Posted to users@tomcat.apache.org by Tim De Pauw <ti...@hogent.be> on 2012/01/20 16:19:12 UTC
Per-user management rights
Hi all,
I'm trying to configure Tomcat so that a separate login is required to
deploy certain apps. Let's say I have a '/someapp' context, which I
would like 'someuser' to deploy remotely. However, 'someuser' cannot
deploy apps to '/someotherapp', and conversely, 'someotheruser' cannot
touch '/someapp'.
So far, I tried to add a Context to server.xml (I know it's discouraged)
for the app, containing a memory realm that has its own user list:
<Context path="/someapp" docBase="someapp">
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="conf/realm.someapp.xml" />
</Context>
The file realm.someapp.xml simply contains:
<tomcat-users>
    <user username="someuser" password="secret"
          roles="manager-script"/>
</tomcat-users>
But now, I'm mostly stuck. I'm guessing 'someuser' would also have to
have access to the manager app in order to deploy, but that would mean
that this user would also have management access to other people's apps.
I assume I'm doing something fundamentally wrong here, but the docs
don't seem to cover this sort of thing explicitly. I guess I could
create separate hosts for each app and user, but that seems tedious and
unnecessary.
Any pointers? Thanks.
Kind regards,
--
Tim De Pauw <ti...@hogent.be>
Vakgroep Informatica
Geassocieerde faculteit Toegepaste Ingenieurswetenschappen
Hogeschool Gent
http://tiwi.be/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Per-user management rights
Posted by Tim De Pauw <ti...@hogent.be>.
Then my conclusion was premature. I stand corrected!
Tim
On 1/20/2012 5:50 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tim,
>
> On 1/20/12 11:30 AM, Tim De Pauw wrote:
>> Not sure; a quick test seemed to suggest this, but I may have been
>> doing something wrong. If I have two hosts X and Y that resolve to
>> the same IP, can I still use AJP to forward requests to the
>> respective Tomcat host?
>
> Absolutely. AJP forwards everything from the web server to Tomcat.
> Tomcat can determine which virtual host should service the request
> just like the web server can.
>
>> Regardless, I came across an old discussion [1], which suggests
>> implementing a servlet filter to check the authenticated user
>> against an ACL, and throwing a 403 if necessary. I hacked a filter
>> together, placed the class file under
>> /webapps/manager/WEB-INF/classes, mapped it to /text/* in
>> /webapps/manager/WEB-INF/web.xml, and I was good to go!
>
> That will definitely work.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8Zm3AACgkQ9CaO5/Lv0PDwsACfaY5OJYMt5jPms9Y3vxB3YcYe
> sNsAni3yxlXvaSwkZYBJ0THRN0DubbKU
> =E9d/
> -----END PGP SIGNATURE-----
Re: Per-user management rights
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim,
On 1/20/12 11:30 AM, Tim De Pauw wrote:
> Not sure; a quick test seemed to suggest this, but I may have been
> doing something wrong. If I have two hosts X and Y that resolve to
> the same IP, can I still use AJP to forward requests to the
> respective Tomcat host?
Absolutely. AJP forwards everything from the web server to Tomcat.
Tomcat can determine which virtual host should service the request
just like the web server can.
> Regardless, I came across an old discussion [1], which suggests
> implementing a servlet filter to check the authenticated user
> against an ACL, and throwing a 403 if necessary. I hacked a filter
> together, placed the class file under
> /webapps/manager/WEB-INF/classes, mapped it to /text/* in
> /webapps/manager/WEB-INF/web.xml, and I was good to go!
That will definitely work.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8Zm3AACgkQ9CaO5/Lv0PDwsACfaY5OJYMt5jPms9Y3vxB3YcYe
sNsAni3yxlXvaSwkZYBJ0THRN0DubbKU
=E9d/
-----END PGP SIGNATURE-----
Re: Per-user management rights
Posted by Tim De Pauw <ti...@hogent.be>.
Not sure; a quick test seemed to suggest this, but I may have been doing
something wrong. If I have two hosts X and Y that resolve to the same
IP, can I still use AJP to forward requests to the respective Tomcat host?
Regardless, I came across an old discussion [1], which suggests
implementing a servlet filter to check the authenticated user against an
ACL, and throwing a 403 if necessary. I hacked a filter together, placed
the class file under /webapps/manager/WEB-INF/classes, mapped it to
/text/* in /webapps/manager/WEB-INF/web.xml, and I was good to go!
Tim
[1]
http://grokbase.com/t/tomcat.apache.org/users/2003/04/mananger-roles/10m2nulzpoufgawoj6xp2bfyxcr4
On 1/20/2012 5:00 PM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tim,
>
> On 1/20/12 10:35 AM, Tim De Pauw wrote:
>> Multiple hosts probably won't solve this problem either. I'm using
>> AJP, which doesn't seem to play well with vhosts.
>
> Wait, what?
>
> In what way does AJP not play well with vhosts?
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk8Zj6YACgkQ9CaO5/Lv0PBPYwCfbfYEdMGVGcSYcem+7PKmqZFB
> VTkAn3P1JIFjt/shlOxlneGmnRz8wbst
> =Zail
> -----END PGP SIGNATURE-----
>
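The filter Tim describes above, written out as an added example (this is not the code he posted, nor part of Tomcat): it sits in front of the Manager's text interface under /text/* and lets each authenticated manager-script user act only on the context paths an ACL grants them. It assumes Tomcat 7, a hypothetical ACL file conf/manager-acl.properties under $CATALINA_BASE with lines such as someuser=/someapp, and a filter-mapping in webapps/manager/WEB-INF/web.xml as shown in the header comment. Commands that do not name a context (list, serverinfo) pass through; every other command must carry a path parameter that the user is allowed to touch, otherwise the request is refused with 403 before it reaches the Manager servlet.

```java
// ContextAclFilter.java -- example only; assumed to be compiled into
// webapps/manager/WEB-INF/classes and wired up in the Manager's web.xml:
//
//   <filter>
//     <filter-name>ContextAclFilter</filter-name>
//     <filter-class>ContextAclFilter</filter-class>
//     <init-param>
//       <param-name>aclFile</param-name>            <!-- hypothetical name -->
//       <param-value>conf/manager-acl.properties</param-value>
//     </init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>ContextAclFilter</filter-name>
//     <url-pattern>/text/*</url-pattern>
//   </filter-mapping>
//
// ACL file format (constructed for this example):  someuser=/someapp,/someapp-test

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContextAclFilter implements Filter {

    // Text commands that name no context; anyone holding manager-script may run them.
    private static final Set<String> READ_ONLY =
            new HashSet<String>(Arrays.asList("/list", "/serverinfo"));

    // user -> set of normalized context paths that user may deploy/undeploy/reload/etc.
    private Map<String, Set<String>> acl = Collections.emptyMap();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String rel = cfg.getInitParameter("aclFile");
        if (rel == null) throw new ServletException("aclFile init-param missing");
        File f = new File(System.getProperty("catalina.base"), rel);
        Properties p = new Properties();
        try {
            InputStream in = new FileInputStream(f);
            try { p.load(in); } finally { in.close(); }
        } catch (IOException e) {
            throw new ServletException("cannot read ACL file " + f, e);
        }
        Map<String, Set<String>> m = new HashMap<String, Set<String>>();
        for (String user : p.stringPropertyNames()) {
            Set<String> paths = new HashSet<String>();
            for (String s : p.getProperty(user).split(",")) {
                s = s.trim();
                if (s.length() > 0) paths.add(normalize(s));
            }
            m.put(user, paths);
        }
        acl = m;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        // Container-managed authentication (BASIC auth, manager-script role) runs
        // before the filter chain, so getRemoteUser() is the verified login name.
        String user = r.getRemoteUser();
        String cmd = r.getPathInfo();          // e.g. "/deploy" for /manager/text/deploy
        if (user == null || cmd == null) { w.sendError(HttpServletResponse.SC_FORBIDDEN); return; }

        if (READ_ONLY.contains(cmd)) { chain.doFilter(req, res); return; }

        // Every other command acts on one context named by "path". A request with no
        // path parameter is refused rather than guessed at, so the filter fails closed.
        String path = r.getParameter("path");
        Set<String> allowed = acl.get(user);
        if (path == null || allowed == null || !allowed.contains(normalize(path))) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "FAIL - " + user + " may not run " + cmd + " on " + path);
            return;
        }
        chain.doFilter(req, res);
    }

    // Treat "/someapp" and "/someapp/" as the same context so a trailing slash
    // cannot sidestep the ACL; "/" (the ROOT context) is left alone.
    static String normalize(String path) {
        if (path.length() > 1 && path.endsWith("/")) path = path.substring(0, path.length() - 1);
        return path;
    }

    @Override
    public void destroy() { }
}
```

Two caveats worth keeping in mind with this approach. It constrains which context path a user may touch, not where the deployed code comes from, and anything a student deploys runs inside the same JVM as every other webapp and the Manager itself; without a Java SecurityManager, a user who can deploy /someapp can run code that reads or alters /someotherapp from the inside regardless of what the Manager allows. Also, the filter lives in the Manager webapp's own WEB-INF, so it must be re-applied whenever that webapp is replaced during a Tomcat upgrade.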
Re: Per-user management rights
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Tim,
On 1/20/12 10:35 AM, Tim De Pauw wrote:
> Multiple hosts probably won't solve this problem either. I'm using
> AJP, which doesn't seem to play well with vhosts.
Wait, what?
In what way does AJP not play well with vhosts?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8Zj6YACgkQ9CaO5/Lv0PBPYwCfbfYEdMGVGcSYcem+7PKmqZFB
VTkAn3P1JIFjt/shlOxlneGmnRz8wbst
=Zail
-----END PGP SIGNATURE-----
Re: Per-user management rights
Posted by Tim De Pauw <ti...@hogent.be>.
Thanks for your reply.
I don't suppose there's an alternative to the Manager app floating
around that would allow this? I came across a commercial solution at
some point (which I forgot to bookmark, apparently), but that's not
really an option.
Multiple hosts probably won't solve this problem either. I'm using AJP,
which doesn't seem to play well with vhosts.
I guess I'll either have to trust my users (actually, students), or cook
up something filesystem-based. Pity, but oh well.
Tim
On 1/20/2012 4:23 PM, Mark Thomas wrote:
> On 20/01/2012 15:19, Tim De Pauw wrote:
>> I assume I'm doing something fundamentally wrong here, but the docs
>> don't seem to cover this sort of thing explicitly. I guess I could
>> create separate hosts for each app and user, but that seems tedious and
>> unnecessary.
>>
>> Any pointers? Thanks.
>
> You can't do what you want to do with the Manager app. It doesn't
> support that granularity of security. You can control individual
> operations but not the combination of operation *and* context.
>
> Multiple hosts would give you more control but a user would still be
> able to deploy any context on the host on which they had deploy permission.
>
> Mark
Re: Per-user management rights
Posted by Mark Thomas <ma...@apache.org>.
On 20/01/2012 15:19, Tim De Pauw wrote:
> I assume I'm doing something fundamentally wrong here, but the docs
> don't seem to cover this sort of thing explicitly. I guess I could
> create separate hosts for each app and user, but that seems tedious and
> unnecessary.
>
> Any pointers? Thanks.
You can't do what you want to do with the Manager app. It doesn't
support that granularity of security. You can control individual
operations but not the combination of operation *and* context.
Multiple hosts would give you more control but a user would still be
able to deploy any context on the host on which they had deploy permission.
Mark