Hello
> -Original Message-
> From: Kevin Edward
> Sent: Friday, 7 April 2023 14:26
> To: users@tomcat.apache.org
> Subject: Tomcat needs an authenticator valve for OpenID/MSAL!
>
> Tomcat community,
>
> We have been using keycloak tomcat
Tomcat community,
We have been using keycloak tomcat valves for SAML, but now we are moving
to OpenID.
Who in the tomcat community can create/support a tomcat authenticator valve
using the MSAL library?
I have the example authentication servlet working for MSAL below. Seems it
could be easily
Jerry,
On 10/6/21 15:09, Jerry Malcolm wrote:
Chris, thanks so much. But please bear with me. I'm in the slow
group. I think I have a pretty good handle on creating the
authenticator. But take me from the top, using manager as an example.
In the web.xml file it has login auth-method set to BASIC. I'm assuming
that invokes
the
word "Malcolm" as the prefix instead of "Basic" that it should route to
my custom Authenticator class?
You'd have to install your own Authenticator (a Valve) in your
. markt posted how to do this on 10/2 in this thread.
You can look at how the BasicAuthenticator does th
f TC finds an Authorization header with
the word Basic, it will route to the standard BasicAuthenticator class.
What would I do in order to tell TC if it finds an auth header with the
word "Malcolm" as the prefix instead of "Basic" that it should route to
my custom Authenticator clas
good point.
Instead of:
Authorization: Basic [base64stuff]
Using "Bearer" might be a better choice, though that is also covered
by a specific RFC and might be confusing to overload that token
("Bearer") for another purpose.
You could just do:
Authorization: Malcolms [token]
If you are going to write a custom authenticator anyway, you'll need
to have a custom client, of course, but you will already have that
kind of thing because no st
On 2021-10-02 at 02:48, Jerry Malcolm wrote:
I need to write a custom BasicAuthenticator class to decode a
specialized encoding of the authToken. I have been scouring google for
info. I found one post where the answer included the statement:
This would clearly violate Basic auth scheme and
great idea, and you can avoid
Tomcat's standard authenticator by configuring your authenticator as a
in your application's META-INF/context.xml file."
That is precisely what I want to do. But I cannot find any
documentation on how to configure a different authenticator class in a
context.xml file. I'm sure I'm just missing it, or
Stefan,
On 1/25/21 17:19, Stefan Mayr wrote:
On 25.01.2021 at 19:04, Christopher Schultz wrote:
All,
On 1/25/21 11:10, Christopher Schultz wrote:
All,
Off-topic, but I know there are plenty of Spring users on this list who
can probably help me figure this out.
Recently, Let's Encrypt switched from using their soon-to-be-expiring
intermediate certificate:
Owner: CN=Let's Encrypt
Maybe try removing the old cert as it's not expired yet?
On 25/01/2021 16:10, Christopher Schultz wrote:
Alias name: letsencrypt
Creation date: Dec 12, 2016
Entry type: trustedCertEntry
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature
to
me, that's the only thing that looked off.
HTH
- Jim
-Original Message-
From: Christopher Schultz
Sent: Monday, January 25, 2021 11:11 AM
To: Tomcat Users List
Subject: [OT] Spring Security LDAPS authenticator won't trust TLS cert
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST
Authenticator in context.xml
Date: Sat, 4 Jul 2020 20:54:17 +0200
Hi,
a while ago I did write a little POC of how to add a custom
authenticator scheme to tomcat.
this is what I did come up with:
https://github.com/thomasmey/BearerTokenAuthenticator
It's a rather complicated solution!
Is there an easier solution to add a custom authenticator scheme
On 6 July 2020 14:14:59 CEST, Mark Thomas wrote:
Hi,
How do I get a custom mapping set in
ContextConfig.setCustomAuthenticators? (
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/startup/ContextConfig.html#setCustomAuthenticators(java.util.Map)
)
I want to add a custom mapping for, let's say, BEARER to my
Authenticator. I searched the source code but nobody seems to call
this method. So how and where should this map be configured?
Do you mean that you want to repla
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2013-2067 Session fixation with FORM authenticator
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.32
- Tomcat 6.0.21 to 6.0.36
Description:
FORM authentication associates the most recent
Hi,
several authentication mechanisms require a session (*not* HTTP session)
or connection being initiated when authentication is performed and
principal cached for subsequent requests [1], [2].
Now, I want to patch our SPNEGO authenticator in Tomcat 6 to behave
stateful. I once contributed that code to Apache in bug 48465 [3] which
does not behave like that. I'd like to align both authenticators.
This issue initially popped up while fixing an issue in libserf [4] for
the upcoming Apache Subversion version
not complicate things).
Undoing this is the major internal surgery I was referring to. You might
be able to add an API to store/retrieve data to/from the connection
(similar to notes on the session, but at the connection level) and
access this from the authenticator (that is a lot further up the stack).
That could still end up being pretty invasive.
OK that's a statement. Tomcat does fully support persistent connections
but there is no state information maintained, right?
Correct. Tomcat fully supports HTTP/1.1 and that requires
to me.
As this [1] draft lays out Negotiate and Kerberos may apply to
connection or request level auth. We are just lucky that the first
gss_accept_sec_context makes the context complete in the SPNEGO
authenticator.
Some clients maintain the state and rely on the server to maintain the
connection state too. Tomcat does not do that which means that the
current SPNEGO authenticator has to issue a Connection: close after
successful auth. Otherwise the client
Date: Sat, 27 Oct 2012 19:57:30 +0200
From: 1983-01...@gmx.net
To: users@tomcat.apache.org
Subject: Re: Detect in an authenticator whether a connection is persistent
On Sat, Oct 27, 2012 at 11:36 AM, ken dias kend...@hotmail.com wrote:
Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get
someone who can improve your stock price!
Que?
--
Hassan Schroeder hassan.schroe...@gmail.com
2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
Hi,
I need to use a custom authenticator, because a part of the application is
using container authentication, and unfortunately the usernames in the
realm conflict with usernames in the application database. :(
So I need, that if anybody
to
org.apache.catalina.authenticator.FormAuthenticator.
Thanks for help.
2012/6/28 Komáromi, Zoltán komaromi.zol...@horticosoft.hu:
1. Why not a Realm?
Because the authentication depends on a session attribute, and I want to
bypass the form if the user is logged in.
When I used Tomcat's realm to authenticate users, that was an issue
that I missed: to access the session
I think, if I replace the FormAuthenticator with a descendant, it'll
solve the problem.
To extend FormAuthenticator is simple, but how can I make Tomcat use it?
I tested this out at one time but it was never placed in production. My
terse notes, which might be leaving something out, on
will not have any
legally binding effect. Given that emails can easily
be subject to manipulation, we cannot accept any responsibility
for the content provided.
Subject: Re: tomcat security authenticator
From: kris.eas...@colorado.edu
To: users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Zoltán,
On 6/28/12 4:08 AM, Komáromi, Zoltán wrote:
1. Why not a Realm? Because the authentication depends on session
attribute, and I want to bypass the form if user is logged in.
So is this correct?
Valve
I am trying to help someone with a Tomcat 5.5 implementation of waffle
(waffle.codeplex.com). It has an authenticator valve that works well with tc6.
I declare a valve inside the web app:
Context.xml
<?xml version='1.0' encoding='utf-8'?>
<Context>
<Valve className
, it's waffle.apache.
dB. @ dblock.org
Moscow|Geneva|Seattle|New York
-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Tuesday, November 02, 2010 8:39 AM
To: Tomcat Users List
Subject: Re: Tomcat 5.5: how does one configure an authenticator valve?
2010/11
-
From: dB. [mailto:dbl...@dblock.org]
Sent: Tuesday, November 02, 2010 4:55 PM
To: Tomcat Users List
Subject: RE: Tomcat 5.5: how does one configure an authenticator valve?
Thanks for your help. I should have done this (logging) in the first place,
sorry. The filter is invoked properly.
The new
2010/11/3 dB. dbl...@dblock.org:
After some more code-reading I found the problem. Looking at the
implementation of response.sendError in TC5, it's clear that it dumps
whatever headers you added prior to the call. Changing this to setStatus
fixed the problem. I assume this means that Tomcat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Daniel,
On 8/14/2009 2:24 PM, Daniel Stephens wrote:
Need some help or advice..
For security reasons,
We need to do logging for IP, username, etc. (AUDIT).
We need to log success and failed attempts.
We don't want to modify the internal classes (unless it's impossible).
We are using the FORM auth-method, we POST to j_security_check. We have
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bill,
Bill Barker wrote:
Suggestions on how to improve the Authenticators that ship with TC are
always welcome on [EMAIL PROTECTED] But help on
rolling-your-own-Authenticator
will likely get you pointed back to this list :).
The original
- Authenticator
Hi Bárbara, I can help you because I'm doing a new authenticator as work for my
thesis. I have analyzed BasicAuthenticator and modified it; could you tell me
the right point of your problem?
- Original Message -
From: Bárbara Vieira [EMAIL PROTECTED]
To: users
Only a question: what do you have to do with this auth? Do you need to develop
a new one or simply study it?
___
Yahoo! Mail: 1GB free for messages and 10MB attachments
http://mail.yahoo.it
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Barbara,
Bárbara Vieira wrote:
My question is: why are we putting the Principal in the Request?
So that request.getUserPrincipal() will return a value.
Why can’t we just authenticate the user if there is a principal in the
internal Session?!
Hi Carlo!!
In fact I have to develop a new one and at the same time study and analyze
Authenticator package code. Why are you asking?
-Original Message-
From: Carlo Politi [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 November 2007 16:52
To: Tomcat Users List
Subject: Re
to call the authenticator method (FormAuthenticator)? That
call doesn't provide any additional security, can you understand now?
-Original Message-
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 November 2007 17:09
To: Tomcat Users List
Cc: 'Carlo Politi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Bárbara,
Bárbara Vieira wrote:
But if we have the Principal in cache, why do we have to call the
authenticator method (FormAuthenticator)? That call doesn't provide any
additional security, can you understand now?
That's a good question. Given
Hi there!
This question is about Authenticator package. I appreciate if anyone can
help me.
I'm implementing a Valve and a Realm to provide authentication and
authorization using two authentication methods at the same time: FORM and
CERT-CLIENT. Obviously, I'm looking to authenticator
Good day, where can I find a scheme of the life cycle of the authenticator?
thanks...
___
The next-generation email? You can have it with the new Yahoo! Mail:
http://it.docs.yahoo.com/nowyoucan.html
Hello,
does anybody know how I can contact some of Tomcat's team to be able to submit
my new authenticator? Thanks...
--
Carlo Politi
eMail: [EMAIL PROTECTED]
WebPage: http://politi.carlo.googlepages.com
Carlo Politi wrote:
Have you tried reading http://tomcat.apache.org ?
Mark
This is why it is rare to write a custom Authenticator. More often you
write a custom Realm to do this sort of thing. You only need an
Authenticator if you have some non-standard way of extracting the user
credentials from the Request.
The problem with the code below is that it doesn't call
Am thinking about implementing a custom Form authenticator, does anyone
have any tips or links they can recommend before I get started?
Particularly want to know if I can use it on one webapp, not force all
on the server to use it too.
cheers,
pid
Pid,
http://securityfilter.sourceforge.net
You can
a customized Realm
and have it referenced in the server.xml as your custom realm.
Is there a class-name element I can add perhaps under the
security-constraint element?
I'd like to add something like this to let Tomcat know that it should use
this for authentication instead..
???
<authenticator>
<class-name>com.xxx.MyAuthenticator</class-name>
</authenticator>
???
The syntax is:
<Context ...>
<Valve className="com.xxx.MyAuthenticator" ... />
</Context>
Any other attributes you specify on the <Valve /> element will be passed
JavaBean
So where would this go? under /security-constraint ?? can you be more
specific.
-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: Saturday, February 25, 2006 1:15 PM
To: users@tomcat.apache.org
Subject: Re: Adding a Customized authenticator
Alex
://tomcat.apache.org/tomcat-5.5-doc/config/context.html for more
details.
@tomcat.apache.org
| Subject: Custom Authenticator
Hi,
I need to implement my custom authenticator to do some extra config in the user
session besides the authentication. How can I achieve this? Is there a way to
do authentication besides the rigid j_check_security?
--
from debian manifesto:
Debian Linux is a brand-new kind of Linux distribution.
Rather
Have You thought about a request filter? All it has to do is watch for
authenticated sessions that are missing some critical session
attributes. Fill in the missing info as needed.
-David
Arash Bijanzadeh wrote:
Hi,
Is it possible to have a custom Authenticator in tomcat 4.1? I can't find
any information about it, only for 5x. I have tried configuring a
WEB-INF/context.xml with a valve referencing my authenticator class, works
well in tomcat 5.5, but not in 4.1 (which is currently the version we