Posted to users@tomcat.apache.org by sodastream <pr...@yahoo.se> on 2011/08/09 21:52:37 UTC

Adding two-factor authentication to a Tomcat app??

Given: Commercial application running as a servlet on Tomcat. Tomcat
configuration (server.xml, web.xml) is open and may be modified. The app
handles its own authentication via a conventional username/password form on
a login page. I wanted to add a second factor to the authentication without
modifying the app (except for its Tomcat/servlet conf).

My idea was to tack on a custom Realm to Tomcat. It would be independent
from the application except I had to add a security constraint to its
web.xml. The Realm would authenticate the user using a password provided to
the user over a separate channel (SMS). After authentication the Realm would
be transparent and let the user interact with the application as usual --
all according to my theory.

After some hacking my custom Realm was in place. Following the logic in a
debugger I could see it worked as expected and reported successful
authentication back to the Tomcat machinery. To my disappointment my browser
still showed 403 Forbidden.

At this point I was stumped and realized I don't know enough about Tomcat.
Is my theory viable or flawed? Overlooked something? What's some better way
to add a second factor to authentication of an opaque application running on
Tomcat?

All kinds of ideas and pointers are appreciated, thanks a lot.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Adding two-factor authentication to a Tomcat app??

Posted by Christopher Schultz <ch...@christopherschultz.net>.

sodastream,

On 8/9/2011 3:52 PM, sodastream wrote:
> The app handles its own authentication via a conventional
> username/password form on a login page. I wanted to add a second
> factor to the authentication without modifying the app (except for
> its Tomcat/servlet conf).
> 
> My idea was to tack on a custom Realm to Tomcat.

So, Tomcat would perform this gateway authentication and then the user
has to login separately to your webapp?

> It would be independent from the application except I had to add a
> security constraint to its web.xml. The Realm would authenticate the
> user using a password provided to the user over a separate channel
> (SMS). After authentication the Realm would be transparent and let
> the user interact with the application as usual -- all according to
> my theory.

The only types of authentication that make sense, here, are BASIC/DIGEST
and FORM authentication. Which one were you thinking of using? Both
require username/password, but your SMS factor is only a single item
(password). Will the user know what to do if they get a BASIC/DIGEST
authentication challenge, or were you going to use a FORM authentication
and just not ask the user for, say, j_username and instead provide a
stock value ("SMS")?

> After some hacking my custom Realm was in place. Following the logic
> in a debugger I could see it worked as expected and reported
> successful authentication back to the Tomcat machinery. To my
> disappointment my browser still showed 403 Forbidden.

If you were tracing the code in a debugger, you should have been able to
see why the 403 occurred -- so what happened?

> At this point I was stumped and realized I don't know enough about
> Tomcat. Is my theory viable or flawed? Overlooked something? What's
> some better way to add a second factor to authentication of an opaque
> application running on Tomcat?

Since your webapp does its own authentication, it seems like you could
just layer a FORM authentication at the Tomcat level on top. Your custom
realm would just check the password against whatever list of random
passwords you gave out via SMS. Perhaps you could post some of your
configuration or code for us to see, and we could give you some feedback.

- -chris
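The layering Chris describes, as an added example that is not code from the thread or from Tomcat itself: a minimal custom Realm for Tomcat 7 that accepts a single-use code handed out over SMS and grants one role, so that the FORM security constraint on the opaque webapp is satisfied. The class name, package, role name and the in-memory code store are assumptions; the matching web.xml needs a FORM login-config and a security-constraint whose auth-constraint names the same role.

```java
// Assumed deployment: <Realm className="com.example.SmsOtpRealm"/> in the
// webapp's context.xml, and in web.xml a FORM <login-config> plus a
// <security-constraint> whose <auth-constraint> requires role "sms-verified".
package com.example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class SmsOtpRealm extends RealmBase {
    // Role granted to every user who presents a valid code. A successful
    // authenticate() followed by 403 Forbidden usually means the principal
    // carries no role matching the <auth-constraint>, so the realm assigns
    // one explicitly.
    private static final String ROLE = "sms-verified";
    private static final List<String> ROLES = Collections.singletonList(ROLE);

    // username -> currently valid one-time code. Hypothetical in-memory store;
    // whatever component sends the SMS would call issueCode() with the same value.
    private final ConcurrentMap<String, String> pendingCodes = new ConcurrentHashMap<>();

    public void issueCode(String username, String code) {
        pendingCodes.put(username, code);
    }

    // Called by the FORM authenticator with j_username / j_password.
    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        // remove() makes the code single-use: a replayed code fails.
        String expected = pendingCodes.remove(username);
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                credentials.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        return new GenericPrincipal(username, credentials, ROLES);
    }

    // Required by RealmBase in Tomcat 7; not used because authenticate() is overridden.
    @Override protected String getName() { return "SmsOtpRealm"; }
    @Override protected String getPassword(String username) { return null; }
    @Override protected Principal getPrincipal(String username) { return null; }
}
```

Once Tomcat's FORM login succeeds the request is passed through unchanged, so the application's own username/password page follows as the first factor.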



Re: Adding two-factor authentication to a Tomcat app??

Posted by Mark Eggers <it...@yahoo.com>.


A quick search turns up the following:

http://directory.apache.org/triplesec/index.html

https://cwiki.apache.org/DIRxTRIPLESEC/simple-demo-servlet-application.html


I've not explored it any further, so I cannot answer questions.

Take a look and see if that doesn't meet your needs.

. . . . just my two cents.
/mde/
