Posted to users@tomcat.apache.org by Semen Vadishev <sv...@gmail.com> on 2007/10/09 14:00:44 UTC

Anonymous access with Tomcat Authentication configured.

Hi,

I'm developing a servlet using servlet API 2.3 on the Tomcat application server,
and now my task is to implement path-based authentication (pba) with the
following Tomcat configuration:

auth-method= BASIC
Realm className="org.apache.catalina.realm.MemoryRealm"

But the behavior I need is:
1. If Tomcat gets a request with no user information (username/password),
it should pass it to the servlet, and then the servlet, after handling the request's URI
according to the pba config file, may send SC_UNAUTHORIZED (if it needs an
authenticated user) or SC_FORBIDDEN (if access is denied).
2. If Tomcat gets a request with a username and password, it should check them
against conf/tomcat-users.xml and, if the user is authenticated, pass it to the
servlet.

After some research I found that there is no way to pass the request to the servlet
in clause 1 using the configuration I've pointed out. So what should I do to get the
behaviour I need?
All thoughts, advice and everything else are welcome.

Thanks!
S. Vadishev.

Re: Anonymous access with Tomcat Authentication configured.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Semen,

Semen Vadishev wrote:
> So implementing an internal server component (probably a valve) is the only
> solution, right?

No. Since you only have one servlet, you can even implement it directly in
that one servlet. Your other option is to use a Filter, which would
nicely separate your code into A&A and "real work" components. That's
always nice.

> And is this a container-independent solution?

Valves are absolutely /not/ container-independent. They are Tomcat-only
and, I would imagine, not guaranteed to work across major versions of
Tomcat.

Stick with a Filter. Those will always work, since they are part of the
servlet spec ;)

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHDN/X9CaO5/Lv0PARAg2QAJ9meGHhU+Cd+GdDKBqqafrMA4DCawCeOQr7
XCr0bOTIIq7BrVFsOaCXLYw=
=5BIz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
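Below is an added example (not code from the thread, from Tomcat or from securityfilter) of the Filter approach Chris recommends, implementing the two cases from the opening post: a request without credentials passes through to the servlet anonymously, and a request with a BASIC Authorization header is checked and either rejected with 401 or passed on with a Principal. It assumes Java 8 or later (java.util.Base64), the servlet API classes on the classpath, and a constructed in-memory user map standing in for conf/tomcat-users.xml; the class name, the "svn" realm string and the user entries are all made up for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Optional BASIC authentication as a Filter (illustrative, not from the thread).
 *
 *  - No Authorization header: the request continues anonymously
 *    (getRemoteUser() stays null) and the servlet decides 401/403 itself.
 *  - Authorization: Basic ...: the credentials are checked; a bad pair is
 *    rejected with 401, a good pair reaches the servlet with a Principal.
 */
public class OptionalBasicAuthFilter implements Filter {

    // Constructed stand-in for conf/tomcat-users.xml; a real deployment
    // would look users up in the container's Realm or another store.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("user1", "s3cret");
        USERS.put("guest", "guest");
    }

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null) {
            // Anonymous request: hand it to the servlet untouched.
            chain.doFilter(request, response);
            return;
        }

        String user = authenticate(header);
        if (user == null) {
            // Credentials were supplied but are wrong or malformed.
            response.setHeader("WWW-Authenticate", "Basic realm=\"svn\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        chain.doFilter(new AuthenticatedRequest(request, user), response);
    }

    /** Returns the user name for a valid "Basic base64(user:pass)" header, else null. */
    static String authenticate(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        String pass = decoded.substring(colon + 1);
        String expected = USERS.get(user);
        if (expected == null) return null;
        // Constant-time comparison so a wrong password does not leak by timing.
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                           pass.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }

    /** Exposes the authenticated user through the standard request API. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;
        AuthenticatedRequest(HttpServletRequest req, String user) {
            super(req);
            this.user = user;
        }
        @Override public String getRemoteUser() { return user; }
        @Override public String getAuthType() { return HttpServletRequest.BASIC_AUTH; }
        @Override public Principal getUserPrincipal() {
            return new Principal() { public String getName() { return user; } };
        }
    }
}
```

The filter is registered in web.xml with the usual <filter> and <filter-mapping> elements and no <login-config> or <security-constraint>, so Tomcat's own authenticator never intercepts the request. Because anonymous requests reach the servlet with getRemoteUser() returning null, the servlet has to send the WWW-Authenticate header itself alongside SC_UNAUTHORIZED when a path requires a user; without it a BASIC client has no reason to retry with credentials. BASIC carries the password base64-encoded rather than encrypted, so this filter only belongs behind an HTTPS connector.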


Re: Anonymous access with Tomcat Authentication configured.

Posted by Semen Vadishev <sv...@gmail.com>.
Christopher,

2007/10/10, Christopher Schultz <ch...@christopherschultz.net>:

> Tomcat's built-in A&A requires that an unauthenticated user request a
> protected resource (protected by a <security-constraint>). When this
> happens, Tomcat intercepts the request internally and issues the
> appropriate login request (HTTP AUTH, FORM, etc.). Upon successful
> authentication, Tomcat re-processes the original request.
>
> Tomcat authorization is done separately, though probably by the same
> component (Valve).

[...]

>
> Don't worry: authentication is really easy. Authorization isn't that
> bad, either, especially since you will probably only have a single
> servlet that needs protecting. The problem with these things is usually
> making sure you didn't miss anything (like leaving a swath of URIs
> unprotected).
>
> Feel free to look at Tomcat's Realm implementations for coding
> inspiration.


So implementing an internal server component (probably a valve) is the only
solution, right? And is this a container-independent solution?

Thanks,
S. Vadishev.

Re: Anonymous access with Tomcat Authentication configured.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Semen,

Semen Vadishev wrote:
> Well, have you ever configured path based authentication for Subversion
> Server?

Oh, you're using WebDAV. :(

> So if there is no <security-constraint> element in
> web.xml, Tomcat doesn't provide authorization, right?

Correct. It will not perform authentication either.

I think it's important to understand what's going on here:

Tomcat's built-in A&A requires that an unauthenticated user request a
protected resource (protected by a <security-constraint>). When this
happens, Tomcat intercepts the request internally and issues the
appropriate login request (HTTP AUTH, FORM, etc.). Upon successful
authentication, Tomcat re-processes the original request.

Tomcat authorization is done separately, though probably by the same
component (Valve).

You can require authentication but not enforce any specific role by
using <role-name>*</role-name> in your <security-constraint>.

Unfortunately for you, J2EE does not do user-based authorization; it
will only do role-based authorization.

I don't think you can use Tomcat's authorization at all. I don't know
enough about the WebDAV/svn protocol to know whether it will work for
authentication.

> And if
> web.xml contains a <login-config> element and doesn't contain a
> <security-constraint>
> element, then the servlet gets a Principal object anyway (if the client sent user/pass
> then request.getRemoteUser() returns "user", and if not request.getRemoteUser()
> returns null)? Well, at least I will try to configure Tomcat this way.

If you want Tomcat to do authentication and not authorization (which it
sounds like is the case), then use <role-name>*</role-name> on whatever
resource you are protecting and Tomcat will demand that the user
authenticate in order to access the resource (but it won't care who the
user is).

Then, you should be able to get a Principal from the request object
during a request.

> 1. Requests with no authentication data.

I'm pretty sure you're always going to want authentication data. To get
Tomcat to work this way, you will need authentication data for pretty
much every request.

> 2. Requests with authentication data [...] so we want Tomcat to check
> if this pair username/password is valid

You can't have Tomcat do this kind of thing on demand. You can either
use their authentication mechanism (with all the requirements above) or not.

> So my question now is: if Tomcat is configured to provide built-in
> authentication and not built-in authorization, can we get the
> described behavior?

You can try using <role-name>*</role-name> as described above, but it
may not work the way you want it to work. For instance, if you want to
allow completely anonymous access (i.e. not even requiring the use of a
"guest" username and password), then you'll need to do everything yourself.

Don't worry: authentication is really easy. Authorization isn't that
bad, either, especially since you will probably only have a single
servlet that needs protecting. The problem with these things is usually
making sure you didn't miss anything (like leaving a swath of URIs
unprotected).

Feel free to look at Tomcat's Realm implementations for coding inspiration.

> Hope this explanation is more clear.

It is, thanks.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHC/uy9CaO5/Lv0PARAghHAKCVnSxdBUrmVruDS9rbq6qhKgZ2PgCfQMAU
mQuDZdXT7R+mZsiEP8l/GmI=
=4bmb
-----END PGP SIGNATURE-----


Re: Anonymous access with Tomcat Authentication configured.

Posted by Semen Vadishev <sv...@gmail.com>.
Christopher, thank you for your great help,

2007/10/10, Christopher Schultz <ch...@christopherschultz.net>:

> >> ...why you want your own servlets to do the authorization instead
> >> of the container (or securityfilter)?
> >
> > This is the main question. Today we decided to do nothing new with
> > authentication and use special "guest" user in the first version of
> > servlet.
>
> I'm not sure what that means.


Well, have you ever configured path-based authentication for Subversion
Server? The pba config file contains a set of rules, and they look like

[/path/in/repos]
*=
user1=r

So an anonymous user has no read permissions, but a user logged on as "user1"
may read from /path/in/repos. In our case, the configuration above means that a
user logged on as "guest" has no permissions and "user1" has read
permissions.


> > And only if users will ask for anonymous access I described earlier, we'll
> > develop custom mechanism or maybe use security filter.
>
> I'm not convinced you need either. You can use the built-in Tomcat
> authentication to do logins.


It sounds interesting. So if there is no <security-constraint> element in
web.xml, Tomcat doesn't provide authorization, right? And if
web.xml contains a <login-config> element and doesn't contain a
<security-constraint>
element, then the servlet gets a Principal object anyway (if the client sent user/pass
then request.getRemoteUser() returns "user", and if not request.getRemoteUser()
returns null)? Well, at least I will try to configure Tomcat this way.

> You can also use the built-in
> authorization, but it looks like you don't want authorization at all:
> you want a site that basically lets anyone use it, but also allows
> logins for other things (but you haven't mentioned any of them).


There is no site or pages; we have a servlet that handles requests via the WebDAV
protocol (an extension of HTTP/1.1). There are two types of requests we
should handle in the servlet:
1. Requests with no authentication data. If such a request tries to access
/some/path and the pba config file contains the rule:
[/some/path]
*=r
then we do not send any error, handle the request and send the result normally;
otherwise we send an SC_UNAUTHORIZED error.
2. Requests with authentication data, for instance the client sends us a
username/password and tries to access /some/path. So we want Tomcat to check
if this username/password pair is valid (at this moment Tomcat looks at the
Realm class, as I think), so if it's not valid, Tomcat should send
SC_UNAUTHORIZED; otherwise the servlet checks the request using pba, and if the pba config
file has the rule:
[/some/path]
username=r
then we do not send any error and handle the request normally; otherwise we send an
SC_FORBIDDEN error.
So my question now is: if Tomcat is configured to provide built-in
authentication and not built-in authorization, can we get the
described behavior?

Hope this explanation is more clear.

Thanks,
S. Vadishev.
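As an added example (not code from the thread or from SVNKit), here is a small evaluator for rules in the form Semen shows above, deciding whether the servlet should proceed, send SC_UNAUTHORIZED or send SC_FORBIDDEN. It is a simplified reading of the format rather than Subversion's own authz implementation: no groups, aliases or repository prefixes, an entry for the user wins over the "*" entry in the same section, and a path with no matching entry inherits from its parent path. The class and method names and the rules in main are constructed for the example; the javax.servlet status constants are the only external dependency.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletResponse;

/**
 * Evaluates path-based access rules in the [/path] / principal=perms form
 * described in the thread. Illustrative simplification, not Subversion's own
 * authz code: the nearest section whose path is the request path or one of
 * its ancestors and that names the user (or "*") decides the outcome.
 */
public class PathBasedAccess {

    /** section path -> (principal -> permission string such as "r", "rw" or "") */
    private final Map<String, Map<String, String>> sections = new LinkedHashMap<>();

    public static PathBasedAccess parse(String config) {
        PathBasedAccess pba = new PathBasedAccess();
        Map<String, String> current = null;
        for (String raw : config.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                current = new LinkedHashMap<>();
                pba.sections.put(normalize(line.substring(1, line.length() - 1)), current);
                continue;
            }
            int eq = line.indexOf('=');
            if (eq < 0 || current == null) {
                throw new IllegalArgumentException("bad rule line: " + line);
            }
            current.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return pba;
    }

    /** Permissions granted to user (null = anonymous) on path, or "" if none. */
    public String permissions(String user, String path) {
        String wanted = normalize(path);
        // Walk up from the request path to "/" and use the first section that
        // names the user or "*", so a deeper section overrides a shallower one.
        for (String p = wanted; ; p = parent(p)) {
            Map<String, String> rules = sections.get(p);
            if (rules != null) {
                if (user != null && rules.containsKey(user)) return rules.get(user);
                if (rules.containsKey("*")) return rules.get("*");
            }
            if (p.equals("/")) return "";
        }
    }

    /** Status the servlet should act on: 200 to proceed, 401 to ask for credentials, 403 to refuse. */
    public int decide(String user, String path) {
        if (permissions(user, path).indexOf('r') >= 0) return HttpServletResponse.SC_OK;
        return user == null ? HttpServletResponse.SC_UNAUTHORIZED
                            : HttpServletResponse.SC_FORBIDDEN;
    }

    private static String normalize(String path) {
        String p = path.startsWith("/") ? path : "/" + path;
        while (p.length() > 1 && p.endsWith("/")) p = p.substring(0, p.length() - 1);
        return p;
    }

    private static String parent(String path) {
        int slash = path.lastIndexOf('/');
        return slash <= 0 ? "/" : path.substring(0, slash);
    }

    public static void main(String[] args) {
        // Constructed rules mirroring the two cases discussed in the thread.
        PathBasedAccess pba = parse(
            "[/path/in/repos]\n" +
            "*=\n" +
            "user1=r\n" +
            "\n" +
            "[/some/path]\n" +
            "*=r\n");
        System.out.println(pba.decide(null,    "/some/path/file"));      // anonymous, section with *=r
        System.out.println(pba.decide(null,    "/path/in/repos/file"));  // anonymous, section with *=
        System.out.println(pba.decide("guest", "/path/in/repos/file"));  // known user with no entry
        System.out.println(pba.decide("user1", "/path/in/repos/file"));  // user with an explicit r entry
    }
}
```

The 401-versus-403 split follows the two cases in the message: a refusal for an anonymous caller is answered with SC_UNAUTHORIZED so the client can retry with credentials, while a refusal for an already-authenticated user is SC_FORBIDDEN, since retrying would not help. The evaluator takes whatever getRemoteUser() returns, which is null for anonymous callers, so it works the same whether authentication is done by the container or by a filter.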

Re: Anonymous access with Tomcat Authentication configured.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Semen,

Semen Vadishev wrote:
> Christopher,
> 
> 2007/10/9, Christopher Schultz <ch...@christopherschultz.net>:
>>>> You cannot do this with Tomcat's authentication mechanism. You will
>>>> have to provide an alternative implementation. I recommend looking
>>>> at securityfilter ( http://securityfilter.sourceforge.net ).
>>> Well, securityfilter doesn't satisfy some servlet's requirements
>> Like what?
> 
> Sorry if I was wrong, but does security filter support such auth-methods as
> BASIC, DIGEST, etc.? It was pointed out that "BASIC authentication will be
> supported in an upcoming 1.1 release" at
> http://securityfilter.sourceforge.net . But at
> http://sourceforge.net/projects/securityfilter/ I found some newer release
> notes, but I found nothing about added support of other auth methods.

Right. The documentation for securityfilter is horrible. Fortunately,
there's not much code there, so it's possible to go into it and see if
something is implemented and how.

I do not believe that securityfilter supports BASIC, DIGEST, or
CLIENT-CERT authentication schemes. It might support BASIC, but I don't
use that so I don't know.

>> ...why you want your own servlets to do the authorization instead
>> of the container (or securityfilter)?
> 
> This is the main question. Today we decided to do nothing new with
> authentication and use special "guest" user in the first version of servlet.

I'm not sure what that means.

> And only if users will ask for anonymous access I described earlier, we'll
> develop custom mechanism or maybe use security filter.

I'm not convinced you need either. You can use the built-in Tomcat
authentication to do logins. You can also use the built-in
authorization, but it looks like you don't want authorization at all:
you want a site that basically lets anyone use it, but also allows
logins for other things (but you haven't mentioned any of them).

Tomcat can do this: just don't make anything protected except for a
single "protected" page that can be used to trigger a login request.

> As I understood, you
> represent the interests of securityfilter's developers (sorry if it's a mistake)

Not really. I use securityfilter because Tomcat's implementation does
not meet my needs (I need to be able to accept unexpected logins instead
of first requesting a protected resource), but I am not a contributor.

> it will be great if you'll look at the servlet's code

I'm not going to read through your code to figure out your requirements.

>>> It will be my first implementation, so any help will be appreciated.
>>
>> First servlet implementation, or first authentication and authorization
>> implementation?
> 
> First authentication and authorization implementation.

Again, I don't think you need to implement anything yourself, whether
you use Tomcat's built-in A&A or if you use securityfilter.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHC9599CaO5/Lv0PARAufGAKCrMiD2hgTWGtDcoNaO8uWTZwOmaACginZ9
e2Wo5D5k6CgMMXBfnOH5udE=
=MB4n
-----END PGP SIGNATURE-----


Re: Anonymous access with Tomcat Authentication configured.

Posted by Semen Vadishev <sv...@gmail.com>.
Christopher,

2007/10/9, Christopher Schultz <ch...@christopherschultz.net>:
>
> >> You cannot do this with Tomcat's authentication mechanism. You will
> >> have to provide an alternative implementation. I recommend looking
> >> at securityfilter ( http://securityfilter.sourceforge.net ).
> >
> > Well, securityfilter doesn't satisfy some servlet's requirements
>
> Like what?


Sorry if I was wrong, but does security filter support such auth-methods as
BASIC, DIGEST, etc.? It was pointed out that "BASIC authentication will be
supported in an upcoming 1.1 release" at
http://securityfilter.sourceforge.net . But at
http://sourceforge.net/projects/securityfilter/ I found some newer release
notes, but I found nothing about added support of other auth methods.

> > so as you said I will have to provide my own low level authentication
> > mechanism.
>
> You can use Tomcat's built-in Realm as a basis for the authentication --
> so, for instance, you don't have to write your own SELECT query, etc.


Thanks, I've got it.

> ...why you want your own servlets to do the authorization instead
> of the container (or securityfilter)?


This is the main question. Today we decided to do nothing new with
authentication and use a special "guest" user in the first version of the servlet.
And only if users ask for the anonymous access I described earlier will we
develop a custom mechanism or maybe use security filter. As I understood, you
represent the interests of securityfilter's developers (sorry if it's a mistake),
and it will be great if you'll look at the servlet's code at
http://svn.svnkit.com/repos/svnkit/trunk/ (svnkit-dav subdirectory) and give
me a response on how to use security filter with our servlet.

> It will be my first implementation, so any help will be appreciated.
>
> First servlet implementation, or first authentication and authorization
> implementation?


First authentication and authorization implementation.

Thanks,
S. Vadishev.

Re: Anonymous access with Tomcat Authentication configured.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Semen,

Semen Vadishev wrote:
> Christopher, thanks for reply.
> 
> 2007/10/9, Christopher Schultz <ch...@christopherschultz.net>:
> 
>> You cannot do this with Tomcat's authentication mechanism. You will
>> have to provide an alternative implementation. I recommend looking
>> at securityfilter ( http://securityfilter.sourceforge.net ).
> 
> Well, securityfilter doesn't satisfy some servlet's requirements

Like what?

> so as you said I will have to provide my own low level authentication
> mechanism.

You can use Tomcat's built-in Realm as a basis for the authentication --
so, for instance, you don't have to write your own SELECT query, etc.

Can I ask why you want your own servlets to do the authorization instead
of the container (or securityfilter)?

> It will be my first implementation, so any help will be appreciated.

First servlet implementation, or first authentication and authorization
implementation?

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHC6to9CaO5/Lv0PARAuLwAJwOxMCxIpHka7S1KPRz56EZcOX6twCfaS1x
jWqHtOk9bvkGEtaKH5UiGfE=
=QR6J
-----END PGP SIGNATURE-----


Re: Anonymous access with Tomcat Authentication configured.

Posted by Semen Vadishev <sv...@gmail.com>.
Christopher, thanks for reply.

2007/10/9, Christopher Schultz <ch...@christopherschultz.net>:

>
> You cannot do this with Tomcat's authentication mechanism. You will have
> to provide an alternative implementation. I recommend looking at
> securityfilter ( http://securityfilter.sourceforge.net ).


Well, securityfilter doesn't satisfy some of the servlet's requirements, so as you
said I will have to provide my own low-level authentication mechanism. It
will be my first implementation, so any help will be appreciated.

Thanks,
S. Vadishev.

Re: Anonymous access with Tomcat Authentication configured.

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Semen,

Semen Vadishev wrote:
> But behavior I need is: 1. If Tomcat gets request with no user
> information data (username/password) it should pass it to servlet and
> then servlet after handling request's URI according to pba config
> file may send SC_UNAUTHORIZED (if it needs authenticated user) or
> SC_FORBIDDEN (if any access denied). 2. If Tomcat gets request with
> username and password it should check them according to
> conf/tomcat-users.xml and if user authenticated pass it to servlet.

You cannot do this with Tomcat's authentication mechanism. You will have
to provide an alternative implementation. I recommend looking at
securityfilter (http://securityfilter.sourceforge.net).

It's implemented as a filter, so it works with any servlet container. It
can work with Tomcat's built-in realms or you can write your own. It
supports unsolicited logins (i.e. you can use your own login page that
submits to j_security_check without having to first request a protected
resource). It has configuration similar to that in web.xml, so you don't
have to learn a new configuration format.

You are free to use securityfilter's authentication mechanisms and
completely skip authorization, which is what it looks like you want to
do (by implementing it yourself).

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHC4mU9CaO5/Lv0PARAm/tAJ4/SAUdOsMlZSugPtOsJaXpFGbRQACfRGov
R26GvoQR29oZmVyMcH0EPmc=
=N9aS
-----END PGP SIGNATURE-----
