sodastream,
On 8/9/2011 3:52 PM, sodastream wrote:
> The app handles its own authentication via a conventional
> username/password form on a login page. I wanted to add a second
> factor to the authentication without modifying the app (except for
> its Tomcat/servlet conf).
>
> My idea was to tack on a custom Realm to Tomcat.

So, Tomcat would perform this gateway authentication and then the user
has to log in separately to your webapp?

> It would be independent from the application except I had to add a
> security constraint to its web.xml. The Realm would authenticate the
> user using a password provided to the user over a separate channel
> (SMS). After authentication the Realm would be transparent and let
> the user interact with the application as usual -- all according to
> my theory.

The only types of authentication that make sense, here, are BASIC/DIGEST
and FORM authentication. Which one were you thinking of using? Both
require username/password, but your SMS factor is only a single item
(password). Will the user know what to do if they get a BASIC/DIGEST
authentication challenge, or were you going to use a FORM authentication
and just not ask the user for, say, j_username and instead provide a
stock value ("SMS")?

> After some hacking my custom Realm was in place. Following the logic
> in a debugger I could see it worked as expected and reported
> successful authentication back to the Tomcat machinery. To my
> disappointment my browser still showed 403 Forbidden.

If you were tracing the code in a debugger, you should have been able to
see why the 403 occurred -- so what happened?

> At this point I was stumped and realized I don't know enough about
> Tomcat. Is my theory viable or flawed? Overlooked something? What's
> some better way to add a second factor to authentication of an opaque
> application running on Tomcat?

Since your webapp does its own authentication, it seems like you could
just layer a FORM authentication at the Tomcat level on top.
Your custom realm would just check the password against whatever list of
random passwords you gave out via SMS.

Perhaps you could post some of your configuration or code for us to see,
and we could give you some feedback.

-chris
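As an added illustration of the layering Chris suggests (this is example code, not sodastream's realm or anything from the Tomcat project), below is a minimal custom Realm that checks a single-use, time-limited code delivered over SMS and grants a role on success. It targets the Tomcat 7 RealmBase API (getName/getPassword/getPrincipal), assumes a hypothetical package `example.realm` and role name `sms-verified`, and stands in for the SMS sender with a static `registerCode` method. One detail it makes explicit: Tomcat compares the roles on the returned Principal against the `<auth-constraint>` in web.xml, so a Realm that authenticates successfully but returns a Principal without the required role produces exactly a 403 Forbidden after a correct code.

```java
package example.realm; // hypothetical package name for this example

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Second-factor Realm layered on top of an opaque webapp via Tomcat FORM
 * authentication. The "password" the user submits is a one-time code that
 * was sent to them over SMS. Codes are single-use and expire; on success
 * the principal is given the role that the webapp's auth-constraint names.
 *
 * Assumes the Tomcat 7 RealmBase API (getName() was removed in 8.5+).
 */
public class SmsOneTimeCodeRealm extends RealmBase {

    /** Role granted after a valid code; must match the role-name in web.xml (assumed name). */
    public static final String VERIFIED_ROLE = "sms-verified";

    /** Lifetime of an issued code: five minutes. */
    private static final long CODE_TTL_MS = 5 * 60 * 1000L;

    /** Issued codes keyed by username. In a real deployment this store would be
     *  shared with whichever component actually sends the SMS; here it is static
     *  so the example is self-contained. */
    private static final Map<String, IssuedCode> CODES =
            new ConcurrentHashMap<String, IssuedCode>();

    private static final class IssuedCode {
        final String code;
        final long expiresAt;
        IssuedCode(String code, long expiresAt) {
            this.code = code;
            this.expiresAt = expiresAt;
        }
    }

    /** Called by the SMS-sending component once a code has been delivered to the user. */
    public static void registerCode(String username, String code) {
        CODES.put(username, new IssuedCode(code, System.currentTimeMillis() + CODE_TTL_MS));
    }

    /** FORM auth posts j_username/j_password here; j_password carries the SMS code. */
    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        // Remove before comparing: a code can only ever be tried once, so a
        // second submission (replay or brute-force retry) always fails.
        IssuedCode issued = CODES.remove(username);
        if (issued == null || System.currentTimeMillis() > issued.expiresAt) {
            return null;
        }
        // Constant-time comparison so timing does not leak how many bytes matched.
        byte[] expected = issued.code.getBytes(StandardCharsets.UTF_8);
        byte[] supplied = credentials.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, supplied)) {
            return null;
        }
        // The role list is what Tomcat checks against <auth-constraint>. Returning a
        // principal with no roles authenticates fine yet still yields 403 Forbidden.
        List<String> roles = Collections.singletonList(VERIFIED_ROLE);
        return new GenericPrincipal(username, null, roles);
    }

    @Override
    protected String getName() {
        return "SmsOneTimeCodeRealm";
    }

    // RealmBase requires these; they are not consulted because authenticate() is
    // overridden and codes are never stored in retrievable form for the base class.
    @Override
    protected String getPassword(String username) {
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, null, Collections.singletonList(VERIFIED_ROLE));
    }
}
```

To wire it in without touching the application's code: declare `<Realm className="example.realm.SmsOneTimeCodeRealm"/>` in the webapp's context.xml; in web.xml add a `<security-constraint>` covering `/*` whose `<auth-constraint>` names `sms-verified`, a matching `<security-role>`, and a `<login-config>` with `<auth-method>FORM</auth-method>` pointing at a small login page that posts `j_username` and `j_password` (the SMS code) to `j_security_check`. After Tomcat's gate the request reaches the app's own username/password form exactly as before, which is the two-step flow Chris describes.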