Re: [partially OT] combination of RemoteAddrValve und basic authentication

[André Warnier <aw...@ice-sa.com>]

Remon Sadikni wrote:
> Dear Tomcat developers and users,
> 
> I managed to restrict a web application by IP-adress with 
> RemoteAddrValve and to restrict another one by basic authentication. Now 
> I would like to restrict the same web application by both methods:
> - If the user is inside a specific network (e.g. 134.134.*.*), then he 
> should get direct access to the web application (without login window).
> - If he is outside this network he has to authenticate via username / 
> password.
> I tried to combine RemoteAddrValve und basic authentication, but I only 
> managed an "AND" conjunction. What I want is a disjunctive combination 
> ("OR") of these 2 methods . How can I do that?
> 

Remon,

I do not know how familiar you are with the "web authentication area", but I am quite 
familiar with it, and apart from the purely technical side, let me give you some tips 
based on experience :

If you are going to do user authentication :

It is almost always a bad idea to do such "group authentication" (like you say above : 
"all users within this network").  Some reasons are :
a) it does not allow you afterward, to know "who did what".  This is not only in a 
"police" kind of way, but also for support when something goes wrong.  You will have for 
example a bunch of lines in your server's logfiles, and will not know which ones are 
related to the user who just called you for a problem.
b) it is almost guaranteed that as soon as this works, whoever asked you to do this, will 
come back to you within the next weeks/months, saying : "Now I would like that the users 
of /this/ sub-group (e.g. this sub-series of IP addresses within 134.134.*.*) get 
something slightly different". (Or, "Now we would like access statistics by country".)

So my recommendation would be that, right from the start, you design a system that allows 
to identify *every* user individually, even if for some of them you do not present a login 
dialog and get their user-id from somewhere else, and even if initially the rules for all 
of them are the same.
You will probably thank yourself later.

For example, it is possible that your network "134.134.*.*" is some kind of "inside 
network", which also is a Windows Domain; and that all users within that domain which 
access your server, have first to login to the Windows Domain on their workstation.
In such a case, you could use a module which allows Tomcat to authenticate the user 
automatically (without any visible login dialog) via his Domain user-id.
And such a module, if it cannot find a Domain user-id for a user, could have a "fall-back" 
feature that is Basic Authentication.

I do not know if the relatively recent Tomcat NTLM Realm has such a fall-back feature; but 
one module that has it is Jespa, which you can read about at http://www.ioplex.com.
It is a commercial module, but it is not expensive, and it works.
It also allows you, for a user authenticated automatically through the Windows Domain, to 
request some "user attributes" from the AD directory, such as "user groups", which you can 
then use much like the "roles" in Tomcat, to allow or not access to some applications.
And it works as a Servlet Filter, which means that you can combine it with other filters 
(maybe of your own design), to achieve precisely what you want, on an 
application-by-application base.

I am not trying to sell you one particular module or method. Maybe your case is different, 
and maybe the above is not applicable.  I am just trying to get you to think maybe a bit 
ahead of the particular issue you are having now, and a maybe in a more general way.

(And I have no percentage on Jespa sales; I am just a satisfied user of it).


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org