Posted to users@tomcat.apache.org by Jan Vávra <va...@602.cz> on 2012/02/02 12:26:05 UTC

Two auth methods for one application

Hello,
  I have implemented my own realm. I extended RealmBase and overrode the methods
(1) public Principal authenticate(X509Certificate[] certs),
(2) public Principal authenticate(String username, String credentials).

I have Tomcat 6 running behind Apache Server over AJP. In 
situation (1) the client connects to HOST1, and Apache Server challenges for a 
client certificate. In situation (2) the client connects to HOST2. Both 
HOST1 and HOST2 are configured to reverse proxy to /myapp on Tomcat.
I am not able to configure Tomcat to call both methods. In myapp's 
web.xml I have
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>SecustampRealm</realm-name>
</login-config>
and Tomcat calls function (1). When I replace CLIENT-CERT with BASIC, 
Tomcat calls function (2).
Is it possible to configure Tomcat to call both variants of the functions? 
I'd like to write something like <auth-method>CLIENT-CERT or 
BASIC</auth-method>.

Jan.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Two auth methods for one application

Posted by Remon Sadikni <re...@zmaw.de>.
Hi Jan,

> The servlet spec doesn't support anything like this. I think what
> you'll have to do is write your own Authenticator. You can configure
> your own Authenticator by registering a <Valve> that is an
> Authenticator in your webapp's <Context>. Just write your own code and
> register it using<Valve>.
>

I don't know if this helps: I recently had a similar problem and I 
solved it (also thanks to the support of this mailing list) in Tomcat 6 
(also with Apache and AJP) this way:

I wanted two different auth mechanisms for two classes of users: one 
inside our network, the other outside. The outside users have to 
log in via Basic Auth; the others do not (because of their IP address).

I extended RequestFilterValve and overrode the method process. If the 
IP address is one of the allowed ones, a UserPrincipal with general 
access is created, which logs the user in automatically. If not, the user 
has to authenticate with username and password.

package org.apache.catalina.valves;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;

// Lives in Tomcat's own valves package so that the className used in the
// context file below resolves.
public class RemoteAddrOrAuthValve extends RequestFilterValve {

    // RequestFilterValve leaves invoke() abstract: filter on the client IP
    // (the address httpd saw, as forwarded over AJP).
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        process(request.getRemoteAddr(), request, response);
    }

    protected void process(String property,
                           Request request, Response response)
            throws IOException, ServletException {

        // Check the allow patterns, if any
        for (int i = 0; i < allows.length; i++) {
            if (allows[i].matcher(property).matches()) {
                // create a principal for an existing fake user
                final List<String> roles = new ArrayList<String>();
                roles.add("USER_ROLE");
                final Principal principal =
                        new GenericPrincipal(null, "USER", "PASS", roles);
                // set it in this request; BasicAuthenticator sees the
                // principal and skips its challenge
                request.setUserPrincipal(principal);
                break;
            }
        }
        // pass this request to the next valve (basic auth)
        getNext().invoke(request, response);
    }
}

You have to use the new Valve in your context file and switch on Basic 
Auth in WEB-INF/web.xml of your webapp.

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/YOUR_WEBAPP">
   <Valve className="org.apache.catalina.valves.RemoteAddrOrAuthValve" 
allow="YOUR_IP_MASK"/>
</Context>

<security-constraint>
     <web-resource-collection>
       <web-resource-name>restrict by URL</web-resource-name>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>USER_ROLE</role-name>
     </auth-constraint>
     <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
</security-constraint>

Best Regards,
Remon



Re: Two auth methods for one application

Posted by Pid <pi...@pidster.com>.
On 02/02/2012 15:34, Christopher Schultz wrote:
> Pid,
> 
> On 2/2/12 10:28 AM, Pid wrote:
>> On 02/02/2012 15:00, Christopher Schultz wrote:
>>> Tomcat has a "CombinedRealm" which allows authentication against
>>> one of several sub-realms (like LDAP /or/ JDBC), but does not
>>> have a CombinedAuthenticator, which might be a useful addition.
>>> If you come up with something that works, consider donating it to
>>> the project.
> 
>> Jan, are you trying to achieve something like:
> 
>> http://wiki.apache.org/tomcat/SSLWithFORMFallback
> 
> Good call. I didn't know that was in the Wiki.

Or even:

 http://wiki.apache.org/tomcat/SSLWithFORMFallback6

note the +6


p

> -chris

-- 

[key:62590808]


Re: Two auth methods for one application

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pid,

On 2/2/12 10:28 AM, Pid wrote:
> On 02/02/2012 15:00, Christopher Schultz wrote:
>> Tomcat has a "CombinedRealm" which allows authentication against
>> one of several sub-realms (like LDAP /or/ JDBC), but does not
>> have a CombinedAuthenticator, which might be a useful addition.
>> If you come up with something that works, consider donating it to
>> the project.
> 
> Jan, are you trying to achieve something like:
> 
> http://wiki.apache.org/tomcat/SSLWithFORMFallback

Good call. I didn't know that was in the Wiki.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8qrRsACgkQ9CaO5/Lv0PCoRACfWOllUHVUbsi0StznMuGkNdky
OL4An1LsfgpwFFW+77cahL8ooYoXWyYZ
=HOsX
-----END PGP SIGNATURE-----



Re: Two auth methods for one application

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan,

On 2/2/12 11:05 AM, Jan Vávra wrote:
> I'm trying to do SSL or Basic auth. This is slightly different: SSL
> or Form auth. How I'm thinking about that basic vs. form auth
> should be the only one difference. I'll explore this.

The code posted on the wiki is essentially what I proposed, except
that it's not configurable: the SSL + Form is hard-coded. It should be
trivial to change that from FormAuthenticator to BasicAuthenticator.

If this were configurable and a true CombinedAuthenticator, I think it
would be really useful to the Tomcat community and I would support its
addition to the core product.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8rAOYACgkQ9CaO5/Lv0PBmiQCgg5NXeG9iX3hZCcaTxiilFzN4
2E8AoLdVdQC1w5lCxey2bve5FfvTGRmf
=ajhe
-----END PGP SIGNATURE-----



Re: Two auth methods for one application

Posted by Jan Vávra <va...@602.cz>.
> On 02/02/2012 15:00, Christopher Schultz wrote:
>> Jan,
>>
>> On 2/2/12 6:26 AM, Jan Vávra wrote:
>>> Is it possible to configure tomcat to call both variants of
>>> functions? I'd like to write something like
>>> <auth-method>CLIENT-CERT or BASIC</auth-method>.
>> The servlet spec doesn't support anything like this. I think what
>> you'll have to do is write your own Authenticator. You can configure
>> your own Authenticator by registering a <Valve> that is an
>> Authenticator in your webapp's <Context>. Just write your own code and
>> register it using<Valve>.
>>
>> You can look at the documentation for, say, BasicAuthenticatorValve:
>> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Basic_Authenticator_Valve
>>
>> And you're going to want to extend AuthenticatorBase.
>>
>> Tomcat has a "CombinedRealm" which allows authentication against one
>> of several sub-realms (like LDAP /or/ JDBC), but does not have a
>> CombinedAuthenticator, which might be a useful addition. If you come
>> up with something that works, consider donating it to the project.
> Jan, are you trying to achieve something like:
>
>   http://wiki.apache.org/tomcat/SSLWithFORMFallback
>
> ?
>

I'm trying to do SSL or Basic auth. This is slightly different: SSL or 
Form auth.
As I think about it, Basic vs. Form auth should be the only 
difference.
I'll explore this.

Thanks.
Jan





Re: Two auth methods for one application

Posted by Pid <pi...@pidster.com>.
On 02/02/2012 15:00, Christopher Schultz wrote:
> Jan,
> 
> On 2/2/12 6:26 AM, Jan Vávra wrote:
>> Is it possible to configure tomcat to call both variants of
>> functions? I'd like to write something like
>> <auth-method>CLIENT-CERT or BASIC</auth-method>.
> 
> The servlet spec doesn't support anything like this. I think what
> you'll have to do is write your own Authenticator. You can configure
> your own Authenticator by registering a <Valve> that is an
> Authenticator in your webapp's <Context>. Just write your own code and
> register it using <Valve>.
> 
> You can look at the documentation for, say, BasicAuthenticatorValve:
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Basic_Authenticator_Valve
> 
> And you're going to want to extend AuthenticatorBase.
> 
> Tomcat has a "CombinedRealm" which allows authentication against one
> of several sub-realms (like LDAP /or/ JDBC), but does not have a
> CombinedAuthenticator, which might be a useful addition. If you come
> up with something that works, consider donating it to the project.

Jan, are you trying to achieve something like:

 http://wiki.apache.org/tomcat/SSLWithFORMFallback

?


p

> -chris



Re: Two auth methods for one application

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jan,

On 2/2/12 6:26 AM, Jan Vávra wrote:
> Is it possible to configure tomcat to call both variants of
> functions? I'd like to write something like
> <auth-method>CLIENT-CERT or BASIC</auth-method>.

The servlet spec doesn't support anything like this. I think what
you'll have to do is write your own Authenticator. You can configure
your own Authenticator by registering a <Valve> that is an
Authenticator in your webapp's <Context>. Just write your own code and
register it using <Valve>.

You can look at the documentation for, say, BasicAuthenticatorValve:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Basic_Authenticator_Valve

And you're going to want to extend AuthenticatorBase.

Tomcat has a "CombinedRealm" which allows authentication against one
of several sub-realms (like LDAP /or/ JDBC), but does not have a
CombinedAuthenticator, which might be a useful addition. If you come
up with something that works, consider donating it to the project.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8qpP4ACgkQ9CaO5/Lv0PA5sACghn/zNiYE2Ibcpb6VQNzduVtL
rl8An1pMRYD1k8NXHv+bPTIGZz4uFWcG
=bSq+
-----END PGP SIGNATURE-----

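The approach Chris describes above (an Authenticator of your own that extends AuthenticatorBase and is registered as a <Valve> in the <Context>), applied to Jan's CLIENT-CERT-or-BASIC case rather than the wiki's SSL-with-FORM-fallback, as an added example. This is not code from the thread, from the Tomcat wiki page or from Tomcat itself; the class and package names are made up, and it is written against the Tomcat 6 API (SSLAuthenticator and BasicAuthenticator expose authenticate(Request, Response, LoginConfig) there; Tomcat 7 and later changed that signature). The decision is made on whether a certificate chain arrived with the request, which is exactly Jan's HOST1/HOST2 split: on HOST1 httpd has already asked for the certificate during the TLS handshake, on HOST2 it has not, so no renegotiation is attempted.

```java
package example.auth; // hypothetical package, not from the thread

import java.io.IOException;
import java.security.cert.X509Certificate;

import org.apache.catalina.Container;
import org.apache.catalina.Globals;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;

/**
 * CLIENT-CERT with BASIC fallback (Tomcat 6).
 *
 * If the request carries a client certificate chain (set by the HTTPS
 * connector, or forwarded by httpd over AJP), the request is handed to
 * SSLAuthenticator, which ends up in Realm.authenticate(X509Certificate[]).
 * Otherwise it goes to BasicAuthenticator, which sends the
 * "WWW-Authenticate: Basic" challenge and ends up in
 * Realm.authenticate(String, String).
 */
public class ClientCertOrBasicAuthenticator extends AuthenticatorBase {

    private final SSLAuthenticator certAuth = new SSLAuthenticator();
    private final BasicAuthenticator basicAuth = new BasicAuthenticator();

    /** The delegates resolve the Realm from the Context, so hand it on. */
    @Override
    public void setContainer(Container container) {
        super.setContainer(container);
        certAuth.setContainer(container);
        basicAuth.setContainer(container);
    }

    @Override
    protected boolean authenticate(Request request, Response response,
                                   LoginConfig config) throws IOException {
        // Already authenticated on this request (preceding valve, SSO)?
        if (request.getUserPrincipal() != null) {
            return true;
        }

        // Globals.CERTIFICATES_ATTR == "javax.servlet.request.X509Certificate"
        X509Certificate[] certs = (X509Certificate[])
                request.getAttribute(Globals.CERTIFICATES_ATTR);

        if (certs != null && certs.length > 0) {
            // A certificate was presented: use it, and do NOT fall back to
            // BASIC if the Realm rejects it. SSLAuthenticator has already
            // written the 401 in that case; retrying with a password here
            // would give a client with a bad certificate a second way in.
            return certAuth.authenticate(request, response, config);
        }

        // No certificate: BASIC. config.getRealmName() (the <realm-name> from
        // web.xml) is what BasicAuthenticator puts into the challenge.
        return basicAuth.authenticate(request, response, config);
    }
}
```

Register it in the webapp's context file with <Valve className="example.auth.ClientCertOrBasicAuthenticator"/>. Keep the <login-config> in web.xml so that <realm-name> is available for the Basic challenge; the <auth-method> value no longer selects the authenticator, because Tomcat's ContextConfig does not add its default authenticator when the Context pipeline already contains a Valve that implements Authenticator. Two checks on the httpd side of Jan's setup matter more than the Java: the certificate only reaches Tomcat over AJP if mod_ssl exports it (SSLOptions +ExportCertData, which mod_jk and mod_proxy_ajp forward as the AJP ssl_cert attribute), and the chain is verified by httpd, not by Tomcat, since RealmBase only checks the certificate's validity period. HOST1 should therefore use SSLVerifyClient require (or optional), never optional_no_ca, or a client holding any self-signed certificate would arrive at Realm.authenticate(X509Certificate[]) with a chain nobody has checked.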