Concerning tomcat-users.xml versus database: The number of users has increased by two orders of magnitude AND we don't know ahead of time who those users will be. The user count is an estimate of the number of companies (known) multiplied by the number of users at each company (unknown - we know it is greater than 1).
Concerning Basic Auth: Users are already signed on via SSO through another application. And they cannot log in directly to this application. A header is passed to my web app which has the static password (so I can't do much about that). (Yes, bad...bad...). Unfortunately, the header also has Basic Auth passed to my application. I need Tomcat to pass this request on through, ignoring the Basic Auth in the header.

Tony

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, October 12, 2018 2:25 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 8 and authenticating Basic Auth users

Tony,

On 10/12/18 14:45, Tony Esposito wrote:
> Thank you André for this feedback.
>
> If I may, I wish to approach this from another angle. (The user
> community is larger than at first anticipated).

Since you are switching away from tomcat-users.xml to a real data store, why does a larger user community change things further?

> If the header received has a certain password (which is static for all
> users requesting access), then bypass Basic Auth and let the user
> connect.
>
> (The application does more security checking and authentication on the
> header.)
>
> So the question becomes:
>
> How to disable Basic Auth when the header contains a password which is
> static for all users requesting access?

This makes zero sense. HTTP Basic authentication will require the user to enter their credentials. Once they enter their credentials, you'll inspect the password for some magic value and then you want to retroactively DISABLE HTTP Basic auth? I believe that requires timey-wimeyness.

Why not simply always require username+password, and then opportunistically perform additional checks (as mentioned, but not described) above?

Once the user has authenticated successfully, the browser will continue to send the username+password with each successive request and the user won't be asked again for their credentials. The definition of "authenticated successfully" from the browser's view is when the server stops sending the "WWW-Authenticate" response header.

BTW static password == bad bad bad bad bad bad bad bad bad

If you have a static password, why bother asking for it in the first place? It's like requiring a username + password for a terminal and then stamping the username and password on the monitor. You may as well remove the challenge.

-chris

> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Friday, October 12, 2018 11:29 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 8 and authenticating Basic Auth users
>
> Hi.
>
> On 12.10.2018 16:38, Tony Esposito wrote:
>> Hello, Using Tomcat 8.0.22 on Linux CentOS 6.10:
>>
>> Trying to set up Tomcat to authenticate users that use Basic Auth. I
>> could (possibly) enter these users into the tomcat-users.xml file but
>> we are dealing with 1000 potential users.
>>
>> What happens instead is (of course) the users fail to authenticate
>> and then subsequent attempts by the same user lock the user's
>> account.
>>
>> 11-Oct-2018 16:21:37.970 WARNING [http-nio-8088-exec-25]
>> org.apache.catalina.realm.LockOutRealm.authenticate An attempt was
>> made to authenticate the locked user "myuser"
>>
>> This is 'normal' since after a failed attempt to log in, Tomcat
>> suspects a 'brute force attack' and locks the account. I don't want
>> to lose that security but (as mentioned above) I can't just enter all
>> users into the tomcat-users.xml file.
>>
>> So the basic question: How to do authentication of 1000 users
>> that use Basic Auth?
>>
>> Thanks.
>>
>> Tony
>
> There are two separate parts to this (and it is not specific to
> Tomcat):
>
> - the "basic auth" part is the way it talks to the browser, to get a
> userid/pw (in this case, through a browser popup dialog)
>
> - the "realm" is the way that the server *verifies* the user-id/pw,
> with some back-end "authority". In your case, you have specified that
> this realm is a file. But it can be something else, like a database.
>
> The two are independent, and you can mix and match according to your
> needs. The on-line Tomcat documentation helps, see:
> http://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
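As an added example (not configuration posted by anyone in this thread), the following shows the separation André describes: the authentication *method* (BASIC) is chosen in the web application's web.xml, while the *realm* that verifies credentials is chosen in server.xml. It keeps the brute-force lockout behaviour Tony wants (LockOutRealm) but backs it with a DataSourceRealm instead of tomcat-users.xml, so an arbitrary number of users can be provisioned in a database. The JNDI resource name, JDBC driver and URL, table and column names, and the role name are assumptions for illustration only.

```xml
<!-- conf/server.xml (added example; names below are assumptions) -->

<!-- 1. A container-managed connection pool the realm can look up by JNDI name.
        DataSourceRealm resolves dataSourceName against the global JNDI context
        by default (localDataSource="false"). -->
<GlobalNamingResources>
  <Resource name="jdbc/AuthDB"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://dbhost:5432/auth"
            username="tomcat_auth"
            password="CHANGE_ME"
            maxTotal="20"
            maxIdle="5"/>
</GlobalNamingResources>

<!-- 2. Inside <Engine> (or <Host>): LockOutRealm wraps the real realm and
        keeps the brute-force protection seen in the log line in this thread.
        failureCount/lockOutTime shown here are the Tomcat defaults. -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5"
       lockOutTime="300">
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AuthDB"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name">
    <!-- Tomcat 8 CredentialHandler: compare against salted, iterated
         SHA-256 digests instead of storing plaintext passwords. -->
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"
                       saltLength="16"
                       iterations="10000"/>
  </Realm>
</Realm>

<!-- WEB-INF/web.xml of the application (added example) -->

<!-- 3. The auth method is decided here, independently of the Realm above.
        Swapping BASIC for FORM or DIGEST would not touch server.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>app-user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>MyApp</realm-name>
</login-config>

<security-role>
  <role-name>app-user</role-name>
</security-role>
```

Two practical checks. First, the stored value in `user_pass` must be produced by the same CredentialHandler settings, for example with `bin/digest.sh -a SHA-256 -i 10000 -s 16 <password>`; a mismatch makes every login fail, and with LockOutRealm in front each user will be locked after five failures, which is exactly the `LockOutRealm.authenticate ... locked user` warning quoted above. Second, the lockouts in that log are a symptom of the realm rejecting users it has no record of, not evidence of an attack, so moving the user store to the database removes them without weakening the lockout itself. None of this makes Tomcat ignore a Basic header carrying a shared static password, which is the part Chris objects to: if the credential is the same for every caller it is not authenticating anyone, and the application should either drop the challenge or require real per-user credentials.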