Ambarish Mitra wrote:
> On 3/3/2009 7:57 AM, Ambarish Mitra wrote:
>> Goal: I have a web-app which I have protected with an external
>> authentication engine. To achieve this, I have written a custom valve which
>> sets a principal.
>
> I'm not sure you need a Valve. Why not just write a custom Realm (as you
> have done) and use that instead of one of the built-in Realms?
>
>
> Ambarish: Apologies for not being detailed. I need a valve because the login
> form of the tomcat webapp is hosted in the external authentication engine.
> Before the request actually hits the tomcat server, the valve checks if the
> user is authenticated (presence of a cookie), and if not then redirects to a
> login form outside the tomcat. Users enter their creds there and it
> redirects back to tomcat, which then checks for the presence of the cookie.
>
> This infrastructure is working.
>
> What is not working is: The external system has no role for the user. So,
> the valve sets the GenericPrincipal with no roles. Therefore, the principal
> is getting authorization denied (although authentication succeeds) because
> we have granted to roles=role1, tomcat in the web.xml file.
>
> (The userid of the external system and tomcat is the same - that is the point of
> match.)
>
> To solve this problem, I thought of writing a custom realm, which will be
> programmed so that if the Principal has a null role, then it will get the roles
> from the Tomcat realm.
You've already written a custom Valve, why bother to attempt half an
integration with a Realm when you could just look up and get the roles
yourself, in the Valve? You're making your life very difficult.

p

> I am getting difficulty in getting the principal in the custom realm. I have
> no clue on how to implement the getPrincipal method in the realm.
>
> protected java.security.Principal getPrincipal(String userName) {}
>
>
> ----
>
> You could also use the GenericPrincipal constructor which takes a list
> of role names and be sure to include any roles required by your
> application. What does your <security-constraint> look like in web.xml?
>
>
> Ambarish: The web.xml <security-constraint> tag is below. It allows for
> roles = role1 and tomcat.
>
> <security-constraint>
>   <display-name>External Security</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/security/protected/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>tomcat</role-name>
>     <role-name>role1</role-name>
>   </auth-constraint>
> </security-constraint>
>
>
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is the
> property of Persistent Systems Ltd. It is intended only for the use of the
> individual or entity to which it is addressed. If you are not the intended
> recipient, you are not authorized to read, retain, copy, print, distribute or
> use this message. If you have received this communication in error, please
> notify the sender and delete all copies of this message. Persistent Systems
> Ltd. does not accept any liability for virus infected mails.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
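The approach the reply recommends (look the roles up in the Valve and pass them to the GenericPrincipal constructor that takes a role list), as an added example that is not code from the thread or from Tomcat itself. It assumes the Tomcat 7 to 9 API (javax.servlet namespace, `GenericPrincipal(String name, String password, List<String> roles)`; Tomcat 6 takes a Realm as the first argument), a cookie named `EXT_AUTH` whose value is `userId:base64url(HMAC-SHA256(userId))` under a secret shared with the external engine, an in-memory role table standing in for the JDBC or LDAP lookup a real deployment would use, and placeholder values for the login URL and secret. The cookie format and the HMAC check are assumptions; the thread only says the valve checks for the presence of a cookie.

```java
package example; // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Valve that accepts an externally issued authentication cookie and sets a
 * GenericPrincipal carrying roles looked up locally, so that the
 * <auth-constraint> in web.xml (roles "tomcat" and "role1") can be satisfied.
 */
public class ExternalAuthValve extends ValveBase {

    // Assumed cookie name and external login form location (placeholder URL).
    private static final String AUTH_COOKIE = "EXT_AUTH";
    private static final String LOGIN_URL = "https://auth.example.invalid/login";

    // Placeholder shared secret; in a real deployment load it from configuration.
    private static final byte[] SECRET = "change-me".getBytes(StandardCharsets.UTF_8);

    // Constructed role table keyed by the user id that the external engine and
    // Tomcat share. A real valve would query the same store the Tomcat realm uses.
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        ROLES.put("alice", Arrays.asList("tomcat", "role1"));
        ROLES.put("bob", Collections.singletonList("role1"));
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String userId = authenticatedUser(request);
        if (userId == null) {
            // No valid cookie: hand the user to the external login form, which is
            // expected to redirect back and set the cookie.
            response.sendRedirect(LOGIN_URL);
            return;
        }
        // An empty role list reproduces the failure in the thread: authentication
        // succeeds but every <auth-constraint> denies access. Supplying the looked-up
        // roles here is what lets the container's role check pass.
        List<String> roles = rolesFor(userId);
        request.setUserPrincipal(new GenericPrincipal(userId, null, roles));
        request.setAuthType("EXTERNAL");
        getNext().invoke(request, response);
    }

    /** Roles for a user, or an empty list if the user is unknown locally. */
    static List<String> rolesFor(String userId) {
        List<String> r = ROLES.get(userId);
        return r == null ? Collections.<String>emptyList() : r;
    }

    /** Returns the user id proven by the cookie, or null if absent or invalid. */
    static String authenticatedUser(Request request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (AUTH_COOKIE.equals(c.getName())) {
                return validate(c.getValue());
            }
        }
        return null;
    }

    /**
     * Verifies the assumed "userId:base64url(HMAC-SHA256(userId))" format.
     * Presence of the cookie alone must not count as authentication: anyone can
     * send a cookie, so its integrity is checked with a constant-time comparison.
     */
    static String validate(String token) {
        int sep = token.lastIndexOf(':');
        if (sep <= 0 || sep == token.length() - 1) return null;
        String userId = token.substring(0, sep);
        String givenMac = token.substring(sep + 1);
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            byte[] expected = hmac.doFinal(userId.getBytes(StandardCharsets.UTF_8));
            byte[] given = Base64.getUrlDecoder().decode(givenMac);
            return MessageDigest.isEqual(expected, given) ? userId : null;
        } catch (GeneralSecurityException e) {
            return null;
        } catch (IllegalArgumentException e) { // malformed base64
            return null;
        }
    }
}
```

Register the valve in the Host or Context element of server.xml (`<Valve className="example.ExternalAuthValve"/>`) so it runs before the authenticator. The design point is that the roles are attached to the principal at the moment the cookie is verified, which is the only place that has both the user id and a reason to trust it; a separate Realm would have to rediscover the principal the valve already built.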