Posted to users@tomcat.apache.org by Martin O'Shea <ap...@dsl.pipex.com> on 2013/07/18 11:34:42 UTC

Authentication from a REST service

Hello

I am in the process of setting up a web service between an android app and
Tomcat 6.0.26 implemented with Jersey. I already have client and server
communicating with each other by sending XML requests. But I would like the
user of the client to be authenticated by the server for a set period of
time and then have to re-authenticate after that time has expired.

Can anyone suggest anything?

Thanks

Martin O'Shea.

RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Thanks Andre. I have already done so. I thought to ask it on both just in
case.

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: 18 Jul 2013 14 16
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin O'Shea wrote:
> Hello
> 
>  
> 
> I am in the process of setting up a web service between an android app 
> and Tomcat 6.0.26 implemented with Jersey. I already have client and 
> server communicating with each other by sending XML requests. But I 
> would like the user of the client to be authenticated by the server 
> for a set period of time and then have to re-authenticate after that time has expired.
> 
>  
> 
> Can anyone suggest anything?
> 
It may be better to ask this on the Jersey user's list.
I would imagine that Jersey provides a way to force the client to be
authenticated. This would work via a session, and there is probably a way to
set the session timeout.
After the last interaction + the timeout, the session will expire, and this
should automatically force the client to re-authenticate at the next access.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Authentication from a REST service

Posted by André Warnier <aw...@ice-sa.com>.
Martin O'Shea wrote:
> Hello
> 
>  
> 
> I am in the process of setting up a web service between an android app and
> Tomcat 6.0.26 implemented with Jersey. I already have client and server
> communicating with each other by sending XML requests. But I would like the
> user of the client to be authenticated by the server for a set period of
> time and then have to re-authenticate after that time has expired.
> 
>  
> 
> Can anyone suggest anything?
> 
It may be better to ask this on the Jersey user's list.
I would imagine that Jersey provides a way to force the client to be authenticated. This 
would work via a session, and there is probably a way to set the session timeout.
After the last interaction + the timeout, the session will expire, and this should 
automatically force the client to re-authenticate at the next access.


RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Chris

I'm checking this with Jersey.

Thanks

Martin O'Shea.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 18 Jul 2013 18 52
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already 
> have client and server communicating with each other by sending XML 
> requests via Jersey with a servlet implemented in web.xml.
> 
> So in addition to this, I would need a filter set to intercept request 
> with a url pattern /rest/*. This filter can then call 
> HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do it. I'm assuming that Jersey is using ServletRequest.getPrincipal to get authentication information from the caller (which is a reasonable assumption IMO). If it's being done in some other way, then this technique may not work.

-chris

Re: Authentication from a REST service

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

On 7/29/13 12:30 PM, Martin O'Shea wrote:
> Sorry Chris, I'm not sure what I'm looking for here. Can you
> elaborate?

Just read the whole page:

>> Container-provided authentication can be done without writing any
>> code at all:
>> 
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

If you don't understand, come back and ask more specific questions.

-chris

RE: Authentication from a REST service

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Authentication from a REST service

> Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

Don't top-post; it makes the conversation impossible to follow.

Step 1: read the security section of the Servlet spec.

Step 2: read the Tomcat doc Chris pointed out to you.

Step 3: look at the WEB-INF/web.xml settings in the relevant examples that come with Tomcat, including the manager and host-manager webapps.

 - Chuck


RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 29 Jul 2013 17 21
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/28/13 10:40 AM, Martin O'Shea wrote:
> Have you an example at all?
> 
> At the moment, I've simply rigged a simple authentication method of my
> own. Have you a code example of a container-provided authentication
> system, or could you refer me to one?

Container-provided authentication can be done without writing any code at all:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

-chris

Re: Authentication from a REST service

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

On 7/28/13 10:40 AM, Martin O'Shea wrote:
> Have you an example at all?
> 
> At the moment, I've simply rigged a simple authentication method of
> my own. Have you a code example of a container-provided
> authentication system, or could you refer me to one?

Container-provided authentication can be done without writing any code
at all:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

-chris

RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Chris

Have you an example at all?

At the moment, I've simply rigged a simple authentication method of my own. Have you a code example of a container-provided authentication system, or could you refer me to one?

Thanks

Martin O'Shea.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 28 Jul 2013 15 37
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/27/13 12:00 PM, Martin O'Shea wrote:
> Are there any suggestions if I'm not using servlet 3?

Any reason the container-provided authentication system (e.g. HTTP
BASIC) isn't acceptable?

-chris

Re: Authentication from a REST service

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

On 7/27/13 12:00 PM, Martin O'Shea wrote:
> Are there any suggestions if I'm not using servlet 3?

Any reason the container-provided authentication system (e.g. HTTP
BASIC) isn't acceptable?

-chris

RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Are there any suggestions if I'm not using servlet 3?

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 18 Jul 2013 18 52
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already 
> have client and server communicating with each other by sending XML 
> requests via Jersey with a servlet implemented in web.xml.
> 
> So in addition to this, I would need a filter set to intercept request 
> with a url pattern /rest/*. This filter can then call 
> HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do it. I'm assuming that Jersey is using ServletRequest.getPrincipal to get authentication information from the caller (which is a reasonable assumption IMO). If it's being done in some other way, then this technique may not work.

-chris

Re: Authentication from a REST service

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I
> already have client and server communicating with each other by
> sending XML requests via Jersey with a servlet implemented in
> web.xml.
> 
> So in addition to this, I would need a filter set to intercept 
> request with a url pattern /rest/*. This filter can then call 
> HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways
to do it. I'm assuming that Jersey is using ServletRequest.getPrincipal
to get authentication information from the caller (which is a reasonable
assumption IMO). If it's being done in some other way, then this
technique may not work.

-chris

RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
OK. So let me see if I understand what you’re suggesting: I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml.

So in addition to this, I would need a filter set to intercept requests with a URL pattern /rest/*. This filter can then call HttpServletRequest.login?

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 18 Jul 2013 15 39
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 10:32 AM, Martin O'Shea wrote:
> It's a case of considering options at the moment. It doesn't matter 
> too much about the actual expiration time of the session. But a 
> question arises concerning use of a realm: if I have the following 
> code in a realm in context.xml for existing browser-based logging
> in:
> 
> <Realm className = "org.apache.catalina.realm.DataSourceRealm" 
> digest="MD5"

FWIW, MD5 is basically deprecated at this point. I would use at least
SHA-256 for password-hashing. Honestly, I'd use a password-mangling algorithm and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).

(I've been toying-around with modifications to Tomcat's Realms and underlying code to help support such things, but I haven't come up with a good patch, yet).

> debug = "99"

This should be removed: it must have come from an old configuration.

> dataSourceName = "jdbc/MyApp" localDataSource = "true" userTable = 
> "User" userNameCol = "UserName" userCredCol = "Password"
> userRoleTable = "User" roleNameCol = "RoleName" />
> 
> Could it be used also for the REST service?

You can use it for anything you'd like.

> And would a servlet be required to handle authentication?

No, you can use a Filter. I'm not sure how Jersey is implemented, but I suspect that you configured either a Servlet or a Filter at some point in WEB-INF/web.xml. Just make sure that your own Filter performs whatever is necessary to authenticate (e.g. calling
HttpServletRequest.login) and then sets-up the request so that Jersey knows that the user has been successfully authenticated (it probably just checks ServletRequest.getPrincipal, which will be set up correctly after a successful call to HttpServletRequest.login).

-chris

Re: Authentication from a REST service

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

On 7/18/13 10:32 AM, Martin O'Shea wrote:
> It's a case of considering options at the moment. It doesn't matter
> too much about the actual expiration time of the session. But a
> question arises concerning use of a realm: if I have the following
> code in a realm in context.xml for existing browser-based logging
> in:
> 
> <Realm className = "org.apache.catalina.realm.DataSourceRealm" 
> digest="MD5"

FWIW, MD5 is basically deprecated at this point. I would use at least
SHA-256 for password-hashing. Honestly, I'd use a password-mangling
algorithm and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).

(I've been toying-around with modifications to Tomcat's Realms and
underlying code to help support such things, but I haven't come up
with a good patch, yet).

> debug = "99"

This should be removed: it must have come from an old configuration.

> dataSourceName = "jdbc/MyApp" localDataSource = "true" userTable =
> "User" userNameCol = "UserName" userCredCol = "Password" 
> userRoleTable = "User" roleNameCol = "RoleName" />
> 
> Could it be used also for the REST service?

You can use it for anything you'd like.

> And would a servlet be required to handle authentication?

No, you can use a Filter. I'm not sure how Jersey is implemented, but
I suspect that you configured either a Servlet or a Filter at some
point in WEB-INF/web.xml. Just make sure that your own Filter performs
whatever is necessary to authenticate (e.g. calling
HttpServletRequest.login) and then sets-up the request so that Jersey
knows that the user has been successfully authenticated (it probably
just checks ServletRequest.getPrincipal, which will be set up
correctly after a successful call to HttpServletRequest.login).

-chris

Re: Authentication from a REST service

Posted by André Warnier <aw...@ice-sa.com>.
Martin O'Shea wrote:
> Chris
> 
> It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:
> 
> <Realm
>         className = "org.apache.catalina.realm.DataSourceRealm"
>         digest="MD5"
>         debug = "99"
>         dataSourceName = "jdbc/MyApp"
>         localDataSource = "true"
>         userTable = "User"
>         userNameCol = "UserName"
>         userCredCol = "Password"
>         userRoleTable = "User"
>         roleNameCol = "RoleName" />
> 
> Could it be used also for the REST service? And would a servlet be required to handle authentication?
> 
Well, apart from the layers of obfuscation added by Jersey, fundamentally the "REST service" is still a webapp, composed of servlets.
So it is more a case of "does Jersey provide an authentication servlet (or filter)? and what can it do?". No?
Or does Jersey rely on container-based authentication?


RE: Authentication from a REST service

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Chris

It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:

<Realm
        className = "org.apache.catalina.realm.DataSourceRealm"
        digest="MD5"
        debug = "99"
        dataSourceName = "jdbc/MyApp"
        localDataSource = "true"
        userTable = "User"
        userNameCol = "UserName"
        userCredCol = "Password"
        userRoleTable = "User"
        roleNameCol = "RoleName" />

Could it be used also for the REST service? And would a servlet be required to handle authentication?

Thanks

Martin O'Shea.

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: 18 Jul 2013 15 05
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 5:34 AM, Martin O'Shea wrote:
> I am in the process of setting up a web service between an android app 
> and Tomcat 6.0.26 implemented with Jersey. I already have client and 
> server communicating with each other by sending XML requests. But I 
> would like the user of the client to be authenticated by the server 
> for a set period of time and then have to re-authenticate after that 
> time has expired.

If you are using Servlet 3.0, you can use HttpServletRequest.login to authenticate the user using a realm configured for the context. If you use FORM authentication, then the session's expiration time becomes the duration of the login (a caveat being that the timeout is reset for every request the client makes).

If you want fixed-login times (like 30-minutes max regardless of how many requests are made), then stuff your own expiration date into the user's session and then check that timeout with each request. This could all be done in a Filter to keep things orthogonal to your servlet code.

Or were you looking for something more elaborate?

-chris

Re: Authentication from a REST service

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Martin,

On 7/18/13 5:34 AM, Martin O'Shea wrote:
> I am in the process of setting up a web service between an android
> app and Tomcat 6.0.26 implemented with Jersey. I already have
> client and server communicating with each other by sending XML
> requests. But I would like the user of the client to be
> authenticated by the server for a set period of time and then have
> to re-authenticate after that time has expired.

If you are using Servlet 3.0, you can use HttpServletRequest.login to
authenticate the user using a realm configured for the context. If you
use FORM authentication, then the session's expiration time becomes
the duration of the login (a caveat being that the timeout is reset
for every request the client makes).

If you want fixed-login times (like 30-minutes max regardless of how
many requests are made), then stuff your own expiration date into the
user's session and then check that timeout with each request. This
could all be done in a Filter to keep things orthogonal to your
servlet code.

Or were you looking for something more elaborate?

-chris
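As an added example (not code from the thread, and not Jersey's or Tomcat's own), a hypothetical Servlet 3.0 Filter that combines the two suggestions in Chris's replies: it authenticates /rest/* callers through HttpServletRequest.login against the Realm configured for the Context, and enforces a fixed login lifetime stored in the session instead of Tomcat's sliding idle timeout. It assumes Tomcat 7 or later (login() and logout() are Servlet 3.0, so it does not apply to the 6.0.26 in the original question), a <login-config> and Realm in the webapp, the filter mapped to /rest/* in WEB-INF/web.xml, Tomcat's default caching of the authenticated principal in the session, and HTTP Basic credentials sent by the Android client.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/*
 * Hypothetical filter (example only), mapped to /rest/* in WEB-INF/web.xml.
 * Needs Servlet 3.0 (Tomcat 7 or later) for HttpServletRequest.login/logout,
 * plus a <login-config> and a Realm so the Context has an Authenticator.
 */
public class FixedLoginLifetimeFilter implements Filter {

    /* Session attribute holding the absolute deadline of this login (name assumed). */
    static final String DEADLINE_ATTR = "rest.login.deadlineMillis";
    /* Hard cap on a login: 30 minutes, the figure used in the thread. */
    static final long LIFETIME_MILLIS = 30L * 60L * 1000L;

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        long now = System.currentTimeMillis();
        HttpSession session = request.getSession(false);

        // Fast path: the Authenticator valve restored the principal it cached in the
        // session, and our fixed deadline has not passed. Activity does NOT extend it;
        // Tomcat's idle session-timeout still applies underneath as a second limit.
        if (session != null && request.getUserPrincipal() != null
                && isWithinDeadline(session.getAttribute(DEADLINE_ATTR), now)) {
            chain.doFilter(req, res);
            return;
        }

        // Deadline passed or no login yet: clear the stale login from the request
        // (login() refuses an already-authenticated request) and drop the old session.
        if (request.getUserPrincipal() != null) request.logout();
        if (session != null) session.invalidate();

        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);
            return;
        }

        // The Authenticator caches the principal in whatever session exists at login
        // time, so create the fresh one first; a new id also rules out session fixation.
        HttpSession fresh = request.getSession(true);
        try {
            request.login(creds[0], creds[1]);   // checked against the Context's Realm
        } catch (ServletException badCredentials) {
            fresh.invalidate();
            challenge(response);
            return;
        }
        fresh.setAttribute(DEADLINE_ATTR, now + LIFETIME_MILLIS);
        chain.doFilter(req, res);   // getUserPrincipal() is now set for Jersey downstream
    }

    /* True only when a deadline was stored and it still lies in the future. */
    static boolean isWithinDeadline(Object deadline, long now) {
        return deadline instanceof Long && now < (Long) deadline;
    }

    /* Decodes "Basic base64(user:password)"; returns null for anything malformed. */
    static String[] parseBasicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                              StandardCharsets.UTF_8);   // UTF-8 assumed for credentials
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
        int colon = pair.indexOf(':');
        if (colon <= 0) return null;   // no separator, or an empty user name
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /* 401 with a Basic challenge; the realm string is arbitrary here. */
    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"rest\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Because a Basic client resends its credentials on every request, the filter does not need to prompt the user again; once the stored deadline passes it simply stops honouring the cached principal and re-validates the credentials against the Realm.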