Pid wrote:
It really depends on what you're trying to achieve, maybe you could
elaborate?
Do you need to restrict access to filesystem resources, servlets, jsps,
images, DB content, or something else?
Ok, I am creating a data server that is controlled by an XML configuration "catalog" of dataset objects. The dataset can refer to physical files on disk, or to virtual data that is created dynamically. It can be complicated, and large (tens of thousands of datasets) and I need to make it as easy as possible to configure.
I need to allow the administrator to specify access constraints on a per-dataset basis. This more or less rules out having Tomcat controlling access through the URL pattern. So I think I need "Programmatic Security".
When a request comes in, I can quickly determine what access constraint (if any) is needed. I was planning on using the standard Tomcat security roles and user administration stuff.
This is a data server, primarily talking to other programs (not humans using a
browser). I am also helping to develop the client software that will access the
data, so I am trying to understand all the possible ways to make this work.
I assume I need to get a session established, so that the authorization need only be done once. It would also be nice if I receive an unauthorized request, that I could pass it to Tomcat's 401 challenge and authentication mechanism. However, I'm already down in my servlet code, past the point where Tomcat would handle the challenge and authentication, and I don't see any way to pass it back to Tomcat.
Thanks for any thoughts on this...
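A servlet sketch of the per-dataset check described above, added here as an example and not code from the thread: the catalog is replaced by a constructed in-memory map, the dataset path is assumed to arrive as path info, and the challenge is handed back to the container with HttpServletRequest.authenticate(), which Servlet 3.0 (Tomcat 7 and later) added after this 2006 thread.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Programmatic security (Servlet spec 12.3) applied per dataset. */
public class DatasetServlet extends HttpServlet {

    // Constructed stand-in for the XML catalog: dataset path -> role required to read it.
    // A dataset absent from the map is treated as public (assumption).
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<>();
    static {
        REQUIRED_ROLE.put("/restricted/obs2006.nc", "observers");
        REQUIRED_ROLE.put("/internal/model.nc", "modelers");
    }

    /** Role the dataset needs, or null when no constraint applies. */
    static String requiredRole(String datasetPath) {
        return REQUIRED_ROLE.get(datasetPath);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String dataset = req.getPathInfo();          // e.g. /restricted/obs2006.nc
        String role = requiredRole(dataset);

        if (role != null) {
            // getRemoteUser() is non-null only after the container authenticated the
            // caller, i.e. the client presents the JSESSIONID cookie or credentials again.
            if (req.getRemoteUser() == null) {
                // Ask the container to run its configured login mechanism (e.g. the
                // BASIC challenge). It returns false after sending the 401 itself.
                if (!req.authenticate(resp)) {
                    return;
                }
            }
            // Authenticated but lacking the role: deny without re-challenging.
            if (!req.isUserInRole(role)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "role " + role + " required");
                return;
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("serving " + dataset + " to " + req.getRemoteUser());
    }
}
```

The roles checked here must be the Tomcat realm roles declared in web.xml; authenticate() throws ServletException if the web application has no login-config.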
Martin Gainty wrote:
Good Evening All-
The best way is to put up a Jsp / servlet which itself has the
username/password information to let you behind the firewall
There are a ton of https and firewalls you can install and configure to
your heart's content
But none would be more secure and safe than controlling authentication
(a simple username/password) via the servlet
Remember to tell .htaccess to disallow execute, write and pretty much
read permissions on everything except for your username/password screen
I'm not sure introducing firewalls is of any help inside a servlet.
Nor really, is .htaccess given that he hasn't specified that he's using
Apache.
Yes, this is a standalone Tomcat server.
Martin --
----- Original Message ----- From: "John Caron" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Tuesday, June 27, 2006 9:01 PM
Subject: Programmatic Security
I need to implement fine-grained security access, so it looks to me
like "Programmatic Security" (Servlet spec 12.3) is called for. I want
to receive the request in my servlet, then decide what access rights
are needed for it.
In this case, if I understand correctly, the "user must already be
authenticated" means that they have tried to access a Tomcat-protected
page (eg a login page), have been successfully authenticated by
Tomcat, and further requests are returning the JSESSION cookie that
was assigned during authentication.
Is that right? Is there some other way the req.getRemoteUser() could
return non-null?
Is there some way that I can programmatically trigger Tomcat to
initiate the authentication process?
Thanks for any help...
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]