Posted to users@tomcat.apache.org by alee amin <ma...@gmail.com> on 2007/09/18 12:46:45 UTC

Tomcat Security - implementing custom security

Hi,

I was able to implement form-based Tomcat security on my web app. It was
good. But because of a restriction from the client I need to modify it.

The password is stored in encrypted form in the DB, so I cannot rely on
Tomcat's "authenticate" method, which simply "selects" the username/password
from the DB and matches it. I have seen the implementation of (
org.apache.catalina.realm.JDBCRealm).

Now, what I did: I wrote a CustomRealm

package org.my.security;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Realm that loads the user's encrypted password from the application
 * database, decrypts it, and lets the RealmBase comparison logic match it
 * against the credentials submitted by the login form.
 */
public class CustomRealm extends RealmBase {

    @Override
    protected String getName() {
        return this.getClass().getSimpleName();
    }

    /** Returns the clear-text password that the submitted credentials are compared with. */
    @Override
    protected String getPassword(final String username) {
        return retrieveEncryptedPassAndDecrypt(username);
    }

    /** Every authenticated user is given the single role "tomcat". */
    @Override
    protected Principal getPrincipal(final String username) {
        final List<String> roles = new ArrayList<String>();
        roles.add("tomcat");
        return new GenericPrincipal(this, username, getPassword(username), roles);
    }

    @Override
    public Principal authenticate(final String username, final String credentials) {
        final String serverCredentials = getPassword(username);

        // credential encrypt

        boolean validated;
        if (serverCredentials == null) {
            // unknown user: no stored password to compare with
            validated = false;
        } else if (hasMessageDigest()) {
            // a 'digest' attribute is configured on the Realm: compare the stored
            // value with the hex digest of the submitted password
            validated = serverCredentials.equalsIgnoreCase(digest(credentials));
        } else {
            // no digest configured: plain string comparison
            validated = serverCredentials.equals(credentials);
        }
        if (!validated) {
            return null;
        }
        return getPrincipal(username);
    }

    /** Loads the encrypted password for the user from the DB and decrypts it (body omitted in the post). */
    public String retrieveEncryptedPassAndDecrypt(final String username) {
        ...
    }
}


I put that file in server/lib and changed server.xml with this entry

<Realm className="org.my.security.CustomRealm" debug="0" />


It works fine.

But now, when I am deploying it to the application, I am wondering how I would
communicate with the database, since my DB layer is a combination of Spring,
Hibernate and DAOs, and the application's beans will not be available here in
this class, since it's on the server side, application independent.

If I put this class in the application WAR file and change the server.xml file
to point at that class, my server gives a "class not found" exception at
startup, which is quite logical.

Now, what I actually want is to use Tomcat security to match
user/password (the password is in encrypted form in the DB; the encryption is done by my
application before saving). If I use my custom Realm, then how can I access
my DB connection classes populated by Spring/Hibernate?


cheers,
..alee
-- 
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com

Re: Tomcat Security - implementing custom security

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
alee amin wrote:
> The password is stored in encrypted form in the DB, so I cannot rely on
> Tomcat's "authenticate" method, which simply "selects" the username/password
> from the DB and matches it. I have seen the implementation of (
> org.apache.catalina.realm.JDBCRealm).
>   
Have you tried using 'digest' attribute? It looks it could help: 
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JDBCRealm

-- 
Mikolaj Rydzewski <mi...@ceti.pl>
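
As an added example (not from the thread above and not taken from the Tomcat documentation page linked in the reply), this is the shape of server.xml Realm entry the 'digest' attribute is meant for. The JDBC driver, connection URL, DB credentials, and the table and column names are assumptions. One caveat worth checking before going this way: 'digest' only works when the credential column holds a one-way hash of the password (a hex-encoded digest, e.g. produced by Tomcat's bin/digest.sh -a SHA <password>), because JDBCRealm digests the submitted password and compares the two strings exactly as the equalsIgnoreCase branch in the posted authenticate method does. It never decrypts, so a value the application encrypts and can decrypt again would have to be replaced by a stored hash.

```xml
<!-- Added example: JDBCRealm with the 'digest' attribute. Driver, URL,
     account and table/column names are assumptions, not values from the thread. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/authority"
       connectionName="dbuser"
       connectionPassword="dbpass"
       userTable="users"        userNameCol="user_name"  userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA" />
<!-- users.user_pass must hold the lower- or upper-case hex SHA digest of the
     password; user_roles maps user_name to each role_name the user holds. -->
```

With digest="SHA" the Realm computes MessageDigest("SHA") over the submitted password, hex-encodes it and compares it case-insensitively with users.user_pass; without the attribute it compares the clear-text strings. Either way the application side needs no custom Realm in server/lib, which sidesteps the class-loading and Spring/Hibernate access problem raised in the original post.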