RE: Security Constraints
Depends on what realm you are using. Assuming you are using the default MemoryRealm, users are defined in $TOMCAT_HOME/conf/tomcat-users.xml. If you are using JDBCRealm then it is presumably assumed that there is an existing mechanism to manage users/passwords for your database. If you are using another Realm, then the chances are you have written it yourself, so should know the answer ;-)

Tim

-----Original Message-----
From: Martin Mauri [mailto:[EMAIL PROTECTED]]
Sent: 28 March 2001 19:52
To: [EMAIL PROTECTED]
Subject: Security Constraints

Hi users!

I'm trying to configure the security constraints with the FORM login method. I've defined the role name as "role1", but where and how do I add users to that role, and where do I configure their passwords?

Regards,
Martin

Lic. Martin O. Mauri
Profesion + Auge A.F.J.P
Parana 666 - Cap. Federal
TE: (011) 4373-7786/7 int: 422
[EMAIL PROTECTED]
www.profesi.com.ar

--
DISCLAIMER: This message contains proprietary information some or all of which may be confidential and/or legally privileged. It is for the intended recipient only who may use and apply the information only for the intended purpose. Internet communications are not secure and therefore the British Biotech group does not accept legal responsibility for the contents of this message. Any views or opinions presented are only those of the author and not those of the British Biotech group. If you are not the intended recipient please delete this e-mail and notify the author immediately by calling ++44 (0)1865 748747; do not use, disclose, distribute, copy, print or rely on this e-mail.
single login form for single sign on
I want to use the single sign on capabilities of Tomcat4 with FORM based authentication. However, it does not seem possible to define a single login and error page.

Even though single sign on and a Realm are specified in $TOMCAT_HOME/conf/server.xml, and FORM authentication is specified in $TOMCAT_HOME/conf/web.xml (e.g. to use /login/login.html as the login page), when there is a need to authenticate from a particular webapp, the login page is referenced relative to the context (e.g. $TOMCAT_HOME/webapps/myapp/login/login.html). This would involve copying the login pages into every webapp, which gives a maintenance problem.

So in essence the question is: is there a way to specify a "global" login and error page that will be used by all webapps?

Many thanks

Tim

----
Tim Dudgeon
[EMAIL PROTECTED]
RE: Form based login: protected against password snooping?
I think your understanding is correct. BASIC, DIGEST and FORM are alternatives. You can't combine them. To use FORM or BASIC securely you need SSL.

Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 13 March 2001 17:42
To: [EMAIL PROTECTED]
Subject: Form based login: protected against password snooping?

Hi,

As far as I understand it, when using form based login, login and password are just posted in plain format and are therefore not protected against password snooping. Is that true? And if so, is the only way to use form based login safely the use of SSL? Or does a sort of mixture between, for instance, DIGEST and form based login exist?

Thanks,
Wilko
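The two threads above ("Security Constraints": where users, passwords and roles live for the default MemoryRealm; and this one: FORM login needs SSL) share one configuration, so here is a single worked example covering both. It is an added example, not taken from the original posts or from Tomcat's own distribution. It assumes Tomcat 4.0's tomcat-users.xml attribute names (name, password, roles), the role "role1" from Martin's question, the login page path /login/login.html from the single-sign-on thread, and the following made-up details: a protected path /secure/*, an error page /login/error.html, the realm name "Example Realm", and the user names and passwords.

```xml
<!-- 1. WEB-INF/web.xml of the web application: what is protected, by which
        roles, how users log in, and that the protected URLs must use SSL. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <!-- assumed path for this example -->
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- the role name from the "Security Constraints" thread -->
      <role-name>role1</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect a plain-HTTP request for these
         URLs to the connector's redirectPort (the HTTPS connector) before it
         shows the login form, so the form and the j_security_check POST
         travel over SSL. Without it, FORM (and BASIC) send the password in
         the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <!-- both paths are resolved relative to this web application's
           context, which is the limitation raised in the single-sign-on
           thread above; the error page path is assumed -->
      <form-login-page>/login/login.html</form-login-page>
      <form-error-page>/login/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- every role named in an auth-constraint must also be declared here -->
  <security-role>
    <role-name>role1</role-name>
  </security-role>

</web-app>

<!-- 2. $TOMCAT_HOME/conf/tomcat-users.xml for the default MemoryRealm
        (Tomcat 4.0 attribute names). Passwords are stored in the clear, so
        the file must be readable only by the account Tomcat runs as.
        User names and passwords are made up for the example. -->
<tomcat-users>
  <user name="martin"  password="change-me"     roles="role1" />
  <user name="auditor" password="change-me-too" roles="role1,role2" />
</tomcat-users>

<!-- 3. /login/login.html: the action and the two field names are fixed by
        the servlet specification; the rest of the page is free-form. -->
<html>
  <body>
    <form method="POST" action="j_security_check">
      Username: <input type="text" name="j_username" /><br />
      Password: <input type="password" name="j_password" /><br />
      <input type="submit" value="Log in" />
    </form>
  </body>
</html>
```

Two checks before relying on this: the HTTP connector in server.xml needs a redirectPort that points at a configured HTTPS connector, otherwise the CONFIDENTIAL redirect has nowhere to go; and a quick way to confirm the constraint works is to request /secure/ over plain HTTP and verify you are sent to the https:// URL before the login form appears, rather than seeing the form over HTTP.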
form based auth broken - no cookie sent?
I can't get form based authentication working with the latest snapshots. Works fine with 4.0b1.

Authentication is working, but the redirection back to the original page seems to fail, I think because no cookie is being sent. With 4.0b1 a cookie is sent along with the login page. With the latest snapshots it is not. On processing the login page a 400 error is returned. This also happens with 4.0-b1 if you refuse the cookie. The user is being authenticated successfully (as seen in the access log).

Any ideas?

Tim

-----
Tim Dudgeon
[EMAIL PROTECTED]
MyRealm - cannot instantiate class exception
Although I've been using Tomcat for some time, I'm now needing to start on some work to match up the authentication and authorisation within Catalina to our environment. To do this I'm putting together an LDAPRealm. I have a rudimentary LDAPRealm that works fine on its own, but when I put it into Tomcat I'm getting a "cannot instantiate class" exception from within my code. Could someone give me a guide into what I'm doing wrong? It's probably pretty basic, but I'm new to this.

What I did: created an org.apache.catalina.realm.MyRealm class that contains an authenticate() method that connects to the LDAP server as follows:

    import java.security.Principal;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public Principal authenticate(String username, String credentials) {
        // Refuse empty credentials up front: an LDAP simple bind with an
        // empty password is treated as an anonymous bind by many servers and
        // would otherwise "succeed" for any user name.
        if (credentials == null || credentials.length() == 0) {
            return (null);
        }
        MyRealmPrincipal principal = new MyRealmPrincipal(username);
        Hashtable env = new Hashtable(11);
        // LDAP provider (the factory named in the exception below)
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389/dc=britbio,dc=co,dc=uk");
        // bind as the user's own DN with the password they supplied
        env.put(Context.SECURITY_PRINCIPAL, principal.getDistinguishedName());
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        try {
            // Create the initial directory context
            DirContext ctx = new InitialDirContext(env);
            // if we get here then we've bound OK
            System.out.println("Authenticated for " + principal.getDistinguishedName());
            // get the groups from the JNDI context and define them as roles
            getRoles(ctx, principal);
            // unbind
            ctx.close();
            return (principal);
        } catch (NamingException e) {
            // could not bind - wrong password?
            System.err.println("Failed to bind to directory for " + username);
            e.printStackTrace();
            return (null);
        }
    }

This code works fine on its own (outside Catalina). However, when I try to run it within Catalina (jar'd up the classes, put them in $CATALINA_ROOT/server), my code gets called, but the bind to the LDAP server fails with the following exception:

    Failed to bind to directory for tom
    javax.naming.NoInitialContextException: Cannot instantiate class: com.sun.jndi.ldap.LdapCtxFactory.
    Root exception is java.lang.ClassCastException: com.sun.jndi.ldap.LdapCtxFactory
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:659)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:250)
        at javax.naming.InitialContext.init(InitialContext.java:226)
        at javax.naming.InitialContext.init(InitialContext.java:202)
        at javax.naming.directory.InitialDirContext.init(InitialDirContext.java:87)
        at org.apache.catalina.realm.TimsRealm.authenticate(TimsRealm.java:109)
        at org.apache.catalina.authenticator.BasicAuthenticator.findPrincipal(BasicAuthenticator.java:214)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:160)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:975)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2041)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:414)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:975)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:159)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:215)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:975)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:818)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:897)
        at java.lang.Thread.run(Thread.java:484)

Any ideas as to why this runs outside Catalina and not inside it? The JVM, and everything else I can think of, is the same.
My setup: Tomcat-4.0-b1, JDK 1.3, Linux.

Many thanks

Tim

-----
Tim Dudgeon
[EMAIL PROTECTED]