Chris, Thanks for the info below. The problem I have is that the authentication is already being done on the apache side as my java/tomcat web application lives within an apache perl application. I'm just trying to prevent anyone from being able to deep dive directly to the java/tomcat application via the URL (i.e. http GET is the only issue). I was wondering if there is any way that tomcat can check a flag to see if the user is auth'd and if not redirect somewhere. Maybe I'm too narrowly focused here...
Christopher Schultz-2 wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Colin,
>
> On 1/13/2010 4:01 PM, cgswtsu78 wrote:
>> I'm new to tomcat and apache and I've seen some of the tomcat basic auth
>> examples on the web and all of them hardcode a user id/password for a role
>> in the tomcat-users.xml file.
>
> Yuck!
>
>> What if there are 1000 userid/pwd combinations for that role that are valid,
>> how can the userid/pwd configuration be made dynamic?
>
> Remember that the authentication method is really two steps:
>
> 1. Credential gathering
> 2. Authentication of credentials
>
> HTTP BASIC AUTH is your strategy for #1 (other spec-supported strategies
> are FORM, DIGEST, and CLIENT-CERT).
>
> For the second of those steps, Tomcat uses "realms". The realm you
> mention above is the UserDatabaseRealm and is configured by default like
> this:
>
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>        resourceName="UserDatabase"/>
>
> This realm is provided mostly to get people up-and-running with things
> like the Tomcat manager app without forcing them to use a fully-fledged
> database system for authentication. In your case, you actually want
> something more robust than that flat-file-based authentication mechanism.
>
> Instead, you should probably use something like a real database. One
> advantage to using a real database is that changes to the authentication
> database are effective immediately, instead of having to restart Tomcat
> for the tomcat-users.xml file to be reloaded.
>
> You should read the documentation for Realms on the Tomcat website, here:
> http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html
>
> It describes each type of realm and how to set up each one.
>
> If you are going to use an RDBMS for your authentication database, I
> highly recommend using DataSourceRealm which has a nice HOWTO here:
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm
>
>> What is the best approach when you have 1000s of userid/pwds that
>> are verified by apache and you need to make sure that the user is
>> auth'd when they get to the webapp in the tomcat container?
>
> I think it's best to have Tomcat handle the authentication for you. The
> above information ought to get you started.
>
> Hope that helps,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAktONsQACgkQ9CaO5/Lv0PAyegCfa+RzlKYGTzEGSPO879eAjOYp
> qHwAoIBF4jIjEHmtFpGHuxXOusWIDul4
> =cDfv
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

--
View this message in context: http://old.nabble.com/Best-Basic-Auth-Approach-tp27151922p27152143.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
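The question in this thread is whether Tomcat can "check a flag" and redirect when a request reaches the webapp unauthenticated. The following servlet filter is an added example, not code from either poster or from Tomcat itself; it shows the one check that is safe to make: the principal the container populated after its realm (UserDatabaseRealm, DataSourceRealm, or any other) authenticated the request, which is what Chris's realm approach gives you. The class name `RequireAuthFilter`, the init-param `loginUrl` and the `/login` path are assumptions for illustration. Note what it deliberately does not do: it never treats a request header, cookie or query parameter as the "flag", because anyone who can reach the Tomcat connector directly can set those themselves. If Apache is meant to be the only way in, the HTTP connector should not be reachable from outside (for example, bound to localhost), and the filter is defence in depth, not a substitute for that.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not part of the thread or of Tomcat):
 * refuses to serve any request that reaches the webapp without a principal
 * set by the container, redirecting the browser to a login URL instead.
 * Map it to /* in web.xml so a direct GET cannot bypass it.
 */
public class RequireAuthFilter implements Filter {

    // Assumed default; override with an init-param named "loginUrl".
    private String loginUrl = "/login";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("loginUrl");
        if (configured != null && !configured.isEmpty()) {
            loginUrl = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAuthenticated(request)) {
            chain.doFilter(req, res);
            return;
        }

        // Unauthenticated: do not leak the protected page, send the user to log in.
        // The redirect target is built from the context path, never from request input,
        // so it cannot be turned into an open redirect.
        response.sendRedirect(request.getContextPath() + loginUrl);
    }

    /**
     * The only trustworthy "flag" is the principal the container itself
     * established (via its realm, or via the identity forwarded over the
     * connector from the front-end server). Client-controlled headers or
     * parameters must not be consulted here.
     */
    static boolean isAuthenticated(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        return principal != null
                && principal.getName() != null
                && !principal.getName().isEmpty();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To activate it, declare the class in web.xml with a `<filter>` element, pass `loginUrl` as an `<init-param>` if the default is wrong, and add a `<filter-mapping>` with `<url-pattern>/*</url-pattern>`. With the realm approach from the thread plus a `<security-constraint>` in web.xml, Tomcat already challenges unauthenticated requests before they reach the servlet; this filter adds a second, application-level check so a misconfigured constraint does not silently expose a page.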