RE: Security constraint/login form
Ok, I'm finding that the names are somewhat relevant. For instance, if I assign a user the role service, or admin, it works with no problems. If I assign another name -- say senior, or legal or business -- it does not work. Any ideas why?

And, if it's limited to this by Tomcat's default security constraint class files, can I individually edit and recompile them, and then it will redeploy in the war file upon restart?

-----Original Message-----
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 4:03 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form

The names are irrelevant. They just have to match between implementation and setup.

On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote:

quick answer is yes to they have to be service or admin or yes to I can declare them anything that matches the column in another DB table I've created or yes to my last question about the values being what I want?

-----Original Message-----
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 3:38 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form

Quick answer is yes.

On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote:

I wonder though...do the role_names have to be service or admin or something like that? Can they be anything I declare them to be that matches the column in another DB table? i.e. I've got user_name and role_name as columns in the user_roles table. Can I make a 3rd table also having a column called role_name, but with a value such as RISK, author, legaldept, etc.?

-----Original Message-----
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form

Are you talking about the tomcat-users.xml file and the roles defined in there? The security-constraints are pretty flexible and you can use any number of ways to define your realms. If you look at the web.xml for the manager application (that is shipped with Tomcat), you can see how that realm is defined and used. You can even use encrypting on the passwords in that file. If you don't mind maintaining that file for roles and users, then just modify it to fit your needs and change your security constraint for your web application to match those roles. Below is a quick example. If you are wanting something more flexible, then you can research and use your favorite database for authentication or even your favorite LDAP.

Below is a quick example of how to use a user-defined role in the tomcat-users.xml file and how to match it to two different URLs in one web app. Please understand, this is just a quick example and I do not dare declare that this will work. Just a springboard to help you get your feet wet.

tomcat-users.xml:

    <tomcat-users>
      <role rolename="role1"/>
      <role rolename="role2"/>
      <user username="user1" password="userpass1" roles="role1,role2"/>
      <user username="user2" password="userpass2" roles="role2"/>
    </tomcat-users>

application's web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrict to role1 and role2</web-resource-name>
        <url-pattern>/welcome.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>role1</role-name>
        <role-name>role2</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrict to role2 only</web-resource-name>
        <url-pattern>/other.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>role2</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- one role-name per security-role element -->
    <security-role>
      <description>some descr</description>
      <role-name>role1</role-name>
    </security-role>
    <security-role>
      <role-name>role2</role-name>
    </security-role>

On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote:

to add to my question earlier below, would it be something as simple as?

    String juser = (String) request.getAttribute("j_username");

Granted I have no idea what the session attribute is under the hood, only know that j_username is the input name for the user_name.

I was thinking with that info, I could then run a select query to extract the role_name from an additional joined table to authenticate a step further. Does what I am explaining make sense? Forgive me if not. When I say additional table, I mean one in addition to the user_name and user_roles table that Tomcat requires for the form login security constraint to work.

-----Original Message-----
From: Propes, Barry L
Sent: Thursday, August 17, 2006 11:13 AM
To: Tomcat Users List
Subject: Security constraint/login form

I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a version on a prod. server and one on my desktop) that you can create the simple table titled users and configure it in the server.xml file
RE: Security constraint/login form
never mind...sorry, I did see it in the web.xml file under the role-name element. Sorry about that!

-----Original Message-----
From: Propes, Barry L
Sent: Monday, August 21, 2006 10:43 AM
To: Tomcat Users List
Subject: RE: Security constraint/login form

Ok, I'm finding that the names are somewhat relevant. For instance, if I assign a user the role service, or admin, it works with no problems. If I assign another name -- say senior, or legal or business -- it does not work. Any ideas why?

And, if it's limited to this by Tomcat's default security constraint class files, can I individually edit and recompile them, and then it will redeploy in the war file upon restart?
Re: Security constraint/login form
Could you post some relevant sections of your webapp? I'm thinking the security constraint section of your web.xml, a representative segment of your user database table, and the logs where a request is made to login. Something just seems off here. As a test a few days ago, I changed the role name of the users that could get into the manager app -- both in manager webapp's web.xml and in tomcat-users.xml and it worked without a hitch.

--David

Propes, Barry L wrote:

Ok, I'm finding that the names are somewhat relevant. For instance, if I assign a user the role service, or admin, it works with no problems. If I assign another name -- say senior, or legal or business -- it does not work. Any ideas why?

And, if it's limited to this by Tomcat's default security constraint class files, can I individually edit and recompile them, and then it will redeploy in the war file upon restart?
RE: Security constraint/login form
Thanks, David. Yeah, I replied back to it a minute ago...I had the role-name elements in the (web)XML file askew from what was in the DB. Got it working now.

And, one more thing. I should be able to add a third column to the role_name db table, shouldn't I? If so, do I need to add a matching third col to the users table as well? Or is that immaterial?

-----Original Message-----
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 10:51 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form

Could you post some relevant sections of your webapp? I'm thinking the security constraint section of your web.xml, a representative segment of your user database table, and the logs where a request is made to login. Something just seems off here. As a test a few days ago, I changed the role name of the users that could get into the manager app -- both in manager webapp's web.xml and in tomcat-users.xml and it worked without a hitch.

--David
Re: Security constraint/login form
If username has admin,manager roles assigned you shouldn't have access problems.

Sounds as if you may have a security Valve installed?
http://tomcat.apache.org/tomcat-4.1-doc/catalina/docs/api/org/apache/catalina/authenticator/SingleSignOn.html

either that or someone disabled .htaccess for that folder for that username..?

Anyone else?

M-

----- Original Message -----
From: David Smith [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, August 21, 2006 11:51 AM
Subject: Re: Security constraint/login form

Could you post some relevant sections of your webapp? I'm thinking the security constraint section of your web.xml, a representative segment of your user database table, and the logs where a request is made to login. Something just seems off here. As a test a few days ago, I changed the role name of the users that could get into the manager app -- both in manager webapp's web.xml and in tomcat-users.xml and it worked without a hitch.

--David
Re: Security constraint/login form
Looking at the source for org.apache.catalina.JDBCRealm, the queries on the database are confined to the rows/columns required for authentication. Other columns could be present in both users and roles without any impact.

Prepared statement for fetching credentials:

    select userCredCol from userTable where userNameCol = ?

Prepared statement for fetching roles:

    select roleNameCol from userRoleTable where userNameCol = ?

--David

Propes, Barry L wrote:

Thanks, David. Yeah, I replied back to it a minute ago...I had the role-name elements in the (web)XML file askew from what was in the DB. Got it working now.

And, one more thing. I should be able to add a third column to the role_name db table, shouldn't I? If so, do I need to add a matching third col to the users table as well? Or is that immaterial?
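The two points settled in this thread (role-name values in web.xml must match the role_name values in the database, and the realm's queries ignore extra columns) can be checked with a short script. This is an added example, not code from the thread or from Tomcat: the sample web.xml, the table rows, the user_pass, dept and granted_by columns, the exact-pattern lookup in can_access and the audit query are all assumptions made for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Realm settings named as in the two prepared statements quoted above.
# users, user_roles, user_name and role_name come from the thread;
# user_pass is an assumed credential column name.
REALM = {"userTable": "users", "userNameCol": "user_name",
         "userCredCol": "user_pass", "userRoleTable": "user_roles",
         "roleNameCol": "role_name"}

# Constructed web.xml fragment modelled on the example in the thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrict to service and legal</web-resource-name>
      <url-pattern>/welcome.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>service</role-name>
      <role-name>legal</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrict to admin only</web-resource-name>
      <url-pattern>/other.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def build_sample_db():
    """Constructed rows; dept and granted_by are extra columns the realm never reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users (user_name text primary key, user_pass text, dept text);
        create table user_roles (user_name text, role_name text, granted_by text);
        insert into users values ('alice', 'constructed-pass-1', 'ops');
        insert into users values ('bob',   'constructed-pass-2', 'it');
        insert into users values ('carol', 'constructed-pass-3', 'legal');
        insert into user_roles values ('alice', 'service',   'bob');
        insert into user_roles values ('bob',   'admin',     'bob');
        insert into user_roles values ('carol', 'legaldept', 'bob');
    """)
    return conn


def realm_credentials(conn, username):
    """select userCredCol from userTable where userNameCol = ?"""
    sql = "select {userCredCol} from {userTable} where {userNameCol} = ?".format(**REALM)
    row = conn.execute(sql, (username,)).fetchone()
    return row[0] if row else None


def realm_roles(conn, username):
    """select roleNameCol from userRoleTable where userNameCol = ?"""
    sql = "select {roleNameCol} from {userRoleTable} where {userNameCol} = ?".format(**REALM)
    return sorted(r[0] for r in conn.execute(sql, (username,)))


def _local(tag):
    # Drop an XML namespace prefix if the descriptor declares one.
    return tag.rsplit("}", 1)[-1]


def constraint_roles(web_xml):
    """Map each url-pattern to the role-names listed in its auth-constraint."""
    result = {}
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, roles = [], set()
        for el in sc.iter():
            text = (el.text or "").strip()
            if _local(el.tag) == "url-pattern":
                patterns.append(text)
            elif _local(el.tag) == "role-name":
                roles.add(text)
        for pattern in patterns:
            result.setdefault(pattern, set()).update(roles)
    return result


def can_access(conn, username, url, constraints):
    """Exact-pattern lookup only (a simplification); roles compared as exact strings."""
    required = constraints.get(url)
    if required is None:
        return True  # no constraint covers this URL in the sample
    return bool(required & set(realm_roles(conn, username)))


def audit(conn, web_xml):
    """Report role names present on only one side (audit query, not the realm's)."""
    wanted = set().union(*constraint_roles(web_xml).values())
    sql = "select distinct {roleNameCol} from {userRoleTable}".format(**REALM)
    granted = {r[0] for r in conn.execute(sql)}
    return {"no_user_has": sorted(wanted - granted),
            "unused_in_web_xml": sorted(granted - wanted)}


if __name__ == "__main__":
    db = build_sample_db()
    rules = constraint_roles(WEB_XML)
    for user in ("alice", "bob", "carol"):
        print(user, realm_roles(db, user), can_access(db, user, "/welcome.jsp", rules))
    print(audit(db, WEB_XML))
```

In the sample data carol holds legaldept while web.xml asks for legal, so she is refused and the audit lists both names, which is the kind of mismatch described in the thread.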
RE: Security constraint/login form
ok, thanks, David!

-----Original Message-----
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 11:48 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form

Looking at the source for org.apache.catalina.JDBCRealm, the queries on the database are confined to the rows/columns required for authentication. Other columns could be present in both users and roles without any impact.

Prepared statement for fetching credentials:

    select userCredCol from userTable where userNameCol = ?

Prepared statement for fetching roles:

    select roleNameCol from userRoleTable where userNameCol = ?

--David
Re: Security constraint/login form
Over an hour? Not even ODBC has that kind of latency. Could you be looking at a caching issue?

--David

Propes, Barry L wrote:

ok, thanks..I think there's a fair amount of latency between my database query info and what's actually updated in there. Something I'd changed over an hour ago was still showing the old value, and could have been causing some of the problems.
Re: Security constraint/login form
The role names can be anything you want. The 'admin' and 'manager' roles are only meaningful to the admin and manager webapps respectively. They aren't special to tomcat itself.

Propes, Barry L wrote:

I wonder though...do the role_names have to be service or admin or something like that? Can they be anything I declare them to be that matches the column in another DB table? i.e. I've got user_name and role_name as columns in the user_roles table. Can I make a 3rd table also having a column called role_name, but with a value such as RISK, author, legaldept, etc.?

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Security constraint/login form
Not sure...it could be. I'll look into that a little more deeply. It probably is a caching issue OR our IT group who actually hosts the servers could have that DB that I have access to as a staging server, and then it replicates over later on to a different db. Doesn't seem too likely, but I don't know how they have everything configured.

On a slightly different note, regarding my question below about role names in the user_roles table. Everybody that I have set to service or admin works fine when attempting a login under the security constraint. I have two people with role_names that differ from these (service or admin) and that are in uppercase. It seems to have quite an apparent effect saying access denied. So it's sounding like I can't just add whichever type of role_name I prefer. It has to be service or admin? If anyone knows, please clarify.

In the tomcat-users.xml file, that has role mappings for manager, tomcat, role1, etc. But that doesn't relate to the security-constraint element in the web.xml at all does it?

-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, August 18, 2006 6:26 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form

Over an hour? Not even ODBC has that kind of latency. Could you be looking at a caching issue?

--David

Propes, Barry L wrote:

ok, thanks..I think there's a fair amount of latency between my database query info and what's actually updated in there. Something I'd changed over an hour ago was still showing the old value, and could have been causing some of the problems.

-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 4:03 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form

The names are irrelevant. They just have to match between implementation and setup.

On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote:

quick answer is yes to they have to be service or admin or yes to I can declare them anything that matches the column in another DB table I've created or yes to my last question about the values being what I want?

-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 3:38 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form

Quick answer is yes.

On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote:

I wonder though...do the role_names have to be service or admin or something like that? Can they be anything I declare them to be that matches the column in another DB table? i.e. I've got user_name and role_name as columns in the user_roles table. Can I make a 3rd table also having a column called role_name, but with a value such as RISK, author, legaldept, etc.?
RE: Security constraint/login form
Looking at the 4.1 doco, it states about the JDBC Realm and user tables configuration:

Role name of a valid role associated with this user

So then I ask, what's a valid role? What are the choices? Is valid ONLY service or admin?
Re: Security constraint/login form
Valid roles are whatever are defined to be valid. The specific name does not matter. But if you are using a Database for validation, then the roles are pulled from the database column that you have associated as the roles. Depending on your database, they may or may not be case-sensitive (the values that is).
RE: Security constraint/login form
OK, thanks, Marc. I'm using Oracle, and it indeed does seem to be case-sensitive. I've added a role_name of the word risk, rather than RISK. Anything I had in caps like SENIOR or MGMT seemed to really throw a wrench in the login attempt.

When entering this new account created, I currently am only getting an incorrect login, meaning that the db table hasn't immediately recognized the account yet, or maybe the caching is holding it up, which may be a pretty safe bet.

Thanks, guys!
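The role-name matching discussed in this thread, as an added example that is not part of any original message: a Python check that compares the role names in a web.xml with the role_name values a realm supplies and flags case-only differences such as risk versus RISK. The descriptor, the user rows and the function names are constructed for illustration, and the check assumes role names are compared as exact, case-sensitive strings.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the thread); role names echo those discussed.
WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>service</role-name>
      <role-name>risk</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>legal</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>service</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>risk</role-name></security-role>
</web-app>
"""

# Constructed rows as (user_name, role_name), the two columns of the user_roles table.
USER_ROLES = [
    ("alice", "service"),
    ("bob", "admin"),
    ("carol", "RISK"),
    ("dave", "SENIOR"),
]


def _local(tag):
    """Strip an XML namespace so DTD-style and schema-style descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _texts(elem, name):
    return {(e.text or "").strip() for e in _find_all(elem, name)}


def parse_web_xml(text):
    """Return ({url-pattern: required role names}, declared security-role names)."""
    root = ET.fromstring(text)
    declared = set()
    for role in _find_all(root, "security-role"):
        declared |= _texts(role, "role-name")
    constraints = {}
    for sc in _find_all(root, "security-constraint"):
        roles = set()
        for ac in _find_all(sc, "auth-constraint"):
            roles |= _texts(ac, "role-name")
        if "*" in roles:  # "*" stands for every role declared in the web app
            roles = (roles - {"*"}) | declared
        for pattern in _texts(sc, "url-pattern"):
            constraints.setdefault(pattern, set()).update(roles)
    return constraints, declared


def audit(web_xml, user_roles):
    """List (kind, where, detail) findings for role names that cannot match."""
    constraints, declared = parse_web_xml(web_xml)
    realm = {role for _, role in user_roles}
    folded = {}
    for role in realm:
        folded.setdefault(role.lower(), set()).add(role)
    findings, required = [], set()
    for pattern in sorted(constraints):
        for role in sorted(constraints[pattern]):
            required.add(role)
            if role not in declared:
                findings.append(("undeclared-role", pattern, role))
            if role in realm:
                continue
            near = sorted(folded.get(role.lower(), ()))
            if near:  # same letters, different case: the RISK vs risk situation
                findings.append(("case-mismatch", pattern, f"{role} != {near[0]}"))
            else:
                findings.append(("unknown-role", pattern, role))
    for user, role in sorted(user_roles):
        if role not in required:  # this user's role satisfies no constraint
            findings.append(("user-never-matches", user, role))
    return findings


if __name__ == "__main__":
    for finding in audit(WEB_XML, USER_ROLES):
        print(finding)
```

In practice the rows would come from a query against the user_roles table rather than the inline list.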
RE: Security constraint/login form
to add to my question earlier below, would it be something as simple as?

    String juser = (String) request.getAttribute("j_username");

Granted I have no idea what the session attribute is under the hood, only know that j_username is the input name for the user_name.

I was thinking with that info, I could then run a select query to extract the role_name from an additional joined table to authenticate a step further.

Does what I am explaining make sense? Forgive me if not. When I say additional table, I mean one in addition to the user_name and user_roles table that Tomcat requires for the form login security constraint to work.

-Original Message-
From: Propes, Barry L
Sent: Thursday, August 17, 2006 11:13 AM
To: Tomcat Users List
Subject: Security constraint/login form

I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a version on a prod. server and one on my desktop) that you can create the simple table titled users and configure it in the server.xml file and then likewise configure the web.xml file's security constraint properties.

My question is, can you add other columns to the table and then do a join on another table as to further enhance security? If so, what is involved, and how involved is it?

Thanks!

Barry
Re: Security constraint/login form
Getting the remote user would be request.getRemoteUser();

I would imagine other fields could be added to the database table, but the webapp would be responsible for loading the remaining data into a session or whatever is needed. Tomcat will only offer the username and an accurate response to request.isUserInRole( rolename );

--David
RE: Security constraint/login form
ok, well that certainly helps and gives very good direction! Thank you, David!
Re: Security constraint/login form
Are you talking about the tomcat-users.xml file and the roles defined in there? The security-constraints are pretty flexible and you can use any number of ways to define your realms. If you look at the web.xml for the manager application (that is shipped with Tomcat), you can see how that realm is defined and used. You can even use encryption on the passwords in that file. If you don't mind maintaining that file for roles and users, then just modify it to fit your needs and change your security constraint for your web application to match those roles. Below is a quick example.

If you are wanting something more flexible, then you can research and use your favorite database for authentication or even your favorite LDAP.

Below is a quick example of how to use a user-defined role in the tomcat-users.xml file and how to match it to two different URLs in one web app. Please understand, this is just a quick example and I do not dare declare that this will work. Just a springboard to help you get your feet wet.

tomcat-users.xml:

    <tomcat-users>
      <role rolename="role1"/>
      <role rolename="role2"/>
      <user username="user1" password="userpass1" roles="role1,role2"/>
      <user username="user2" password="userpass2" roles="role2"/>
    </tomcat-users>

application's web.xml:

    <!-- Access is granted if the user holds any one of the listed roles. -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrict to role1 and role2</web-resource-name>
        <url-pattern>/welcome.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>role1</role-name>
        <role-name>role2</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Restrict to role2 only</web-resource-name>
        <url-pattern>/other.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>role2</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Each security-role element declares exactly one role-name. -->
    <security-role>
      <description>some descr</description>
      <role-name>role1</role-name>
    </security-role>
    <security-role>
      <description>some descr</description>
      <role-name>role2</role-name>
    </security-role>

-- Marc Farrow
RE: Security constraint/login form
Marc, I was actually talking about server.xml in the conf dir and then web.xml where the security constraint is configured, but this is good to know. That is more for authentication to get to a certain portion -- the manager section isn't it?

On that topic, I added the role of manager and configured the simple username = admin, pwd = and that doesn't seem to authenticate me when I attempt to enter it. in the basic http://192.168.2.13:8080/manager/ URL... it prompts me with the dialog box to enter credentials but never accepts successfully.

I haven't really needed to get to that anyway too much as it is, but what David said is what I was looking for. I restructured my DB tables to match up the role_name values and I think I'm on my way to getting that to work. I successfully retrieved the remote user, so now I should just be able to run a simple select query to get the values I need to return the proper info per each user's roles and credentials.

Thanks, both of you guys!

-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
RE: Security constraint/login form
I wonder though...do the role_names have to be service or admin or something like that? Can they be anything I declare them to be that matches the column in another DB table?

i.e. I've got user_name and role_name as columns in the user_roles table. Can I make a 3rd table also having a column called role_name, but with a value such as RISK, author, legaldept, etc.?

-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Re: Security constraint/login form
Quick answer is yes.

-- Marc Farrow
RE: Security constraint/login form
quick answer is yes to "they have to be service or admin" or yes to "I can declare them anything that matches the column in another DB table I've created" or yes to my last question about the values being what I want?

-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 3:38 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Re: Security constraint/login form
The names are irrelevant. They just have to match between implementation and setup.

-- Marc Farrow
RE: Security constraint/login form
ok, thanks..I think there's a fair amount of latency between my database query info and what's actually updated in there. Something I'd changed over an hour ago was still showing the old value, and could have been causing some of the problems. -Original Message- From: Marc Farrow [mailto:[EMAIL PROTECTED] Sent: Thursday, August 17, 2006 4:03 PM To: Tomcat Users List Subject: Re: Security constraint/login form The names are irrelevant. They just have to match between implementation and setup. On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote: quick answer is yes to they have to be service or admin or yes to I can declare them anything that matches the column in another DB table I've created or yest to my last question about the values being what I want? -Original Message- From: Marc Farrow [mailto:[EMAIL PROTECTED] Sent: Thursday, August 17, 2006 3:38 PM To: Tomcat Users List Subject: Re: Security constraint/login form Quick answer is yes. On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote: I wonder though...do the role_names have to be service or admin or something like that? Can they be anything I declare them to be that matches the column in another DB table? i.e. I've got user_name and role_name as columns in the user_roles table. Can I make a 3rd table also having a column called role_name, but with a value such as RISK, author, legaldept, etc.? -Original Message- From: Marc Farrow [mailto:[EMAIL PROTECTED] Sent: Thursday, August 17, 2006 2:11 PM To: Tomcat Users List Subject: Re: Security constraint/login form Are you talking about the tomcat-users.xml file and the roles defined in there? The security-contraints are pretty flexible and you can use any number of ways to define your realms. If you look at the web.xml for the manager application (that is shipped with Tomcat), you can see how that realm is defined and used. You can even use encrypting on the passwords in that file. 
If you don't mind maintaing that file for roles and users, then just modify it to fit your needs and change your security contraint for your web application to match those roles. Below is a quick example. If you are wanting something for flexible, then you can research and use your favorite database for authentication or even your favorite LDAP. Below is a quick example of how to use a user-defined role in the tomcat-users.xml file and how to match it to two different URLS in one web app. Please understand, this is just a quick example and I do not dare declare that this will work. Just a springboard to help you get your feet wet. tomcat-users.xml: tomcat-users role rolename=role1/ role rolename=role2/ user username=user1 password=userpass1 roles=role1,role2/ user username=user2 password=userpass2 roles=role2/ /tomcat-users application's web.xml: security-constraint web-resource-collection web-resource-nameRestrict to role1 and role2/ url-pattern/welcome.jsp/url-pattern /web-resource-collection auth-contraint role-namerole1/role-name role-namerole2/role-name /auth-contraint /security-contraint security-constraint web-resource-collection web-resource-nameRestrict to role2 only/ url-pattern/other.jsp/url-pattern /web-resource-collection auth-contraint role-namerole2/role-name /auth-contraint /security-contraint security-role descriptionsome descr/description role-namerole1/role-name role-namerole2/role-name /security-role On 8/17/06, Propes, Barry L [EMAIL PROTECTED] wrote: to add to my question earlier below, would it be something as simple as? String juser= (String) request.getAttribute(j_username); Granted I have no idea what the session attribute is under the hood, only know that j_username is the input name for the user_name. I was thinking with that info, I could then run a select query to extract the role_name from an additional joined table to authenticate a step further. Does what I am explaining make sense? Forgive me if not. 
When I say additional table, I mean one in addition to the user_name and user_roles table that Tomcat requires for the form login security constraint to work. -Original Message- From: Propes, Barry L Sent: Thursday, August 17, 2006 11:13 AM To: Tomcat Users List Subject: Security constraint/login form I realize that in Tomcat (I'm using 4.1.3 and 4.0.1 by the way -- a version on a prod. server and one ony my desktop) that you can create the simple table titled users and configure it in the server.xml file and then likewise configure the web.xml file's security constraint properties. My question is, can you add other columns to the table and then do a join on another