Hi Les,
I hope not to be a strain on your nerves but my problem deals with
container security. With standard wicket technology I couldn't solve my
problem so I thought Shiro would be an alternative.
My standard security settings for the application are set in the web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>PTSAARWEB</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JKNZL01</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>JKNZL01</role-name>
</security-role>
In my understanding this will cause the application server to start
login.jsp to get username and password.
<html>
<head>
    <title>Login</title>
</head>
<body bgcolor="white">
    <div class="title">Please Login</div>
    <form action="j_security_check" method="post">
        <table>
            <tr>
                <td align="right">Username:</td>
                <td><input name="j_username"></td>
            </tr>
            <tr>
                <td align="right">Password:</td>
                <td>
                    <input type="password" name="j_password">
                </td>
            </tr>
        </table>
        <input type="submit" value="Login">
    </form>
</body>
</html>
The j_security_check method checks username and password against the user
realm (i.e. tomcat-users.xml) and allows or denies access to my
application.
But in my testing environment with a tomcat application server everybody
with the right password can start the application even with the wrong role.
In our customer environment with a BEA application server it's the same
problem.
A JSF based application works fine in both environments with the same
security settings.
So my question: Is it possible to use container security settings with
shiro? Are custom realms the solution - but how to access the container
security settings?
Thanks for your patience.
Best regards, Peter
From: "Les Hazlewood-2 [via Shiro User]"
<[email protected]>
To: Peter Diefenthaeler/DEU/c...@csc
Date: 21.06.2010 18:05
Subject: Re: Basic authentication with tomcat
Hi Peter,
Absolutely. Please read
http://incubator.apache.org/shiro/configuration.html  Sections 1.2.2 and
1.2.3 are how you define static users, roles and permissions.
Cheers,
Les
On Mon, Jun 21, 2010 at 1:06 AM, PDiefent <[hidden email]> wrote:
Hi Les,
thanks for your detailed answer. The only thing I don't understand is how
to use permissions and passwords from the tomcat realm?
In my tomcat/conf folder I have a tomcat-users.xml with users and
roles:
<tomcat-users>
    <user name="admin" password="admin" roles="admin,manager" />
    <user username="eoe1" password="eoe1" roles="AarWeb"/>
    <user username="eoe" password="zorro" roles="AarWeb"/>
    <user username="admin" password="admin" roles="admin,manager"/>
    <role rolename="AarWeb"/>
    <role rolename="manager"/>
    <role rolename="admin"/>
</tomcat-users>
How can this be matched with shiro security?
Thanks, Peter
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Basic-authentication-with-tomcat-tp5120604p5203301.html
Sent from the Shiro User mailing list archive at Nabble.com.
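
The mapping asked about in this thread, as an added example that is not part of the original messages or of Shiro's own code: a Python script that reads a tomcat-users.xml like the one quoted above, renders the equivalent Shiro INI [users] section (name = password, role1, role2), and lists which users hold a given role such as the JKNZL01 required in the web.xml. The sample XML is constructed from the thread, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the tomcat-users.xml quoted in the thread.
TOMCAT_USERS = """<tomcat-users>
  <user name="admin" password="admin" roles="admin,manager"/>
  <user username="eoe1" password="eoe1" roles="AarWeb"/>
  <user username="eoe" password="zorro" roles="AarWeb"/>
  <user username="admin" password="admin" roles="admin,manager"/>
  <role rolename="AarWeb"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
</tomcat-users>"""

def parse_tomcat_users(xml_text):
    """Return ({user: (password, [roles])}, set of declared role names)."""
    root = ET.fromstring(xml_text)
    users = {}
    for el in root.iter("user"):
        # The quoted file uses both name= and username=; accept either.
        name = el.get("username") or el.get("name")
        if not name:
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        entry = (el.get("password", ""), roles)
        # An identical duplicate is harmless; a conflicting one is an error.
        if name in users and users[name] != entry:
            raise ValueError(f"conflicting definitions for user {name!r}")
        users[name] = entry
    declared = {el.get("rolename") for el in root.iter("role")}
    return users, declared

def to_shiro_ini(users):
    """Render a Shiro INI [users] section: name = password, role1, role2."""
    lines = ["[users]"]
    for name, (password, roles) in users.items():
        lines.append(f"{name} = {', '.join([password] + roles)}")
    return "\n".join(lines)

def users_with_role(users, role):
    """Users who would satisfy a constraint that requires `role`."""
    return sorted(n for n, (_, roles) in users.items() if role in roles)

if __name__ == "__main__":
    users, declared = parse_tomcat_users(TOMCAT_USERS)
    print(to_shiro_ini(users))
    print("hold JKNZL01:", users_with_role(users, "JKNZL01"))
```

With the sample above no user holds JKNZL01, so a correctly enforced role constraint would reject all three accounts.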