Re: LDAP authentication for Tomcat's webapp 'Opengrok'
Alfie,

On 3/27/17 7:07 AM, Alfie Patolilic wrote:
>> Tomcat Version : 6.0.36

You need to upgrade. Current 6.0.x version is 6.0.51. Current stable version is (IMO) 8.0.42.

>> I have a question on how I am able to set the following,
>> regarding the web application that runs under Apache Tomcat,
>> 'Opengrok'. The idea is to set a hostname for
>> 'localhost:8080/grok', so when users try and access the page via
>> the hostname, they are prompted for authentication of their
>> username and password.
>>
>> I have currently configured the server.xml to connect to LDAP. I
>> have added below the configuration on my server.xml. I am unsure
>> as to where to go from here, how I will be able to link the
>> hostname. I have changed some values in the information given for
>> security purposes.
>>
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>          resourceName="UserDatabase"/>
>>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>          connectionURL="ldap:// " connectionName="ldap@company "
>>          connectionPassword="password" referrals="follow"
>>          userBase="DC=" userSearch="(sAMAccountName={0})"
>>          userSubtree="true" roleBase="DC=" roleName="cn"
>>          roleSubtree="true" roleSearch="(member={0})"
>>          allRolesMode="strictAuthOnly" />
>> </Realm>

Does the application understand anything about LDAP authentication, or are you asking how Tomcat can be configured to request the username and password for the user?

The LDAP backend is just the way that the authentication and authorization is performed. Credential-gathering is typically performed using one of the following:

1. HTTP Basic "authentication"
2. HTTP Digest "authentication"
3. FORM login (username/password in a web form)
4. SSL/TLS client certificate

Which of the above did you have in mind?

If you are just slapping authentication on top of an existing application that doesn't have its own login process, then I would recommend using HTTP Basic "authentication" (I use parens around "authentication" because it's not authenticating at all... it's just providing credentials that the server can use for authentication). When using HTTP Basic "authentication" it is absolutely required that you use TLS to encrypt the channel.

>> I have checked the web for blogs and asked other tomcat groups
>> but was not able to get any answers.
>>
>> I am aware that the version of Apache Tomcat I am using is
>> outdated and has reached its end of life. Though necessary, I
>> cannot update to a newer version of the application due to some
>> issues.

You need to resolve those issues. Any software product that has security components cannot be trusted after it reaches end-of-life. Any EOL'd product should be considered known-vulnerable as soon as that EOL date arrives.

> I meant that currently, I can access opengrok via
> localhost:8080/grok.
>
> I am planning on configuring a hostname called 'grok.company.com'
> which redirects to localhost:8080/grok.

Redirects or proxies? Adding a redirect will only work for users who are sitting at your actual computer (localhost).

> When they access grok using grok.company.com, they will be
> prompted with a userid and password using LDAP.

Is there a reason not to require a username and password for all users, regardless of the hostname they use to access the application?

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: LDAP authentication for Tomcat's webapp 'Opengrok'
On 27.03.2017 13:07, Alfie Patolilic wrote:
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: 27 March 2017 11:12
> To: users@tomcat.apache.org
> Subject: Re: LDAP authentication for Tomcat's webapp 'Opengrok'
>
> On 27.03.2017 11:01, Alfie Patolilic wrote:
>> Tomcat Version : 6.0.36
>> OS : Red Hat Enterprise Linux 7.3
>>
>> Hello,
>>
>> I have a question on how I am able to set the following, regarding the web application that runs under Apache Tomcat, 'Opengrok'. The idea is to set a hostname for 'localhost:8080/grok', so when users try and access the page via the hostname, they are prompted for authentication of their username and password.
>> I have currently configured the server.xml to connect to LDAP. I have added below the configuration on my server.xml. I am unsure as to where to go from here, how I will be able to link the hostname. I have changed some values in the information given for security purposes.
>>
>> I have checked the web for blogs and asked other tomcat groups but was not able to get any answers.
>>
>> I am aware that the version of Apache Tomcat I am using is outdated and has reached its end of life. Though necessary, I cannot update to a newer version of the application due to some issues.
>>
>> Hi.
>>
>> I believe that you are confused about 2 separate topics : "hostnames" and "web application security".
>> It is the web application which is "protected" by a userid/password login requirement, not the hostname.
>> This page of the on-line tomcat 6 documentation provides some hints :
>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
>> In the "Quick Start" section, you will see that in order to "force" someone to authenticate in order to use the application, you need to specify some things in the web.xml of the application.
>> And in the "Example Application" section, it points to an example application that has these things.
>> Maybe you can start from there ?
>>
>> And for the "host name" part, see this section :
>> http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
>> But that is a different issue.
>
> Hi André,
>
> Thank you for the reply, I apologize for the unclear question, It is just one host instance.
>
> I meant that currently, I can access opengrok via localhost:8080/grok.
>
> I am planning on configuring a hostname called 'grok.company.com' which redirects to localhost:8080/grok. When they access grok using grok.company.com, they will be prompted with a userid and password using LDAP. I have configured the Realm element as stated on the previous message.

That is what I meant : you /are/ confused.

It is not when "they" will access "http://grok.company.com" that they will be prompted for a user-id and password. It is when they will access /an application/ running under that host that they will be prompted, /if/ this application is configured to require a user-id/password.

And, the realm that you configured, will help, in the sense that /in the application configuration/, you will tell tomcat to use this realm, as a "how" to do the authentication precisely.

A separate issue is if you want to make your "grok" application be the tomcat default application (normally, the default application is called "ROOT"). And for that, look at this article :
https://wiki.apache.org/tomcat/HowTo#How_do_I_make_my_web_application_be_the_Tomcat_default_application.3F
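
Both replies above point at the same place: the login requirement is declared in the web application's own web.xml, which then uses the Realm from server.xml, and HTTP Basic credentials must only travel over TLS. The fragment below is an added example, not part of the original thread or of OpenGrok's shipped configuration; the web-resource-name and realm-name values are placeholders, and CONFIDENTIAL assumes Tomcat has an HTTPS connector to redirect to.

```xml
<!-- Added example: goes inside <web-app> in the application's
     WEB-INF/web.xml (for the poster, the webapp deployed at /grok). -->

<security-constraint>
  <web-resource-collection>
    <!-- Placeholder label; only the url-pattern is significant. -->
    <web-resource-name>Entire application</web-resource-name>
    <!-- Protect every URL. No http-method elements are listed, so the
         constraint applies to all HTTP methods. -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <!-- With allRolesMode="strictAuthOnly" on the Realm (as in the posted
         server.xml) and no security-role elements in this file, "*" admits
         any user the Realm authenticates. Once security-role elements are
         declared here, the user must hold at least one of them. -->
    <role-name>*</role-name>
  </auth-constraint>

  <user-data-constraint>
    <!-- Basic sends the password base64-encoded on every request, so
         require TLS. Tomcat redirects plain-HTTP requests to the
         connector's redirectPort before asking for credentials. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- How credentials are gathered; checking them is done by the Realm
       configured in server.xml (the JNDIRealm against LDAP). -->
  <auth-method>BASIC</auth-method>
  <!-- Placeholder text shown in the browser's login prompt. -->
  <realm-name>OpenGrok</realm-name>
</login-config>
```

If TLS is terminated on a front-end proxy rather than on Tomcat, the HTTPS requirement has to be enforced at that proxy, because Tomcat sees the proxied requests as plain HTTP unless its connector is told otherwise.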
RE: LDAP authentication for Tomcat's webapp 'Opengrok'
-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: 27 March 2017 11:12
To: users@tomcat.apache.org
Subject: Re: LDAP authentication for Tomcat's webapp 'Opengrok'

On 27.03.2017 11:01, Alfie Patolilic wrote:
> Tomcat Version : 6.0.36
> OS : Red Hat Enterprise Linux 7.3
>
> Hello,
>
> I have a question on how I am able to set the following, regarding the web
> application that runs under Apache Tomcat, 'Opengrok'. The idea is to set a
> hostname for 'localhost:8080/grok', so when users try and access the page via
> the hostname, they are prompted for authentication of their username and
> password.
> I have currently configured the server.xml to connect to LDAP. I have added
> below the configuration on my server.xml. I am unsure as to where to go from
> here, how I will be able to link the hostname. I have changed some values in
> the information given for security purposes.
>
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase"/>
>   <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>          connectionURL="ldap:// "
>          connectionName="ldap@company "
>          connectionPassword="password"
>          referrals="follow"
>          userBase="DC="
>          userSearch="(sAMAccountName={0})"
>          userSubtree="true"
>          roleBase="DC="
>          roleName="cn"
>          roleSubtree="true"
>          roleSearch="(member={0})"
>          allRolesMode="strictAuthOnly"
>   />
> </Realm>
>
> I have checked the web for blogs and asked other tomcat groups but was not
> able to get any answers.
>
> I am aware that the version of Apache Tomcat I am using is outdated and has
> reached its end of life. Though necessary, I cannot update to a newer version
> of the application due to some issues.
>
> Hi.
>
> I believe that you are confused about 2 separate topics : "hostnames" and
> "web application security".
> It is the web application which is "protected" by a userid/password login
> requirement, not the hostname.
> This page of the on-line tomcat 6 documentation provides some hints :
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
> In the "Quick Start" section, you will see that in order to "force" someone
> to authenticate in order to use the application, you need to specify some
> things in the web.xml of the application.
> And in the "Example Application" section, it points to an example application
> that has these things.
> Maybe you can start from there ?
>
> And for the "host name" part, see this section :
> http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
> But that is a different issue.

Hi André,

Thank you for the reply, I apologize for the unclear question, It is just one host instance.

I meant that currently, I can access opengrok via localhost:8080/grok.

I am planning on configuring a hostname called 'grok.company.com' which redirects to localhost:8080/grok. When they access grok using grok.company.com, they will be prompted with a userid and password using LDAP. I have configured the Realm element as stated on the previous message.

Thank you,
Alfie
Re: LDAP authentication for Tomcat's webapp 'Opengrok'
On 27.03.2017 11:01, Alfie Patolilic wrote:
> Tomcat Version : 6.0.36
> OS : Red Hat Enterprise Linux 7.3
>
> Hello,
>
> I have a question on how I am able to set the following, regarding the web application that runs under Apache Tomcat, 'Opengrok'. The idea is to set a hostname for 'localhost:8080/grok', so when users try and access the page via the hostname, they are prompted for authentication of their username and password.
> I have currently configured the server.xml to connect to LDAP. I have added below the configuration on my server.xml. I am unsure as to where to go from here, how I will be able to link the hostname. I have changed some values in the information given for security purposes.
>
> I have checked the web for blogs and asked other tomcat groups but was not able to get any answers.
>
> I am aware that the version of Apache Tomcat I am using is outdated and has reached its end of life. Though necessary, I cannot update to a newer version of the application due to some issues.

Hi.

I believe that you are confused about 2 separate topics : "hostnames" and "web application security".
It is the web application which is "protected" by a userid/password login requirement, not the hostname.

This page of the on-line tomcat 6 documentation provides some hints :
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
In the "Quick Start" section, you will see that in order to "force" someone to authenticate in order to use the application, you need to specify some things in the web.xml of the application.
And in the "Example Application" section, it points to an example application that has these things.
Maybe you can start from there ?

And for the "host name" part, see this section :
http://tomcat.apache.org/tomcat-6.0-doc/virtual-hosting-howto.html
But that is a different issue.