Posted to users@tomcat.apache.org by Daniel Curran <da...@dotech.com> on 2007/05/09 22:51:04 UTC
SingleSignOn Valve Not Challenging
I am attempting to get the SingleSignOn valve to challenge requests to
my web application.
I have a basic LDAP setup and would like the validation to be routed to
the LDAP.
The engine portion of server.xml is as follows:
<Engine name="Catalina" defaultHost="localhost">
  <!--<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>-->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="99"
         connectionName="dc=site,dc=com"
         userPattern="uid={0},ou=People,dc=site,dc=com"
         connectionURL="ldap://ldap:389"/>
  <Host name="localhost"
        appBase="webapps"
        unpackWARs="true"
        autoDeploy="true"
        xmlValidation="false"
        xmlNamespaceAware="false">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  </Host>
</Engine>
I then have the following in my web.xml file :
<web-app>
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Single Sign-on Example</realm-name>
  </login-config>
...
However when I access my webapp via the browser
http://127.0.0.1:8080/site/ I am given access to the site without being
challenged.
What might I be doing wrong?
Thanks,
Dan
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SingleSignOn Valve Not Challenging
Posted by David Delbecq <de...@oma.be>.
Or, like us, use an old "bugged" Tomcat version that allowed, on the * role,
"all authenticated users" instead of "all users having a role enumerated
in web.xml". Those old Tomcat versions break the servlet spec but are handy
if you are not too particular about specifications :)
Or use your own realm that adds a fake 'authenticated' role to any user
it authenticates.
Or just give a bit of work to your lazy LDAP admin. :D
Re: SingleSignOn Valve Not Challenging
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Daniel,
Daniel Curran wrote:
> Is there a way to authenticate the user without requiring a specific role?
As has been previously stated, the <role-name>*</role-name> in your
<auth-constraint> deployment descriptor will work; you just have to make
sure that you have defined all possible roles in the deployment
descriptor using <security-role> elements.
Otherwise, Tomcat has no idea which ones should be okay. The '*' is just
an alias for "any role defined in the deployment descriptor". I don't
think you can accept any arbitrary role. It has to be pre-defined
(though it does not matter which one it matches). I think that means
that you can't administer this particular part of your application
through LDAP exclusively. :(
-chris
RE: SingleSignOn Valve Not Challenging
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Daniel Curran [mailto:daniel.curran@dotech.com]
> Subject: Re: SingleSignOn Valve Not Challenging
>
> The role has to be in LDAP as well as enumerated in a
> security-role list?
Yes. The source of the role associated with the principal is completely
independent of the authorization checks.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.
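The realm side of Chuck's answer, as an added example and not the original poster's server.xml: a JNDIRealm that authenticates by binding as the user and then looks the user's roles up from group entries, so that the role name checked against web.xml's <security-role> list really does come from LDAP. The ou=Groups subtree, the groupOfNames entry, the group cn=site-users, the user uid=dan and the read-only service account DN are all assumptions made for the example.

```xml
<Engine name="Catalina" defaultHost="localhost">
  <!-- Constructed example, not the original poster's configuration.
       Authentication: Tomcat builds the DN from userPattern and binds as
       that user with the password from the BASIC challenge.
       Authorization input: after a successful bind it searches roleBase for
       entries matching roleSearch, where {0} is the user's full DN and {1}
       the bare username, and returns the roleName attribute of each hit
       as a role. Those role names are what the security-role entries in
       web.xml are compared against. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap:389"
         connectionName="cn=tomcat-ro,ou=Services,dc=site,dc=com"
         connectionPassword="CHANGE-ME"
         userPattern="uid={0},ou=People,dc=site,dc=com"
         roleBase="ou=Groups,dc=site,dc=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="false"/>
  <!-- The group search runs on the connectionName bind, not on the user's
       bind, so that account needs read access to ou=Groups; drop
       connectionName and connectionPassword only if the directory allows
       anonymous search there. The matching directory entry (constructed,
       shown as LDIF):
         dn: cn=site-users,ou=Groups,dc=site,dc=com
         objectClass: groupOfNames
         cn: site-users
         member: uid=dan,ou=People,dc=site,dc=com
       gives user "dan" the role "site-users", which web.xml must declare as
       <security-role><role-name>site-users</role-name></security-role>
       before "*" in an auth-constraint will match it. -->
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Valve className="org.apache.catalina.authenticator.SingleSignOn"/>
  </Host>
</Engine>
```

Check the directory before blaming Tomcat: an ldapsearch with base ou=Groups,dc=site,dc=com and filter (member=uid=dan,ou=People,dc=site,dc=com), bound as the service account, must return the group; if it does not, Tomcat will authenticate the user and then return 403 exactly as described in this thread. Raising the org.apache.catalina.realm logger to debug in Tomcat's logging configuration shows the roles JNDIRealm actually resolved. Two caveats for anything beyond a lab: ldap:// carries the bind password in clear, so use ldaps:// (or StartTLS) to the directory, and BASIC replays the user's password on every request, so the HTTP side needs TLS as well.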
Re: SingleSignOn Valve Not Challenging
Posted by Daniel Curran <da...@dotech.com>.
When you mention valid roles: the role has to be in LDAP as well as enumerated in a security-role list?
I am not sure how the connection should be working here. Is there
a way to authenticate the user without requiring a specific role?
Thanks,
Dan
RE: SingleSignOn Valve Not Challenging
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Daniel Curran [mailto:daniel.curran@dotech.com]
> Subject: Re: SingleSignOn Valve Not Challenging
>
> I have added an auth constraint
>
> <auth-constraint>
> <role-name>*</role-name>
> </auth-constraint>
To quote from the servlet spec:
'The special role name "*" is a shorthand for all role names defined in
the deployment descriptor.'
You still need to enumerate the valid roles with <security-role>
elements.
- Chuck
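A complete web.xml showing Chuck's point end to end, added here as an example and not taken from the original post or from Tomcat's own sample applications. It keeps the poster's constraint and login-config, adds the auth-constraint, and declares the one security-role that "*" expands to; the role name site-users is an assumption and has to be the exact name the realm returns for the user, otherwise the result is the 403 seen later in the thread.

```xml
<!-- Constructed example (Servlet 2.4 descriptor, matching a Tomcat 5.x setup). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Weak form, the original post's descriptor, kept commented out for
       comparison: a constraint with a web-resource-collection but no
       auth-constraint. The spec treats a missing auth-constraint as
       "no restriction", so Tomcat never sends a 401 and the LDAP realm is
       never consulted. The SingleSignOn valve only shares an existing
       authentication between webapps; it does not create one.
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  -->

  <!-- Corrected form. -->
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" is shorthand for every role-name declared in a security-role
           element of this descriptor, nothing else. With no security-role
           elements it is an empty set: login succeeds, then every request
           gets 403. Note also that an empty <auth-constraint/> denies all. -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Single Sign-on Example</realm-name>
  </login-config>

  <!-- Assumed role name. The realm (here the JNDIRealm in server.xml) must
       return exactly this string among the user's roles; Tomcat does not
       learn roles from the descriptor, it only learns which ones to check. -->
  <security-role>
    <role-name>site-users</role-name>
  </security-role>
</web-app>
```

Expected behaviour with the corrected descriptor: an anonymous request gets 401 with a WWW-Authenticate challenge; a wrong password gets 401 again; a correct password for a user the realm does not place in site-users gets 403; a member of site-users gets the page. The original poster's actual wish, "any authenticated user, role irrelevant", has no spelling in Servlet 2.4/2.5; Servlet 3.1 (Tomcat 8 and later) added the special role name "**" for exactly that case.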
Re: SingleSignOn Valve Not Challenging
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
You're expecting the * (wildcard) to apply to stuff in your realm; it
doesn't.
I believe you have to define the roles in (security-role) web.xml, and
your * applies to the roles defined by security-role.
Filip
Re: SingleSignOn Valve Not Challenging
Posted by Daniel Curran <da...@dotech.com>.
I have added an auth constraint
<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>
I am now challenged but when I login I get an error: HTTP Status 403 -
Access to the requested resource has been denied
When I look at the LDAP logs I see that I am successfully returning 1
entry, and if I provide invalid credentials I continue to be challenged.
I think this would be an issue with tomcat's security setup, but I am
not sure where to look or how to debug this as no logs are being
generated that would show me what/where the error might be.
Thanks,
Dan
RE: SingleSignOn Valve Not Challenging
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Daniel Curran [mailto:daniel.curran@dotech.com]
> Subject: SingleSignOn Valve Not Challenging
>
> <security-constraint>
> <display-name>Example Security Constraint</display-name>
> <web-resource-collection>
> <web-resource-name>Protected Area</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> </security-constraint>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>Single Sign-on Example</realm-name>
> </login-config>
You're missing <auth-constraint> within <security-constraint> and
<security-role> within <web-app>.
- Chuck