Re: TC security/impersonation question

2010-05-27 Thread Pid *
On 27 May 2010, at 00:06, Timothy Taylor securityaddi...@hotmail.com
wrote:

 Hi,
 Just a dumb question from a newbie but if I implement any type of
 security with TC then under what identity will the invoked WS stack
 object execute the request? Specifically, if I enable Kerberos
 authentication between the requesting application and TC does this
 guarantee the WS stack executes the requestor's request under the
 identity of the actual originating requestor?
 Much appreciated, Tim.

Tomcat doesn't know what the app is doing.  If you've implemented
container based security then any client must authenticate via the
relevant mechanism before requests are executed.

If the web services stack uses the current user principal (and roles)
somehow, then Tomcat will apply constraints accordingly.

Tomcat does not propagate auth info on in-app filesystem access, for
example.

p


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: TC security/impersonation question

2010-05-27 Thread dB .
Tomcat doesn't do this, but on Windows it would certainly be possible to 
emulate the behavior that IIS provides in a Tomcat security filter. Upon return 
from doFilter it would RevertToSelf. I don't know what it means to do this on 
Unix.

If you want to tell me more about your story/scenario and if it's worth 
it/interesting enough, I'd be glad to prototype something for Waffle 
(http://waffle.codeplex.com).

cheers
dB.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York



-Original Message-
From: Timothy Taylor [mailto:securityaddi...@hotmail.com] 
Sent: Wednesday, May 26, 2010 7:06 PM
To: users@tomcat.apache.org
Subject: RE: TC security/impersonation question



 


Hi,
Just a dumb question from a newbie but if I implement any type of security with 
TC then under what identity will the invoked WS stack object execute the 
request? Specifically, if I enable Kerberos authentication between the 
requesting application and TC does this guarantee the WS stack executes the 
requestor's request under the identity of the actual originating requestor?
Much appreciated, Tim.

 


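
The kind of filter dB. describes, sketched as an added example that is not part of the thread and is not Tomcat or Waffle code. `Impersonator` and `ImpersonationContext` are hypothetical interfaces standing in for the platform call (on Windows, the impersonation call that RevertToSelf undoes), and the `javax.servlet` API is assumed to be on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;                        // Tomcat 10 and later: jakarta.servlet.*
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical: handle for an active impersonation on the current thread. */
interface ImpersonationContext {
    void revert();                             // on Windows this would call RevertToSelf
}

/** Hypothetical: switches the current thread to the caller's OS identity. */
interface Impersonator {
    ImpersonationContext impersonate(Principal caller);
}

public class ImpersonationFilter implements Filter {
    private final Impersonator impersonator;

    // Takes a constructor argument, so register it programmatically
    // (ServletContext.addFilter) rather than by class name in web.xml.
    public ImpersonationFilter(Impersonator impersonator) {
        this.impersonator = impersonator;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Set by container-managed authentication; null if the client never authenticated.
        Principal caller = ((HttpServletRequest) req).getUserPrincipal();
        if (caller == null) {
            // Fail closed rather than run the request as the Tomcat service account.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Without this step, file and network access made by the application runs as
        // the OS account that started Tomcat, whatever getUserPrincipal() returns.
        ImpersonationContext ctx = impersonator.impersonate(caller);
        try {
            chain.doFilter(req, res);
        } finally {
            // Tomcat reuses pooled worker threads: a missed revert would carry this
            // caller's identity into the next request served by the same thread.
            ctx.revert();
        }
    }
}
```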



RE: TC security/impersonation question

2010-05-26 Thread Timothy Taylor


 


Hi,
Just a dumb question from a newbie but if I implement any type of security with 
TC then under what identity will the invoked WS stack object execute the 
request? Specifically, if I enable Kerberos authentication between the 
requesting application and TC does this guarantee the WS stack executes the 
requestor's request under the identity of the actual originating requestor?
Much appreciated, Tim.

 

