Posted to users@tomcat.apache.org by Stéphanie Cettou <s....@gmail.com> on 2010/03/30 16:57:20 UTC

Tomcat login

 Hi,

 I use Tomcat 5.5.
 I have a JSP application.
 The login is implemented with a database.

<Realm  className="org.apache.catalina.realm.JDBCRealm" .....

 I need to increase the security. I want the user to have only 3
 retries for the login, the user must change the password every month, and I
 need a password policy (8 chars, upper and lower case, ...).

 How can I implement this?

 I am thinking of using Active Directory, but I can't manage users and passwords
 directly with Tomcat, or can I?

 Thanks,

 Stéphanie

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat login

Posted by Stéphanie Cettou <s....@gmail.com>.
Hi,

I found:
http://jeftek.com/222/using-java-code-with-active-directory/

I think I will use these examples to manage the users via Java.

Or I found the Spring Security framework, but I don't understand whether it
covers all of my issues or not...

Thank you very much for all the answers!

Stéphanie



2010/3/30 David kerber <dc...@verizon.net>:
> On 3/30/2010 12:04 PM, Stéphanie Cettou wrote:
>>
>> I will give the "issue" list, because I think that with Tomcat 6 I
>> can't do everything.. (But I don't know Tomcat)
>> - Give more roles to a user (my code is ready for a JDBCRealm login) *
>> read/modify pages and objects
>> - Check the type of password (more than 8 chars, special chars, ...)
>> - Ask for a new password every month (from the web site)
>> - Block the user after 3 failed logins
>> - Block inactive users (e.g. after 90 days)
>> - (possibly Single Sign-On for some users, but I think not possible with
>> more than one Active Directory) not mandatory
>> - Add/modify/delete users from the web site
>>
>> Can I do it with a Tomcat 6 update? How?
>
> Write a webapp (program) to do all of the above.
>
>
>> Or do other solutions / applications exist?
>
> I don't know of any, but they may exist.
>
> D
>
>
>



Re: Tomcat login

Posted by David kerber <dc...@verizon.net>.
On 3/30/2010 12:04 PM, Stéphanie Cettou wrote:
> I will give the "issue" list, because I think that with Tomcat 6 I
> can't do everything.. (But I don't know Tomcat)
> - Give more roles to a user (my code is ready for a JDBCRealm login) *
> read/modify pages and objects
> - Check the type of password (more than 8 chars, special chars, ...)
> - Ask for a new password every month (from the web site)
> - Block the user after 3 failed logins
> - Block inactive users (e.g. after 90 days)
> - (possibly Single Sign-On for some users, but I think not possible with
> more than one Active Directory) not mandatory
> - Add/modify/delete users from the web site
>
> Can I do it with a Tomcat 6 update? How?

Write a webapp (program) to do all of the above.


> Or do other solutions / applications exist?

I don't know of any, but they may exist.

D



Re: Tomcat login

Posted by Stéphanie Cettou <s....@gmail.com>.
I will give the "issue" list, because I think that with Tomcat 6 I
can't do everything.. (But I don't know Tomcat)
- Give more roles to a user (my code is ready for a JDBCRealm login) *
read/modify pages and objects
- Check the type of password (more than 8 chars, special chars, ...)
- Ask for a new password every month (from the web site)
- Block the user after 3 failed logins
- Block inactive users (e.g. after 90 days)
- (possibly Single Sign-On for some users, but I think not possible with
more than one Active Directory) not mandatory
- Add/modify/delete users from the web site

Can I do it with a Tomcat 6 update? How?
Or do other solutions / applications exist?

thanks,

Stéphanie

2010/3/30 Caldarale, Charles R <Ch...@unisys.com>:
>> From: Stéphanie Cettou [mailto:s.cettou@gmail.com]
>> Subject: Re: Tomcat login
>>
>> Is there another solution?
>
> Best if you can upgrade to Tomcat 6 (usually very easy to do from 5.5), and then use the CombinedRealm in conjunction with the JNDIRealm and LockOutRealm:
>
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#LockOutRealm
>
> You can always create a custom Realm to extend the capabilities of the above.
>
>  - Chuck
>
>
>
>
>
>

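David's answer above ("write a webapp") is where the items on the issue list that Tomcat's realms cannot enforce end up: password complexity can only be checked at the moment a password is set, and the monthly change, the three-strike lockout and the 90-day inactivity rule all need per-user state that the webapp (or a custom Realm reading the same user table) keeps. The class below is an added example, not code from this thread or from Tomcat; the in-memory user record, the 30-day and 90-day limits and the sample account are constructed for the illustration. It runs stand-alone on Java 8+ (`javac LoginPolicy.java && java LoginPolicy`).

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example (not from the thread): account rules from the issue list, kept
 *  independent of Tomcat so a login servlet, a change-password page or a custom
 *  Realm can all call it. */
public final class LoginPolicy {

    static final int MIN_LENGTH = 8;                               // "more than 8 char"
    static final int MAX_FAILURES = 3;                             // block after 3 failed logins
    static final Duration PASSWORD_MAX_AGE = Duration.ofDays(30);  // new password every month (assumed 30 days)
    static final Duration INACTIVITY_LIMIT = Duration.ofDays(90);  // block inactive users after 90 days

    private static final Pattern UPPER = Pattern.compile("[A-Z]");
    private static final Pattern LOWER = Pattern.compile("[a-z]");
    private static final Pattern SPECIAL = Pattern.compile("[^A-Za-z0-9]");

    enum Outcome { OK, BAD_CREDENTIALS, LOCKED, INACTIVE, PASSWORD_EXPIRED }

    /** In-memory stand-in for one row of the webapp's user table (constructed for the example). */
    static final class UserRecord {
        final String username;
        byte[] salt, hash;                       // PBKDF2 output; the clear-text password is never stored
        int failedLogins;
        Instant passwordChangedAt, lastLoginAt;

        UserRecord(String username, String initialPassword, Instant now) {
            this.username = username;
            this.lastLoginAt = now;
            changePassword(initialPassword, now);
        }

        /** The complexity policy is enforced here, the only place it can be: when the password is set. */
        void changePassword(String newPassword, Instant now) {
            String problem = checkPasswordPolicy(newPassword);
            if (problem != null) throw new IllegalArgumentException(username + ": password " + problem);
            salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            hash = pbkdf2(newPassword, salt);
            passwordChangedAt = now;
            failedLogins = 0;
        }
    }

    /** Returns null if the candidate satisfies the policy, otherwise the first rule it breaks. */
    static String checkPasswordPolicy(String candidate) {
        if (candidate == null || candidate.length() < MIN_LENGTH) return "must be at least " + MIN_LENGTH + " characters";
        if (!UPPER.matcher(candidate).find())   return "must contain an upper-case letter";
        if (!LOWER.matcher(candidate).find())   return "must contain a lower-case letter";
        if (!SPECIAL.matcher(candidate).find()) return "must contain a special character";
        return null;
    }

    /** Salted, iterated hash for stored passwords (a plain digest as JDBCRealm uses is not enough). */
    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** One login attempt. A locked account is refused before the password is even checked, every
     *  miss bumps the counter, and only a correct password reveals inactivity or a stale password. */
    static Outcome login(UserRecord u, String presented, Instant now) {
        if (u.failedLogins >= MAX_FAILURES) return Outcome.LOCKED;        // cleared only by an admin/reset flow
        if (!MessageDigest.isEqual(pbkdf2(presented, u.salt), u.hash)) {  // constant-time comparison
            u.failedLogins++;
            return u.failedLogins >= MAX_FAILURES ? Outcome.LOCKED : Outcome.BAD_CREDENTIALS;
        }
        if (Duration.between(u.lastLoginAt, now).compareTo(INACTIVITY_LIMIT) > 0) return Outcome.INACTIVE;
        u.failedLogins = 0;
        u.lastLoginAt = now;
        if (Duration.between(u.passwordChangedAt, now).compareTo(PASSWORD_MAX_AGE) > 0) {
            return Outcome.PASSWORD_EXPIRED;   // the webapp should redirect to its change-password page
        }
        return Outcome.OK;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2010-03-30T12:00:00Z");                    // constructed sample data
        UserRecord alice = new UserRecord("alice", "Tomcat-5.5!", t0);
        System.out.println("policy check on 'tomcat55': " + checkPasswordPolicy("tomcat55"));
        for (int i = 1; i <= 3; i++) System.out.println("miss " + i + ": " + login(alice, "guess" + i, t0));
        System.out.println("right password after the misses: " + login(alice, "Tomcat-5.5!", t0));
        alice.failedLogins = 0;                                                // admin unlock
        System.out.println("31 days later: " + login(alice, "Tomcat-5.5!", t0.plus(Duration.ofDays(31))));
        System.out.println("91 days after that: " + login(alice, "Tomcat-5.5!", t0.plus(Duration.ofDays(122))));
    }
}
```

Walking through `main`: the weak candidate is rejected by `checkPasswordPolicy`, the third wrong guess flips the account to `LOCKED` and the correct password no longer helps until an administrator resets the counter, the login 31 days after the password was set succeeds but reports `PASSWORD_EXPIRED`, and the next login 91 days after that one reports `INACTIVE`. Two design choices are worth keeping even if the rest is adapted: the hash comparison uses `MessageDigest.isEqual` rather than `Arrays.equals` so timing does not leak how many bytes matched, and the lockout is checked before the password so that three misses really do end the guessing rather than merely changing the error message.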


RE: Tomcat login

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Stéphanie Cettou [mailto:s.cettou@gmail.com]
> Subject: Re: Tomcat login
> 
Is there another solution?

Best if you can upgrade to Tomcat 6 (usually very easy to do from 5.5), and then use the CombinedRealm in conjunction with the JNDIRealm and LockOutRealm:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#LockOutRealm

You can always create a custom Realm to extend the capabilities of the above.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


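Chuck's suggestion as a concrete server.xml fragment, added here as an illustration; it is not taken from the thread or from the Tomcat documentation. In Tomcat 6, LockOutRealm is itself a CombinedRealm subclass, so it wraps the realm(s) that do the real authentication and counts their failures. The host name, DNs, bind account and limits below are made-up placeholders.

```xml
<!-- Added example: conf/server.xml, inside <Engine> or <Host>, Tomcat 6.0.x.
     LockOutRealm counts failed logins per user name across the nested realms;
     after failureCount failures the user is refused for lockOutTime seconds
     even if the correct password is then presented. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="3"
       lockOutTime="600">
  <!-- Authenticate against AD by binding as the user found with userSearch;
       AD group membership becomes the Tomcat role names used in web.xml. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ad.example.internal:636"
         connectionName="CN=tomcat-bind,OU=Service Accounts,DC=example,DC=internal"
         connectionPassword="placeholder-bind-password"
         userBase="OU=Users,DC=example,DC=internal"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=example,DC=internal"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
         referrals="follow"/>
</Realm>
```

Three caveats a practitioner would want before relying on this. The lockout state lives in the Tomcat JVM's memory, so it is per instance and is lost on restart; AD's own account-lockout policy may trip as well, since every failed bind reaches the domain controller. JNDIRealm only verifies the bind and reads groups: password length, complexity, monthly expiry and disabling of stale accounts have to come from AD's password policy, and a user whose AD password has expired simply fails to log in, because Tomcat has no way to offer a change-password page for a directory account. And the bind account in connectionName should be a least-privilege read-only account, with the connection over ldaps:// (or an equivalent protected channel) so neither its password nor the users' passwords cross the network in the clear.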


Re: Tomcat login

Posted by André Warnier <aw...@ice-sa.com>.
Stéphanie Cettou wrote:
> Thank you very much,
> I will learn more about this solution.
> But all points of my "issue" list must be covered...
> And the other problem is that the users should have access from everywhere
> (not only from their PCs).
Can you define this more precisely?
Do you mean like, for example, from an Internet café using a public PC ?

The Jespa mechanism from ioplex allows for a "fallback" to a normal 
login page if the domain authentication doesn't work, but I don't know 
if in your case that is applicable.

> 
> And I have another question: how can I give more roles to a user?
There is an explanation about that in the documentation at ioplex.
Basically, I think you can use "user groups" (a Windows domain concept) 
as rolenames in Tomcat.

Those rolenames have to be defined in Tomcat itself.
Have a look at (tomcat_dir)/conf/tomcat-users.xml

> 
> Does a Tomcat solution exist? Or must I do it in Java programming? Or does another
> "ready" solution exist?
> 



Re: Tomcat login

Posted by Stéphanie Cettou <s....@gmail.com>.
Thank you very much,
I will learn more about this solution.
But all points of my "issue" list must be covered...
And the other problem is that the users should have access from everywhere
(not only from their PCs).

And I have another question: how can I give more roles to a user?

Does a Tomcat solution exist? Or must I do it in Java programming? Or does another
"ready" solution exist?

Thanks

Stéphanie


2010/3/30 André Warnier <aw...@ice-sa.com>:
> Stéphanie,
>
> I don't want to interfere with the other people here who are trying to help
> you in the direction of a "pure Tomcat" solution.  I am incompetent in that
> area, while they are, and their recommendations may in the end be better
> than mine.
> So let's say that there are alternative ways in which your basic issue could
> be solved, and what I am suggesting is one of these possible alternatives.
>
> The solution I am suggesting consists of separating the "user management
> business" from the "Tomcat application business".
>
> My first premise is that managing users, passwords, rules for these
> passwords, aging, people coming and going etc.. is a complicated and
> time-consuming task and, if there already exists an AD infrastructure (or 3)
> that does this and people who manage it, maybe you do not want to create and
> manage a 4th system.
> (For example, if you create a mechanism based on a database, then you will
> probably have to synchronise that database with the 3 existing AD databases;
> and you will probably never obtain from the separate admins of the 3 AD
> domains, that they send you every day a new list of their users and
> passwords).
> My second premise is that users, in general, do not like to have to login
> several times, and remember different user-id's and/or passwords for
> different things.
> So if you can propose a solution which requires less additional programming
> and setup, and less management hassle later on, that may be to your own and
> to the users' advantage.
>
> Based on your previous explanations, I will imagine that there are 3
> locations from where users can access your Tomcat system; that at each of
> those locations, there is a Windows domain based on an AD system; and that
> the users in each of those locations already login to their local domain
> before they access your Tomcat applications; and that these systems already
> manage the business of password rules and aging, and the day-to-day business
> of people coming and going.
> If it is so, you can set up a system whereby the local login which each user
> has already done once when they started their workstation, can be used by
> your Tomcat application(s).  Your Tomcat application(s) will automatically
> receive, for each access, a unique and pre-authenticated user-id for each
> user, just as if you had done the authentication yourself at the Tomcat
> level.  This user-id can include the original domain name of the user (iow
> the location), so that if two users "john.smith" exist in two separate AD
> domains, they will not be confused.
>
> This method does not necessarily cover all your needs, and it may still
> require some user data and some management at the Tomcat level, but it may
> also avoid having to re-implement and manage stuff that is already being
> done elsewhere.
>
> If you are still interested, then go have a look here :
> http://www.ioplex.com/
>
> I am not saying that this is necessarily the solution for you, but it is
> maybe worth having a look at it.
>
> (and no, I am not an employee of that company; it is just something I use
> myself with Tomcat, in contexts apparently similar to yours.)
>
>
>
>



Re: Tomcat login

Posted by André Warnier <aw...@ice-sa.com>.
Stéphanie,

I don't want to interfere with the other people here who are trying to 
help you in the direction of a "pure Tomcat" solution.  I am incompetent 
in that area, while they are, and their recommendations may in the end 
be better than mine.
So let's say that there are alternative ways in which your basic issue 
could be solved, and what I am suggesting is one of these possible 
alternatives.

The solution I am suggesting consists of separating the "user management 
business" from the "Tomcat application business".

My first premise is that managing users, passwords, rules for these 
passwords, aging, people coming and going etc.. is a complicated and 
time-consuming task and, if there already exists an AD infrastructure 
(or 3) that does this and people who manage it, maybe you do not want to 
create and manage a 4th system.
(For example, if you create a mechanism based on a database, then you 
will probably have to synchronise that database with the 3 existing AD 
databases; and you will probably never obtain from the separate admins 
of the 3 AD domains, that they send you every day a new list of their 
users and passwords).
My second premise is that users, in general, do not like to have to 
login several times, and remember different user-id's and/or passwords 
for different things.
So if you can propose a solution which requires less additional 
programming and setup, and less management hassle later on, that may be 
to your own and to the users' advantage.

Based on your previous explanations, I will imagine that there are 3 
locations from where users can access your Tomcat system; that at each 
of those locations, there is a Windows domain based on an AD system; and 
that the users in each of those locations already login to their local 
domain before they access your Tomcat applications; and that these 
systems already manage the business of password rules and aging, and the 
day-to-day business of people coming and going.
If it is so, you can set up a system whereby the local login which each 
user has already done once when they started their workstation, can be 
used by your Tomcat application(s).  Your Tomcat application(s) will 
automatically receive, for each access, a unique and pre-authenticated 
user-id for each user, just as if you had done the authentication 
yourself at the Tomcat level.  This user-id can include the original 
domain name of the user (iow the location), so that if two users 
"john.smith" exist in two separate AD domains, they will not be confused.

This method does not necessarily cover all your needs, and it may still 
require some user data and some management at the Tomcat level, but it 
may also avoid having to re-implement and manage stuff that is already 
being done elsewhere.

If you are still interested, then go have a look here :
http://www.ioplex.com/

I am not saying that this is necessarily the solution for you, but it is 
maybe worth having a look at it.

(and no, I am not an employee of that company; it is just something I 
use myself with Tomcat, in contexts apparently similar to yours.)




Re: Tomcat login

Posted by Stéphanie Cettou <s....@gmail.com>.
Hi André,
thank you very much for your fast answer.
No, not all users have an Active Directory account (or yes, but in 3
different locations...). And the web site must be accessible at any
time from anywhere...

My idea is to use a new Active Directory only to manage users and
passwords... the problem is to manage it from the web site...

But if there is an alternative, that is OK for me.

Is there another solution?

Thanks,

Stéphanie



2010/3/30 André Warnier <aw...@ice-sa.com>:
> Stéphanie Cettou wrote:
>>
>>  Hi,
>>
>>  I use Tomcat 5.5.
>>  I have a JSP application.
>>  The login is implemented with a database.
>>
>> <Realm  className="org.apache.catalina.realm.JDBCRealm" .....
>>
>>  I need to increase the security. I want the user to have only 3
>>  retries for the login, the user must change the password every month, and I
>>  need a password policy (8 chars, upper and lower case, ...).
>>
>>  How can I implement this?
>>
>>  I am thinking of using Active Directory, but I can't manage users and passwords
>>  directly with Tomcat, or can I?
>>
> Hi Stéphanie.
>
> Maybe as an alternative..
>
> If you mention Active Directory, does that mean that all your Tomcat users
> are working on MS Windows workstations, and login to a Windows domain before
> they call up the browser and access your Tomcat-based applications?
>
> I am asking because if that is the case, then there exist solutions which
> would allow your users to not even have to login (to your Tomcat
> applications), and will automatically use their Windows domain user-id for
> Tomcat.
> And the management of users and passwords is then left to the AD system, and
> you get a Single-Sign-On solution at the same time.
>
> This scenario may or may not fit your needs, but if it does, it may be a big
> simplification for you.
>
>
>



Re: Tomcat login

Posted by André Warnier <aw...@ice-sa.com>.
Stéphanie Cettou wrote:
>  Hi,
> 
>  I use Tomcat 5.5.
>  I have a JSP application.
>  The login is implemented with a database.
> 
> <Realm  className="org.apache.catalina.realm.JDBCRealm" .....
> 
>  I need to increase the security. I want the user to have only 3
>  retries for the login, the user must change the password every month, and I
>  need a password policy (8 chars, upper and lower case, ...).
> 
>  How can I implement this?
> 
>  I am thinking of using Active Directory, but I can't manage users and passwords
>  directly with Tomcat, or can I?
> 
Hi Stéphanie.

Maybe as an alternative..

If you mention Active Directory, does that mean that all your Tomcat 
users are working on MS Windows workstations, and login to a Windows 
domain before they call up the browser and access your Tomcat-based 
applications?

I am asking because if that is the case, then there exist solutions 
which would allow your users to not even have to login (to your Tomcat 
applications), and will automatically use their Windows domain user-id 
for Tomcat.
And the management of users and passwords is then left to the AD system, 
and you get a Single-Sign-On solution at the same time.

This scenario may or may not fit your needs, but if it does, it may be a 
big simplification for you.
