Posted to users@tomcat.apache.org by attr <at...@o2.pl> on 2013/09/25 14:49:48 UTC
Keeping user roles in different realm than users
Is it possible to authenticate a user against one realm (i.e.: LDAP) but authorize (obtain roles the user belongs to) against another realm (i.e. database)?
Any other solutions than writing an error-prone homegrown one that will allow to keep users in one realm, user roles in the other realm and still be able to use container-managed authentication with authorization? Best regards. Kamil
Re: Keeping user roles in different realm than users
Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 9/25/2013 7:49 AM, attr wrote:
> Is it possible to authenticate a user against one realm (i.e.: LDAP) but authorize (obtain roles the user belongs to) against another realm (i.e. database)?
> Any other solutions than writing an error-prone homegrown one that will allow to keep users in one realm, user roles in the other realm and still be able to use container-managed authentication with authorization? Best regards. Kamil
Error-prone homegrown? Who's writing your software?
-Terence Bandoian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Keeping user roles in different realm than users
Posted by André Warnier <aw...@ice-sa.com>.
attr wrote:
> Is it possible to authenticate a user against one realm (i.e.: LDAP) but authorize (obtain roles the user belongs to) against another realm (i.e. database)?
> Any other solutions than writing an error-prone homegrown one that will allow to keep users in one realm, user roles in the other realm and still be able to use container-managed authentication with authorization? Best regards. Kamil
No idea about your real question.
But a note/warning: if you manage to do this, it means that in the future you will always have to synchronise your LDAP directory with your database "roles" table, in terms of which user-ids are valid (new users, users leaving etc.). That is not necessarily trivial in practical cases.
Re: Keeping user roles in different realm than users
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,
On 9/25/13 4:52 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Subject: Re: Keeping user roles in different realm than users
>
>>> Any other solutions than writing an error-prone homegrown one
>>> that will allow to keep users in one realm, user roles in the
>>> other realm and still be able to use container-managed
>>> authentication with authorization.
>
>> Tomcat does not ship with anything like this out of the box.
>
> There is the CombinedRealm, which might make the implementation
> somewhat easier. The OP would still need a second Realm
> implementation for the roles, but that could be another LDAP one.
I'm not sure that would work, but I can't say that I have tried it. I've only briefly looked at the CombinedRealm implementation, but it does not appear to handle roles at all. I think the roles are wrapped up in the Principal, which would come from the authentication step. That means that successful authentication against the LDAP realm would mean that authorization would likely be checked only against that realm.
- -chris
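The point above (the roles travel inside the GenericPrincipal that the authenticating Realm returns, so CombinedRealm alone cannot take roles from a second Realm) can be worked around by re-wrapping that Principal. The following is an added example written for this thread; it is not code from the thread, from Tomcat, or from the original poster. It extends CombinedRealm so that the nested LDAP Realm from server.xml does the password check, then replaces the roles with rows read from a database before handing the Principal back to the container. The package and class names, the dataSourceName/roleQuery attributes, the user_roles table and the jdbc/RolesDB resource are all assumptions. It is written against the Tomcat 7/8 Realm API that the thread discusses (GenericPrincipal's constructor and other signatures changed in later versions), and requires Java 7 or later.

```java
// Added example, not Tomcat's own code. Assumed server.xml wiring, inside a <Context>
// that also declares a <Resource name="jdbc/RolesDB" type="javax.sql.DataSource" .../>:
//
//   <Realm className="example.realm.LdapUsersDbRolesRealm" dataSourceName="jdbc/RolesDB">
//     <Realm className="org.apache.catalina.realm.JNDIRealm" ... />   <!-- authenticates -->
//   </Realm>
//
// The nested <Realm> is delivered through CombinedRealm.addRealm() by Tomcat's digester.
package example.realm;   // hypothetical package

import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import org.apache.catalina.realm.CombinedRealm;
import org.apache.catalina.realm.GenericPrincipal;

public class LdapUsersDbRolesRealm extends CombinedRealm {

    // Configurable from server.xml attributes; both values are assumptions.
    private String dataSourceName = "jdbc/RolesDB";
    private String roleQuery = "SELECT role_name FROM user_roles WHERE user_name = ?";

    public void setDataSourceName(String dataSourceName) { this.dataSourceName = dataSourceName; }
    public void setRoleQuery(String roleQuery) { this.roleQuery = roleQuery; }

    /**
     * BASIC/FORM path. The nested Realm(s) verify the password; only the
     * resulting Principal's roles are replaced. The DIGEST and CLIENT-CERT
     * authenticate() overloads are deliberately not wrapped here, so a deployment
     * using this class must restrict <auth-method> to BASIC or FORM.
     */
    @Override
    public Principal authenticate(String username, String credentials) {
        Principal authenticated = super.authenticate(username, credentials);
        if (authenticated == null) {
            return null;                        // LDAP rejected the user: nothing more to do
        }
        List<String> roles;
        try {
            roles = loadRoles(authenticated.getName());
        } catch (SQLException | NamingException e) {
            // Fail closed: an outage of the role store must not let the user through
            // with whatever roles the LDAP realm happened to attach.
            containerLog.error("Role lookup failed for user " + username, e);
            return null;
        }
        // Roles live inside the GenericPrincipal, and RealmBase.hasRole() consults
        // GenericPrincipal.hasRole(), so a new Principal carrying the database roles
        // is what makes container-managed authorization see them. The password is
        // not stored in the new Principal.
        return new GenericPrincipal(authenticated.getName(), null, roles);
    }

    /** Reads the role names for one user; an empty list means authenticated but authorized for nothing. */
    private List<String> loadRoles(String userName) throws SQLException, NamingException {
        DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/" + dataSourceName);
        List<String> roles = new ArrayList<>();
        try (Connection conn = ds.getConnection();
             PreparedStatement ps = conn.prepareStatement(roleQuery)) {
            ps.setString(1, userName);          // bound parameter, never string-concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    roles.add(rs.getString(1));
                }
            }
        }
        return roles;
    }
}
```

Two consequences are worth checking before relying on this: a user deleted from the database but still present in LDAP logs in with no roles rather than being refused, and a user deleted from LDAP is refused regardless of what the roles table says. That is the synchronisation burden described earlier in the thread, and the role query should be reviewed against the actual schema and the DataSource's JNDI name for the deployment in question.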
RE: Keeping user roles in different realm than users
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Keeping user roles in different realm than users
> > Any other solutions than writing an error-prone homegrown one that
> > will allow to keep users in one realm, user roles in the other
> > realm and still be able to use container-managed authentication
> > with authorization.
> Tomcat does not ship with anything like this out of the box.
There is the CombinedRealm, which might make the implementation somewhat easier. The OP would still need a second Realm implementation for the roles, but that could be another LDAP one.
- Chuck
Re: Keeping user roles in different realm than users
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Kamil,
On 9/25/13 8:49 AM, attr wrote:
> Is it possible to authenticate a user against one realm (i.e.:
> LDAP) but authorize (obtain roles the user belongs to) against
> another realm (i.e. database)?
I'm interested in the use case, here: why would you /want/ to do this separately?
> Any other solutions than writing an error-prone homegrown one that
> will allow to keep users in one realm, user roles in the other
> realm and still be able to use container-managed authentication
> with authorization.
Tomcat does not ship with anything like this out of the box.
- -chris