Re: Access to source IP address during authentication and authorization

2017-08-08 Thread Christopher Schultz

Zemian,

On 8/8/17 9:36 AM, Zemian Deng wrote:
> Hi, how about extending
> "org.apache.catalina.authenticator.AuthenticatorBase"? Or extending
> "FormAuthenticator" if you are using form-based. The base class is
> actually a Valve, and thus provides access to the "Request" object. And
> to use it, just add it as a valve in your context xml file. If I
> understand it correctly, this will override the default one.

I'm trying to come up with a more pluggable solution, like I did with
the CredentialHandlers.

Obviously, I can simply write or extend whatever Valve I want and do
anything with it, but having to choose a single type of authenticator
isn't very flexible.

I'd prefer a solution that improves Tomcat for the whole community,
rather than one that merely meets my private needs.

- -chris

> On Tue, Aug 8, 2017 at 9:09 AM, Mark Thomas wrote:
> 
>> On 08/08/17 14:01, Christopher Schultz wrote:
>>> Mark,
>>> 
>>> On 8/8/17 8:49 AM, Mark Thomas wrote:
>>>> On 08/08/17 13:44, Christopher Schultz wrote:
>>>>
>>>>> I have no problem with Tomcat having access to the IP
>>>>> address. I just want Tomcat to make that IP address
>>>>> available to the authenticator component in some way.
>>>>
>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>>>>
>>>> Implementing that in a way that is truly backwards
>>>> compatible requires a little thought.
>>> 
>>> I agree that backward-compatibility is a significant issue,
>>> since the Realm interface hasn't changed since ... well, ever.
>>> 
>>> How about cheating and using a ThreadLocal?
>>> 
>>> try {
>>>   tl.set(theRequest);
>>>   authenticator.authenticate(username, password);
>>> } finally {
>>>   tl.set(null);
>>> }
>>> 
>>> ??
>> 
>> Yuck.
>> 
>>> For SecurityFilter, we added a sub-interface that adds more
>>> methods, like this:
>>> 
>>> authenticate(String username, String password);
>>> authenticate(String username, String password, HttpServletRequest req);
>>> 
>>> Then, the driver does this:
>>> 
>>> if (realm instanceof ExtendedRealm)
>>>   ((ExtendedRealm) realm).authenticate(username, password, theRequest);
>>> else
>>>   realm.authenticate(username, password);
>> 
>> That could work for 8.5.x and earlier. We can use default methods
>> in Tomcat 9.
>> 
>> I was also thinking about the case where a custom component
>> called the Realm (e.g. custom nested Realms). I'm not sure there
>> is one solution that can cleanly handle all use cases. We
>> probably need to go with the majority.
>> 
>>> If using the HttpServletRequest itself is architecturally
>>> distasteful, we could use some other kind of data object, or
>>> simply java.lang.Object (which is a little distasteful
>>> itself).
>> 
>> I have no problem with using the HttpServletRequest.
>> 
>> Mark
>> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Access to source IP address during authentication and authorization

2017-08-08 Thread Zemian Deng
Hi, how about extending
"org.apache.catalina.authenticator.AuthenticatorBase"? Or extending
"FormAuthenticator" if you are using form-based. The base class is actually
a Valve, and thus provides access to the "Request" object. And to use it,
just add it as a valve in your context xml file. If I understand it
correctly, this will override the default one.

On Tue, Aug 8, 2017 at 9:09 AM, Mark Thomas wrote:

> On 08/08/17 14:01, Christopher Schultz wrote:
> > Mark,
> >
> > On 8/8/17 8:49 AM, Mark Thomas wrote:
> >> On 08/08/17 13:44, Christopher Schultz wrote:
> >
> >> 
> >
> >>> I have no problem with Tomcat having access to the IP address. I
> >>> just want Tomcat to make that IP address available to the
> >>> authenticator component in some way.
> >
> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
> >
> >> Implementing that in a way that is truly backwards compatible
> >> requires a little thought.
> >
> > I agree that backward-compatibility is a significant issue, since the
> > Realm interface hasn't changed since ... well, ever.
> >
> > How about cheating and using a ThreadLocal?
> >
> > try {
> >   tl.set(theRequest);
> >   authenticator.authenticate(username,password);
> > } finally {
> >   tl.set(null);
> > }
> >
> > ??
>
> Yuck.
>
> > For SecurityFilter, we added a sub-interface that adds more methods,
> > like this:
> >
> > authenticate(String username, String password);
> > authenticate(String username, String password, HttpServletRequest req);
> >
> > Then, the driver does this:
> >
> > if(realm instanceof ExtendedRealm)
> >   ((ExtendedRealm)realm).authenticate(username, password, theRequest);
> > else
> >   realm.authenticate(username, password);
>
> That could work for 8.5.x and earlier. We can use default methods in
> Tomcat 9.
>
> I was also thinking about the case where a custom component called the
> Realm (e.g. custom nested Realms). I'm not sure there is one solution
> that can cleanly handle all use cases. We probably need to go with the
> majority.
>
> > If using the HttpServletRequest itself is architecturally distasteful,
> > we could use some other kind of data object, or simply
> > java.lang.Object (which is a little distasteful itself).
>
> I have no problem with using the HttpServletRequest.
>
> Mark
>


Re: Access to source IP address during authentication and authorization

2017-08-08 Thread Mark Thomas
On 08/08/17 14:01, Christopher Schultz wrote:
> Mark,
> 
> On 8/8/17 8:49 AM, Mark Thomas wrote:
>> On 08/08/17 13:44, Christopher Schultz wrote:
> 
>> 
> 
>>> I have no problem with Tomcat having access to the IP address. I
>>> just want Tomcat to make that IP address available to the
>>> authenticator component in some way.
> 
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
> 
>> Implementing that in a way that is truly backwards compatible
>> requires a little thought.
> 
> I agree that backward-compatibility is a significant issue, since the
> Realm interface hasn't changed since ... well, ever.
> 
> How about cheating and using a ThreadLocal?
> 
> try {
>   tl.set(theRequest);
>   authenticator.authenticate(username,password);
> } finally {
>   tl.set(null);
> }
> 
> ??

Yuck.

> For SecurityFilter, we added a sub-interface that adds more methods,
> like this:
> 
> authenticate(String username, String password);
> authenticate(String username, String password, HttpServletRequest req);
> 
> Then, the driver does this:
> 
> if(realm instanceof ExtendedRealm)
>   ((ExtendedRealm)realm).authenticate(username, password, theRequest);
> else
>   realm.authenticate(username, password);

That could work for 8.5.x and earlier. We can use default methods in
Tomcat 9.

I was also thinking about the case where a custom component called the
Realm (e.g. custom nested Realms). I'm not sure there is one solution
that can cleanly handle all use cases. We probably need to go with the
majority.

> If using the HttpServletRequest itself is architecturally distasteful,
> we could use some other kind of data object, or simply
> java.lang.Object (which is a little distasteful itself).

I have no problem with using the HttpServletRequest.

Mark




Re: Access to source IP address during authentication and authorization

2017-08-08 Thread Christopher Schultz

Mark,

On 8/8/17 8:49 AM, Mark Thomas wrote:
> On 08/08/17 13:44, Christopher Schultz wrote:
> 
> 
> 
>> I have no problem with Tomcat having access to the IP address. I
>> just want Tomcat to make that IP address available to the
>> authenticator component in some way.
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
> 
> Implementing that in a way that is truly backwards compatible
> requires a little thought.

I agree that backward-compatibility is a significant issue, since the
Realm interface hasn't changed since ... well, ever.

How about cheating and using a ThreadLocal?

try {
  tl.set(theRequest);
  authenticator.authenticate(username,password);
} finally {
  tl.set(null);
}

??

For SecurityFilter, we added a sub-interface that adds more methods,
like this:

authenticate(String username, String password);
authenticate(String username, String password, HttpServletRequest req);

Then, the driver does this:

if(realm instanceof ExtendedRealm)
  ((ExtendedRealm)realm).authenticate(username, password, theRequest);
else
  realm.authenticate(username, password);

If using the HttpServletRequest itself is architecturally distasteful,
we could use some other kind of data object, or simply
java.lang.Object (which is a little distasteful itself).

- -chris

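
The ExtendedRealm idea above, worked through as an added example (this is not code from the thread or from Tomcat itself). The "Realm" interface here is a stand-in for the two-String authenticate contract of org.apache.catalina.Realm, "AuthContext" stands in for the request, and the names ExtendedRealm, AuthDriver, AuditingRealm, LegacyRealm and the user data are this example's own assumptions. It shows both dispatch styles the thread discusses: the instanceof check a caller must do when the sub-interface is plain Java 7 (the 8.5.x-and-earlier variant), and the default method that makes the check unnecessary on Java 8 / Tomcat 9. Run with "java RealmIpDemo.java" (Java 11 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class RealmIpDemo {
    public static void main(String[] args) {
        // Constructed demo credentials and client address.
        AuditingRealm auditing = new AuditingRealm(Map.of("alice", "s3cret", "bob", "hunter2"));
        AuthContext fromLaptop = new AuthContext("203.0.113.7");

        AuthDriver.login(auditing, "alice", "s3cret", fromLaptop);   // success, audited with IP
        AuthDriver.login(auditing, "bob", "wrong", fromLaptop);      // failure, still audited with IP
        auditing.authenticate("alice", "s3cret");                     // old two-String entry point
        auditing.audit.forEach(System.out::println);

        // A realm written against the old contract keeps working through the same
        // driver; it simply never learns where the user came from.
        Principal p = AuthDriver.login(new LegacyRealm(), "alice", "s3cret", fromLaptop);
        System.out.println("legacy realm -> " + (p == null ? "denied" : p.getName()));
    }
}

/** Stand-in for the two-String contract of org.apache.catalina.Realm (assumption:
 *  the real interface has many more methods; only this call is modelled). */
interface Realm {
    Principal authenticate(String username, String credentials);
}

/** Hypothetical stand-in for the request: only what an auditing realm needs. */
final class AuthContext {
    final String remoteAddr;
    AuthContext(String remoteAddr) { this.remoteAddr = remoteAddr; }
}

/** The sub-interface sketched in the thread (name is this example's). The default
 *  method is the Java 8 / Tomcat 9 variant: a realm that does not care about the
 *  request inherits it and keeps working unchanged. */
interface ExtendedRealm extends Realm {
    default Principal authenticate(String username, String credentials, AuthContext ctx) {
        return authenticate(username, credentials);
    }
}

/** Caller-side dispatch: the instanceof check needed where default methods are
 *  not available (the 8.5.x-and-earlier variant). */
final class AuthDriver {
    static Principal login(Realm realm, String user, String pass, AuthContext ctx) {
        if (realm instanceof ExtendedRealm) {
            return ((ExtendedRealm) realm).authenticate(user, pass, ctx);
        }
        return realm.authenticate(user, pass);   // legacy path: the IP is simply unavailable
    }
}

final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/** Realm that records where every login attempt came from, success or failure. */
final class AuditingRealm implements ExtendedRealm {
    private final Map<String, String> users;        // username -> password (demo data)
    final List<String> audit = new ArrayList<>();   // stands in for an audit log sink

    AuditingRealm(Map<String, String> users) { this.users = users; }

    /** Old entry point: still works, but can only record that the source is unknown. */
    @Override
    public Principal authenticate(String user, String pass) {
        return authenticate(user, pass, new AuthContext("unknown"));
    }

    @Override
    public Principal authenticate(String user, String pass, AuthContext ctx) {
        String expected = users.get(user);
        // Constant-time comparison of the demo plaintext; a real realm would hand
        // the credential to a CredentialHandler and compare hashes instead.
        boolean ok = expected != null && pass != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         pass.getBytes(StandardCharsets.UTF_8));
        audit.add((ok ? "LOGIN_OK   " : "LOGIN_FAIL ") + user + " from " + ctx.remoteAddr);
        return ok ? new SimplePrincipal(user) : null;
    }
}

/** Realm written against the old contract only; it never sees the request. */
final class LegacyRealm implements Realm {
    @Override
    public Principal authenticate(String user, String pass) {
        return "alice".equals(user) && "s3cret".equals(pass) ? new SimplePrincipal(user) : null;
    }
}
```

The point of the default method is the backward-compatibility concern raised in the thread: a Realm compiled against the old interface is untouched, a Realm that wants the request overrides the three-argument method, and the container calls the three-argument form unconditionally. The instanceof branch in AuthDriver is only needed where default methods cannot be relied on; note that failed logins are audited with the source address too, which is usually what the audit trail is wanted for.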



Re: Access to source IP address during authentication and authorization

2017-08-08 Thread Mark Thomas
On 08/08/17 13:44, Christopher Schultz wrote:



> I have no problem with Tomcat having access to the IP address. I just
> want Tomcat to make that IP address available to the authenticator
> component in some way.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

Implementing that in a way that is truly backwards compatible requires a
little thought.

Mark




Re: Access to source IP address during authentication and authorization

2017-08-08 Thread Christopher Schultz

Markus,

On 8/8/17 8:21 AM, i...@flyingfischer.ch wrote:
> 
>> On 08.08.2017 at 14:05, Christopher Schultz wrote:
>> All,
>> 
>> In spite of my (somewhat) recent work on the CredentialHandlers,
>> I haven't been using Tomcat's container-provided authentication
>> and authorization for over a decade. This is because I need
>> access to the user's source IP address for auditing where users
>> "are" when they login to my applications.
>> 
>> Is there any opportunity to obtain the user's IP address during
>> login? IIRC, the JASPIC scheme does allow this kind of
>> information, but I'm not sure if Tomcat actually supplies it.
>> JASPIC is a rather complicated solution when I am in fact
>> authenticating against a simple relational database.
>> 
>> What might be other ways to obtain the user's IP address during 
>> authentication?
>> 
>> Thanks, -chris
>> 
>> PS I don't use Spring, so "just use Spring security like
>> everyone else" isn't a great solution for me.
> 
> If you run Tomcat only you may use request.getRemoteAddr() in the
> logic and build IP based access management around this.

Have you noticed that Tomcat only passes two String values to the
authenticators? The IP address is not available.

> If you run Apache in front of Tomcat you may need to fiddle with 
> X-Forwarded-For header.

I have no problem with Tomcat having access to the IP address. I just
want Tomcat to make that IP address available to the authenticator
component in some way.

- -chris




Re: Access to source IP address during authentication and authorization

2017-08-08 Thread tomcat

On 08.08.2017 14:21, i...@flyingfischer.ch wrote:
> On 08.08.2017 at 14:05, Christopher Schultz wrote:
>> All,
>>
>> In spite of my (somewhat) recent work on the CredentialHandlers, I
>> haven't been using Tomcat's container-provided authentication and
>> authorization for over a decade. This is because I need access to the
>> user's source IP address for auditing where users "are" when they
>> login to my applications.
>>
>> Is there any opportunity to obtain the user's IP address during login?
>> IIRC, the JASPIC scheme does allow this kind of information, but I'm
>> not sure if Tomcat actually supplies it. JASPIC is a rather
>> complicated solution when I am in fact authenticating against a simple
>> relational database.
>>
>> What might be other ways to obtain the user's IP address during
>> authentication?
>>
>> Thanks,
>> -chris
>>
>> PS I don't use Spring, so "just use Spring security like everyone
>> else" isn't a great solution for me.
>
> If you run Tomcat only you may use request.getRemoteAddr() in the logic
> and build IP based access management around this.
>
> If you run Apache in front of Tomcat you may need to fiddle with
> X-Forwarded-For header.
>
> Markus


+1, I was just going to mention the same.
In case of any front-end proxy, getRemoteAddr() would probably give the IP of 
the proxy.
And to make matters a little bit more complicated, see this article:
https://github.com/eprints/eprints/issues/214
This is perl, not Java, but it provides some additional information which might be useful 
(about nginx and HTTPS e.g.)




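
The proxy caveat raised here, as an added example that is not part of the thread: a small resolver that trusts X-Forwarded-For only as far as the chain of proxies you operate, walking the header from the right and stopping at the first address that is not one of yours. This is the same rule Tomcat's org.apache.catalina.valves.RemoteIpValve applies (its internalProxies and trustedProxies attributes name the proxies, remoteIpHeader names the header), after which request.getRemoteAddr() already returns the client address by the time any authenticator or realm runs. The class name, the 10.0.0.x proxy addresses and the sample cases in main are constructed for this example. Run with "java ClientIpResolver.java" (Java 11 or later).

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Resolves the real client address from the TCP peer address and an
 * X-Forwarded-For header, trusting the header only as far as the chain of
 * proxies we operate. Mirrors the rule Tomcat's RemoteIpValve implements;
 * the names and addresses here are this example's own.
 */
public class ClientIpResolver {
    private static final Pattern IPV4 = Pattern.compile(
        "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}$");
    // Loose IPv6 literal check: hex groups separated by colons, "::" allowed.
    private static final Pattern IPV6 = Pattern.compile("^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}$");

    private final Set<String> trustedProxies;   // addresses of proxies we operate (constructed)

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    static boolean isIpLiteral(String s) {
        return IPV4.matcher(s).matches() || IPV6.matcher(s).matches();
    }

    public String resolve(String remoteAddr, String xForwardedFor) {
        // Rule 1: if the TCP peer is not one of our proxies, the header was written
        // by whoever connected. It is attacker-controlled, so it is ignored entirely.
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        if (xForwardedFor == null || xForwardedFor.trim().isEmpty()) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        // Rule 2: walk right to left. The rightmost entry was appended by the peer we
        // trust, each entry further left by a proxy one hop further away. Stop at the
        // first address that is not a proxy of ours: that is the client, and anything
        // left of it was supplied by the client and must not be believed.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!isIpLiteral(hop)) {
                return remoteAddr;   // a proxy of ours never writes this; distrust the chain
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        // Every hop was one of our proxies: the request originated inside the proxy
        // tier itself, so the leftmost entry is the originator.
        return hops[0].trim();
    }

    public static void main(String[] args) {
        // Constructed topology: 10.0.0.2 and 10.0.0.3 are our reverse proxies.
        ClientIpResolver r = new ClientIpResolver(Set.of("10.0.0.2", "10.0.0.3"));

        // Direct connection that carries a forged header: the header is ignored.
        System.out.println("direct, forged header    -> " + r.resolve("203.0.113.7", "198.51.100.9"));
        // One of our proxies in front: the single entry is the client.
        System.out.println("one proxy                -> " + r.resolve("10.0.0.2", "203.0.113.7"));
        // Client forged a leading entry, then passed through two of our proxies.
        System.out.println("forged entry, two proxies-> "
                + r.resolve("10.0.0.2", "198.51.100.9, 203.0.113.7, 10.0.0.3"));
        // Garbage in the chain: fall back to the peer address rather than trust it.
        System.out.println("garbage in chain         -> " + r.resolve("10.0.0.2", "not-an-ip, 10.0.0.3"));
        // Behind a proxy but no header at all: the proxy address is the best available.
        System.out.println("proxy, no header         -> " + r.resolve("10.0.0.2", null));
    }
}
```

Without the first check anyone who can reach Tomcat directly picks the address that ends up in the audit log just by sending the header; with it, a forged entry to the left of the real client address is discarded because the walk stops at the client. If Tomcat sits behind nginx or httpd, configuring RemoteIpValve with exactly those proxy addresses gives the same result to every consumer of getRemoteAddr(), including whatever realm eventually receives the request.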



Re: Access to source IP address during authentication and authorization

2017-08-08 Thread i...@flyingfischer.ch

On 08.08.2017 at 14:05, Christopher Schultz wrote:
> All,
>
> In spite of my (somewhat) recent work on the CredentialHandlers, I
> haven't been using Tomcat's container-provided authentication and
> authorization for over a decade. This is because I need access to the
> user's source IP address for auditing where users "are" when they
> login to my applications.
>
> Is there any opportunity to obtain the user's IP address during login?
> IIRC, the JASPIC scheme does allow this kind of information, but I'm
> not sure if Tomcat actually supplies it. JASPIC is a rather
> complicated solution when I am in fact authenticating against a simple
> relational database.
>
> What might be other ways to obtain the user's IP address during
> authentication?
>
> Thanks,
> -chris
>
> PS I don't use Spring, so "just use Spring security like everyone
> else" isn't a great solution for me.

If you run Tomcat only you may use request.getRemoteAddr() in the logic
and build IP based access management around this.

If you run Apache in front of Tomcat you may need to fiddle with
X-Forwarded-For header.

Markus



