Posted to users@tomcat.apache.org by Jan Vávra <va...@602.cz> on 2014/05/20 10:11:45 UTC

realm, access to Request object

Hello.

I'm writing my own realm implementation for Tomcat 7.x. In the method
Principal authenticate(X509Certificate[] certs)
I'd like to read request headers. My authentication would be based on
client certificate + custom http request value.
Is it possible?

The method authenticate is called in 
SSLAuthenticator.authenticate(Request request,
                                 HttpServletResponse response,
                                 LoginConfig config)

But I do not see that the Request object is passed to realm instance.
Is there something similar like WebServiceContext that is used for WS?
...
    @Resource
    WebServiceContext wsctx;
    MessageContext mctx = wsctx.getMessageContext();
    HttpServletRequest request = (HttpServletRequest) mctx.get("javax.xml.ws.servlet.request");
...


Jan.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: realm, access to Request object

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jan,

On 5/26/14, 2:58 AM, Jan Vávra wrote:
> Hello.
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> Mark,
>> 
>> On 5/20/14, 4:28 AM, Mark Thomas wrote:
>>> On 20/05/2014 09:11, Jan Vávra wrote:
>>>> Hello.
>>>> 
>>>> I'm writing my own realm implementation for Tomcat 7.x. In the 
>>>> method Principal authenticate(X509Certificate[] certs) I'd
>>>> like to read request headers. My authentication would be
>>>> based on client certificate + custom http request value. Is
>>>> it possible?
>>> In Tomcat, the Authenticator is responsible for gathering the 
>>> credentials. This often requires interaction with the Request
>>> and related objects.
>>> 
>>> The Realm is responsible for validating credentials. Therefore
>>> the Realm does not need access to the Request and related
>>> objects.
>> This is something that securityfilter supports using a
>> sub-interface of the Realm (analog) interface that has the
>> ability to access the request directly. It's a bad architecture,
>> but very useful for doing things such as recording login failures
>> and their source IP addresses, etc.
>> 
>> Is there some way that additional information (e.g. source IP
>> address) could be provided to the Realm for things such as this?
>> It's one of the reasons we still use sf instead of Tomcat's
>> built-in realms. (Another is the lack of decent password-checking
>> algorithms, but I'm working on that: 
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).
> Well, I looked at Chris's SecurityFilter and I'll go the same way.
> I'll get rid of the realm and write my own simple security filter. We
> also plan to support OAuth 2.0 authentication, where the auth header is
> transferred in the form Authorization: Bearer xxxxx. And in other
> cases I need to combine client-cert auth with basic auth. In another
> project we're also behind an authentication system that sends my
> Tomcat an X-Authorized-As header.
> 
> So I have many reasons to access the Request object, and writing
> the filter seems to me the only way to authenticate a web service
> method (server side).

You haven't done your homework. Read about CombinedRealm.

I thought someone contributed an OAuth provider at some point, but I
can't find that reference, so you might need to do that outside of
Tomcat anyway. But since you can use ServletRequest.login(), you can
probably make it work as long as the user always uses OAuth to
authenticate (which is pretty much the whole point).

But re-writing the whole authentication and authorization system is a
big task if all you want to do is add OAuth to the things that Tomcat
can already do. You should try to find a way to get
ServletRequest.login() to do what you need so that you don't have to
write your own URL pattern handler, session management code, etc.

- -chris



Re: realm, access to Request object

Posted by Jan Vávra <va...@602.cz>.
Hello.
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Mark,
>
> On 5/20/14, 4:28 AM, Mark Thomas wrote:
>> On 20/05/2014 09:11, Jan Vávra wrote:
>>> Hello.
>>>
>>> I'm writing my own realm implementation for Tomcat 7.x. In the
>>> method Principal authenticate(X509Certificate[] certs) I'd like
>>> to read request headers. My authentication would be based on
>>> client certificate + custom http request value. Is it possible?
>> In Tomcat, the Authenticator is responsible for gathering the
>> credentials. This often requires interaction with the Request and
>> related objects.
>>
>> The Realm is responsible for validating credentials. Therefore the
>> Realm does not need access to the Request and related objects.
> This is something that securityfilter supports using a sub-interface
> of the Realm (analog) interface that has the ability to access the
> request directly. It's a bad architecture, but very useful for doing
> things such as recording login failures and their source IP addresses,
> etc.
>
> Is there some way that additional information (e.g. source IP address)
> could be provided to the Realm for things such as this? It's one of
> the reasons we still use sf instead of Tomcat's built-in realms.
> (Another is the lack of decent password-checking algorithms, but I'm
> working on that:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).
Well, I looked at Chris's SecurityFilter and I'll go the same way. I'll
get rid of the realm and write my own simple security filter. We also plan
to support OAuth 2.0 authentication, where the auth header is transferred in
the form Authorization: Bearer xxxxx. And in other cases I need to combine
client-cert auth with basic auth. In another project we're also behind an
authentication system that sends my Tomcat an X-Authorized-As header.

So I have many reasons to access the Request object, and writing the
filter seems to me the only way to authenticate a web service method
(server side).
Jan.

>     Thanks,
>     - -chris

Re: realm, access to Request object

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 5/20/14, 4:28 AM, Mark Thomas wrote:
> On 20/05/2014 09:11, Jan Vávra wrote:
>> Hello.
>> 
>> I'm writing my own realm implementation for Tomcat 7.x. In the
>> method Principal authenticate(X509Certificate[] certs) I'd like
>> to read request headers. My authentication would be based on 
>> client certificate + custom http request value. Is it possible?
> 
> In Tomcat, the Authenticator is responsible for gathering the 
> credentials. This often requires interaction with the Request and 
> related objects.
> 
> The Realm is responsible for validating credentials. Therefore the
> Realm does not need access to the Request and related objects.

This is something that securityfilter supports using a sub-interface
of the Realm (analog) interface that has the ability to access the
request directly. It's a bad architecture, but very useful for doing
things such as recording login failures and their source IP addresses,
etc.

Is there some way that additional information (e.g. source IP address)
could be provided to the Realm for things such as this? It's one of
the reasons we still use sf instead of Tomcat's built-in realms.
(Another is the lack of decent password-checking algorithms, but I'm
working on that:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).

Thanks,
- -chris



Re: realm, access to Request object

Posted by Mark Thomas <ma...@apache.org>.
On 20/05/2014 09:11, Jan Vávra wrote:
> Hello.
> 
> I'm writing my own realm implementation for Tomcat 7.x. In the method
> Principal authenticate(X509Certificate[] certs)
> I'd like to read request headers. My authentication would be based on
> client certificate + custom http request value.
> Is it possible?

In Tomcat, the Authenticator is responsible for gathering the
credentials. This often requires interaction with the Request and
related objects.

The Realm is responsible for validating credentials. Therefore the Realm
does not need access to the Request and related objects.

Mark

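The split Mark describes (the Authenticator gathers credentials from the Request, the Realm only validates them) is what Jan's "client certificate + custom header" case needs, and it does not require the Realm to see the Request at all. The following is an added example written for this thread; it is not code from Tomcat, Jan or Chris. It assumes Tomcat 7.x APIs (org.apache.catalina.deploy.LoginConfig, AuthenticatorBase.register with six arguments), a hypothetical package and class name, a hypothetical header name X-Client-Token, and a constructed in-memory map of expected header values keyed by certificate subject DN standing in for whatever store a real deployment would use.

```java
package com.example.auth; // hypothetical package, not part of Tomcat

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Globals;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.coyote.ActionCode;

/**
 * Tomcat 7 Authenticator that gathers two credentials, the TLS client
 * certificate chain and a custom header, and hands only the chain to the
 * configured Realm for validation. The header check is request-layer
 * policy and therefore stays here, in the Authenticator, so the Realm
 * never needs the Request object.
 */
public class CertPlusHeaderAuthenticator extends AuthenticatorBase {

    /** Header carrying the per-client secret; settable from the Valve element. */
    private String headerName = "X-Client-Token";

    /** Constructed sample data: subject DN -> expected header value. A real
     *  deployment would load this from the same store the Realm uses. */
    private final Map<String, String> expectedTokenByDn = new HashMap<String, String>();
    {
        expectedTokenByDn.put("CN=client-a,O=Example", "constructed-token-for-client-a");
    }

    public String getHeaderName() { return headerName; }
    public void setHeaderName(String headerName) { this.headerName = headerName; }

    @Override
    public boolean authenticate(Request request, HttpServletResponse response,
                                LoginConfig config) throws IOException {
        // Already authenticated (e.g. cached in the session)? Nothing to do.
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            return true;
        }

        // 1. Gather credentials. The connector exposes the verified chain as a
        //    request attribute; ask it to renegotiate if the chain is missing.
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (certs == null || certs.length == 0) {
            try {
                request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            } catch (IllegalStateException ise) {
                // Connector cannot renegotiate; treated as "no certificate" below.
            }
            certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        }
        String headerValue = request.getHeader(headerName);
        if (certs == null || certs.length == 0 || headerValue == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // 2. Validate the certificate through the Realm; it never sees the Request.
        principal = context.getRealm().authenticate(certs);
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        // 3. Bind the header value to the certificate subject (leaf cert = certs[0])
        //    with a constant-time comparison so timing does not leak the secret.
        String dn = certs[0].getSubjectX500Principal().getName();
        if (!tokenMatches(dn, headerValue)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // Make the checked value available to later valves/servlets as a note.
        request.setNote("com.example.auth.CLIENT_TOKEN", headerValue);
        register(request, response, principal, HttpServletRequest.CLIENT_CERT_AUTH, null, null);
        return true;
    }

    /** Constant-time comparison of the presented header against the expected value. */
    boolean tokenMatches(String subjectDn, String presented) {
        String expected = expectedTokenByDn.get(subjectDn);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

To use it, declare it as a Valve in the web application's context.xml (for example `<Valve className="com.example.auth.CertPlusHeaderAuthenticator" headerName="X-Client-Token"/>`) together with a CLIENT-CERT login-config in web.xml; Tomcat does not install its default SSLAuthenticator when an Authenticator valve is already present in the context pipeline. The same structure covers Jan's X-Authorized-As case: a header naming a user is only trustworthy if the connection it arrived on is itself authenticated, which is exactly what binding the header to the validated client certificate does here, while the Realm remains unchanged and Request-free.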