On 3/3/2009 7:57 AM, Ambarish Mitra wrote:
> Goal: I have a web-app which I have protected with an external
> authentication engine. To achieve this, I have written a custom valve which
> sets a principal.
I'm not sure you need a Valve. Why not just write a custom Realm (as you have done) and use that instead of one of the built-in Realms?

Ambarish: Apologies for not being detailed. I need a valve because the login form of the Tomcat webapp is hosted in the external authentication engine. Before the request actually hits the Tomcat server, the valve checks if the user is authenticated (presence of a cookie), and if not, redirects to a login form outside Tomcat. Users enter their creds there and it redirects back to Tomcat, which then checks for the presence of the cookie. This infrastructure is working.

What is not working is: the external system has no role for the user. So, the valve sets the GenericPrincipal with no roles. Therefore, the principal is getting authorization denied (although authentication succeeds), because we have granted access to roles=role1, tomcat in the web.xml file. (The userid of the external system and Tomcat is the same - that is the point of match.)

To solve this problem, I thought of writing a custom realm, which will be programmed so that if the Principal has null roles, then it will get the roles from the Tomcat realm. I am having difficulty getting the principal in the custom realm. I have no clue how to implement the getPrincipal method in the realm:

    protected java.security.Principal getPrincipal(String userName) {}

----

You could also use the GenericPrincipal constructor which takes a list of role names and be sure to include any roles required by your application. What does your <security-constraint> look like in web.xml?

Ambarish: The web.xml <security-constraint> tag is below. It allows for roles = role1 and tomcat.
    <security-constraint>
        <display-name>External Security</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Define the context-relative URL(s) to be protected -->
            <url-pattern>/security/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Anyone with one of the listed roles may access this area -->
            <role-name>tomcat</role-name>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>
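As an added example (not code from the thread, and not Tomcat's own code), here is one way to build the realm Ambarish describes: a RealmBase subclass that never checks a password itself (the external engine owns the credential) but answers getPrincipal with a GenericPrincipal carrying the roles that the <auth-constraint> above is checked against. It is written against the Tomcat 6.x API (RealmBase with abstract getName/getPassword/getPrincipal, and the GenericPrincipal(Realm, String, String, List) constructor); the class name ExternalRoleRealm, the principalFor method and the hard-coded user-to-role map are all constructed for illustration, and a real deployment would load the mapping from the same store the existing Tomcat realm uses.

```java
package example.auth; // hypothetical package name

import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Supplies roles for users who were authenticated by an external engine.
 * Hypothetical example for Tomcat 6.x; not from the mailing-list thread.
 */
public class ExternalRoleRealm extends RealmBase {

    // Constructed sample data: user -> roles. Only users present here can
    // ever satisfy an <auth-constraint>, which is the intended fail-closed
    // behaviour for an externally authenticated identity with no local entry.
    private static final Map<String, List<String>> ROLES =
            new HashMap<String, List<String>>();
    static {
        ROLES.put("alice", Arrays.asList("tomcat", "role1"));
        ROLES.put("bob", Arrays.asList("tomcat"));
    }

    @Override
    protected String getName() {
        return "ExternalRoleRealm";
    }

    // No password is known to this realm: the external engine verified the
    // credential, so password-based authenticate() calls must never succeed.
    @Override
    protected String getPassword(String username) {
        return null;
    }

    // Build the principal Tomcat's authorization check will consult.
    // A null return means "unknown user", and access is denied.
    @Override
    protected Principal getPrincipal(String username) {
        List<String> roles = ROLES.get(username);
        if (roles == null) {
            return null;
        }
        // Tomcat 6 constructor: (Realm realm, String name, String password, List roles)
        return new GenericPrincipal(this, username, null, roles);
    }

    /**
     * Public entry point for the Valve. Call it only after the external
     * cookie has been verified (not merely found), so the username passed
     * here is one the external engine actually vouched for.
     */
    public Principal principalFor(String username) {
        return getPrincipal(username);
    }
}
```

Wire the realm into server.xml with `<Realm className="example.auth.ExternalRoleRealm"/>` inside the Context (or Engine). In the Valve, once the cookie check passes, `request.getContext().getRealm()` returns that realm; cast it to `ExternalRoleRealm`, call `principalFor(user)`, and hand the result to `request.setUserPrincipal(...)` together with `request.setAuthType(...)`. Because the principal now carries "tomcat" or "role1", the existing <auth-constraint> is satisfied without changing web.xml, and RealmBase.hasRole() works unchanged since GenericPrincipal keeps its own role list.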