Re: Access to source IP address during authentication and authorization
Zemian,

On 8/8/17 9:36 AM, Zemian Deng wrote:
> Hi, how about extending
> "org.apache.catalina.authenticator.AuthenticatorBase"? Or extend
> "FormAuthenticator" if you are using form-based authentication. The
> base class is actually a Valve, and thus provides access to the
> "Request" object. To use it, simply add it as a valve in your context
> xml file. If I understand it correctly, this will override the default
> one.

I'm trying to come up with a more pluggable solution, like I did with the CredentialHandlers. Obviously, I can simply write or extend whatever Valve I want and do anything with it, but having to choose a single type of authenticator isn't very flexible. I'd prefer a solution that improves Tomcat for the whole community, rather than one that merely meets my private needs.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Access to source IP address during authentication and authorization
Hi, how about extending "org.apache.catalina.authenticator.AuthenticatorBase"? Or extend "FormAuthenticator" if you are using form-based authentication. The base class is actually a Valve, and thus provides access to the "Request" object. To use it, simply add it as a valve in your context xml file. If I understand it correctly, this will override the default one.
Re: Access to source IP address during authentication and authorization
On 08/08/17 14:01, Christopher Schultz wrote:
> Mark,
>
> On 8/8/17 8:49 AM, Mark Thomas wrote:
>> On 08/08/17 13:44, Christopher Schultz wrote:
>>> I have no problem with Tomcat having access to the IP address. I
>>> just want Tomcat to make that IP address available to the
>>> authenticator component in some way.
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>>
>> Implementing that in a way that is truly backwards compatible
>> requires a little thought.
>
> I agree that backward-compatibility is a significant issue, since the
> Realm interface hasn't changed since ... well, ever.
>
> How about cheating and using a ThreadLocal?
>
> try {
>     tl.set(theRequest);
>     authenticator.authenticate(username, password);
> } finally {
>     tl.set(null);
> }
>
> ??

Yuck.

> For SecurityFilter, we added a sub-interface that adds more methods,
> like this:
>
> authenticate(String username, String password);
> authenticate(String username, String password, HttpServletRequest req);
>
> Then, the driver does this:
>
> if (realm instanceof ExtendedRealm)
>     ((ExtendedRealm) realm).authenticate(username, password, theRequest);
> else
>     realm.authenticate(username, password);

That could work for 8.5.x and earlier. We can use default methods in Tomcat 9.

I was also thinking about the case where a custom component called the Realm (e.g. custom nested Realms). I'm not sure there is one solution that can cleanly handle all use cases. We probably need to go with the majority.

> If using the HttpServletRequest itself is architecturally distasteful,
> we could use some other kind of data object, or simply
> java.lang.Object (which is a little distasteful itself).

I have no problem with using the HttpServletRequest.

Mark
Re: Access to source IP address during authentication and authorization
Mark,

On 8/8/17 8:49 AM, Mark Thomas wrote:
> On 08/08/17 13:44, Christopher Schultz wrote:
>> I have no problem with Tomcat having access to the IP address. I
>> just want Tomcat to make that IP address available to the
>> authenticator component in some way.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59750
>
> Implementing that in a way that is truly backwards compatible
> requires a little thought.

I agree that backward-compatibility is a significant issue, since the Realm interface hasn't changed since ... well, ever.

How about cheating and using a ThreadLocal?

try {
    tl.set(theRequest);
    authenticator.authenticate(username, password);
} finally {
    tl.set(null);
}

??

For SecurityFilter, we added a sub-interface that adds more methods, like this:

authenticate(String username, String password);
authenticate(String username, String password, HttpServletRequest req);

Then, the driver does this:

if (realm instanceof ExtendedRealm)
    ((ExtendedRealm) realm).authenticate(username, password, theRequest);
else
    realm.authenticate(username, password);

If using the HttpServletRequest itself is architecturally distasteful, we could use some other kind of data object, or simply java.lang.Object (which is a little distasteful itself).

-chris
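The ExtendedRealm sketch from this message and Mark's remark about default methods in Tomcat 9, worked into one complete stand-alone Java program. This is an added example, not code from the thread or from Tomcat. It assumes a stand-in `Realm` interface with only the two-argument `authenticate` that the thread says Tomcat passes today; the names `ExtendedRealm`, `AuditingRealm`, `LegacyRealm`, `AuthenticatorDispatch` and the constructed user table are mine. It passes the client address as a String rather than the `HttpServletRequest` so it compiles without the servlet API, and it shows both variants discussed: the `instanceof` dispatch that 8.5.x would need and the default-method form that lets a realm ignore the extra argument.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Stand-in for the two-argument authenticate on org.apache.catalina.Realm
// (constructed for this example; not Tomcat's real interface).
interface Realm {
    Principal authenticate(String username, String credentials);
}

// The sub-interface proposed in the thread. The default method is the
// "Tomcat 9" variant: a realm that implements ExtendedRealm but only
// overrides the two-argument form still works; the address is simply dropped.
interface ExtendedRealm extends Realm {
    default Principal authenticate(String username, String credentials, String remoteAddr) {
        return authenticate(username, credentials);
    }
}

final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// A realm that records where each login attempt came from, which is the
// auditing requirement the thread is about. The user table is constructed
// for the example; a real realm would use a CredentialHandler, not plaintext.
final class AuditingRealm implements ExtendedRealm {
    private final Map<String, String> users = new HashMap<>();
    final List<String> auditLog = new ArrayList<>();

    AuditingRealm() {
        users.put("alice", "correct-horse");   // constructed sample user
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        // Legacy two-argument entry point: no request, so no address to record.
        return authenticate(username, credentials, "unknown");
    }

    @Override
    public Principal authenticate(String username, String credentials, String remoteAddr) {
        String expected = users.get(username);
        boolean ok = expected != null && credentials != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         credentials.getBytes(StandardCharsets.UTF_8));
        auditLog.add((ok ? "LOGIN_OK " : "LOGIN_FAIL ") + username + " from " + remoteAddr);
        return ok ? new SimplePrincipal(username) : null;
    }
}

// A pre-existing realm that knows nothing about ExtendedRealm.
final class LegacyRealm implements Realm {
    @Override
    public Principal authenticate(String username, String credentials) {
        return "bob".equals(username) && "hunter2".equals(credentials)
                ? new SimplePrincipal(username) : null;
    }
}

// The driver logic from the thread: the authenticator checks at runtime
// whether the configured realm can accept the address and falls back to the
// unchanged two-argument call otherwise, so old realms keep working.
final class AuthenticatorDispatch {
    static Principal authenticate(Realm realm, String username, String credentials, String remoteAddr) {
        if (realm instanceof ExtendedRealm) {
            return ((ExtendedRealm) realm).authenticate(username, credentials, remoteAddr);
        }
        return realm.authenticate(username, credentials);
    }
}

public class ExtendedRealmDemo {
    public static void main(String[] args) {
        AuditingRealm auditing = new AuditingRealm();
        Realm legacy = new LegacyRealm();

        // Constructed value standing in for request.getRemoteAddr().
        String clientAddr = "203.0.113.7";

        Principal p1 = AuthenticatorDispatch.authenticate(auditing, "alice", "correct-horse", clientAddr);
        Principal p2 = AuthenticatorDispatch.authenticate(auditing, "alice", "wrong", clientAddr);
        Principal p3 = AuthenticatorDispatch.authenticate(legacy, "bob", "hunter2", clientAddr);

        System.out.println("alice, good password: " + (p1 != null));
        System.out.println("alice, bad password:  " + (p2 != null));
        System.out.println("legacy bob:           " + (p3 != null) + " (no address recorded; realm has no 3-arg method)");
        auditing.auditLog.forEach(System.out::println);
    }
}
```

Compile and run as `ExtendedRealmDemo.java`. The audit log shows the client address on both the successful and the failed attempt against `AuditingRealm`, while `LegacyRealm` is still called exactly as before; that is the backward-compatibility property Mark asks for, and the default method means a Tomcat 9 realm that does not care about the address needs no change at all.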
Re: Access to source IP address during authentication and authorization
On 08/08/17 13:44, Christopher Schultz wrote:
> I have no problem with Tomcat having access to the IP address. I just
> want Tomcat to make that IP address available to the authenticator
> component in some way.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59750

Implementing that in a way that is truly backwards compatible requires a little thought.

Mark
Re: Access to source IP address during authentication and authorization
Markus,

On 8/8/17 8:21 AM, i...@flyingfischer.ch wrote:
> On 08.08.2017 at 14:05, Christopher Schultz wrote:
>> All,
>>
>> In spite of my (somewhat) recent work on the CredentialHandlers,
>> I haven't been using Tomcat's container-provided authentication
>> and authorization for over a decade. This is because I need
>> access to the user's source IP address for auditing where users
>> "are" when they log in to my applications.
>>
>> Is there any opportunity to obtain the user's IP address during
>> login? IIRC, the JASPIC scheme does allow this kind of
>> information, but I'm not sure if Tomcat actually supplies it.
>> JASPIC is a rather complicated solution when I am in fact
>> authenticating against a simple relational database.
>>
>> What might be other ways to obtain the user's IP address during
>> authentication?
>>
>> Thanks,
>> -chris
>>
>> PS I don't use Spring, so "just use Spring security like
>> everyone else" isn't a great solution for me.
>
> If you run Tomcat only you may use request.getRemoteAddr() in the
> logic and build IP based access management around this.

Have you noticed that Tomcat only passes two String values to the authenticators? The IP address is not available.

> If you run Apache in front of Tomcat you may need to fiddle with
> the X-Forwarded-For header.

I have no problem with Tomcat having access to the IP address. I just want Tomcat to make that IP address available to the authenticator component in some way.

-chris
Re: Access to source IP address during authentication and authorization
On 08.08.2017 14:21, i...@flyingfischer.ch wrote:
> On 08.08.2017 at 14:05, Christopher Schultz wrote:
>> All,
>>
>> In spite of my (somewhat) recent work on the CredentialHandlers, I
>> haven't been using Tomcat's container-provided authentication and
>> authorization for over a decade. This is because I need access to the
>> user's source IP address for auditing where users "are" when they
>> log in to my applications.
>>
>> Is there any opportunity to obtain the user's IP address during login?
>> IIRC, the JASPIC scheme does allow this kind of information, but I'm
>> not sure if Tomcat actually supplies it. JASPIC is a rather
>> complicated solution when I am in fact authenticating against a simple
>> relational database.
>>
>> What might be other ways to obtain the user's IP address during
>> authentication?
>>
>> Thanks,
>> -chris
>>
>> PS I don't use Spring, so "just use Spring security like everyone
>> else" isn't a great solution for me.
>
> If you run Tomcat only you may use request.getRemoteAddr() in the
> logic and build IP based access management around this.
>
> If you run Apache in front of Tomcat you may need to fiddle with the
> X-Forwarded-For header.
>
> Markus

+1, I was just going to mention the same.

In case of any front-end proxy, getRemoteAddr() would probably give the IP of the proxy. And to make matters a little bit more complicated, see this article: https://github.com/eprints/eprints/issues/214

This is Perl, not Java, but it provides some additional information which might be useful (about nginx and HTTPS, e.g.).
Re: Access to source IP address during authentication and authorization
On 08.08.2017 at 14:05, Christopher Schultz wrote:
> All,
>
> In spite of my (somewhat) recent work on the CredentialHandlers, I
> haven't been using Tomcat's container-provided authentication and
> authorization for over a decade. This is because I need access to the
> user's source IP address for auditing where users "are" when they
> log in to my applications.
>
> Is there any opportunity to obtain the user's IP address during login?
> IIRC, the JASPIC scheme does allow this kind of information, but I'm
> not sure if Tomcat actually supplies it. JASPIC is a rather
> complicated solution when I am in fact authenticating against a simple
> relational database.
>
> What might be other ways to obtain the user's IP address during
> authentication?
>
> Thanks,
> -chris
>
> PS I don't use Spring, so "just use Spring security like everyone
> else" isn't a great solution for me.

If you run Tomcat only you may use request.getRemoteAddr() in the logic and build IP based access management around this.

If you run Apache in front of Tomcat you may need to fiddle with the X-Forwarded-For header.

Markus
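Markus's point about a reverse proxy, and André's follow-up that `getRemoteAddr()` then returns the proxy's address, as an added example in plain Java (not code from the thread or from Tomcat). `getRemoteAddr()` reports the TCP peer, so behind Apache or nginx that is the proxy, and `X-Forwarded-For` is client-supplied input unless the peer that forwarded it is a proxy you trust; an audit log that copies the header blindly records whatever the client chose to write. The `ClientAddressResolver` class, its trusted-proxy pattern and the sample addresses are constructed for this example. The rule it implements, honour the header only when the peer is a known proxy and then walk the hop list from the right past your own proxies, is the same idea Tomcat's `RemoteIpValve` applies with its `internalProxies` attribute.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Derives the address to audit from the TCP peer plus an optional
// X-Forwarded-For header. Constructed for this example; not Tomcat code.
final class ClientAddressResolver {
    private final List<Pattern> trustedProxies = new ArrayList<>();

    // Each argument is a regex matching a proxy whose header we believe
    // (the same shape as RemoteIpValve's internalProxies attribute).
    ClientAddressResolver(String... trustedProxyPatterns) {
        for (String p : trustedProxyPatterns) {
            trustedProxies.add(Pattern.compile(p));
        }
    }

    boolean isTrustedProxy(String addr) {
        for (Pattern p : trustedProxies) {
            if (p.matcher(addr).matches()) return true;
        }
        return false;
    }

    // remoteAddr: what request.getRemoteAddr() returns, i.e. the TCP peer.
    // xff: the X-Forwarded-For value, "client, proxy1, proxy2", or null.
    String resolve(String remoteAddr, String xff) {
        // A header arriving from an untrusted peer is just client-controlled
        // input: a client talking to Tomcat directly can put anything in it.
        if (!isTrustedProxy(remoteAddr) || xff == null || xff.trim().isEmpty()) {
            return remoteAddr;
        }
        // Proxies append on the right, so the rightmost hop that is not one
        // of our own proxies is the nearest address we did not vouch for.
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !isTrustedProxy(hop)) {
                return hop;
            }
        }
        // Every listed hop was one of our own proxies; fall back to the peer.
        return remoteAddr;
    }
}

public class ClientAddressDemo {
    public static void main(String[] args) {
        // Trust only the private range our reverse proxies live in (constructed).
        ClientAddressResolver resolver = new ClientAddressResolver("10\\.0\\.0\\.\\d{1,3}");

        String[][] cases = {
            // description, remoteAddr (TCP peer), X-Forwarded-For
            { "direct client, no proxy",            "203.0.113.7", null },
            { "behind trusted proxy",               "10.0.0.5",    "203.0.113.7" },
            { "direct client forging the header",   "203.0.113.9", "198.51.100.1" },
            { "two trusted proxies in the chain",   "10.0.0.5",    "198.51.100.4, 10.0.0.6" },
            { "client also forged a leading hop",   "10.0.0.5",    "192.0.2.1, 198.51.100.4" },
        };
        for (String[] c : cases) {
            System.out.printf("%-36s peer=%-12s xff=%-26s -> %s%n",
                    c[0], c[1], c[2], resolver.resolve(c[1], c[2]));
        }
    }
}
```

The third and fifth cases are the ones that matter for auditing: a client connecting directly gets its real peer address recorded regardless of the header it sends, and a client behind a trusted proxy cannot push a forged address into the log because only the hop the proxy itself appended is believed. In a Tomcat deployment the same effect comes from configuring `org.apache.catalina.valves.RemoteIpValve` (attributes `internalProxies` and `remoteIpHeader`) in front of the authenticator, after which `getRemoteAddr()` already returns the resolved client address; whatever the Realm eventually receives, the request or just the address string, is then the value worth writing to the audit trail.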