Re: Tomcat Manager WebApp authentication
On November 21, 2011 14:49 , Mark Montague m...@catseye.org wrote:
> I need Tomcat 6 to use the authentication performed by the front-end webserver without breaking the roles required by the Tomcat Manager webapp.

I'm replying to myself to document what I did in case it helps other people. Feedback and criticism are welcome, since I'm new to both Tomcat and Java.

André's suggestion, to move authorization into Apache HTTPD along with authentication and then delete the servlet's security constraints, is much simpler and more practical than the method I describe here.

In a default installation of Tomcat 6, the Tomcat Manager web application is configured to use the UserDatabaseRealm for authentication and authorization. When authentication is moved to the front-end web server by setting the tomcatAuthentication="false" attribute for the connector, authorization breaks because the servlet request object now contains principals of class CoyotePrincipal, which do not contain role information, instead of principals of class GenericPrincipal, which do contain role information.

My solution (which appears to work, although it is inefficient) is to create a new realm named CoyoteUserDatabaseRealm that extends UserDatabaseRealm. CoyoteUserDatabaseRealm overrides the hasRole() method in order to convert the principal of class CoyotePrincipal into a principal of class GenericPrincipal and then invoke the hasRole() method of UserDatabaseRealm.

Instructions for a Unix-based system:

# Download, unpack, and build the Tomcat source code into the directory
# apache-tomcat-6.0.33-src
# Copy and save CoyoteUserDatabaseRealm.java from this email (below).
mkdir -p org/apache/catalina/realm/
# Copy and save org/apache/catalina/realm/mbeans-descriptors.xml from this email (below).
# Compile the class and move it into place.
javac -sourcepath ./apache-tomcat-6.0.33-src/java CoyoteUserDatabaseRealm.java
mv CoyoteUserDatabaseRealm.class org/apache/catalina/realm/
# Create a .jar file:
jar cf coyote-realm.jar org/
# Install the jar file:
cp coyote-realm.jar $CATALINA_HOME/lib
chcon system_u:object_r:usr_t:s0 $CATALINA_HOME/lib/coyote-realm.jar   # for SELinux users only
# Edit $CATALINA_HOME/conf/server.xml
# Change the lines
#   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
#          resourceName="UserDatabase"/>
# to
#   <Realm className="org.apache.catalina.realm.CoyoteUserDatabaseRealm"
#          resourceName="UserDatabase"/>
# Restart Tomcat so the changes take effect:
service tomcat6 restart

I hope this helps.

--
Mark Montague
m...@catseye.org

----- start file CoyoteUserDatabaseRealm.java -----
package org.apache.catalina.realm;

import java.security.Principal;

import org.apache.catalina.Realm;
import org.apache.catalina.connector.CoyotePrincipal;

/**
 * A UserDatabaseRealm that still performs role checks when the connector
 * runs with tomcatAuthentication="false". In that mode the request carries a
 * CoyotePrincipal (name only, no roles), so hasRole() first swaps it for the
 * GenericPrincipal that UserDatabaseRealm builds for the same user name.
 */
public class CoyoteUserDatabaseRealm extends UserDatabaseRealm implements Realm {

    protected final String info = "org.apache.catalina.realm.CoyoteUserDatabaseRealm/1.0";

    protected static final String name = "CoyoteUserDatabaseRealm";

    @Override
    public String getInfo() {
        return info;
    }

    @Override
    protected String getName() {
        return name;
    }

    @Override
    public boolean hasRole(Principal principal, String role) {
        if (principal instanceof CoyotePrincipal) {
            // Look up this user in the UserDatabaseRealm. The new
            // principal will contain UserDatabaseRealm role info.
            Principal p = super.getPrincipal(principal.getName());
            if (p != null) {
                principal = p;
            }
        }
        return super.hasRole(principal, role);
    }
}
----- end file CoyoteUserDatabaseRealm.java -----

----- start file org/apache/catalina/realm/mbeans-descriptors.xml -----
<?xml version="1.0"?>
<mbeans-descriptors>

  <mbean name="CoyoteUserDatabaseRealm"
         description="Realm using CoyotePrincipal connected to a UserDatabase as a global JNDI resource"
         domain="Catalina"
         group="Realm"
         type="org.apache.catalina.realm.CoyoteUserDatabaseRealm">

    <attribute name="className"
               description="Fully qualified class name of the managed object"
               type="java.lang.String"
               writeable="false"/>

    <attribute name="resourceName"
               description="The global JNDI name of the UserDatabase resource to use"
               type="java.lang.String"/>

  </mbean>

</mbeans-descriptors>
----- end file org/apache/catalina/realm/mbeans-descriptors.xml -----
Re: Tomcat Manager WebApp authentication
On November 18, 2011 16:17 , Leo Donahue - PLANDEVX leodona...@mail.maricopa.gov wrote:
>> Is it possible to ... or some other independent source for role information?
>
> A sample using JNDI and active directory in the archives.
> http://www.mail-archive.com/users@tomcat.apache.org/msg74641.html
>
> And a SQL server DataSource Realm example also:
> http://www.mail-archive.com/users@tomcat.apache.org/msg75265.html
>
> Last post.

The solutions at those links perform both authentication and role-based authorization. I need just the ability to perform role-based authorization when tomcatAuthentication="false" for a connector. Am I missing something described in one of the messages linked above?

I turned on all logging for catalina realms and authenticators and found that when tomcatAuthentication="true" then in org.apache.catalina.realm.RealmBase hasResourcePermission(), request.getPrincipal() returns an object of class GenericPrincipal, but when tomcatAuthentication="false" it returns an object of class CoyotePrincipal. And the CoyotePrincipal class does not support roles.

Any advice on how to solve this problem? I need Tomcat 6 to use the authentication performed by the front-end webserver without breaking the roles required by the Tomcat Manager webapp.

Here is what happens when tomcatAuthentication="true" and the Tomcat Manager webapp works:

Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase register
FINE: Authenticated 'markmont' with type 'BASIC'
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
Nov 21, 2011 1:35:08 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[markmont(admin,manager,)]
Nov 21, 2011 1:35:08 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Role found: manager

And here is what happens when tomcatAuthentication="false" and the Tomcat Manager webapp breaks:

Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.BasicAuthenticator authenticate
FINE: Already authenticated 'markmont'
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling accessControl()
Nov 21, 2011 1:27:49 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles CoyotePrincipal[markmont]
Nov 21, 2011 1:27:49 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: manager
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl() test

--
Mark Montague
m...@catseye.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
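As an added example that is not part of the thread, the following Python correlator reads JULI FINE lines in the two-line layout quoted above, groups them per request, and flags denials where RealmBase received a CoyotePrincipal, that is, an identity trusted from the front end with no role information attached. The sample log is constructed from the lines in the message; field names and the heuristics (a request starts at "Calling authenticate()", "Already authenticated" means the identity was pre-authenticated upstream) are this example's own.

```python
import re
# Constructed sample in the two-line JULI layout shown in the thread; the
# second request is the tomcatAuthentication="false" case from the thread.
SAMPLE_LOG = """\
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Nov 21, 2011 1:35:08 PM org.apache.catalina.authenticator.AuthenticatorBase register
FINE: Authenticated 'markmont' with type 'BASIC'
Nov 21, 2011 1:35:08 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles GenericPrincipal[markmont(admin,manager,)]
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.BasicAuthenticator authenticate
FINE: Already authenticated 'markmont'
Nov 21, 2011 1:27:49 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: Checking roles CoyotePrincipal[markmont]
Nov 21, 2011 1:27:49 PM org.apache.catalina.realm.RealmBase hasResourcePermission
FINE: No role found: manager
Nov 21, 2011 1:27:49 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed accessControl() test
"""
AUTH_RE = re.compile(r"(Already authenticated|Authenticated) '([^']+)'")
PRINCIPAL_RE = re.compile(r"Checking roles (\w+)\[([^(\]]+)(?:\(([^)]*)\))?\]")

def parse_requests(text):
    # Pair header/message lines; 'Calling authenticate()' opens a new record.
    requests, cur = [], {}  # cur starts as a scratch dict for stray lines
    lines = [l for l in text.splitlines() if l.strip()]
    for header, msg in zip(lines[0::2], lines[1::2]):
        msg = msg[len("FINE: "):] if msg.startswith("FINE: ") else msg
        auth, princ = AUTH_RE.search(msg), PRINCIPAL_RE.search(msg)
        if msg == "Calling authenticate()":
            cur = {"ts": header.rsplit(" org.", 1)[0], "user": None, "preauth": False,
                   "principal_class": None, "roles": set(), "missing_role": None, "denied": False}
            requests.append(cur)
        elif auth:  # "Already authenticated" = identity was trusted from upstream
            cur["user"], cur["preauth"] = auth.group(2), auth.group(1).startswith("Already")
        elif princ:  # CoyotePrincipal has no "(role,...)" suffix, so roles stays empty
            cur["principal_class"] = princ.group(1)
            cur["roles"] = {r for r in (princ.group(3) or "").split(",") if r}
        elif msg.startswith("No role found: "):
            cur["missing_role"] = msg.split(": ", 1)[1]
        elif msg == "Failed accessControl() test":
            cur["denied"] = True
    return requests

def roleless_denials(requests):
    # Denials where the container saw a principal with no roles at all.
    return [r for r in requests if r["denied"] and r["principal_class"] == "CoyotePrincipal"]
```

Run against the real catalina log with the realm and authenticator loggers at FINE, a non-empty result from roleless_denials() is the signature of the breakage discussed in this thread rather than a genuine missing role assignment.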
Re: Tomcat Manager WebApp authentication
Mark Montague wrote:
> ...
> Any advice on how to solve this problem? I need Tomcat 6 to use the authentication performed by the front-end webserver without breaking the roles required by the Tomcat Manager webapp.

I know that it does not answer your question, but may I ask why?
If you already do the user authentication in the front-end Apache httpd, can you not do a role-equivalent check there too, before you proxy the call to Tomcat?
Like

<Location /manager>
  Require group manager
  ProxyPass ajp://tomcat:8009
</Location>

(and remove the Tomcat auth constraints)
(Not sure it's so easy, but may be worth a try)
Re: Tomcat Manager WebApp authentication
On November 21, 2011 17:35 , André Warnier a...@ice-sa.com wrote:
> Mark Montague wrote:
>> Any advice on how to solve this problem? I need Tomcat 6 to use the authentication performed by the front-end webserver without breaking the roles required by the Tomcat Manager webapp.
>
> I know that it does not answer your question, but may I ask why?
> If you already do the user authentication in the front-end Apache httpd, can you not do a role-equivalent check there too, before you proxy the call to Tomcat?
> Like
>
> <Location /manager>
>   Require group manager
>   ProxyPass ajp://tomcat:8009
> </Location>
>
> (and remove the Tomcat auth constraints)

I have not tried your suggestion, but I think it will work. The reason why I have not done that is because I was looking at the general case of other applications that may have auth constraints, not just Tomcat Manager. Especially if the auth constraints are more complex than the ones Tomcat Manager has. Plus, by understanding what is happening and why, I learn more about Tomcat.

Right now, I am experimenting with implementing my own realm; I think it may be possible to get the desired functionality under Tomcat that way. If this does not work or if it is too hard for me, I will use your suggestion. But I am new to both Java and Tomcat, and so I wonder if there is yet another way of which I am ignorant.

Thank you for your help!

--
Mark Montague
m...@catseye.org
Tomcat Manager WebApp authentication
I'm running Tomcat 6.0.24 behind Apache HTTP Server 2.2.15 with mod_proxy_ajp. I edited tomcat-users.xml and the Tomcat Manager WebApp works fine.

I then configure Tomcat to use the authentication done by the front-end web server, by setting the tomcatAuthentication="false" attribute for the AJP connector. This works fine with a simple servlet I wrote that just displays request.getRemoteUser(), but it causes the Tomcat Manager WebApp to stop working with the error "HTTP Status 403 - Access to the requested resource has been denied".

Is it possible to configure the Tomcat Manager WebApp to rely on the front-end web server for authentication but use tomcat-users.xml or some other independent source for role information? I've read the documentation on realms and security constraints, and googled, but the solution is not obvious to me.

Thanks.

--
Mark Montague
m...@catseye.org
RE: Tomcat Manager WebApp authentication
-----Original Message-----
From: Mark Montague [mailto:m...@catseye.org]
Subject: Tomcat Manager WebApp authentication

> Is it possible to ... or some other independent source for role information? I've read the documentation on realms and security constraints, and googled, but the solution is not obvious to me.
>
> Thanks.
>
> --
> Mark Montague
> m...@catseye.org

A sample using JNDI and active directory in the archives.
http://www.mail-archive.com/users@tomcat.apache.org/msg74641.html

Leo
RE: Tomcat Manager WebApp authentication
-----Original Message-----
From: Leo Donahue - PLANDEVX [mailto:leodona...@mail.maricopa.gov]
Subject: RE: Tomcat Manager WebApp authentication

> -----Original Message-----
> From: Mark Montague [mailto:m...@catseye.org]
> Subject: Tomcat Manager WebApp authentication
>
>> Is it possible to ... or some other independent source for role information? I've read the documentation on realms and security constraints, and googled, but the solution is not obvious to me.
>>
>> Thanks.
>>
>> --
>> Mark Montague
>> m...@catseye.org
>
> A sample using JNDI and active directory in the archives.
> http://www.mail-archive.com/users@tomcat.apache.org/msg74641.html
>
> Leo

And a SQL server DataSource Realm example also:
http://www.mail-archive.com/users@tomcat.apache.org/msg75265.html

Last post.