Re: How to authenticate our webapp against our own relm only
Felix Schumacher felix.schumacher at internetallee.de writes: I think tomcat will always inject a realm into to host when it finds none. But that realm should not interfere with your requests to your webapp. You are right, and I see, that I have misinterpreted my debugger sessions. Our realm contains an additinal class, that contain the access methods to our server against we have to authenticate. So the realm does a lot of things what are not neccessary on the webserver side at the moment. So I have written now my own small method, what only make the autentification and all things was ok afterwards. By the way, what I haven't realy understood, is how and when this realm is called, after a request reached the connector. What I didn't understand also is what actions or what content of the request triggers the realm to do anything. Perhaps you have a hint or a link for me, where I can see which control flow a request have, before he arrived my first filter. I haven't found the right documents for this til now. kind regards Arno - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Arno, On 7/21/15 10:05 AM, Arno wrote: Felix Schumacher felix.schumacher at internetallee.de writes: I think tomcat will always inject a realm into to host when it finds none. But that realm should not interfere with your requests to your webapp. You are right, and I see, that I have misinterpreted my debugger sessions. Our realm contains an additinal class, that contain the access methods to our server against we have to authenticate. So the realm does a lot of things what are not neccessary on the webserver side at the moment. So I have written now my own small method, what only make the autentification and all things was ok afterwards. By the way, what I haven't realy understood, is how and when this realm is called, after a request reached the connector. What I didn't understand also is what actions or what content of the request triggers the realm to do anything. Accessing a protected resource triggers an authorization check, which also required authentication. Some realms cache authentication information while others do not. The authenticator is a Valve which uses the Realm to perform the authentication and gather authorization information (e.g. roles). If the user isn't authenticated, then they are challenged for credentials (login form, SSL client certificate, HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then fed back into the realm to authenticate the user. Then the roles are checked for authorization. Perhaps you have a hint or a link for me, where I can see which control flow a request have, before he arrived my first filter. I haven't found the right documents for this til now. The Filter stage is too late, because all of this is done in Valves before any webapp-specific code is invoked. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVrmOxAAoJEBzwKT+lPKRYxucP+gJnYSOUdbmUjgLTRfx6Z8RJ 0L3EyQBqDJL+9/Jv6a+dxiQmLLUN+2Xl1vSsQVpKtqcr20CssDspDGjmL6lOewr7 9cd/YzxiSeTNz+MbB7wfziWfW3qyK15w/gEuOShvfdDBD3U/NcGsL6WtN+ydQYDp kFWR7VbW1GuprjY+4fsNq/xPo8HxxD9KuC+GwoV+0p4NtgNkLxesXIUIz4QVriPn TTy3EPwIMVKzDsMH+aMBbJ78x0aWik4j6PKFoXLTEzAT4KGMS2+w7TQ3+CkjUOtX Hgi5bAF1hQ1/PKSALs2QiLzBTxDOkv725SqXiW7d0nwcoH+bT3O4hqSZzWlQYG3r 3OyoYVb+3jX6gJNfh3zvU5aPADL1jzhad1Mcn6FhE32MvKMihhJ0j96tKqleznje EKjFYI5ULURQIZzbcQtaZY+/L2vUfk4Bt/bZhSeBQbSwPCyTiiUH8FVB8BPMGLmI eaF4nBuQEuHh9jI9MslDfYEM7HLiYltAFlWJsU39h5Wnx/64b6yH7/L+TokgbwqD NrJfvk8Lwk4q+6XPgWcB9HiUPU88ByjkrZ/YaKhAoIH1yI0XDViUQwmlJvbfIxk4 SbCOEKXdxaec6G1vjmc1RqUTSaSaJ47R9D1WBKMw5oRvEtrJvS3s7fpgXp/T7GpZ LB6V01Eu5sIjCj2ZVL5P =FoC0 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Christopher Schultz chris at christopherschultz.net writes: Accessing a protected resource triggers an authorization check, which also required authentication. Some realms cache authentication information while others do not. The authenticator is a Valve which uses the Realm to perform the authentication and gather authorization information (e.g. roles). If the user isn't authenticated, then they are challenged for credentials (login form, SSL client certificate, HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then fed back into the realm to authenticate the user. Then the roles are checked for authorization. ok, thanks for this explanation, that's makes it more clear for me. One more question about ...Accessing a protected resource... Which resources are protected is decided by what kind of configuration? Because I do nothing special for this, I think that my configuration is using the normal defaults for BASIC authentification. Perhaps there is some potential space to increase performance by disable this authentification for a lot of request types. Because I will have some issues with the administration of my session handling, can I also influence the JSESSION generation with such kind of configuration or is this done by the used browser only? Background for this question: Now I recognize, when I open a new instance of f.e. an IExplorer with my home url, this new instance use the same JSESSION id, what the parallel running instance is also using. Is it possible to configure this in the tomcat instance or couldn't I influence this behaviour? kind regards Arno - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Am 21. Juli 2015 17:50:43 MESZ, schrieb Arno arno.schae...@sqs.com: Christopher Schultz chris at christopherschultz.net writes: Accessing a protected resource triggers an authorization check, which also required authentication. Some realms cache authentication information while others do not. The authenticator is a Valve which uses the Realm to perform the authentication and gather authorization information (e.g. roles). If the user isn't authenticated, then they are challenged for credentials (login form, SSL client certificate, HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then fed back into the realm to authenticate the user. Then the roles are checked for authorization. ok, thanks for this explanation, that's makes it more clear for me. One more question about ...Accessing a protected resource... Which resources are protected is decided by what kind of configuration? Because I do nothing special for this, I think that my configuration is using the normal defaults for BASIC authentification. Perhaps there is some potential space to increase performance by disable this authentification for a lot of request types. You have to look in the web.xml of your webapp. Google for security-constraints. Newer servlet api versions are able to set those through annotation also. Because I will have some issues with the administration of my session handling, can I also influence the JSESSION generation with such kind of configuration or is this done by the used browser only? Background for this question: Now I recognize, when I open a new instance of f.e. an IExplorer with my home url, this new instance use the same JSESSION id, what the parallel running instance is also using. Is it possible to configure this in the tomcat instance or couldn't I influence this behaviour? That is a feature of ie. It will share is cookies with all windows. If you don't want to use cookies for the authentication (session), you can use the cookies attribute on the context of your webapp. See http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Attributes. Alternatively you can use different browsers, different instances of browsers that don't share their jar of cookies or use different dns names or ip's and this creating different cookie domains. Regards, Felix PS. If you have new questions, you should open new discussions by sending new mails with new titles. kind regards Arno - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Mark Eggers its_toasted at yahoo.com.INVALID writes: It looks like one of the prior developers wrote a custom Realm. Was this application written to run on a prior version of Tomcat (Tomcat 6, for example)? If so, the custom Realm may not work with Tomcat 7. You would have to look at the javadoc for Thanks Mark for this hint, it leads me to the problem, what we have had in our realm and after rewritting some older stuff I have had corrected the behaviour of our webapp and all the misinterpreted debugging stuff was away kind regards Arno - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Felix, On 7/21/15 11:13 AM, Felix Schumacher wrote: Am 21. Juli 2015 17:50:43 MESZ, schrieb Arno arno.schae...@sqs.com: Christopher Schultz chris at christopherschultz.net writes: Accessing a protected resource triggers an authorization check, which also required authentication. Some realms cache authentication information while others do not. The authenticator is a Valve which uses the Realm to perform the authentication and gather authorization information (e.g. roles). If the user isn't authenticated, then they are challenged for credentials (login form, SSL client certificate, HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then fed back into the realm to authenticate the user. Then the roles are checked for authorization. ok, thanks for this explanation, that's makes it more clear for me. One more question about ...Accessing a protected resource... Which resources are protected is decided by what kind of configuration? Because I do nothing special for this, I think that my configuration is using the normal defaults for BASIC authentification. Perhaps there is some potential space to increase performance by disable this authentification for a lot of request types. You have to look in the web.xml of your webapp. Google for security-constraints. Newer servlet api versions are able to set those through annotation also. Because I will have some issues with the administration of my session handling, can I also influence the JSESSION generation with such kind of configuration or is this done by the used browser only? Background for this question: Now I recognize, when I open a new instance of f.e. an IExplorer with my home url, this new instance use the same JSESSION id, what the parallel running instance is also using. Is it possible to configure this in the tomcat instance or couldn't I influence this behaviour? That is a feature of ie. It will share is cookies with all windows. If you don't want to use cookies for the authentication (session), you can use the cookies attribute on the context of your webapp. See http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Attributes . Alternatively you can use different browsers, different instances of browsers that don't share their jar of cookies or use different dns names or ip's and this creating different cookie domains. +1 Also, some browsers have modes where they don't share cookies, etc. with other windows. Google Chrome for example calls this Incognito and it can run a normal window next to an incognito one. Mozilla Firefox has a mode that doesn't persist anything to the disk, but you can't run it side-by-side with another normal window, you have to quit and re-start ff to switch modes. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVroBYAAoJEBzwKT+lPKRY3gsQAJf7Y/m363962K/DRmCM2vkv k21yy8uxBfLmGr16V5aAoONjAZIQYyJQ1gU1XIoKi70m4aefVz6gCTiV/eSG45wM gWmQBptjr2XEmR+PED3N9PBlHhnoUML4czUMZzPfZGpFEbiv3/W0eDitO8EHaw7Z BgGOUwVcdZFq/3lBZA3bahOKF00e3jVhcJIwup23mcfm+SN0anvNUqD46ptqguZ5 YH5daTM1iovTDIOYD1tMSpGBXkCBR9jqP7kAjz88THJbSXdCELjqOosHIhndVnnz jYFDS1C8MKSNXvilMNr4yJAFjgQtUAENvZlcxbvHQYmb7OO8R2Sh8PbIf/jGb2p1 e+8Tilpn1nJ4+gTVlbZ/5ohcwgUsjZc+O5kgEbjCCQ9Ox1GpYF0m2SXTcbUjbRmR 4Ffbh8bbAaUEP/ABh0vt0pDGVpkUZr+SOyNhgXQhuOJy4hCZ/QZK4e9Kal4e9odP mxSw8jdpF2pSP/HtYGAFVopz9/zzGyQE30likBOa6/MUyN6pveWaK6D6wVBWo7PR aUt7tQ/mhgN/HQu2mhCduBHxnzcbXyrx0vsAsC4y4unpvF/98XLxE17h0lDVseTD BQaHkaYvYdw9k9654TZ6pedlJMAF4eHVPLqrQznvvG0pU/im5b0emfHdrvFMev33 mT6vupZqoSU/aztzWGOT =OvvC -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
2015-07-17 20:03 GMT+03:00 Arno Schäfer arno.schae...@sqs.com: Hi all, I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System, maintaining our webapp with around 1000 JSP pages and I am NOT a web developer. I have inherited this application and all of the previous owners are no longer available. So the last 2months I do a lot of reading and debugging the whole bunch of java and jsp code and I think, that I have a basic understanding what the software is doing and how it is implemented at least. The last days I found a lot of configuration issues and I was able to get the whole stuff running in a very downsized environment build on a standard tomcat Installation. I got rid of all special configuration inside the server.xml, so that I was able to fix some things and do it, like it was described in the beautiful tomcat documentation and available wiki's. That's only for some explanations, before the stupid questions may follow: I have to use basic authentication without an own login form. The behavior I see, is that if the webapp is starting a realm instance is correctly created and initialized in my webapp, but if the first request arrive, also the tomcat itself instantiate one object of this class and took the credentials from the automatically upcoming login form (here IExplorer 11). My understanding from reading the documentation is, that, if I configure my own realm in my context.xml (what I have done), that the webapp will use it. That seems to be ok, but why also tomcat itself instantiate an object of my custom realm and take the first request when I want to access my webapp. Therefore I have no own control about my JSessions and so my session management leaks, because I didn't got the info's from the logins, what the tomcat is doing now. What is wrong in my configuration or in my understanding? I want be the only one, that got the requests for the authentication for my webapp. Here are my server.xml, it only contain one Realm line of our realm in the 'Host' section (I strip the comments and the header lines, which are unchanged): [] Several comments: 1) Authentication is performed by an Auntenticator (a kind of Valve), not by a Realm. Realm is essentially just a user/password database interface used by an authenticator. There is one Realm per container (exposed as Container.getRealm()). If none is configured then default implementation returns the one from parent Container. Normally there is at most one authenticator. If there is no Authenticator valve in your context, but your webapp's web.xml declares that an authentication is needed, Tomcat creates an authenticator and inserts it into chain (pipeline) of valves in your context. If by some mistake there are several authenticators in a pipeline, all of them will be active, just like any other valves. http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Authentication http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html 2) What context.xml file have you edited? A usual mistake is to edit the global conf/context.xml file. That file provides defaults for all web applications deployed on Tomcat. You need to edit the file for your own web application. http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Defining_a_context Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to authenticate our webapp against our own relm only
Am 17. Juli 2015 19:03:58 MESZ, schrieb Arno Schäfer arno.schae...@sqs.com: Hi all, I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System, maintaining our webapp with around 1000 JSP pages and I am NOT a web developer. I have inherited this application and all of the previous owners are no longer available. So the last 2months I do a lot of reading and debugging the whole bunch of java and jsp code and I think, that I have a basic understanding what the software is doing and how it is implemented at least. The last days I found a lot of configuration issues and I was able to get the whole stuff running in a very downsized environment build on a standard tomcat Installation. I got rid of all special configuration inside the server.xml, so that I was able to fix some things and do it, like it was described in the beautiful tomcat documentation and available wiki's. That's only for some explanations, before the stupid questions may follow: I have to use basic authentication without an own login form. The behavior I see, is that if the webapp is starting a realm instance is correctly created and initialized in my webapp, but if the first request arrive, also the tomcat itself instantiate one object of this class and took the credentials from the automatically upcoming login form (here IExplorer 11). I think tomcat will always inject a realm into to host when it finds none. But that realm should not interfere with your requests to your webapp. Where have you defined your own realm? How many andwhich webapps do you have? Have you looked at the access logs to see whether the requests all are directed entirely at your webapp and not some other? Regards, Felix My understanding from reading the documentation is, that, if I configure my own realm in my context.xml (what I have done), that the webapp will use it. That seems to be ok, but why also tomcat itself instantiate an object of my custom realm and take the first request when I want to access my webapp. Therefore I have no own control about my JSessions and so my session management leaks, because I didn't got the info's from the logins, what the tomcat is doing now. What is wrong in my configuration or in my understanding? I want be the only one, that got the requests for the authentication for my webapp. Here are my server.xml, it only contain one Realm line of our realm in the 'Host' section (I strip the comments and the header lines, which are unchanged): GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml/ /GlobalNamingResources Service name=Catalina Connector acceptCount=100 connectionTimeout=20 maxThreads=150 port=9150 protocol=HTTP/1.1 redirectPort=8443/ Connector port=8009 protocol=AJP/1.3 redirectPort=8443/ Engine defaultHost=localhost name=Catalina [Realm className=org.apache.catalina.realm.UserDatabaseRealm/] Host appBase=webapps autoDeploy=true name=localhost unpackWARs=true xmlNamespaceAware=false xmlValidation=false [Realm className=de.myproject.tomcat.realm.BITRealm domainName=dom1 .../] /Host /Engine /Service The lines in brackets I have switched on and off in several attempts without the wished result. Without a realm definition in server.xml and only in the context.xml I have had equal results and one combination I have had one time, was that I have to authenticate twice and the first time with the data of tomcat-users.xml and the second time with my own one. Is it possible that there is some more configured in some of the web.xml's or other directories in WEB-INF, what cause this behavior? I have searched there for some words like security, realm, userdatabase and so on, but have found nothing. Hopefully I have explained my problem as good as I know and somebody see my point :) Thanks in advance, best regards, mit freundlichen Grüßen Arno _ SQS hat bei den AIM Awards 2014 zum zweiten Mal die begehrte Auszeichnung International Company of the Year erhalten. http://www.sqs.com/portal/news/de/pressemitteilungen-aim-awards-international-company-of-the-year.php Vorsitzender des Aufsichtsrats: David Bellin Vorstand: Diederik Vos (CEO) ? Ralph Gillessen (COO) ? René Gawron (CFO) SQS AG ? Stollwerckstraße 11 ? 51149 Köln Sitz der Gesellschaft: Köln ? Amtsgericht Köln, HRB 12764 This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly
Re: How to authenticate our webapp against our own relm only
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Arno, Welcome to Tomcat! First of all, thanks for providing all of the background. Second of all, thanks for doing all of this hard work. Third of all, I'm probably not going to be as much help as many other people here will be, but I'll give it a shot. Comments are inline. On 7/17/2015 10:03 AM, Arno Schäfer wrote: Hi all, I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System, maintaining our webapp with around 1000 JSP pages and I am NOT a web developer. I have inherited this application and all of the previous owners are no longer available. So the last 2months I do a lot of reading and debugging the whole bunch of java and jsp code and I think, that I have a basic understanding what the software is doing and how it is implemented at least. The last days I found a lot of configuration issues and I was able to get the whole stuff running in a very downsized environment build on a standard tomcat Installation. I got rid of all special configuration inside the server.xml, so that I was able to fix some things and do it, like it was described in the beautiful tomcat documentation and available wiki's. That's only for some explanations, before the stupid questions may follow: I have to use basic authentication without an own login form. The behavior I see, is that if the webapp is starting a realm instance is correctly created and initialized in my webapp, but if the first request arrive, also the tomcat itself instantiate one object of this class and took the credentials from the automatically upcoming login form (here IExplorer 11). My understanding from reading the documentation is, that, if I configure my own realm in my context.xml (what I have done), that the webapp will use it. Yes, if you place the Realm definition in context.xml, then only that particular web application will use it. If you place the Realm definition in a Host element, then all applications for that host will use it. Finally, if you place the Realm definition inside the Engine element, all virtual hosts inside that Engine will use it. That seems to be ok, but why also tomcat itself instantiate an object of my custom realm and take the first request when I want to access my webapp. Therefore I have no own control about my JSessions and so my session management leaks, because I didn't got the info's from the logins, what the tomcat is doing now. What is wrong in my configuration or in my understanding? I want be the only one, that got the requests for the authentication for my webapp. Here are my server.xml, it only contain one Realm line of our realm in the 'Host' section (I strip the comments and the header lines, which are unchanged): I am going to assume that you have all of the Service and Valve elements that come with the stock server.xml in your file. GlobalNamingResources Resource name=UserDatabase auth=Container type=org.apache.catalina.UserDatabase description=User database that can be updated and saved factory=org.apache.catalina.users.MemoryUserDatabaseFactory pathname=conf/tomcat-users.xml/ /GlobalNamingResources Service name=Catalina Connector acceptCount=100 connectionTimeout=20 maxThreads=150 port=9150 protocol=HTTP/1.1 redirectPort=8443/ Connector port=8009 protocol=AJP/1.3 redirectPort=8443/ Engine defaultHost=localhost name=Catalina [Realm className=org.apache.catalina.realm.UserDatabaseRealm/] Host appBase=webapps autoDeploy=true name=localhost unpackWARs=true xmlNamespaceAware=false xmlValidation=false [Realm className=de.myproject.tomcat.realm.BITRealm domainName=dom1 .../] /Host /Engine /Service The lines in brackets I have switched on and off in several attempts without the wished result. Without a realm definition in server.xml and only in the context.xml I have had equal results and one combination I have had one time, was that I have to authenticate twice and the first time with the data of tomcat-users.xml and the second time with my own one. It looks like one of the prior developers wrote a custom Realm. Was this application written to run on a prior version of Tomcat (Tomcat 6, for example)? If so, the custom Realm may not work with Tomcat 7. You would have to look at the javadoc for https://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/catalina/Realm.h tml And compare it to: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/Realm.h tml In order for a custom Realm to work, you have to place the JAR file containing that implementation in %CATALINA_HOME%\lib. My first reaction is that this has not been done, but you said that you were able to authenticate at least once. Is it possible that there is some more configured in some of the web.xml's or other directories in WEB-INF, what cause this behavior? I have searched there for some words like security, realm, userdatabase and so on,