Colin,

On 1/13/2010 4:01 PM, cgswtsu78 wrote:
> I'm new to tomcat and apache and I've seen some of the tomcat basic auth
> examples on the web and all of them hardcode a user id/password for a role
> in the tomcat-users.xml file.

Yuck!

> What if there is a 1000 userid/pwd
> combinations for that role that are valid, how can the userid/pwd
> configuration be made dynamic?

Remember that the authentication method is really two steps:

1. Credential gathering
2. Authentication of credentials

HTTP BASIC AUTH is your strategy for #1 (other spec-supported strategies are FORM, DIGEST, and CLIENT-CERT).

For the second of those steps, Tomcat uses "realms". The realm you mention above is the UserDatabaseRealm and is configured by default like this:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

This realm is provided mostly to get people up-and-running with things like the Tomcat manager app without forcing them to use a fully-fledged database system for authentication.

In your case, you actually want something more robust than that flat-file-based authentication mechanism. Instead, you should probably use something like a real database. One advantage to using a real database is that changes to the authentication database are effective immediately, instead of having to restart Tomcat for the tomcat-users.xml file to be reloaded.

You should read the documentation for Realms on the Tomcat website, here:
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

It describes each type of realm and how to set up each one.

If you are going to use an RDBMS for your authentication database, I highly recommend using DataSourceRealm which has a nice HOWTO here:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm

> What is the best approach when you have 1000s of userid/pwds that
> are verified by apache and you need to make sure that the user is
> auth'd when they get to the webapp in the tomcat container?

I think it's best to have Tomcat handle the authentication for you. The above information ought to get you started.

Hope that helps,
-chris
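The two steps described in the reply above (BASIC for credential gathering, a database-backed realm for credential checking), shown as an added configuration example that is not part of the original message or of the Tomcat documentation. The JNDI name `jdbc/authDB`, the PostgreSQL driver and URL, the database account, the table and column names, and the role `appuser` are all assumptions chosen for illustration.

```xml
<!-- File 1: META-INF/context.xml of the web application (constructed example) -->
<Context>
  <!-- JNDI DataSource for the credential store. Driver, URL and account are
       placeholders; the account only needs SELECT on the two auth tables. -->
  <Resource name="jdbc/authDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/auth"
            username="tomcat_auth_ro" password="CHANGE_ME"
            maxActive="10" maxIdle="2"/>

  <!-- Used for this application instead of the default UserDatabaseRealm
       (tomcat-users.xml). Assumed schema:
         users(user_name PRIMARY KEY, user_pass)
         user_roles(user_name, role_name)
       With digest set, user_pass holds the hex digest of the password,
       not the cleartext. Rows added or changed are seen on the next login. -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         digest="SHA-256"/>
</Context>

<!-- File 2: fragment of WEB-INF/web.xml. BASIC gathers the credentials,
     the realm above authenticates them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>appuser</role-name></auth-constraint>
  <!-- BASIC sends the password base64-encoded on every request: require TLS -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>app</realm-name>
</login-config>
<security-role><role-name>appuser</role-name></security-role>
```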