Posted to users@tomcat.apache.org by John Klancer <ca...@calhoun.plus.com> on 2003/04/04 18:52:38 UTC

Single authentication between IIS & Tomcat - My ip-based solution okay?

Hello 

Let me preface by saying my knowledge and experience with security is
primitive.

I am now working on a project wherein we have a set of ASP pages with a
custom authentication process. I have embedded a servlet into one of
these asp pages but want to avoid making the user authenticate twice
(once for the ASP pages, once again to access the servlet).

To that end, I have been doing a lot of online research, but haven't
found any pre-existing solutions (which surprises me). First question -
does anyone know of anything already out there? If I do have to create
my own solution, I was thinking of having IIS, on the user's
authentication, store the IP address of the authenticating user in a
file on the server (say %TOMCAT%\conf\auth-users.xml or something).
Then, when the user attempts to access the servlet, a custom Realm would
check to see if his/her ip is in auth-users.xml and grant/deny access
based on that.

My question is - is this feasible? Equally important, is it truly
secure?

Thanks for helping out a total security n00b.

 - John


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Single authentication between IIS & Tomcat - My ip-based solution okay?

Posted by Gary Gwin <to...@cafesoft.com>.
John,

You definitely don't want to rely on an IP address, which can be 
spoofed, proxied for use with many users (as in the case of AOL), and 
change between HTTP requests with some proxy servers.

What you're looking for is a web single sign-on solution. I'm in the 
process of writing a white paper on security requirements that should be 
considered for a web single sign on solution and will send you a link to 
the document when I post it.

Gary

John Klancer wrote:
> Hello 
> 
> Let me preface by saying my knowledge and experience with security is
> primitive.
> 
> I am now working on a project wherein we have a set of ASP pages with a
> custom authentication process. I have embedded a servlet into one of
> these asp pages but want to avoid making the user authenticate twice
> (once for the ASP pages, once again to access the servlet).
> 
> To that end, I have been doing a lot of online research, but haven't
> found any pre-existing solutions (which surprises me). First question -
> does anyone know of anything already out there? If I do have to create
> my own solution, I was thinking of having IIS, on the user's
> authentication, store the IP address of the authenticating user in a
> file on the server (say %TOMCAT%\conf\auth-users.xml or something).
> Then, when the user attempts to access the servlet, a custom Realm would
> check to see if his/her ip is in auth-users.xml and grant/deny access
> based on that.
> 
> My question is - is this feasible? Equally important, is it truly
> secure?
> 
> Thanks for helping out a total security n00b.
> 
>  - John
> 

-- 

Gary Gwin
http://www.cafesoft.com

The Cafesoft Access Management System, Cams, is security software that
provides single sign-on authentication and centralized access control
for Apache, Tomcat, and custom resources.
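An added illustration in Python (not code from the thread, Tomcat, or Cafesoft) of Gary's point: the IP-keyed realm check John describes, run through the shared-proxy and changing-proxy cases, beside a user-bound HMAC ticket of the kind a single sign-on handoff between IIS and Tomcat would carry instead. The auth-users.xml layout, the shared key and the addresses are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample of the auth-users.xml file John proposes (format assumed).
AUTH_USERS_XML = """<auth-users>
  <user name="alice" ip="203.0.113.7"/>
</auth-users>"""


def ip_realm_allows(xml_text, client_ip):
    """John's proposed realm: grant access if the client's IP is listed."""
    root = ET.fromstring(xml_text)
    return any(u.get("ip") == client_ip for u in root.iter("user"))


def shared_proxy_scenario():
    """Two users behind one proxy address (the AOL case): only alice
    authenticated to IIS, yet bob, arriving from the same address, is let in."""
    alice = ip_realm_allows(AUTH_USERS_XML, "203.0.113.7")
    bob = ip_realm_allows(AUTH_USERS_XML, "203.0.113.7")
    return alice, bob


def rotating_proxy_scenario():
    """Same user, next request leaves through a different proxy address:
    the realm now locks the legitimate user out."""
    return ip_realm_allows(AUTH_USERS_XML, "203.0.113.8")


# Contrast: a ticket bound to the user, not the address. IIS would mint it
# after its own login and Tomcat would verify it with a key both sides hold.
SHARED_KEY = b"constructed-demo-key-shared-by-iis-and-tomcat"


def issue_ticket(user, now, ttl=300):
    exp = now + ttl
    msg = f"{user}|{exp}".encode()
    sig = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user}|{exp}|{sig}"


def verify_ticket(ticket, now):
    """Return the user name if the ticket is intact and unexpired, else None."""
    try:
        user, exp, sig = ticket.split("|")
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or now >= exp:
        return None
    return user
```

The ticket answers Gary's three objections at once: it does not depend on the source address, it cannot be forged without the key, and it survives a proxy change between requests.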
