AW: Tomcat needs an authenticator valve for OpenID/MSAL!

2023-04-14 Thread Keil, Matthias (ORISA Software GmbH)
Hello > -Original Message- > From: Kevin Edward > Sent: Friday, 7 April 2023 14:26 > To: users@tomcat.apache.org > Subject: Tomcat needs an authenticator valve for OpenID/MSAL! > > Tomcat community, > > We have been using keycloak tomcat valv

Tomcat needs an authenticator valve for OpenID/MSAL!

2023-04-07 Thread Kevin Edward
Tomcat community, We have been using keycloak tomcat valves for SAML, but now we are moving to OpenID. Who in the tomcat community can create/support a tomcat authenticator valve using the MSAL library? I have the example authentication servlet working for MSAL below. Seems it could be easily

Re: [OT] Specifying a Custom Authenticator Class

2021-10-07 Thread Christopher Schultz
Jerry, On 10/6/21 15:09, Jerry Malcolm wrote: Chris, thanks so much.  But please bear with me.  I'm in the slow group I think I have a pretty good handle on creating the authenticator.  But take me from the top, using manager as an example. In the web.xml file it has login auth-metho

Re: [OT] Specifying a Custom Authenticator Class

2021-10-06 Thread Jerry Malcolm
Chris, thanks so much.  But please bear with me.  I'm in the slow group I think I have a pretty good handle on creating the authenticator.  But take me from the top, using manager as an example.  In the web.xml file it has login auth-method set to BASIC.  I'm assuming th

Re: [OT] Specifying a Custom Authenticator Class

2021-10-05 Thread Christopher Schultz
er to tell TC if it finds an auth header with the word "Malcolm" as the prefix instead of "Basic" that it should route to my custom Authenticator class? You'd have to install your own Authenticator (a Valve) in your . markt posted how to do this on 10/2 in this thread.

Re: [OT] Specifying a Custom Authenticator Class

2021-10-05 Thread Jerry Malcolm
ed header.  I assume that if TC finds an Authorization header with the word Basic, it will route to the standard BasicAuthenticator class.  What would I do in order to tell TC if it finds an auth header with the word "Malcolm" as the prefix instead of "Basic" that it should route to

Re: [OT] Specifying a Custom Authenticator Class

2021-10-05 Thread Christopher Schultz
n: Basic [base64stuff] Using "Bearer" might be a better choice, though that is also covered by a specific RFC and might be confusing to overload that token ("Bearer") for another purpose. You could just do: Authorization: Malcolms [token] If you are going to write a cust

Re: Specifying a Custom Authenticator Class

2021-10-05 Thread Christopher Schultz
by a specific RFC and might be confusing to overload that token ("Bearer") for another purpose. You could just do: Authorization: Malcolms [token] If you are going to write a custom authenticator, anyway. You'll need to have a custom client, of course, but you will already

Re: Specifying a Custom Authenticator Class

2021-10-05 Thread Mark Thomas
with it. This is a very good point. Instead of: Authorization: Basic [base64stuff] Using "Bearer" might be a better choice, though that is also covered by a specific RFC and might be confusing to overload that token ("Bearer") for another purpose. You could just do: A

Re: Specifying a Custom Authenticator Class

2021-10-04 Thread Jerry Malcolm
t is also covered by a specific RFC and might be confusing to overload that token ("Bearer") for another purpose. You could just do: Authorization: Malcolms [token] If you are going to write a custom authenticator, anyway. You'll need to have a custom client, of course, but you will alread

Re: Specifying a Custom Authenticator Class

2021-10-04 Thread Christopher Schultz
a better choice, though that is also covered by a specific RFC and might be confusing to overload that token ("Bearer") for another purpose. You could just do: Authorization: Malcolms [token] If you are going to write a custom authenticator, anyway. You'll need to have a cus

Re: Specifying a Custom Authenticator Class

2021-10-03 Thread Michael Osipov
On 2021-10-02 at 02:48, Jerry Malcolm wrote: I need to write a custom BasicAuthenticator class to decode a specialized encoding of the authToken.  I have been scouring google for info.  I found one post where the answer included the statement: This would clearly violate Basic auth scheme and

Re: Specifying a Custom Authenticator Class

2021-10-03 Thread Christopher Schultz
great idea, and you can avoid Tomcat's standard authenticator by configuring your authenticator as a in your application's META-INF/context.xml file." That is  precisely what I want to do. But I cannot find any documentation on how to configure a different authenticator class in

Re: Specifying a Custom Authenticator Class

2021-10-02 Thread Mark Thomas
idea, and you can avoid Tomcat's standard authenticator by configuring your authenticator as a in your application's META-INF/context.xml file." That is  precisely what I want to do. But I cannot find any documentation on how to configure a different authenticator class in a co

Specifying a Custom Authenticator Class

2021-10-01 Thread Jerry Malcolm
s standard authenticator by configuring your authenticator as a in your application's META-INF/context.xml file." That is  precisely what I want to do. But I cannot find any documentation on how to configure a different authenticator class in a context.xml file.  I'm sure I'm

Re: [OT] Spring Security LDAPS authenticator won't trust TLS cert

2021-01-26 Thread Christopher Schultz
Stefan, On 1/25/21 17:19, Stefan Mayr wrote: On 25.01.2021 at 19:04, Christopher Schultz wrote: All, On 1/25/21 11:10, Christopher Schultz wrote: All, Off-topic, but I know there are plenty of Spring users on this list who can probably help me figure this out. Recently, Let's Encrypt switc

Re: [OT] Spring Security LDAPS authenticator won't trust TLS cert

2021-01-25 Thread Stefan Mayr
On 25.01.2021 at 19:04, Christopher Schultz wrote: > All, > > On 1/25/21 11:10, Christopher Schultz wrote: >> All, >> >> Off-topic, but I know there are plenty of Spring users on this list >> who can probably help me figure this out. >> >> Recently, Let's Encrypt switched from using their soon-to

Re: [OT] Spring Security LDAPS authenticator won't trust TLS cert

2021-01-25 Thread Christopher Schultz
All, On 1/25/21 11:10, Christopher Schultz wrote: All, Off-topic, but I know there are plenty of Spring users on this list who can probably help me figure this out. Recently, Let's Encrypt switched from using their soon-to-be-expiring intermediate certificate: Owner:  CN=Let's Encrypt Aut

Re: [OT] Spring Security LDAPS authenticator won't trust TLS cert

2021-01-25 Thread Greg Huber
Maybe try removing the old cert as it's not expired yet? On 25/01/2021 16:10, Christopher Schultz wrote: Alias name: letsencrypt Creation date: Dec 12, 2016 Entry type: trustedCertEntry Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US Issuer: CN=DST Root CA X3, O=Digital Signature T

RE: [OT] Spring Security LDAPS authenticator won't trust TLS cert

2021-01-25 Thread Johnson, Jim
ight to me, that's the only thing that looked off. HTH - Jim -Original Message- From: Christopher Schultz Sent: Monday, January 25, 2021 11:11 AM To: Tomcat Users List Subject: [OT] Spring Security LDAPS authenticator won't trust TLS cert CAUTION EXTERNAL EMAIL: This email origi

[OT] Spring Security LDAPS authenticator won't trust TLS cert

2021-01-25 Thread Christopher Schultz
All, Off-topic, but I know there are plenty of Spring users on this list who can probably help me figure this out. Recently, Let's Encrypt switched from using their soon-to-be-expiring intermediate certificate: Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US Issuer: CN=DST Root

Re: Add custom Authenticator in context.xml

2020-07-06 Thread Stephane Passignat
jet: Add custom Authenticator in context.xml Date: Sat, 4 Jul 2020 20:54:17 +0200 Hi, a while ago I did write a little POC of how to add a custom authenticator scheme to tomcat. this is what I did come up with: https://github.com/thomasmey/BearerTokenAuthenticator It's a rather complicated solution! I

Re: Add custom Authenticator in context.xml

2020-07-06 Thread Thomas Meyer
On 6 July 2020 14:14:59 CEST, Mark Thomas wrote: >On 04/07/2020 19:54, Thomas Meyer wrote: >> Hi, >> >> a while ago I did write a little POC of how to add a custom >> authenticator scheme to tomcat. >> >> this is what I did come u

Re: Add custom Authenticator in context.xml

2020-07-06 Thread Mark Thomas
On 04/07/2020 19:54, Thomas Meyer wrote: > Hi, > > a while ago I did write a little POC of how to add a custom > authenticator scheme to tomcat. > > this is what I did come up with: > https://github.com/thomasmey/BearerTokenAuthenticator > > It's rather complica

Add custom Authenticator in context.xml

2020-07-04 Thread Thomas Meyer
Hi, a while ago I did write a little POC of how to add a custom authenticator scheme to tomcat. this is what I did come up with: https://github.com/thomasmey/BearerTokenAuthenticator It's a rather complicated solution! Is there an easier solution to add a custom authenticator scheme

Re: Custom Authenticator

2016-06-04 Thread Thomas Meyer
he.org/tomcat-8.0-doc/api/org/apache/catalina/st > > art > up/ContextConfig.html#setCustomAuthenticators(java.util.Map) > > > > > > > ) > > > > > > I want to add a custom mapping for let's say BEARER to my > > Authenticator. I sea

Re: Custom Authenticator

2016-06-01 Thread Christopher Schultz
textConfig.html#setCustomAuthenticators(java.util.Map) > > ) > > I want to add a custom mapping for let's say BEARER to my > Authenticator. I searched the source code but nobody seems to call > this method. So how and where should this map be configured? Do you mean that you want to replace FO

Custom Authenticator

2016-06-01 Thread Thomas Meyer
Hi, How do I get a custom mapping set in ContextConfig.setCustomAuthenticators? ( https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/startup/ContextConfig.html#setCustomAuthenticators(java.util.Map) ) I want to add a custom mapping for let's say BEARER to my Authenticator

[SECURITY] CVE-2013-2067 Session fixation with FORM authenticator

2013-05-10 Thread Mark Thomas
CVE-2013-2067 Session fixation with FORM authenticator Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.32 - Tomcat 6.0.21 to 6.0.36 Description: FORM authentication associates the most recent

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-28 Thread André Warnier
first gss_accept_sec_context makes the context complete in the SPNEGO authenticator. Some clients maintain the state and rely on the server to maintain the connection state too. Tomcat does not do that which means that the current SPNEGO authenticator has to issue a "Connection: close"

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread 1983-01-06
apply to > >>> connection or request level auth. We are just lucky that the first > >>> gss_accept_sec_context makes the context complete in the SPNEGO > >>> authenticator. > >>> > >>> Some clients maintain the state and rely on the server t

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
ristmas. I'd certainly be prepared to look at it, both for SPNEGO and SPDY. >>> I have no usecase for this at the moment :-(, I only provide patches for >>> stuff I suffer from at work. >> >> The below looks like a use case to me. >> >>> As this [1]

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Hassan Schroeder
On Sat, Oct 27, 2012 at 11:36 AM, ken dias wrote: > > Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get > someone who can improve your stock price! Que? -- Hassan Schroeder hassan.schroe...@gmail.com http://about.me/hassanschroeder twitter: @hassa

RE: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread ken dias
Yes W8 is here but HPQ is still plummeting. Get rid of your CEO and get someone who can improve your stock price! > Date: Sat, 27 Oct 2012 19:57:30 +0200 > From: 1983-01...@gmx.net > To: users@tomcat.apache.org > Subject: Re: Detect in an authenticator whether a connection is p

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O
. The below looks like a use case to me. As this [1] draft lays out Negotiate and Kerberos may apply to connection or request level auth. We are just lucky that the first gss_accept_sec_context makes the context complete in the SPNEGO authenticator. Some clients maintain the state and

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
ft lays out Negotiate and Kerberos may apply to > connection or request level auth. We are just lucky that the first > gss_accept_sec_context makes the context complete in the SPNEGO > authenticator. > > Some clients maintain the state and rely on the server to maintain the > con

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O
c_context makes the context complete in the SPNEGO authenticator. Some clients maintain the state and rely on the server to maintain the connection state too. Tomcat does not do that which means that the current SPNEGO authenticator has to issue a "Connection: close" after succe

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
y between the different connections but let's not complicate >> things). >> >> Undoing this is the major internal surgery I was referring to. You might >> be able to add an API to store/retrieve data to/from the connection >> (similar to notes on the session, but at t

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O
s not complicate things). Undoing this is the major internal surgery I was referring to. You might be able to add an API to store/retrieve data to/from the connection (similar to notes on the session, but at the connection level) and access this from the authenticator (that is a lot further up the

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
the different connections but let's not complicate things). Undoing this is the major internal surgery I was referring to. You might be able to add an API to store/retrieve data to/from the connection (similar to notes on the session, but at the connection level) and access this from the authenticato

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O
patch our SPNEGO authenticator in Tomcat 6 to behave stateful. I once contributed that code to Apache in bug 48465 [3] which does not behave like that. I like to align both authenticators. This issue initially popped up while fixing an issue in libserf [4] for the upcoming Apache Subversion version

Re: Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Mark Thomas
On 27/10/2012 14:50, Michael-O wrote: > Hi, > > several authentication mechanisms require a session (*not* HTTP session) > or connection being initiated when authentication is performed and > principal cached for subsequent requests [1], [2]. > > Now, I want to patch our SP

Detect in an authenticator whether a connection is persistent or not

2012-10-27 Thread Michael-O
Hi, several authentication mechanisms require a session (*not* HTTP session) or connection being initiated when authentication is performed and principal cached for subsequent requests [1], [2]. Now, I want to patch our SPNEGO authenticator in Tomcat 6 to behave stateful. I once contributed

Re: tomcat security authenticator

2012-06-28 Thread Christopher Schultz
Zoltán, On 6/28/12 4:08 AM, Komáromi, Zoltán wrote: > 1. Why not a Realm? Because the authentication depends on session > attribute, and I want to bypass the form if user is logged in. > > So is this correct? > > > > The tomcat's doc says, that "J

RE: tomcat security authenticator

2012-06-28 Thread Martin Gainty
> Subject: Re: tomcat security authenticator > F

Re: tomcat security authenticator

2012-06-28 Thread Kris Easter
> I think, if I replace the FormAuthenticator with an descendant, it'll > solve the problem. > > To extend FormAuthenticator is simple, but how can I make Tomcat to use it? I tested this out at one time but it was never placed in production. My terse notes, which might be leaving something out,

Re: tomcat security authenticator

2012-06-28 Thread Jose María Zaragoza
2012/6/28 Komáromi, Zoltán : > 1. Why not a Realm? > Because the authentication depends on session attribute, and I want to > bypass the form if user is logged in. When I used Tomcat's realm to authenticate users, that was an issue that I missed: to access to session environment or context envirom

Re: tomcat security authenticator

2012-06-28 Thread Komáromi , Zoltán
be set to org.apache.catalina.authenticator.FormAuthenticator." Thanks for help. 2012/6/28 Konstantin Kolinko : > 2012/6/28 Komáromi, Zoltán : >> Hi, >> >> I need to use custom authenticator, because a part of application is >> using container authentication, and unfortunately the usernames in >> realm

Re: tomcat security authenticator

2012-06-28 Thread Konstantin Kolinko
2012/6/28 Komáromi, Zoltán : > Hi, > > I need to use custom authenticator, because a part of application is > using container authentication, and unfortunately the usernames in > realm conflicts with usernames in application database. :( > > So I need, that if anibo

Re: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread Konstantin Kolinko
2010/11/3 dB. : > After some more code-reading I found the problem. Looking at the > implementation of response.sendError in TC5, it's clear that it dumps > whatever headers you added prior to the call. Changing this to setStatus > fixed the problem. I assume this means that Tomcat doesn't get a

RE: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread dB .
Original Message- From: dB. [mailto:dbl...@dblock.org] Sent: Tuesday, November 02, 2010 4:55 PM To: Tomcat Users List Subject: RE: Tomcat 5.5: how does one configure an authenticator valve? Thanks for your help. I should have done this (logging) in the first place, sorry. The filter is invoke

RE: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread dB .
're looking at some intermediate waffle check-in, the namespace was renamed at some point, it's waffle.apache. dB. @ dblock.org Moscow|Geneva|Seattle|New York -Original Message- From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] Sent: Tuesday, November 02, 2010 8:39 AM

Re: Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread Konstantin Kolinko
2010/11/2 dB. : > I am trying to help someone with a Tomcat 5.5 implementation of waffle > (waffle.codeplex.com). It has authenticator valve that works well with tc6. > I declare a valve inside the web app: > > Context.xml > > > >   principalFormat="fqn"

Tomcat 5.5: how does one configure an authenticator valve?

2010-11-02 Thread dB .
I am trying to help someone with a Tomcat 5.5 implementation of waffle (waffle.codeplex.com). It has authenticator valve that works well with tc6. I declare a valve inside the web app: Context.xml Web.xml Waffle Security Constraint Protected Area

Re: Tomcat Custom Authenticator

2009-08-24 Thread Christopher Schultz
Daniel, On 8/14/2009 2:24 PM, Daniel Stephens wrote: > For Security reasons, > We need to do logging for IP,username, etc(AUDIT). > We need to log success and failed attempts. > We don't want to modify the internal classes(unless it's impossible

Re: Tomcat Custom Authenticator

2009-08-14 Thread Mark Thomas
Daniel Stephens wrote: > Need some help or advice.. > > For Security reasons, > We need to do logging for IP,username, etc(AUDIT). > We need to log success and failed attempts. > We don't want to modify the internal classes(unless it's impossible). > > We are using the FORM auth-method, w

Tomcat Custom Authenticator

2009-08-14 Thread Daniel Stephens
Need some help or advice.. For Security reasons, We need to do logging for IP,username, etc(AUDIT). We need to log success and failed attempts. We don't want to modify the internal classes(unless it's impossible). We are using the FORM auth-method, we POST to j_security_check. We have our

Re: Tomcat's container architecture - Authenticator

2007-11-29 Thread Christopher Schultz
Bill, Bill Barker wrote: > Suggestions on how to improve the Authenticators that ship with TC are > always welcome on [EMAIL PROTECTED] But help on > rolling-your-own-Authenticator > will likely get you pointed back to this list :).

Re: Tomcat's container architecture - Authenticator

2007-11-28 Thread Bill Barker
"Christopher Schultz" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Bárbara, > > Bárbara Vieira wrote: >> But if we have the Principal in cache, why we have to call the >> auth

Re: Tomcat's container architecture - Authenticator

2007-11-28 Thread Christopher Schultz
Bárbara, Bárbara Vieira wrote: > But if we have the Principal in cache, why we have to call the > authenticator method(FormAuthenticator)? That call doesn't provide any > additional security, can you understand now? That's a good

RE: Tomcat's container architecture - Authenticator

2007-11-28 Thread Bárbara Vieira
Principal in cache, why we have to call the authenticator method(FormAuthenticator)? That call doesn't provide any additional security, can you understand now? -Original Message- From: Christopher Schultz [mailto:[EMAIL PROTECTED] Sent: Wednesday, 28 November 2007 17:09

RE: Tomcat's container architecture - Authenticator

2007-11-28 Thread Bárbara Vieira
Hi Carlo!! In fact I have to develop a new one and at the same time study and analyze Authenticator package code. Why are you asking? -Original Message- From: Carlo Politi [mailto:[EMAIL PROTECTED] Sent: Wednesday, 28 November 2007 16:52 To: Tomcat Users List Subject: Re

Re: Tomcat's container architecture - Authenticator

2007-11-28 Thread Christopher Schultz
Barbara, Bárbara Vieira wrote: > My question is: why we are putting the Principal in the Request? So that request.getUserPrincipal() will return a value. > Why we can’t just authenticate the user if there is a principal in > internal Session?! Does

Re: Tomcat's container architecture - Authenticator

2007-11-28 Thread Carlo Politi
Only a question: what do you have to do with this auth? do you need to develop a new one or simply study it?

RE: Tomcat's container architecture - Authenticator

2007-11-28 Thread Bárbara Vieira
Wednesday, 28 November 2007 14:15 To: Bárbara Vieira Subject: Re: Tomcat's container architecture - Authenticator Hello :) are you sure that invoke method of AuthenticatorBase is called inside FormAuthenticator? In my experience of these months of study, I have understood that the onl

RE: Tomcat's container architecture - Authenticator

2007-11-28 Thread Bárbara Vieira
CTED] Subject: Re: Tomcat's container architecture - Authenticator Hi Bárbara, I can help you because I'm doing a new authenticator as work of my thesis. I have analyzed BasicAuthenticator and modified it; could you tell me the right point of your problem? - Messaggio ori

Tomcat's container architecture - Authenticator

2007-11-27 Thread Bárbara Vieira
Hi there! This question is about Authenticator package. I appreciate if anyone can help me. I’m implementing a Valve and a Realm to provide authentication and authorization using two authentication methods at the same time : FORM and CERT-CLIENT. Obviously, I’m looking to authenticator

scheme of the Life Cycle of an authenticator

2007-11-21 Thread Carlo Politi
Good day, where can I find a scheme of the life cycle of authenticator? thanks...

Re: Authenticator

2007-10-30 Thread Mark Thomas
Carlo Politi wrote: > Hello, > does anybody know how I can contact some of Tomcat's team to be able to > submit my new authenticator? Thanks... > Have you tried reading http://tomcat.apache.org ? Mark - To

Authenticator

2007-10-30 Thread Carlo Politi
Hello, does anybody know how I can contact some of Tomcat's team to be able to submit my new authenticator? Thanks... -- Carlo Politi eMail: [EMAIL PROTECTED] WebPage: http://politi.carlo.googlepages.com

Re: help required for writing custom Authenticator

2007-10-19 Thread Bill Barker
This is why it is rare to write a custom Authenticator. More often you write a custom Realm to do this sort of thing. You only need an Authenticator if you have some non-standard way of extracting the user credentials from the Request. The problem with the code below is that it doesn't

help required for writing custom Authenticator

2007-10-19 Thread Mehmood, Qaiser
Hi, I need help to write my own custom Authenticator. I wrote my own Authenticator and it's very simple and following is the code: public class SampleAuthenticator extends AuthenticatorBase { public boolean authenticate(Request request,Response response,LoginC

Re: custom Form authenticator

2006-10-14 Thread Bill Barker
"Pid" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Am thinking about implementing a custom Form authenticator, does anyone > have any tips or links they can recommend before i get started? > > Particularly want to know if I can use it on one webapp, n

Re: custom Form authenticator

2006-10-14 Thread Christopher Schultz
Pid, > Am thinking about implementing a custom Form authenticator, does anyone > have any tips or links they can recommend before i get started? > > Particularly want to know if I can use it on one webapp, not force all > on the server to use it too. http://securityfilter.sourc

custom Form authenticator

2006-10-14 Thread Pid
Am thinking about implementing a custom Form authenticator, does anyone have any tips or links they can recommend before i get started? Particularly want to know if I can use it on one webapp, not force all on the server to use it too. cheers, pid

Re: Adding a Customized authenticator

2006-02-25 Thread Bill Barker
omcat.apache.org/tomcat-5.5-doc/config/context.html for more details. > > > -Original Message- > From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker > Sent: Saturday, February 25, 2006 1:15 PM > To: users@tomcat.apache.org > Subject: Re: Adding a Customized

RE: Adding a Customized authenticator

2006-02-25 Thread Alex Jalali
So where would this go? under ?? can you be more specific. -Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker Sent: Saturday, February 25, 2006 1:15 PM To: users@tomcat.apache.org Subject: Re: Adding a Customized authenticator "Alex Jalali"

Re: Adding a Customized authenticator

2006-02-25 Thread Bill Barker
"Alex Jalali" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hello, > > I would like to extend the DigestAuthenticator class or BaseAuthenticator > and use that instead of the tomcat default. I have done that but I don't > know how to have it referenced in web.xml under security-co

Adding a Customized authenticator

2006-02-25 Thread Alex Jalali
> Hello, > > I would like to extend the DigestAuthenticator class or BaseAuthenticator > and use that instead of the tomcat default. I have done that but I don't > know how to have it referenced in web.xml under security-constraint. Or > maybe in server.xml similar to the way you can create a cus

Adding a Customized authenticator

2006-02-25 Thread Alex Jalali
Hello, I would like to extend the DigestAuthenticator class or BaseAuthenticator and use that instead of the tomcat default. I have done that but I don't know how to have it referenced in web.xml under security-constraint. Or maybe in server.xml similar to the way you can create a customized Ream

Re: Custom Authenticator

2006-02-04 Thread Arash Bijanzadeh
t.apache.org > | Subject: Custom Authenticator > | > | > | Hi, > | I need to implement my custom authenticator to do some extra > | config in user session beside the authentication. How can I > | achieve this? Is there a way to do authentication besides > | rigid j_check_security?

RE: Custom Authenticator

2006-02-03 Thread Stefan Baramov
@tomcat.apache.org | Subject: Custom Authenticator | | | Hi, | I need to implement my custom authenticator to do some extra | config in user session beside the authentication. How can I | achieve this? Is there a way to do authentication besides | rigid j_check_security? | | -- | from debian manifesto

Custom Authenticator in tomcat 4 ?

2006-02-02 Thread Andreas Rehn
Hi, Is it possible to have a custom Authenticator in tomcat 4.1? I can't find any information about it, only for 5x. I have tried configuring a WEB-INF/context.xml with a valve referencing my authenticator class, works well in tomcat 5.5, but not in 4.1 (which is currently the version w

Re: Custom Authenticator

2006-02-02 Thread David Smith
Have you thought about a request filter? All it has to do is watch for authenticated sessions that are missing some critical session attributes. Fill in the missing info as needed. -David Arash Bijanzadeh wrote: Hi, I need to implement my custom authenticator to do some extra config in user

Custom Authenticator

2006-02-02 Thread Arash Bijanzadeh
Hi, I need to implement my custom authenticator to do some extra config in user session beside the authentication. How can I achieve this? Is there a way to do authentication besides rigid j_check_security? -- from debian manifesto: Debian Linux is a brand-new kind of Linux distribution. Rather