Posted to users@tomcat.apache.org by David Delbecq <de...@oma.be> on 2007/08/23 10:47:36 UTC
Force auth constraint on SSL connector
Hello,
we are planning to activate our intranet with ssl. Along with this, we
would like to make this intranet available to our employees from their home.
Inside, without ssl, there is no need to identify our user. Anonymous
browsing is to be allowed. From outside however, we want to force
authentication on all the webapp. So we would like to have a
security-constraint on / that applies *only* when webapp is reached
using SSL connector. The standard web.xml, afaik, does not support
separating constraint depending on http connector. We thought about
using some valve that would force users to a specific login url if they
are not yet authenticated. Does this somehow already exist in Tomcat?
Below is a short description of aimed configuration:
http://server/webapp <-- no auth constraint
http://server/webapp/admin <-- auth-constraint, role admin
http://server/webapp/edit <-- auth-constraint, role admin or publisher
https://server/webapp <-- auth-constraint, no specific role (or role
"user" is needed)
https://server/webapp/admin <-- auth-constraint, role admin
https://server/webapp/edit <-- auth-constraint, role admin or publisher
--
http://www.noooxml.org/
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
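One way to build the "force users to a specific login url" idea from the post above, as an added example that is not from this thread or from Tomcat itself: a servlet Filter rather than a Valve, because a Filter runs after Tomcat's authenticator, so getUserPrincipal() already reflects any container login. The class name, the /secure-entry path and the session attribute name are assumptions; web.xml is assumed to map the filter to /* and to add one security-constraint (role "user") on /secure-entry.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
 * Forces container authentication for requests that arrived over the SSL
 * connector; plain-HTTP intranet requests stay anonymous. Unauthenticated
 * HTTPS requests are bounced to the constrained (hypothetical) path
 * /secure-entry, the container shows its normal login page, and the filter
 * then sends the user back to the page they originally asked for.
 */
public class SslAuthGateFilter implements Filter {
    private static final String GATE_PATH = "/secure-entry";   // hypothetical
    private static final String TARGET_ATTR = "sslgate.target"; // hypothetical
    public void init(FilterConfig config) { }
    public void destroy() { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Context-relative path, independent of how servlets are mapped.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (GATE_PATH.equals(path)) {
            // The constraint on /secure-entry means we only get here once the
            // container has authenticated the user: return them to the page
            // they first requested (same context, so no open redirect).
            String target = (String) request.getSession().getAttribute(TARGET_ATTR);
            request.getSession().removeAttribute(TARGET_ATTR);
            response.sendRedirect(target != null ? target : request.getContextPath() + "/");
            return;
        }
        // isSecure() is true only on the SSL connector (or one marked secure="true"),
        // so intranet HTTP traffic never takes this branch.
        if (request.isSecure() && request.getUserPrincipal() == null) {
            String qs = request.getQueryString();
            request.getSession(true).setAttribute(TARGET_ATTR,
                    request.getRequestURI() + (qs != null ? "?" + qs : ""));
            response.sendRedirect(request.getContextPath() + GATE_PATH);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The existing /admin and /edit constraints keep working unchanged on both connectors; only the "everything over HTTPS needs a login" rule is added by the filter.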
Re: Force auth constraint on SSL connector
Posted by David Delbecq <de...@oma.be>.
Christopher Schultz wrote:
> David,
>
>
>> From outside however, we want to force authentication on all the
>> webapp. So we would like to have a security-constraint on / that
>> applies *only* when webapp is reached using SSL connector.
>>
>
> You might be able to avoid the entire problem by using a VPN. Is that an
> acceptable change in strategy?
Hoooo no :) VPN means installing and maintaining a vpn server + installing
vpn on clients at their home. This is a bit annoying when what you want
is to make available to users general documents they might need when not at
office. And I know the answer would be like "No need, there is already
the absolutely unfriendly ssh connection + port forwarding + point your
browser to 127.0.0.1"
> What about client certificates? I think
> you're going to seriously complicate your application to add this
> requirement.
>
Client certificates means managing those certificates, that is something
to avoid considering it's along the lines of "maintaining a set of
authentication tokens separated from the general authentication
database already in use by other non-java applications"
Thanks for suggestions but it's not applicable easily in our environment.
> - -chris
>
Re: Force auth constraint on SSL connector
Posted by Christopher Schultz <ch...@christopherschultz.net>.
David,
> From outside however, we want to force authentication on all the
> webapp. So we would like to have a security-constraint on / that
> applies *only* when webapp is reached using SSL connector.
You might be able to avoid the entire problem by using a VPN. Is that an
acceptable change in strategy? What about client certificates? I think
you're going to seriously complicate your application to add this
requirement.
- -chris