Re: Can I chain authenticators?
From: Nikola Milutinovic [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Can I chain authenticators?
Date: Wed, 18 Feb 2004 12:38:13 +0100
Ryan Rhodes wrote:
I have a portal project. I need to allow users to navigate seamlessly
from the portal to a commercial product thats based on Tomcat 4.1 and
uses Basic Authentication. To get around this, I hacked
BasicAuthenticator and added some code to get the credentials from the
request body:
if( hreq.getMethod().toUpperCase().equals(POST)
hreq.getParameter(username) != null
hreq.getParameter(password) != null ) {
username = hreq.getParameter(username);
password = hreq.getParameter(password);
principal =
context.getRealm().authenticate(username,password);
if (principal != null) {
register(request, response, principal,
Constants.BASIC_METHOD,
username, password);
return (true);
}
}
Why is this any better than Basic Authentication? If every request has to
be acompanied by user/pass in request, it can also be done via regular HTTP
headers. You are not gaining any additional security this way. As for
portals, the most important thing about them is not authentication (it is
left to the web server; be it Tomcat or Apache), but authorization and
presentation.
Authenticationg is easy, you can choose:
- HTTP Basic (totally unsafe, but if going over SSL it doesn't matter)
- HTTP Digest (there were client problems in the past)
- HTTP SPNEGO (Microsoft's implementation of GSS-API/Kerberos5 over HTTP)
Basic works with all browsers, but is unsecure, unless ran over HTTPS.
Digest had problems on the client side in the past and I don't know which
clients support it reliably. SPNEGO is great if you have Kerberos framework
in place (MIT or Heimdal on UNIX or Active Directory on Win2k/2003/XP).
Also only Mozilla 1.5/1.6 and IE6 support it on the client side. On the
server side, you need either IIS or Apache + mod_spnego/mod_gssapi as
front-end. Coyote connector doesn't have that feature yet.
Let me explain my situation a little more clearly. I don't have a lot of
control over the commercial product that I'm integrating with. It has it's
own access control system, and it uses Basic Auth. Thats just what I have
to work with. I'm not doing this to improve security. For one thing, this
is just a prototype. If it were rolled out company-wide or for internet use
then we would probably move to a centralized SSO solution. I just need to
allow users to click hyperlinks from the portal that pass the user through
to the commercial product without the Basic auth popup. I don't want to
augment the commercial product with my own authorization system. I just
want a valve to transfer the credentials from the body of a POST request to
the HTTP headers the commercial product expects. The commercial product is
based on Tomcat... so I can add valves if I need to, but I can't replace
it's internal authentication because then I would lose it's authorization.
I read in the lists somewhere that if I add a custom Authenticator it will
disable the Basic Authenticator. Can I separate this code out and chain
the Authenticators together? What level should I configure the Valve at
for the Authenticator?
Why would you chain authenticators?
Authentication is a go/no-go module. It either succeeds or fails. There is
no second try or auxiliary machanism. What would you do if the client
supplies both your custom user/pass and HTTP Basic user/pass (not
unthinkable)?
Save yourself a maintainance nightmare and think your security model
throughly, then implement what you feel is right for you.
Nixie.
You can call it chaining if you want, or you can call it a valve that preps
things for the real authenticator. If the user presents credentials as a
POST I take the post credentials. If they present Basic Auth creds I take
those. Simple as that. I'm not sure I understand the go/no-go concept for
Authenticators. With JAAS you can stack as many modules as you want. Any
one of them could be sufficient or required.
Ryan
_
Store more e-mails with MSN Hotmail Extra Storage 4 plans to choose from!
http://click.atdmt.com/AVE/go/onm00200362ave/direct/01/
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Can I chain authenticators?
Ryan Rhodes wrote:
I have a portal project. I need to allow users to navigate seamlessly
from the portal to a commercial product thats based on Tomcat 4.1 and
uses Basic Authentication. To get around this, I hacked
BasicAuthenticator and added some code to get the credentials from the
request body:
if( hreq.getMethod().toUpperCase().equals(POST)
hreq.getParameter(username) != null
hreq.getParameter(password) != null ) {
username = hreq.getParameter(username);
password = hreq.getParameter(password);
principal = context.getRealm().authenticate(username,password);
if (principal != null) {
register(request, response, principal,
Constants.BASIC_METHOD,
username, password);
return (true);
}
}
Why is this any better than Basic Authentication? If every request has to be
acompanied by user/pass in request, it can also be done via regular HTTP
headers. You are not gaining any additional security this way. As for portals,
the most important thing about them is not authentication (it is left to the web
server; be it Tomcat or Apache), but authorization and presentation.
Authenticationg is easy, you can choose:
- HTTP Basic (totally unsafe, but if going over SSL it doesn't matter)
- HTTP Digest (there were client problems in the past)
- HTTP SPNEGO (Microsoft's implementation of GSS-API/Kerberos5 over HTTP)
Basic works with all browsers, but is unsecure, unless ran over HTTPS. Digest
had problems on the client side in the past and I don't know which clients
support it reliably. SPNEGO is great if you have Kerberos framework in place
(MIT or Heimdal on UNIX or Active Directory on Win2k/2003/XP). Also only Mozilla
1.5/1.6 and IE6 support it on the client side. On the server side, you need
either IIS or Apache + mod_spnego/mod_gssapi as front-end. Coyote connector
doesn't have that feature yet.
I read in the lists somewhere that if I add a custom Authenticator it
will disable the Basic Authenticator. Can I separate this code out and
chain the Authenticators together? What level should I configure the
Valve at for the Authenticator?
Why would you chain authenticators?
Authentication is a go/no-go module. It either succeeds or fails. There is no
second try or auxiliary machanism. What would you do if the client supplies
both your custom user/pass and HTTP Basic user/pass (not unthinkable)?
Save yourself a maintainance nightmare and think your security model throughly,
then implement what you feel is right for you.
Nixie.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Can I chain authenticators?
Why would you chain authenticators? Well, i have chained SSL and BASIC authenticators. I the users have some well known certificate installed (checked agains LDAP) they do not have to enter some user/password, else a BASIC authenticator (via https) is presented. So it is possible to use the application from within the company or at home without login, if the user needs access to the application from some internet-cafe a login screen will be presented. Ciao, Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: Can I chain authenticators?
Why would you chain authenticators? Well, i have chained SSL and BASIC authenticators. That's not exactly chaining. In SASL, SSL is called EXTERNAL authentication. You just have two independant mechanisms, one of which is solely for authentication (HTTP Basic) and the other can authenticate, but doesn't have to (SSL). Nix. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Can I chain authenticators?
I have a portal project. I need to allow users to navigate seamlessly from
the portal to a commercial product thats based on Tomcat 4.1 and uses Basic
Authentication. To get around this, I hacked BasicAuthenticator and added
some code to get the credentials from the request body:
if( hreq.getMethod().toUpperCase().equals(POST)
hreq.getParameter(username) != null
hreq.getParameter(password) != null ) {
username = hreq.getParameter(username);
password = hreq.getParameter(password);
principal = context.getRealm().authenticate(username,password);
if (principal != null) {
register(request, response, principal,
Constants.BASIC_METHOD,
username, password);
return (true);
}
}
I read in the lists somewhere that if I add a custom Authenticator it will
disable the Basic Authenticator. Can I separate this code out and chain the
Authenticators together? What level should I configure the Valve at for the
Authenticator?
Incidentally, I tried like hell to do this with a Valve. It seems like no
matter which container you put the Valve in the Basic Authenticator always
runs first and causes the login dialog to popup in the browser. It would be
great if anyone could confirm this or explain the ordering of valves and
authenticators to me a little better. Here is the code I used for the valve
approach:
if( req.getMethod().equals(POST) ) {
if( req.getParameter(username) != null req.getParameter(password) !=
null ) {
String unencoded = req.getParameter(username) + : +
req.getParameter(password);
String encoded = new String(Base64.encode(unencoded.getBytes()));
HttpRequest hreq = (HttpRequest) request;
hreq.setMethod(GET);
hreq.addHeader(AUTHORIZATION, BASIC + encoded);
log(HTTP Basic Credentials: + unencoded );
} }
Thanks for any help,
Ryan Rhodes
_
Get fast, reliable access with MSN 9 Dial-up. Click here for Special Offer!
http://click.atdmt.com/AVE/go/onm00200361ave/direct/01/
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Can I chain authenticators?
Ryan Rhodes [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I have a portal project. I need to allow users to navigate seamlessly
from
the portal to a commercial product that's based on Tomcat 4.1 and uses
Basic
Authentication. To get around this, I hacked BasicAuthenticator and added
some code to get the credentials from the request body:
if( hreq.getMethod().toUpperCase().equals(POST)
hreq.getParameter(username) != null
hreq.getParameter(password) != null ) {
username = hreq.getParameter(username);
password = hreq.getParameter(password);
principal =
context.getRealm().authenticate(username,password);
if (principal != null) {
register(request, response, principal,
Constants.BASIC_METHOD,
username, password);
return (true);
}
}
I read in the lists somewhere that if I add a custom Authenticator it will
disable the Basic Authenticator. Can I separate this code out and chain
the
Authenticators together? What level should I configure the Valve at for
the
Authenticator?
It has to be configured at the Context level if it implement Authenticator.
The same is true for your code above, since the Context isn't known until
then. For what you want, you could probably also use a non-Authenticator
valve, and call request.setUserPrincipal with the Principal that is returned
by the Realm. Then BasicAuthenticator will think that you are already
authenticated, and let you through.
Incidentally, I tried like hell to do this with a Valve. It seems like no
matter which container you put the Valve in the Basic Authenticator always
runs first and causes the login dialog to popup in the browser. It would
be
great if anyone could confirm this or explain the ordering of valves and
authenticators to me a little better. Here is the code I used for the
valve
approach:
if( req.getMethod().equals(POST) ) {
if( req.getParameter(username) != null req.getParameter(password)
!=
null ) {
String unencoded = req.getParameter(username) + : +
req.getParameter(password);
String encoded = new String(Base64.encode(unencoded.getBytes()));
HttpRequest hreq = (HttpRequest) request;
hreq.setMethod(GET);
hreq.addHeader(AUTHORIZATION, BASIC + encoded);
log(HTTP Basic Credentials: + unencoded );
} }
Thanks for any help,
Ryan Rhodes
_
Get fast, reliable access with MSN 9 Dial-up. Click here for Special
Offer!
http://click.atdmt.com/AVE/go/onm00200361ave/direct/01/
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
