Posted to users@tomcat.apache.org by Danno Ferrin <sh...@earthlink.net> on 2000/11/16 00:24:50 UTC

Re: WWW-Auth

What you would want to do then is to use form based authentication and 
enable the JDBC realm.

--Danno
p.s. please continue discussion in the tomcat-user list.  The dev list 
is for patches, comments about the code, etc., and not use of tomcat 
itself.  tomcat-user@jakarta.apache.org is meant for the use of tomcat 
itself and for configuration questions such as this.

shahed wrote:

> I am using Tomcat 3.1 with Apache/Stronghold.
> I assumed that all the web.xml stuff would not work.
> Am I right ? or will it still work ?
> 
> Also, I want to auth against a database. In the book Professional JSP, 
> there is an example of using a security interceptor. But again,
> will that work if I am using Apache + Tomcat ?
> 
>> You need to set up the web-app to require authentication.  In the
>> web.xml in the WEB-APP directory you need to add a security-constraint
>> element and a login-config element.  There are examples in the examples
>> web-app.


Re: WWW-Authentication using Tomcat-form-based-login and Apache

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Marco van Meegen wrote:

> sounds like I've got exactly the same problem. I didn't follow the thread in
> the dev-mailinglist,
> so I'm sorry if I repeat problems already solved there...
>
> I'd like to set up exactly the same thing and found the same source in the
> Professional JSP-book.
> The questions for me are:
>
> 1) Tomcat 3.1 declares security-related features as alpha; anyone got an idea,
> if security in 3.2b7
>     might be suitable for production use already ?

Yes -- BASIC and FORM-BASED authentication should work well in 3.2b7.  For DIGEST
or CLIENT-CERT you will need Tomcat 4.0.

>
> 2) If I define a security-constraint in Tomcat, using Apache and Tomcat; will
> Apache know about this constraint ?

No.  The easiest way to understand what Apache knows about and what it doesn't is
that the part of Tomcat that creates "tomcat-apache.conf" does *not* read web.xml
-- it only reads server.xml.  Therefore, it does not know anything about security
constraints you've defined there.  You will need to configure them separately in
Apache.

This is something that is going to change in the Tomcat 4.0 web connectors -- they
are webapp-aware, so you won't need to worry about double configuring anything.

>
>    Or do I have to serve all files under security constraints using tomcat,
> even the static ones ?
>    If so, would there be any reason for using Apache at all ?
>

For Tomcat 3.x, if you are running behind Apache, the web server gets first crack
at security and imposes its own rules.  Because Apache is handling the static
resources, Tomcat never even finds out about those requests -- so you *must* use
Apache security if you want to protect the static resources.  Servlet security
only applies to the requests that are actually forwarded to Tomcat (i.e. JSP pages
and /servlet/* patterns).

For Tomcat 4.0, the servlet 2.3 spec requires that the "server" (in our case, that
means the Apache+Tomcat combination) must impose the security constraints in
web.xml for both dynamic and static resources.  This is one of the major reasons a
new connector is being written.

>
> Thanks for any clue in the darkness of authentication...
>
> Marco
>

Craig McClanahan
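The double configuration described in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Tomcat: it lists the URL prefixes a web.xml constrains that no Apache `<Location>` block with a `Require` directive covers. The context path `/app`, the paths, the role name and both config samples are constructed, and only path-prefix patterns and `<Location>` blocks are handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a servlet 2.2-style web.xml using FORM login.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>staff</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed sample: Apache protects only one of the two prefixes.
HTTPD_CONF = """<Location /app/admin>
  AuthType Basic
  Require valid-user
</Location>"""

def constrained_prefixes(web_xml, context_path):
    """URL prefixes (context path included) that web.xml constrains."""
    root = ET.fromstring(web_xml)
    pats = [p.text.strip() for p in root.findall(".//web-resource-collection/url-pattern")]
    # Assumption: only patterns starting with "/" (exact or "/dir/*") are handled.
    return [context_path + p.rstrip("*").rstrip("/") for p in pats if p.startswith("/")]

def apache_protected(conf):
    """<Location> paths whose block contains a Require directive."""
    blocks = re.findall(r"<Location\s+(\S+?)>(.*?)</Location>", conf, re.S | re.I)
    return [path.rstrip("/") for path, body in blocks
            if re.search(r"^\s*Require\s", body, re.M | re.I)]

def unprotected_in_apache(web_xml, conf, context_path):
    """Constrained prefixes that no Apache <Location> block covers."""
    covered = apache_protected(conf)
    return [u for u in constrained_prefixes(web_xml, context_path)
            if not any(u == c or u.startswith(c + "/") for c in covered)]

if __name__ == "__main__":
    print(unprotected_in_apache(WEB_XML, HTTPD_CONF, "/app"))
```

Static files under any prefix it reports are served by Apache without the authentication the web.xml asks for.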



Re: WWW-Authentication using Tomcat-form-based-login and Apache

Posted by Marco van Meegen <Ma...@t-online.de>.
sounds like I've got exactly the same problem. I didn't follow the thread in
the dev-mailinglist,
so I'm sorry if I repeat problems already solved there...

I'd like to set up exactly the same thing and found the same source in the
Professional JSP-book.
The questions for me are:

1) Tomcat 3.1 declares security-related features as alpha; anyone got an idea,
if security in 3.2b7
    might be suitable for production use already ?
2) If I define a security-constraint in Tomcat, using Apache and Tomcat; will
Apache know about this constraint ?
   Or do I have to serve all files under security constraints using tomcat,
even the static ones ?
   If so, would there be any reason for using Apache at all ?

Thanks for any clue in the darkness of authentication...

Marco



Danno Ferrin wrote:

> What you would want to do then is to use form based authentication and
> enable the JDBC realm.
>
> --Danno
> p.s. please continue discussion in the tomcat-user list.  The dev list
> is for patches, comments about the code, etc., and not use of tomcat
> itself.  tomcat-user@jakarta.apache.org is meant for the use of tomcat
> itself and for configuration questions such as this.
>
> shahed wrote:
>
> > I am using Tomcat 3.1 with Apache/Stronghold.
> > I assumed that all the web.xml stuff would not work.
> > Am I right ? or will it still work ?
> >
> > Also, I want to auth against a database. In the book Professional JSP,
> > there is an example of using a security interceptor. But again,
> > will that work if I am using Apache + Tomcat ?
> >
> >> You need to set up the web-app to require authentication.  In the
> >> web.xml in the WEB-APP directory you need to add a security-constraint
> >> element and a login-config element.  There are examples in the examples
> >> web-app.