If it may help:
I have implemented a mechanism as described below, in Apache using
mod_perl. I don't know how to do it under Tomcat, or if it is even
possible without rewriting some basic Tomcat code, but maybe the
following gives someone an idea.
(Of course, if you are running Tomcat with an Apache front-end and
mod_jk, you could do it in Apache, and pass the user-id to Tomcat.
That's in fact what I am doing.)
In Apache/mod_perl, it relies on the fact that there are three
consecutive phases in request processing, with possible mod_perl hooks,
and they run in this order:
- an "access control" phase
This phase is supposed to grant or deny access based on some request
characteristic other than the user-id (e.g. the time of day, or the IP
range the request is coming from).
In standard Apache config, this is the equivalent of an "Allow from
..(IP range).." directive. In Tomcat, it would probably be an
"Access-control Valve". There is an example somewhere in the Tomcat
on-line documentation.
- an "authentication phase"
where the request is authenticated (gets a user-id if it doesn't have
one yet)
- an "authorisation phase"
where the request is allowed or not to proceed, depending on whether or
not it has a user-id, and this user-id is supposed to be able to access
this resource.
Basically, I "hijack" the access-control phase, to compare the origin IP
of the request with a table containing IP addresses and corresponding
"group user-ids". If the origin IP matches one of the table entries,
it gets the associated user-id. Otherwise it does not get a user-id.
Anyway, the request is allowed to proceed.
In the authentication phase, it is checked whether the request is
already authenticated. If yes (for example it got a user-id during the
access-control phase), it is allowed to proceed. If not, it gets a
login page.
And finally in the authorisation phase, the request is rejected if it
does not have a user-id.
Now the questions are, in Tomcat,
1) if an "Access-control Valve" runs before an application (webapp) is
invoked. I believe it should, since it is (can be) defined at a higher
level than a webapp.
2) if one could, within such a Valve, attribute a user-id to the
session. That I really don't know, because I have never actually seen a
method allowing one to /set/ a user-id. (But I was probably looking in the
wrong places.)
3) how one could write a custom Valve, and how difficult that would be.
Considering that Tomcat is open-source, one could always take the
standard IP-based Valve and modify it for the purpose.
Alternatively, maybe it is possible to do this IP-based authentication
in a servlet filter wrapped around the webapp. But I have a feeling
that under Tomcat the authentication/authorization phase runs before
even a servlet filter runs, and in that case it might not work.
I am interested also to learn if the above kind of thing is possible,
and if that would be a good way of doing this under Tomcat.
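The three-phase mechanism described above, written out as an added mod_perl 2 example (not the poster's code). It assumes Apache 2.2 (remote_ip; on 2.4 the accessor is client_ip), the CPAN module Net::CIDR, a /login page, and the httpd.conf directives listed in the comments.

```perl
package My::IPGroupAuth;
# Added example of the access-control / authentication / authorisation
# phases. Assumed httpd.conf for the protected <Location>:
#   PerlAccessHandler My::IPGroupAuth::access
#   PerlAuthenHandler My::IPGroupAuth::authen
#   PerlAuthzHandler  My::IPGroupAuth::authz
#   AuthType IPGroup   AuthName "intranet"   Require valid-user
# (a non-"Basic" AuthType keeps the stock basic-auth module from
#  answering the authentication phase before this handler does)
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::Connection ();
use APR::Table ();
use Net::CIDR ();                       # CPAN module, assumed installed
use Apache2::Const -compile => qw(OK FORBIDDEN REDIRECT);

# Constructed table: origin IP range => group user-id handed on to the app.
my @ip_groups = (
    [ '10.1.0.0/16',    'lab-group'    ],
    [ '192.168.5.0/24', 'office-group' ],
);

# Access-control phase: assign a group user-id by origin IP, never deny.
sub access {
    my $r  = shift;
    my $ip = $r->connection->remote_ip;
    for my $entry (@ip_groups) {
        my ($cidr, $uid) = @$entry;
        if (Net::CIDR::cidrlookup($ip, $cidr)) {
            $r->user($uid);             # request now carries a user-id
            last;
        }
    }
    return Apache2::Const::OK;          # proceed whether matched or not
}

# Authentication phase: already has a user-id? pass. Otherwise login page.
sub authen {
    my $r = shift;
    return Apache2::Const::OK if defined $r->user && length $r->user;
    $r->headers_out->set(Location => '/login');   # assumed login page
    return Apache2::Const::REDIRECT;
}

# Authorisation phase: reject whatever still has no user-id.
sub authz {
    my $r = shift;
    return Apache2::Const::OK if defined $r->user && length $r->user;
    return Apache2::Const::FORBIDDEN;
}

1;
```

With mod_jk in front of Tomcat, the user-id set here reaches the webapp as the remote user only if the AJP connector is configured with tomcatAuthentication="false"; otherwise Tomcat's own realm still runs.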
Filip Hanik - Dev Lists wrote:
hi Alex, that is an interesting use case. I don't think there is a way to
do this without doing some customization to the tomcat code base, such
as implementing your own realm.
Filip
Alex Mestiashvili wrote:
Hi all.
I have basic authentication for my Tomcat application.
Now I want to allow access without authentication to this app from
several IP ranges, but leave auth for any other hosts.
I did not find any solution on Google.
Is it possible?
Tomcat version is 6.0.16.
Thanks in advance.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org