Posted to users@tomcat.apache.org by Johannes <jo...@idg.nu> on 2006/11/03 12:18:59 UTC
Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)
With the lack of replies I guess that Active Directory connections are not used by anyone here.
I'm making it a bit simpler then, and in step one will only protect this service with a simple login / password protection.
Setup: One separate engine only accepting HTTPS connections that needs to be protected.
I have set up an "org.apache.catalina.realm.MemoryRealm" realm with an XML file with one user, password and group in my server.xml section for the engine I'm protecting.
So far so good.
Then I got everything to work when editing <webapp>/WEB-INF/web.xml and adding the following:
<security-constraint>
    <display-name>Security check</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>testgroup</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Security Check</realm-name>
</login-config>
That worked great, the login box appears and the webapp is not accessible without the correct logon.
BUT the problem is that this webapp is delivered by a 3rd party without the above settings in their web.xml file.
We get regular updates and I would like to NOT be forced to remember to add the above section every time we get a new release of the webapp.
So how can I make this Engine/webapp in the server.xml file be protected by one simple login WITHOUT the need to modify the webapp itself every time we get a new version of the webapp?
~Johannes
-----Original message-----
From: Johannes johannes@idg.nu
Date: Thu, 02 Nov 2006 12:55:13 +0100
To: users@tomcat.apache.org
Subject: Tomcat authenticate with Active directory
> I have a webapp that I want to protect the best way possible.
> Our environment has previously been Windows and still is, but our new system is running Tomcat 5.0.
>
> Now I would like to protect one part of our setup with login from our Windows 2003 Active Directory domain server when there are a lot of people that are going to access this webapp. But it still needs to be secure!
> Found some information here:
> http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html
> Section JNDIRealm
>
> But without any previous experience with LDAP connections I have no clue how to get this to work.
> I've tried searching for a good tutorial/guide on how to make this happen step by step, but without success.
>
> Has this been done by anyone here that could give me some help setting this up? Or can direct me to a good step-by-step tutorial to get this up and running?
>
> ~Johannes
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)
Posted by Pid <p...@pidster.com>.
If you deploy the webapp inside another directory that is already
protected, you can use SingleSignOn to execute login via the parent/ROOT
web app?
Re: Tomcat authenticate with BASIC Auth (Pre: Active directory)
Posted by Tim Funk <fu...@joedog.org>.
Out of the box - there is no Valve in Tomcat which requires
authentication without first consulting web.xml.
As a simple(?) kludge - you could write your own Valve which forces
authentication on anything executed by the Valve: - you'll need to fill
in isAuthenticated(...)
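
// Imports for the two-argument invoke() used below (Tomcat 5.5 and later).
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class ProtectMeValve extends ValveBase implements Lifecycle {

    ...

    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        String authHeader = request.getHeader("Authorization");
        if (authHeader != null) {
            if (isAuthenticated(request, authHeader)) {
                // Credentials accepted: pass the request down the pipeline
                getNext().invoke(request, response);
            } else {
                // may need setContentType(...)
                response.setStatus(403);
                response.getWriter().write("Go away - your not allowed!");
            }
        } else {
            // No credentials sent: challenge the client for Basic auth
            // may need setContentType(...)
            response.setStatus(401);
            response.addHeader("WWW-Authenticate",
                    "Basic realm=\"My Webapp\"");
            response.getWriter().write("some message");
        }
    }
}
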
I would think the preceding should work.
-Tim
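
One way to fill in the isAuthenticated(...) check that the valve above leaves open, as an added example that is not from the thread or from Tomcat itself. The class name BasicAuthCheck, the three-argument isAuthenticated signature and the credentials in main are assumptions made for illustration; inside a valve the expected user and password would come from the configured realm rather than from literals.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: standalone Basic-auth header check (no Tomcat classes needed).
public class BasicAuthCheck {

    /** Returns {user, password} from a Basic Authorization header, or null if malformed. */
    static String[] parseBasic(String authHeader) {
        if (authHeader == null) return null;
        String[] parts = authHeader.trim().split("\\s+", 2);
        // HTTP auth scheme names are case-insensitive; anything but Basic is rejected.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return null; // invalid base64: treat as failed auth, not a server error
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':'); // only the first colon separates user from password
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Byte comparison via MessageDigest.isEqual, so timing does not reveal a matching prefix. */
    static boolean sameBytes(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    static boolean isAuthenticated(String authHeader, String user, String password) {
        String[] creds = parseBasic(authHeader);
        if (creds == null) return false;
        // Non-short-circuit & so both fields are always compared.
        return sameBytes(creds[0], user) & sameBytes(creds[1], password);
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password deliberately contains colons.
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("tester:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
        System.out.println(isAuthenticated(good, "tester", "s3cret:with:colons"));
        System.out.println(isAuthenticated("basic !!notbase64!!", "tester", "x"));
        System.out.println(isAuthenticated("Bearer abc", "tester", "x"));
    }
}
```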