become a maze of twisty little passages rather quickly).
> 
>> I'm using basic authentication provided by tomcat, with 
>> username and password stored in tomcat-users.xml file in
>> apache-tomcat-6x/conf directory.
> 
> Definitely wouldn't recommend such a mechanism for production use - not terribly robust, and subject to hacking if anyone has read access to the conf directory.  Tomcat provides several alternative built-in realms:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> 
> Or you can use a popular filter with more options:
> http://securityfilter.sourceforge.net/
> 
Or, if you decide to do the PHP part and do it under Apache httpd, then 
you could do all the authentication at the Apache httpd level, and pass 
the authenticated user-id to Tomcat (at least when using the mod_jk 
connector).



RE: Php, tomcat, mappings and authentication.

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: dfobox [mailto:dfobox@gmail.com]
> Subject: Php, tomcat, mappings and authentication.
> 
> Can I make php work under Tomcat?

It can be done, but it's less painful to do with httpd.

> Can I make apache render php pages, while Tomcat renders jsp?

That's probably better.

> Is it easier to implement mailing and registration on php 
> instead of jsp, as it seems to me?

That may well be only because you're more familiar with PHP.  Personally, I would keep everything on Tomcat, in Java (admittedly, I am less familiar with PHP, plus it can become a maze of twisty little passages rather quickly).

> I'm using basic authentication provided by tomcat, with 
> username and password stored in tomcat-users.xml file in
> apache-tomcat-6x/conf directory.

Definitely wouldn't recommend such a mechanism for production use - not terribly robust, and subject to hacking if anyone has read access to the conf directory.  Tomcat provides several alternative built-in realms:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

Or you can use a popular filter with more options:
http://securityfilter.sourceforge.net/

 - Chuck
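
One of the built-in realms from the linked how-to, set up so that stored credentials are digests rather than clear text. This is an added example, not part of the original thread; the JNDI name and the table and column names are assumptions, and the DataSource is assumed to be defined under GlobalNamingResources.

```xml
<!-- conf/server.xml (Tomcat 6), inside <Engine> -->

<!-- Stock setup: users, clear-text passwords and roles are read from
     conf/tomcat-users.xml. -->
<!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" />
-->

<!-- Alternative: look users up in a database through a JNDI DataSource.
     With digest set, the user_pass column holds the hex SHA digest of
     each password, and Tomcat digests the submitted password before
     comparing. Tomcat 6 applies the digest without a salt. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authority"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA" />
```

The `<security-constraint>` and `<login-config>` entries in web.xml stay as they are; only the place Tomcat looks up users and roles changes.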



