Posted to users@tomcat.apache.org by Omar Belkhodja <om...@gmail.com> on 2011/09/23 00:03:43 UTC

Limiting access to resources, based on username, not on the user role

Hello,

I'm trying to create some kind of web application that will provide access
to sensitive data for users. Each user should log in first, then after that
he will be able to display a set of pictures. So the URL for pictures
should have protected access, based on the user name. The problem is that:
- the pictures will be added dynamically, into new directories, so I can't
add a new rule dynamically to the web server to set a new login policy for
the new directory
- the access restriction in Tomcat is based on the user's role, not on the
username. So if I want to restrict URI access, I will have to create a new
role for each new user, and update the server configuration each time.

Does anyone know about a solution to this kind of situation?

Thanks !

Re: Limiting access to resources, based on username, not on the user role

Posted by Jose María Zaragoza <de...@gmail.com>.
On 23/09/2011, at 00:10, Pid <pi...@pidster.com> wrote:

> On 22/09/2011 23:03, Omar Belkhodja wrote:
>> Hello,
>>
>> I'm trying to create some kind of web application that will provide access
>> to sensitive data for users. Each user should log in first, then after that
>> he will be able to display a set of pictures. So the URL for pictures
>> should have protected access, based on the user name. The problem is that:
>> - the pictures will be added dynamically, into new directories, so I can't
>> add a new rule dynamically to the web server to set a new login policy for
>> the new directory
>> - the access restriction in Tomcat is based on the user's role, not on the
>> username. So if I want to restrict URI access, I will have to create a new
>> role for each new user, and update the server configuration each time.

You can define your own custom realm.



>> Does anyone know about a solution to this kind of situation?
>>
>> Thanks !
>
> You're going about this the wrong way.
>
> Don't actually put the images in accessible web directories, store them
> somewhere else & forward to them via a mapping if the virtual URL passes
> auth.
>
>
> p
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Limiting access to resources, based on username, not on the user role

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chema,

On 9/23/2011 6:49 AM, Chema wrote:
>> 
>> In your code, you would examine the Principal & see if it had
>> permission to proceed.  Then return the resource or an error,
>> accordingly.
>> 
> 
> On my way, I would put "your code that examines the Principal &
> sees if it had permission" into a custom realm class. This custom
> realm can check only user authorization, no role

Realms cannot check authorization at all, only authentication, so the
Realm is not the right place to do this.

> This way, you avoid having to implement a redirection manually

You don't have to do a redirect, either.

-chris


Re: Limiting access to resources, based on username, not on the user role

Posted by Chema <de...@gmail.com>.
>
> In your code, you would examine the Principal & see if it had permission
> to proceed.  Then return the resource or an error, accordingly.
>

On my way, I would put "your code that examines the Principal & sees
if it had permission" into a custom realm class.
This custom realm can check only user authorization, no role.

This way, you avoid having to implement a redirection manually.



Re: Limiting access to resources, based on username, not on the user role

Posted by Omar Belkhodja <om...@gmail.com>.
Thanks. It's clear now :)

2011/9/23 Pid <pi...@pidster.com>

> On 22/09/2011 23:23, Omar Belkhodja wrote:
> > Thanks Pid. What do you mean by "a mapping" ? Is it some kind of servlet
> > that would read the file, and create the HTTP answer after having checked
> > the login ?
>
> An arbitrary URL structure:
>
>  /images/{user}/{imageid}
>
> If /images/* was secured, then any user would be authenticated before
> your Servlet or Servlet Filter was executed.
>
> In your code, you would examine the Principal & see if it had permission
> to proceed.  Then return the resource or an error, accordingly.
>
> Your code could request.forward() to another Servlet which actually
> returned the image, or could read the image from where it was stored &
> serve it directly into the outputstream.
>
> Up to you, where & how you store the image.
>
>
> p
>
>

Re: Limiting access to resources, based on username, not on the user role

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pid,

On 9/23/2011 5:59 AM, Pid wrote:
> Your code could request.forward() to another Servlet which
> actually returned the image, or could read the image from where it
> was stored & serve it directly into the outputstream.

Direct-serving would be better since protecting one URL and then
forwarding to another (unprotected) URL is merely security through
obscurity.

This really seems like a good place to use a Filter: just map the
Filter to the appropriate URI space, parse the portion of the URI that
must match the username, then check it against the Principal in the
request. Return 403 if there isn't a match.

Of course, we'll find out that there is some other insane requirement,
later, that makes this impractical.

-chris

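The Filter approach described in the message above, as an added example (not code from the thread or from the Tomcat project). It assumes the /images/{user}/{imageid} layout from Pid's message, the javax.servlet API, a hypothetical class name OwnerOnlyImageFilter, and an assumed naming policy for the two path segments.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): map this filter to /images/* in web.xml. */
public class OwnerOnlyImageFilter implements Filter {

    // Assumed naming policy: exactly one plain segment each for user and image id.
    // Extra segments, "..", ";params" and %-escapes all fail to match.
    private static final Pattern IMAGE_PATH = Pattern.compile(
        "^/images/([A-Za-z0-9_-][A-Za-z0-9_.-]*)/([A-Za-z0-9_-][A-Za-z0-9_.-]*)$");

    /** Returns the {user} segment, or null if the path is not a well-formed image URL. */
    static String ownerOf(String pathWithinApp) {
        Matcher m = IMAGE_PATH.matcher(pathWithinApp);
        return m.matches() ? m.group(1) : null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getRequestURI() is not decoded by the container, so the strict
        // pattern is applied to the raw value and rejects anything unusual.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String owner = ownerOf(path);

        // Populated by the container after the security-constraint on
        // /images/* has authenticated the caller.
        Principal principal = request.getUserPrincipal();

        if (owner == null || principal == null || !owner.equals(principal.getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // 403 on any mismatch
            return;
        }
        // Authorized: continue to the servlet that streams the file from
        // storage kept outside the web-accessible directories.
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The servlet behind the filter should build the file path from the two validated segments only, so the 403 check and the file lookup agree on which user's directory is being read.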

Re: Limiting access to resources, based on username, not on the user role

Posted by Pid <pi...@pidster.com>.
On 22/09/2011 23:23, Omar Belkhodja wrote:
> Thanks Pid. What do you mean by "a mapping" ? Is it some kind of servlet
> that would read the file, and create the HTTP answer after having checked
> the login ?

An arbitrary URL structure:

 /images/{user}/{imageid}

If /images/* was secured, then any user would be authenticated before
your Servlet or Servlet Filter was executed.

In your code, you would examine the Principal & see if it had permission
to proceed.  Then return the resource or an error, accordingly.

Your code could request.forward() to another Servlet which actually
returned the image, or could read the image from where it was stored &
serve it directly into the outputstream.

Up to you, where & how you store the image.


p


Re: Limiting access to resources, based on username, not on the user role

Posted by Omar Belkhodja <om...@gmail.com>.
Thanks Pid. What do you mean by "a mapping" ? Is it some kind of servlet
that would read the file, and create the HTTP answer after having checked
the login ?

2011/9/22 Pid <pi...@pidster.com>

> On 22/09/2011 23:03, Omar Belkhodja wrote:
> > Hello,
> >
> > I'm trying to create some kind of web application that will provide access
> > to sensitive data for users. Each user should log in first, then after that
> > he will be able to display a set of pictures. So the URL for pictures
> > should have protected access, based on the user name. The problem is that:
> > - the pictures will be added dynamically, into new directories, so I can't
> > add a new rule dynamically to the web server to set a new login policy for
> > the new directory
> > - the access restriction in Tomcat is based on the user's role, not on the
> > username. So if I want to restrict URI access, I will have to create a new
> > role for each new user, and update the server configuration each time.
> >
> > Does anyone know about a solution to this kind of situation?
> >
> > Thanks !
>
> You're going about this the wrong way.
>
> Don't actually put the images in accessible web directories, store them
> somewhere else & forward to them via a mapping if the virtual URL passes
> auth.
>
>
> p
>
>

Re: Limiting access to resources, based on username, not on the user role

Posted by Pid <pi...@pidster.com>.
On 22/09/2011 23:03, Omar Belkhodja wrote:
> Hello,
> 
> I'm trying to create some kind of web application that will provide access
> to sensitive data for users. Each user should log in first, then after that
> he will be able to display a set of pictures. So the URL for pictures
> should have protected access, based on the user name. The problem is that:
> - the pictures will be added dynamically, into new directories, so I can't
> add a new rule dynamically to the web server to set a new login policy for
> the new directory
> - the access restriction in Tomcat is based on the user's role, not on the
> username. So if I want to restrict URI access, I will have to create a new
> role for each new user, and update the server configuration each time.
>
> Does anyone know about a solution to this kind of situation?
> 
> Thanks !

You're going about this the wrong way.

Don't actually put the images in accessible web directories, store them
somewhere else & forward to them via a mapping if the virtual URL passes
auth.


p