Matt Raible wrote:
-Original Message-
From: Josh Rehman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 5:49 PM
Thanks. You bring up an interesting aspect of container
configuration:
database drivers. It would be interesting to extend the
META-INF/context.xml tomcat
Krause
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
Will require authentication but not authorisation.
John.
Krause Karin wrote:
Hi all,
I've got a question regarding authentication. I wish to do
authentication without authorisation. So this means everybody
should
Using tomcat 4.1.18, I can deploy an application by copying a context
configuration file (CCF) to the webapps directory. I can also make
changes to the WAR file referenced in the CCF, and Tomcat will notice
provided I stop the application first using Tomcat manager and start it
afterwards.
situation the extra costs of
requiring SSL for non-sensitive pages are negligible so everything
involving a user authentication is done under SSL. But that may not be
true for everyone.
John
Craig R. McClanahan wrote:
On Thu, 9 Jan 2003, John Holman wrote:
Date: Thu, 09 Jan 2003 12:56:16 +
My understanding (at the moment) is that there are two scenarios where
session id reuse might be safe:
a) (the scenario I suggested) the *only* secure page requiring https is
the login page. Accessing that using the sniffed session id will only
let the bad guy login - which gains him nothing.
Message-
From: John Holman [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:02 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In this scenario, the *only* page requiring SSL would be
the login page that collects the username and password.
(That could be either a dedicated
If the Solaris usernames and passwords are held in an LDAP directory you
should be able to use the JNDI Realm. You would need to supplement the
Solaris user info with role information in the same directory.
I don't know of a documented method for connecting to other approaches
(e.g. local
Ralph Einfeldt wrote:
Anybody who can listen to your traffic, can hijack
a session. He just has to create a request with the
same sessionid (either as cookie or in the url).
So after you go back from https to http you open
the session to an attacker.
The risks that are involved with that,
Yes, that is clearly a risk. The *whole* web application needs to have no
risks in order to allow http access to any of it - any sensitive link
and it must all be https. (And of course if SSO is enabled *all* web
applications for the virtual host must be considered safe).
Otherwise I'm not
Gil
Check whether the directory server is configured to time out idle
connections. If so, the first attempt made by Tomcat to authenticate
after a long enough period of inactivity will fail in the manner you
describe. If this is the problem, you should find that after a second
login attempt
Stephan
I answered this a couple of days ago ... did it not reach the list?
You need to use curly brackets {} for the substitutions, not parentheses ()
e.g.
userPattern=uid={0},ou=people,dc=yikester,dc=net
not
userPattern=uid=(0),ou=people,dc=yikester,dc=net
John
Stephan Schwab wrote:
Hi,
I want to secure a webapp with the JNDI
Should be possible using JNDIRealm. See the realm how-to.
John.
Nicholas Orr wrote:
Hi,
Has anyone tried using a Novell or Active Directory for a Realm. Would this
even be possible?
Nicholas Orr
The patch is included in tomcat 4.1.10
John.
Vincent Stoessel wrote:
Vincent Stoessel wrote:
I was thinking about trying to create a JNDIRealm
inside of Tomcat 4.0.4 (java 1.4se) , I've already written
a cool little bean that allows me to authenticate
against our ldap/nds server, but I
Providing a connectionName and connectionPassword does *not* cause
JNDIRealm to lookup the password. It will still authenticate by binding
as the user unless you specify the userPassword configuration attribute.
Looking up roles as the administrator (or anonymously if connectionName
and
Mark
Looking up roles as the administrator (or anonymously if
connectionName and connectionPassword are not specified) is a
deliberate design decision.
John.
?? But, if you've already established a connection with the user's
principal and credentials, why would you ever want to convert
Tim Funk wrote:
To use JNDIRealm with Netscape Directory server you need the 4.1.X
series of tomcat and you need to bind as the user. So do not provide
connectionName and connection password.
Actually it's userPassword that should not be provided if you want
JNDIRealm to bind as the
Hi Jeremy.
For the JNDI realm to connect to the directory server with administrator
privileges it needs to know the plaintext password. Having a digest in
the config file isn't possible because the realm can't reconstruct the
plaintext password from it. I suppose some other encryption would
Tony
If you use the newly committed JNDIRealm, you can easily arrange that each
user has a role whose name is the
same as their username. Just set userRoleName to uid (or whatever
attribute of the user's directory entry holds
the username) and your security constraint below should work.
Frederic
# Define an entry to base role searches on
dn: dc=roles,dc=mycompany,dc=com
cn: roles
objectClass: person
sn: Roles Entry
This entry has the wrong object class - should be dcObject. Probably it has
not been created in the directory, so the role search is failing
Dirk
This isn't possible with the current JNDIRealm in Tomcat 4, though you
could probably specify the appropriate digest algorithm and
hack the Tomcat code to disregard the {crypt} prefix returned from OpenLDAP.
A much cleaner solution is to have the JNDIRealm authenticate by binding
to
Fredrik
At 15:06 29/01/02, you wrote:
John Holman wrote:
JNDIRealm works by retrieving the password from the directory server and
comparing it explicitly with the value given by
the user. Unfortunately AFAIK this mode of operation will not work with
eDirectory.
Reading the Realm
There have been proposals (e.g. from me) to enhance JNDIRealm to allow it
to
Can anyone explain the purpose of the worker.tomcat_home, worker.java_home
and ps entries in mod_jk's workers.properties file?
My understanding is that workers.properties is used only to configure the
mod_jk webserver plugin, and I'm at a loss to see why that would need to
know anything about
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 15, 2001 12:54 PM
Subject: Session Question
I am currently writing a pretty complex data entry HTML page for an
application. The HTML has 7 different frames where data is input, one
represents the
?
John Holman <j.g.holman@qmw.ac.uk>
To: [EMAIL PROTECTED]
cc:
Subject: Re: Session Question
05/15/01 07:15 AM
Please