Re: LDAP authentication for Tomcat's webapp 'Opengrok'

2017-03-30 Thread Christopher Schultz

Alfie,

On 3/27/17 7:07 AM, Alfie Patolilic wrote:
>> Tomcat Version : 6.0.36

You need to upgrade. Current 6.0.x version is 6.0.51. Current stable
version is (IMO) 8.0.42.

>> I have a question on how I am able to set the following,
>> regarding the web application that runs under Apache Tomcat,
>> 'Opengrok'. The idea is to set a hostname for
>> 'localhost:8080/grok', so when users try and access the page via
>> the hostname, they are prompted for authentication of their
>> username and password.
>> 
>> I have currently configured the server.xml to connect to LDAP. I
>>  have added below the configuration on my server.xml. I am unsure
>> as to where to go from here, how I will be able to link the
>> hostname. I have changed some values in the information given for
>> security purposes.
>> 
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>          resourceName="UserDatabase"/>
>>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>          connectionURL="ldap:// " connectionName="ldap@company "
>>          connectionPassword="password" referrals="follow"
>>          userBase="DC=" userSearch="(sAMAccountName={0})"
>>          userSubtree="true" roleBase="DC=" roleName="cn"
>>          roleSubtree="true" roleSearch="(member={0})"
>>          allRolesMode="strictAuthOnly" />
>> </Realm>

Does the application understand anything about LDAP authentication, or
are you asking how Tomcat can be configured to request the username
and password for the user?

The LDAP backend is just the way that the authentication and
authorization is performed. Credential-gathering is typically
performed using one of the following:

1. HTTP Basic "authentication"
2. HTTP Digest "authentication"
3. FORM login (username/password in a web form)
4. SSL/TLS client certificate

Which of the above did you have in mind? If you are just slapping
authentication on top of an existing application that doesn't have its
own login process, then I would recommend using HTTP Basic
"authentication" (I use parens around "authentication" because it's
not authenticating at all... it's just providing credentials that the
server can use for authentication). When using HTTP Basic
"authentication" it is absolutely required that you use TLS to encrypt
the channel.

>> I have checked the web for blogs and asked other tomcat groups
>> but was not able to get any answers.
>> 
>> I am aware that the version of Apache Tomcat I am using is 
>> outdated and has reached its end of life. Though necessary, I 
>> cannot update to a newer version of the application due to some 
>> issues.

You need to resolve those issues. Any software product that has
security components cannot be trusted after it reaches end-of-life.
Any EOL'd product should be considered known-vulnerable as soon as
that EOL date arrives.

> I meant that currently, I can access opengrok via
> localhost:8080/grok.
> 
> I am planning on configuring a hostname called 'grok.company.com' 
> which redirects to localhost:8080/grok.

Redirects or proxies? Adding a redirect will only work for users who
are sitting at your actual computer (localhost).

> When they access grok using grok.company.com, they will be
> prompted with a userid and password using LDAP.

Is there a reason not to require a username and password for all
users, regardless of the hostname they use to access the application?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
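
What the recommendation above (HTTP Basic over TLS, backed by the LDAP realm) looks like in the application's `WEB-INF/web.xml`, as an added example that is not part of the original thread. The resource name and realm name are illustrative assumptions; the fragment relies on the `allRolesMode="strictAuthOnly"` setting from the posted JNDIRealm.

```xml
<!-- Added example: fragment for the grok webapp's WEB-INF/web.xml
     (Servlet 2.5 syntax, as used by Tomcat 6). Names are illustrative. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OpenGrok</web-resource-name>
    <!-- Protect the whole application. No <http-method> elements are
         listed, so the constraint applies to every HTTP method. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- With allRolesMode="strictAuthOnly" on the Realm, "*" admits any
         user who authenticates against LDAP, as long as this web.xml
         declares no <security-role> elements. If roles are declared,
         the user must hold at least one of them. -->
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Basic credentials are only base64-encoded on the wire.
         CONFIDENTIAL makes Tomcat redirect plain-HTTP requests to the
         Connector's redirectPort, so an HTTPS Connector must exist. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Credential gathering: option 1 from the list in the reply. -->
  <auth-method>BASIC</auth-method>
  <realm-name>OpenGrok</realm-name>
</login-config>
```

The constraint is tied to the application's URL space, not to the hostname, so it applies however the user reaches `/grok`.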



Re: LDAP authentication for Tomcat's webapp 'Opengrok'

2017-03-27 Thread tomcat

On 27.03.2017 13:07, Alfie Patolilic wrote:

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: 27 March 2017 11:12
To: users@tomcat.apache.org
Subject: Re: LDAP authentication for Tomcat's webapp 'Opengrok'

On 27.03.2017 11:01, Alfie Patolilic wrote:

Tomcat Version : 6.0.36
OS : Red Hat Enterprise Linux 7.3

Hello,

I have a question on how I am able to set the following, regarding the web 
application that runs under Apache Tomcat, 'Opengrok'. The idea is to set a 
hostname for 'localhost:8080/grok', so when users try and access the page via 
the hostname, they are prompted for authentication of their username and 
password.
I have currently configured the server.xml to connect to LDAP. I have added 
below the configuration on my server.xml. I am unsure as to where to go from 
here, how I will be able to link the hostname. I have changed some values in 
the information given for security purposes.



  
  


I have checked the web for blogs and asked other tomcat groups but was not able 
to get any answers.

I am aware that the version of Apache Tomcat I am using is outdated and has 
reached its end of life. Though necessary, I cannot update to a newer version 
of the application due to some issues.

Hi.

I believe that you are confused about 2 separate topics : "hostnames" and
"web application security".
It is the web application which is "protected" by a userid/password login
requirement, not the hostname.
This page of the on-line tomcat 6 documentation provides some hints :
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
In the "Quick Start" section, you will see that in order to "force" someone to
authenticate in order to use the application, you need to specify some things
in the web.xml of the application.
And in the "Example Application" section, it points to an example application
that has these things.
Maybe you can start from there ?

And for the "host name" part, see this section :
http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
But that is a different issue.






Hi André,

Thank you for the reply. I apologize for the unclear question. It is just one 
host instance.
I meant that currently, I can access opengrok via localhost:8080/grok. I am 
planning on configuring a hostname called 'grok.company.com' which redirects to 
localhost:8080/grok.
When they access grok using grok.company.com, they will be prompted with a 
userid and password using LDAP. I have configured the Realm element as stated 
on the previous message.



That is what I meant : you /are/ confused.
It is not when "they" will access "http://grok.company.com" that they will be prompted for 
a user-id and password. It is when they will access /an application/ running under that 
host that they will be prompted, /if/ this application is configured to require a 
user-id/password.
And, the realm that you configured, will help, in the sense that /in the application 
configuration/, you will tell tomcat to use this realm, as a "how" to do the 
authentication precisely.


A separate issue is if you want to make your "grok" application be the tomcat default 
application (normally, the default application is called "ROOT").

And for that, look at this article :
https://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F







RE: LDAP authentication for Tomcat's webapp 'Opengrok'

2017-03-27 Thread Alfie Patolilic
-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: 27 March 2017 11:12
To: users@tomcat.apache.org
Subject: Re: LDAP authentication for Tomcat's webapp 'Opengrok'

On 27.03.2017 11:01, Alfie Patolilic wrote:
> Tomcat Version : 6.0.36
> OS : Red Hat Enterprise Linux 7.3
>
> Hello,
>
> I have a question on how I am able to set the following, regarding the web 
> application that runs under Apache Tomcat, 'Opengrok'. The idea is to set a 
> hostname for 'localhost:8080/grok', so when users try and access the page via 
> the hostname, they are prompted for authentication of their username and 
> password.
> I have currently configured the server.xml to connect to LDAP. I have added 
> below the configuration on my server.xml. I am unsure as to where to go from 
> here, how I will be able to link the hostname. I have changed some values in 
> the information given for security purposes.
>
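> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase"/>
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionURL="ldap:// "
>          connectionName="ldap@company "
>          connectionPassword="password"
>          referrals="follow"
>          userBase="DC="
>          userSearch="(sAMAccountName={0})"
>          userSubtree="true"
>          roleBase="DC="
>          roleName="cn"
>          roleSubtree="true"
>          roleSearch="(member={0})"
>          allRolesMode="strictAuthOnly"
>   />
> </Realm>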
>
>
> I have checked the web for blogs and asked other tomcat groups but was not 
> able to get any answers.
>
> I am aware that the version of Apache Tomcat I am using is outdated and has 
> reached its end of life. Though necessary, I cannot update to a newer version 
> of the application due to some issues.
>
> Hi.
>
> I believe that you are confused about 2 separate topics : "hostnames" and
> "web application security".
> It is the web application which is "protected" by a userid/password login
> requirement, not the hostname.
> This page of the on-line tomcat 6 documentation provides some hints :
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> In the "Quick Start" section, you will see that in order to "force" someone
> to authenticate in order to use the application, you need to specify some
> things in the web.xml of the application.
> And in the "Example Application" section, it points to an example application
> that has these things.
> Maybe you can start from there ?
>
> And for the "host name" part, see this section :
> http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
> But that is a different issue.



Hi André,

Thank you for the reply. I apologize for the unclear question. It is just one 
host instance.
I meant that currently, I can access opengrok via localhost:8080/grok. I am 
planning on configuring a hostname called 'grok.company.com' which redirects to 
localhost:8080/grok.
When they access grok using grok.company.com, they will be prompted with a 
userid and password using LDAP. I have configured the Realm element as stated 
on the previous message.

Thank you,
Alfie




Re: LDAP authentication for Tomcat's webapp 'Opengrok'

2017-03-27 Thread tomcat

On 27.03.2017 11:01, Alfie Patolilic wrote:

Tomcat Version : 6.0.36
OS : Red Hat Enterprise Linux 7.3

Hello,

I have a question on how I am able to set the following, regarding the web 
application that runs under Apache Tomcat, 'Opengrok'. The idea is to set a 
hostname for 'localhost:8080/grok', so when users try and access the page via 
the hostname, they are prompted for authentication of their username and 
password.
I have currently configured the server.xml to connect to LDAP. I have added 
below the configuration on my server.xml. I am unsure as to where to go from 
here, how I will be able to link the hostname. I have changed some values in 
the information given for security purposes.


   
 
 
   

I have checked the web for blogs and asked other tomcat groups but was not able 
to get any answers.

I am aware that the version of Apache Tomcat I am using is outdated and has 
reached its end of life. Though necessary, I cannot update to a newer version 
of the application due to some issues.


Hi.

I believe that you are confused about 2 separate topics : "hostnames" and "web application 
security".
It is the web application which is "protected" by a userid/password login requirement, not 
the hostname.

This page of the on-line tomcat 6 documentation provides some hints :
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
In the "Quick Start" section, you will see that in order to "force" someone to 
authenticate in order to use the application, you need to specify some things in the 
web.xml of the application.
And in the "Example Application" section, it points to an example application that has 
these things.

Maybe you can start from there ?

And for the "host name" part, see this section :
http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
But that is a different issue.


