Posted to users@tomcat.apache.org by John Caron <ca...@unidata.ucar.edu> on 2006/06/28 03:01:36 UTC

Programmatic Security

I need to implement fine-grained security access, so it looks to me like "Programmatic Security" (Servlet spec 12.3) is called for. I want to receive the request in my servlet, then decide what access rights are needed for it.

In this case, if I understand correctly, the "user must already be authenticated" means that they have tried to access a Tomcat-protected page (eg a login page), have been successfully authenticated by Tomcat, and further requests are returning the JSESSION cookie that was assigned during authentication.

Is that right? Is there some other way the req.getRemoteUser() could return non-null?

Is there some way that I can programmatically trigger Tomcat to initiate the authentication process?

Thanks for any help...


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Programmatic Security

Posted by John Caron <ca...@unidata.ucar.edu>.

Pid wrote:
> It really depends on what you're trying to achieve, maybe you could
> elaborate?
> 
> Do you need to restrict access to filesystem resources, servlets, jsps,
> images, DB content, or something else?

Ok, I am creating a data server that is controlled by an XML configuration "catalog" of dataset objects. The dataset can refer to physical files on disk, or to virtual data that is created dynamically. It can be complicated, and large (tens of thousands of datasets) and I need to make it as easy as possible to configure. 

I need to allow the administrator to specify access constraints on a per-dataset basis. This more or less rules out having Tomcat controlling access through the URL pattern. So I think I need "Programmatic Security". 

When a request comes in, I can quickly determine what access constraint (if any) is needed. I was planning on using the standard Tomcat security roles and user administration stuff. 

This is a data server, primarily talking to other programs (not humans using a browser). I am also helping to develop the client software that will access the data, so I am trying to understand all the possible ways to make this work.

I assume I need to get a session established, so that the authorization need only be done once. It would also be nice if I receive an unauthorized request, that I could pass it to Tomcat's 401 challenge and authentication mechanism. However, I'm already down in my servlet code, past the point where Tomcat would handle the challenge and authentication, and I don't see any way to pass it back to Tomcat.

thanks for any thoughts on this....


> Martin Gainty wrote:
> 
>>Good Evening All-
>>
>>The best way is to put up a Jsp / servlet which itself has the
>>username/password information to let you behind the firewall
>>There are a ton of https and firewalls you can install and configure to
>>your heart's content
>>But none would be more secure and safe than controlling authentication
>>(a simple username/password) via the servlet
>>Remember to tell .htaccess to disallow execute write and pretty much
>>read permissions on everything except for your username/password screen
> 
> 
> I'm not sure introducing firewalls is of any help inside a servlet.
> Nor really, is .htaccess given that he hasn't specified that he's using
> Apache.

Yes, this is a standalone Tomcat server.


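The per-dataset decision John describes (look up the constraint for the requested dataset, then consult req.getRemoteUser() and req.isUserInRole()) as an added Java servlet filter; this is example code written for this thread, not part of any poster's server. It assumes the filter and the data servlet are both mapped to /data/*, and the catalog, role names and realm name are constructed placeholders. Note that Tomcat only validates the credentials a client sends back in reply to the 401 if the URL is covered by a security-constraint in web.xml, so the usual arrangement is a constraint over the data URLs that any authenticated role satisfies, leaving the fine-grained decision to code like this.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Per-dataset authorization done in servlet code, in front of the data servlet. */
public class DatasetAccessFilter implements Filter {
    // Constructed sample catalog: dataset path -> role needed to read it
    // ("" means public). A real server would build this from its XML catalog.
    private final Map<String, String> requiredRole = new HashMap<String, String>();

    public void init(FilterConfig cfg) {
        requiredRole.put("/data/public/temperature.nc", "");
        requiredRole.put("/data/restricted/radar.nc", "radar-users");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Decoded, normalized dataset path (servlet path plus path info),
        // so ";jsessionid=..." path parameters and %-escapes cannot confuse the lookup.
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());
        String role = requiredRole.get(path);

        if (role == null) {
            // Not in the catalog: fail closed rather than serve an unknown file.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        } else if (role.length() == 0) {
            chain.doFilter(request, response);           // public dataset
        } else if (req.getRemoteUser() == null) {
            // Tomcat did not authenticate this request and the filter cannot hand
            // it back to the container, so issue the 401 challenge here. The realm
            // name is a constructed placeholder.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"dataserver\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else if (!req.isUserInRole(role)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated, wrong role
        } else {
            chain.doFilter(request, response);           // authorized
        }
    }

    public void destroy() { }
}
```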


Re: Programmatic Security

Posted by Pid <p...@pidster.com>.
It really depends on what you're trying to achieve, maybe you could
elaborate?

Do you need to restrict access to filesystem resources, servlets, jsps,
images, DB content, or something else?



Martin Gainty wrote:
> Good Evening All-
> 
> The best way is to put up a Jsp / servlet which itself has the
> username/password information to let you behind the firewall
> There are a ton of https and firewalls you can install and configure to
> your heart's content
> But none would be more secure and safe than controlling authentication
> (a simple username/password) via the servlet
> Remember to tell .htaccess to disallow execute write and pretty much
> read permissions on everything except for your username/password screen

I'm not sure introducing firewalls is of any help inside a servlet.
Nor really, is .htaccess given that he hasn't specified that he's using
Apache.




Re: Programmatic Security

Posted by Martin Gainty <mg...@hotmail.com>.
Good Evening All-

The best way is to put up a Jsp / servlet which itself has the 
username/password information to let you behind the firewall
There are a ton of https and firewalls you can install and configure to your 
heart's content
But none would be more secure and safe than controlling authentication (a 
simple username/password) via the servlet
Remember to tell .htaccess to disallow execute write and pretty much read 
permissions on everything except for your username/password screen

Martin --

This email message and any files transmitted with it contain confidential
information intended only for the person(s) to whom this email message is
addressed.  If you have received this email message in error, please notify
the sender immediately by telephone or email and destroy the original
message without making a copy.  Thank you.

----- Original Message ----- 
From: "John Caron" <ca...@unidata.ucar.edu>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Tuesday, June 27, 2006 9:01 PM
Subject: Programmatic Security
