Posted to users@tomcat.apache.org by Alex Lau <al...@dentonlive.com> on 2002/06/28 19:39:32 UTC

Re: JNDI--- Tomcat

Craig R. McClanahan

>On Fri, 28 Jun 2002, Alex Lau wrote:
>
>>Date: Fri, 28 Jun 2002 10:01:38 -0500
>>From: Alex Lau <al...@dentonlive.com>
>>To: Craig R. McClanahan <cr...@apache.org>
>>Subject: Re: JNDI--- Tomcat
>>
>>Sorry about that... Let me try to explain a little.
>>When you are trying to implement JNDI authentication, based on
>>different protocols or whatever directory services you are
>>implementing.... ( or
>>will it be generic, e.g. any JNDI protocol? LDAP, NIS etc.. )
>>they may have some kind of user limit.. ( e.g. how many users' info in one
>>server ) And I'm just wondering what the direction of the module is
>>going to be. Mainly because any web server may have a lot of front end
>>users, but a smaller subset of maintainers/admins. On a business
>>internal site... that may be the other way around. Either way, I'm just
>>wondering
>>what the direction of that authentication is for?
>>1) replace existing normal practice, database info to authenticate users.
>>or
>>
>
>I don't know if it is "normal practice" or not :-), but I view JNDIRealm
>as an alternative to MemoryRealm (which loads users from an XML file) and
>JDBCRealm (which loads users from a database).  JNDIRealm can talk to
>anything that JNDI can talk to, as long as the internal data structure of
>the accessed resource can be modelled so that you can configure the right
>kinds of search expressions.  In practice, that makes LDAP a natural fit
>-- I haven't tried any of the others, but it is probably practical.
>
Sorry about the "normal...." part :) ( I use LDAP too... ) I think I mean
"most often seen". And that is exactly what I'm trying to get at: what is
the plan for JNDIRealm to handle users (number-wise.....), e.g. using an
XML file to handle 1,000,000 users may not be very practical. But it makes
very much sense for roles information!

>>2) mostly for the admin login to maintain the site settings
>>
>
>No matter which Realm implementation you use, there is no direct API for
>managing users in the Realm itself -- that has to be done separately.  For
>example, in Tomcat 4.1.x there is an administration webapp that lets you
>add new users and roles dynamically at any time.
>
>No matter which Realm implementation you use, it is easy to create
>privileged users that can do more things than other users.  Simply assign
>roles like "admin" or "manager" to the users who should be able to do
>certain things, and then use security constraints in your web.xml file to
>protect the resources you need -- essentially, these security constraints
>are saying "you need privilege ABC in order to execute this particular
>URL".
>
I think I understand that. The usually seen problem with that security model
in high-usage web apps comes back to too many users, too many roles.
Sometimes the right design may not work in the real world..... ( I hate to say
that... I want to do everything right also... )
I'm not trying to say this is good or bad design. I just want to know what
direction it is going. IMHO different designs fit different environments.
In my mind, using JNDI could have multiple implementations able
to fit different conditions. That's why I asked that question.
I think I kind of know where it is going now.

Thanks

>See the servlet specification's chapter on security for more info:
>
>  http://java.sun.com/products/servlet/download.html
>
>and you'd be better off subscribing to TOMCAT-USER (send an empty mail
>message to TOMCAT-USER-SUBSCRIBE@JAKARTA.APACHE.ORG) for how to set up
>Tomcat in particular.
>
>>Thanks
>>Alex
>>
>
>Craig
>


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: JNDI--- Tomcat

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 28 Jun 2002, Alex Lau wrote:

> Date: Fri, 28 Jun 2002 12:39:32 -0500
> From: Alex Lau <al...@dentonlive.com>
> To: Craig R. McClanahan <cr...@apache.org>, tomcat-user@jakarta.apache.org
> Subject: Re: JNDI--- Tomcat
>
> Craig R. McClanahan
>
> >On Fri, 28 Jun 2002, Alex Lau wrote:
> >
> >>Date: Fri, 28 Jun 2002 10:01:38 -0500
> >>From: Alex Lau <al...@dentonlive.com>
> >>To: Craig R. McClanahan <cr...@apache.org>
> >>Subject: Re: JNDI--- Tomcat
> >>
> >>Sorry about that... Let me try to explain a little.
> >>When you are trying to implement JNDI authentication, based on
> >>different protocols or whatever directory services you are
> >>implementing.... ( or
> >>will it be generic, e.g. any JNDI protocol? LDAP, NIS etc.. )
> >>they may have some kind of user limit.. ( e.g. how many users' info in one
> >>server ) And I'm just wondering what the direction of the module is
> >>going to be. Mainly because any web server may have a lot of front end
> >>users, but a smaller subset of maintainers/admins. On a business
> >>internal site... that may be the other way around. Either way, I'm just
> >>wondering
> >>what the direction of that authentication is for?
> >>1) replace existing normal practice, database info to authenticate users.
> >>or
> >>
> >
> >I don't know if it is "normal practice" or not :-), but I view JNDIRealm
> >as an alternative to MemoryRealm (which loads users from an XML file) and
> >JDBCRealm (which loads users from a database).  JNDIRealm can talk to
> >anything that JNDI can talk to, as long as the internal data structure of
> >the accessed resource can be modelled so that you can configure the right
> >kinds of search expressions.  In practice, that makes LDAP a natural fit
> >-- I haven't tried any of the others, but it is probably practical.
> >
> Sorry about the "normal...." part :) ( I use LDAP too... ) I think I mean
> "most often seen". And that is exactly what I'm trying to get at: what is
> the plan for JNDIRealm to handle users (number-wise.....), e.g. using an
> XML file to handle 1,000,000 users may not be very practical. But it makes
> very much sense for roles information!
>

Tomcat doesn't care how many users you have in your directory server
(accessed via JNDIRealm) or database (accessed via JDBCRealm) -- that is
totally up to how many users your server can handle.  Obviously, as you
note, an XML file is not the way to go for large numbers of users.

> >>2) mostly for the admin login to maintain the site settings
> >>
> >
> >No matter which Realm implementation you use, there is no direct API for
> >managing users in the Realm itself -- that has to be done separately.  For
> >example, in Tomcat 4.1.x there is an administration webapp that lets you
> >add new users and roles dynamically at any time.
> >
> >No matter which Realm implementation you use, it is easy to create
> >privileged users that can do more things than other users.  Simply assign
> >roles like "admin" or "manager" to the users who should be able to do
> >certain things, and then use security constraints in your web.xml file to
> >protect the resources you need -- essentially, these security constraints
> >are saying "you need privilege ABC in order to execute this particular
> >URL".
> >
> I think I understand that. The usually seen problem with that security model
> in high-usage web apps comes back to too many users, too many roles.
> Sometimes the right design may not work in the real world..... ( I hate to say
> that... I want to do everything right also... )
> I'm not trying to say this is good or bad design. I just want to know what
> direction it is going. IMHO different designs fit different environments.
> In my mind, using JNDI could have multiple implementations able
> to fit different conditions. That's why I asked that question.
> I think I kind of know where it is going now.
>

Security architectures always have to be designed carefully -- but the
idea that there can be "too many" users or roles does not sound right, at
least from a technical perspective.  It's certainly feasible to buy a
server big enough to support millions of users in the directory server or
database -- and the number of users stored there doesn't affect Tomcat at
all.  The important thing to get right is ensuring that the schema in your
directory server can be navigated by the search parameters you can
configure for JNDIRealm, and that you have your directory server's indexes
set up to make the performance fast enough.

In other words, it's just an issue of getting the right sized server and
configuring it for optimum performance -- looking up users and roles is no
different than looking up any other kind of data.

You should note that container managed security (i.e. using roles the way
we are talking about here) is a standard feature of all J2EE servers,
including implementations of very large scale distributed applications
with very large numbers of users and roles.  Also, if you are using (or
planning to use) EJBs, you're going to need to do this anyway, because
accessing an EJB basically requires container managed security.

> Thanks
>

Craig


> >See the servlet specification's chapter on security for more info:
> >
> >  http://java.sun.com/products/servlet/download.html
> >
> >and you'd be better off subscribing to TOMCAT-USER (send an empty mail
> >message to TOMCAT-USER-SUBSCRIBE@JAKARTA.APACHE.ORG) for how to set up
> >Tomcat in particular.
> >
> >>Thanks
> >>Alex
> >>
> >
> >Craig
> >
>


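Craig's answer turns on one requirement: the schema in the directory server has to be navigable by the search parameters you can configure for JNDIRealm, and the attributes those searches hit need indexes. The server.xml fragment below is an added example, not code from this thread or from the Tomcat project; the hostname, base DNs and group layout are assumptions. It assumes one entry per user under ou=people keyed by uid, and one groupOfUniqueNames entry per role under ou=groups whose uniqueMember values are user DNs, which is the layout that makes the two search expressions in the Realm element line up with the data.

```xml
<!-- server.xml fragment (added example; hostname, DNs and layout are assumed) -->

<!-- Assumed directory layout the realm must navigate:
       uid=alex,ou=people,dc=example,dc=com      one entry per user
       cn=admin,ou=groups,dc=example,dc=com      groupOfUniqueNames; its
                                                 uniqueMember values are user DNs
     The patterns below only work because the tree looks like this; change
     the schema and the patterns must change with it. -->
<Context path="/intranet" docBase="intranet">

  <!-- userPattern: {0} is replaced by the login name to build the user's DN.
       The realm then binds to the directory as that DN with the supplied
       password, so the directory itself verifies the credential and Tomcat
       holds no service-account password for this lookup.
       roleSearch: {0} is replaced by the authenticated user's DN; every entry
       under roleBase matching the filter contributes its roleName attribute
       (cn) as a role, which is what web.xml <role-name> elements are compared
       against. roleSubtree="false" keeps the search one level deep. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:389"
         userPattern="uid={0},ou=people,dc=example,dc=com"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         roleSubtree="false" />

</Context>
```

Placing the Realm inside a Context scopes it to that one web application; inside a Host or Engine it applies to every application underneath. When the user DN cannot be derived from the login name, the realm's alternative attributes userBase and userSearch (for example "(uid={0})") with connectionName and connectionPassword do the lookup through a bind account instead, at the cost of a service-account password sitting in server.xml that must be protected like any other credential. On the performance point Craig raises: the attributes the filters touch, uid for a userSearch and uniqueMember for the role search, are the ones the directory server needs equality indexes on; without them every login scans all group entries, which is exactly the "too many users" symptom Alex describes, caused by the directory rather than by Tomcat.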