Posted to users@tomcat.apache.org by sh...@wipro.com on 2009/12/02 16:48:02 UTC

Authentication without Authorization ( JNDI Realm )

Hi

Is there any way to use a Realm only for authentication and disable authorization (do not check for roles)?

Regards,
Shashank.

Please do not print this email unless it is absolutely necessary. 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. 

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. 

www.wipro.com

Re: Authentication without Authorization ( JNDI Realm ) - Resolved

Posted by Shashank Rachamalla <sh...@wipro.com>.
Hi

I had to use roleSearch="(mail={1})" instead of roleSearch="(mail={0})".

{0} takes the user DN, whereas {1} takes the username.

Regards
Shashank.

On Fri, 2009-12-04 at 16:04 +0530, Shashank Rachamalla wrote:
> Hi
> 
> The following is the Realm configuration being used:
> 
> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>         connectionName="cn=Manager,dc=wipro,dc=com"
>         connectionPassword="secret"
>         connectionURL="ldap://ldapprime.pesgrid.wipro.com:389"
>         userBase="dc=wipro,dc=com" 
>         userSubtree="true"  
>         userSearch="(mail={0})"
>         roleBase="dc=wipro,dc=com"
>         roleSubtree="true"
>         roleName="objectClass"
>         roleSearch="(mail={0})"/>
> 
> The following is the security constraint specified in web.xml
> 
> <security-constraint>
>         <web-resource-collection>
>                 <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>                 <role-name>*</role-name>
>         </auth-constraint>
> </security-constraint>
> 
> <login-config>
>         <auth-method>BASIC</auth-method>
> </login-config>
> 
> <security-role>
>         <role-name>inetOrgPerson</role-name>
> </security-role>
> 
> 
> The following is an entry added to LDAP for testing:
> 
> dn: uid=ccpadmin, dc=wipro,dc=com
> mail: ccpadmin@wipro.com
> uid: ccpadmin
> userPassword:: YWRtaW4xMjM=
> objectClass: inetOrgPerson
> givenName: Cloud
> sn: Administrator
> cid: cloud
> cn: Cloud Administrator
> 
> 
> I am able to authenticate but authorization seems to fail (error 403
> Forbidden)
> 
> Regards
> Shashank
> 
> 
> On Wed, 2009-12-02 at 19:16 -0800, Robert Koberg wrote:
> > On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote:
> > 
> > > 
> > > Chuck,
> > > 
> > > On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
> > >>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > >>> Subject: Re: Authentication without Authorization ( JNDI Realm )
> > >>> 
> > >>> Technically speaking, this will require authentication but then let
> > >>> anyone holding any role defined in web.xml to access any page on your
> > >>> site.
> > >> 
> > >> But the valid roles still have to be listed in web.xml to be compliant with the spec.
> > > 
> > > Yes. That's why I said "technically" and "practically".
> > > 
> > >>> Practically speaking, you don't even need to define the roles in
> > >>> web.xml because (last time I checked), Tomcat treats '*' as
> > >>> "authenticated, regardless of roles".
> > >> 
> > >> That was a bug, now fixed:
> > >> http://marc.info/?l=tomcat-user&m=123568422715010&w=2
> > > 
> > > I'll have to look elsewhere in the code, then. What I saw in
> > > GenericPrincipal clearly takes, ahem, liberties with the spec.
> > 
> > (don't know if this has been mentioned)
> > 
> > There are the @PermitAll (and @DenyAll, @RolesAllowed) annotations. They require a servlet 3.0 container or some framework that allows them (I like Jersey).
> > 
> > best,
> > -Rob
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 





Re: Authentication without Authorization ( JNDI Realm )

Posted by Shashank Rachamalla <sh...@wipro.com>.
Hi

The following is the Realm configuration being used:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
        connectionName="cn=Manager,dc=wipro,dc=com"
        connectionPassword="secret"
        connectionURL="ldap://ldapprime.pesgrid.wipro.com:389"
        userBase="dc=wipro,dc=com" 
        userSubtree="true"  
        userSearch="(mail={0})"
        roleBase="dc=wipro,dc=com"
        roleSubtree="true"
        roleName="objectClass"
        roleSearch="(mail={0})"/>

The following is the security constraint specified in web.xml

<security-constraint>
        <web-resource-collection>
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>*</role-name>
        </auth-constraint>
</security-constraint>

<login-config>
        <auth-method>BASIC</auth-method>
</login-config>

<security-role>
        <role-name>inetOrgPerson</role-name>
</security-role>


The following is an entry added to LDAP for testing:

dn: uid=ccpadmin, dc=wipro,dc=com
mail: ccpadmin@wipro.com
uid: ccpadmin
userPassword:: YWRtaW4xMjM=
objectClass: inetOrgPerson
givenName: Cloud
sn: Administrator
cid: cloud
cn: Cloud Administrator


I am able to authenticate but authorization seems to fail (error 403
Forbidden)

Regards
Shashank


On Wed, 2009-12-02 at 19:16 -0800, Robert Koberg wrote:
> On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote:
> 
> > 
> > Chuck,
> > 
> > On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
> >>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> >>> Subject: Re: Authentication without Authorization ( JNDI Realm )
> >>> 
> >>> Technically speaking, this will require authentication but then let
> >>> anyone holding any role defined in web.xml to access any page on your
> >>> site.
> >> 
> >> But the valid roles still have to be listed in web.xml to be compliant with the spec.
> > 
> > Yes. That's why I said "technically" and "practically".
> > 
> >>> Practically speaking, you don't even need to define the roles in
> >>> web.xml because (last time I checked), Tomcat treats '*' as
> >>> "authenticated, regardless of roles".
> >> 
> >> That was a bug, now fixed:
> >> http://marc.info/?l=tomcat-user&m=123568422715010&w=2
> > 
> > I'll have to look elsewhere in the code, then. What I saw in
> > GenericPrincipal clearly takes, ahem, liberties with the spec.
> 
> (don't know if this has been mentioned)
> 
> There are the @PermitAll (and @DenyAll, @RolesAllowed) annotations. They require a servlet 3.0 container or some framework that allows them (I like Jersey).
> 
> best,
> -Rob
> 
> 
> 





Re: Authentication without Authorization ( JNDI Realm )

Posted by Robert Koberg <ro...@koberg.com>.
On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote:

> 
> Chuck,
> 
> On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>>> Subject: Re: Authentication without Authorization ( JNDI Realm )
>>> 
>>> Technically speaking, this will require authentication but then let
>>> anyone holding any role defined in web.xml to access any page on your
>>> site.
>> 
>> But the valid roles still have to be listed in web.xml to be compliant with the spec.
> 
> Yes. That's why I said "technically" and "practically".
> 
>>> Practically speaking, you don't even need to define the roles in
>>> web.xml because (last time I checked), Tomcat treats '*' as
>>> "authenticated, regardless of roles".
>> 
>> That was a bug, now fixed:
>> http://marc.info/?l=tomcat-user&m=123568422715010&w=2
> 
> I'll have to look elsewhere in the code, then. What I saw in
> GenericPrincipal clearly takes, ahem, liberties with the spec.

(don't know if this has been mentioned)

There are the @PermitAll (and @DenyAll, @RolesAllowed) annotations. They require a servlet 3.0 container or some framework that allows them (I like Jersey).

best,
-Rob




Re: Authentication without Authorization ( JNDI Realm )

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chuck,

On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Subject: Re: Authentication without Authorization ( JNDI Realm )
>>
>> Technically speaking, this will require authentication but then let
>> anyone holding any role defined in web.xml to access any page on your
>> site.
> 
> But the valid roles still have to be listed in web.xml to be compliant with the spec.

Yes. That's why I said "technically" and "practically".

>> Practically speaking, you don't even need to define the roles in
>> web.xml because (last time I checked), Tomcat treats '*' as
>> "authenticated, regardless of roles".
> 
> That was a bug, now fixed:
> http://marc.info/?l=tomcat-user&m=123568422715010&w=2

I'll have to look elsewhere in the code, then. What I saw in
GenericPrincipal clearly takes, ahem, liberties with the spec.

-chris



RE: Authentication without Authorization ( JNDI Realm )

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Authentication without Authorization ( JNDI Realm )
> 
> Technically speaking, this will require authentication but then let
> anyone holding any role defined in web.xml to access any page on your
> site.

But the valid roles still have to be listed in web.xml to be compliant with the spec.

> Practically speaking, you don't even need to define the roles in
> web.xml because (last time I checked), Tomcat treats '*' as
> "authenticated, regardless of roles".

That was a bug, now fixed:
http://marc.info/?l=tomcat-user&m=123568422715010&w=2

Note that the spec states that "*" means any defined role, not just any role:

"The special role name “*” is a shorthand for all role names defined in the deployment descriptor."

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


Re: Authentication without Authorization ( JNDI Realm )

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Shashank,

On 12/2/2009 10:48 AM, shashank.r38@wipro.com wrote:
> Is there any way to use a Realm only for authentication and disable
> authorization (do not check for roles)?

If you are using Tomcat's container-managed authentication and
authorization, you can achieve this by simply putting this in web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Everything</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

Technically speaking, this will require authentication but then let
anyone holding any role defined in web.xml to access any page on your
site. Practically speaking, you don't even need to define the roles in
web.xml because (last time I checked), Tomcat treats '*' as
"authenticated, regardless of roles".

This is the code from 6.0.20 that implements this behavior:

java/org/apache/catalina/realm/GenericPrincipal.java:

    public boolean hasRole(String role) {

        if("*".equals(role)) // Special 2.4 role meaning everyone
            return true;
        if (role == null)
            return (false);
        return (Arrays.binarySearch(roles, role) >= 0);

    }

So, yeah, '*' ought to do it.

-chris

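Added example, not Tomcat's code and not posted by anyone in the thread: an in-memory simulation of the two mechanisms the thread turns on, the roleSearch placeholder substitution behind the "Resolved" post ({0} is the user DN and {1} the username, while userSearch substitutes the username for {0}, as Tomcat's JNDIRealm documentation describes) and the spec meaning of the "*" role-name that Chuck quotes. The directory entry is constructed from the LDIF posted above (password omitted), and the filter matcher handles only the single equality filters these configurations use.

```python
import re

# Constructed stand-in for the LDAP entry posted in the thread; not a real directory.
DIRECTORY = [
    {"dn": "uid=ccpadmin,dc=wipro,dc=com",
     "mail": ["ccpadmin@wipro.com"], "uid": ["ccpadmin"],
     "objectClass": ["inetOrgPerson"], "cn": ["Cloud Administrator"]},
]

def _matches(entry, ldap_filter):
    """Evaluate one (attr=value) equality filter; enough for the filters in this thread."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    return m.group(2) in entry.get(m.group(1), [])

def find_user_dn(realm, username):
    """userSearch: {0} is the login name (here the mail address the user typed)."""
    f = realm["userSearch"].replace("{0}", username)
    hits = [e["dn"] for e in DIRECTORY if _matches(e, f)]
    return hits[0] if hits else None

def resolve_roles(realm, username):
    """roleSearch: {0} is the user's DN, {1} the login name. Every matching entry
    contributes the values of its roleName attribute (objectClass in the thread)."""
    dn = find_user_dn(realm, username)
    if dn is None:
        return []
    f = realm["roleSearch"].replace("{0}", dn).replace("{1}", username)
    return sorted({r for e in DIRECTORY if _matches(e, f) for r in e.get(realm["roleName"], [])})

def authorize(user_roles, declared_roles, auth_constraint):
    """Spec semantics quoted by Chuck: '*' is shorthand for the roles declared in
    web.xml, so a user holding none of the declared roles still gets a 403."""
    allowed = set(declared_roles) if auth_constraint == ["*"] else set(auth_constraint)
    return bool(allowed & set(user_roles))

# The thread's original realm (roleSearch "(mail={0})") and the resolved one ("(mail={1})").
BROKEN = {"userSearch": "(mail={0})", "roleSearch": "(mail={0})", "roleName": "objectClass"}
FIXED = dict(BROKEN, roleSearch="(mail={1})")

if __name__ == "__main__":
    for label, realm in (("(mail={0})", BROKEN), ("(mail={1})", FIXED)):
        roles = resolve_roles(realm, "ccpadmin@wipro.com")
        ok = authorize(roles, ["inetOrgPerson"], ["*"])
        print(f"roleSearch={label}: roles={roles} -> {'200' if ok else '403'}")
```

With "(mail={0})" the substituted filter becomes "(mail=uid=ccpadmin,dc=wipro,dc=com)", which matches nothing, so the user has no roles and "*" denies; with "(mail={1})" the objectClass value inetOrgPerson is found and the declared role matches.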