You may be able to use the following from HttpServletRequest if REMOTE_USER is passed to Tomcat:

    public java.lang.String getRemoteUser()

    Returns the login of the user making this request, if the user has
    been authenticated, or null if the user has not been
    authenticated. Whether the user name is sent with each subsequent
    request depends on the browser and type of authentication. Same as
    the value of the CGI variable REMOTE_USER.

    Returns:
        a String specifying the login of the user making this request,
        or null

-Terence Bandoian
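As an added example (not code from the thread), a servlet filter that applies the check Terence's quote points at: it refuses every request, whatever the HTTP method, that did not arrive with an authenticated principal. It assumes the setup the thread describes, Apache authenticating the user and proxying to Tomcat over AJP with tomcatAuthentication="false" on the AJP Connector, so that Tomcat populates getRemoteUser() from the REMOTE_USER that mod_jk/mod_proxy_ajp forwards. The filter name, the loginUrl init-parameter and the /login path are assumptions.

```java
package example.auth;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request that carries no authenticated user.
 *
 * Assumed deployment: Apache authenticates, then forwards over AJP to a
 * Connector configured with tomcatAuthentication="false", e.g.
 *
 *   <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false"/>
 *
 * In that mode Tomcat sets the request principal from the REMOTE_USER
 * Apache sends, so getRemoteUser() is non-null exactly when Apache let
 * the user through.
 *
 * Assumed web.xml wiring (filter and parameter names are made up):
 *
 *   <filter>
 *     <filter-name>requireRemoteUser</filter-name>
 *     <filter-class>example.auth.RequireRemoteUserFilter</filter-class>
 *     <init-param><param-name>loginUrl</param-name><param-value>/login</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>requireRemoteUser</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RequireRemoteUserFilter implements Filter {

    // Where unauthenticated callers are sent; overridable via init-param.
    private String loginUrl = "/login";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginUrl");
        if (configured != null && configured.trim().length() > 0) {
            loginUrl = configured.trim();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthenticated(request)) {
            // No principal on the request: stop here for GET, POST and
            // every other method, and send the caller to the login page.
            response.sendRedirect(request.getContextPath() + loginUrl);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True only when the container has attached an authenticated user.
     * Deliberately does not look at any HTTP header: a header such as
     * X-Remote-User could be supplied by anyone who can reach Tomcat
     * directly, whereas the AJP-forwarded principal cannot.
     */
    static boolean isAuthenticated(HttpServletRequest request) {
        String user = request.getRemoteUser();
        return user != null && user.trim().length() > 0;
    }

    public void destroy() {
        // nothing to release
    }
}
```

The check is only as good as the path into Tomcat: if the HTTP connector (port 8080 by default) is reachable from the network, requests there simply have no principal and are redirected, which is the intended outcome, but do not "help" by reading the user name from a request header, since that is spoofable from any direct connection. Bind the HTTP connector to localhost or remove it so that AJP from Apache is the only way in.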


cgswtsu78 wrote:
Chris,
Thanks for the info below.  The problem I have is that the authentication is
already being done on the apache side as my java/tomcat web application
lives within an apache perl application.  I'm just trying to prevent anyone
from being able to deep dive directly to the java/tomcat application via the
URL (i.e. http GET is the only issue).  I was wondering if there is any way
that tomcat can check a flag to see if the user is auth'd and if not
redirect somewhere.  Maybe I'm too narrowly focused here...

Christopher Schultz-2 wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Colin,

On 1/13/2010 4:01 PM, cgswtsu78 wrote:
> I'm new to tomcat and apache and I've seen some of the tomcat basic auth
> examples on the web and all of them hardcode a user id/password for a role
> in the tomcat-users.xml file.

Yuck!

> What if there is a 1000 userid/pwd
> combinations for that role that are valid, how can the userid/pwd
> configuration be made dynamic?

Remember that the authentication method is really two steps:

1. Credential gathering
2. Authentication of credentials

HTTP BASIC AUTH is your strategy for #1 (other spec-supported strategies
are FORM, DIGEST, and CLIENT-CERT).

For the second of those steps, Tomcat uses "realms". The realm you
mention above is the UserDatabaseRealm and is configured by default like
this:

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

This realm is provided mostly to get people up-and-running with things
like the Tomcat manager app without forcing them to use a fully-fledged
database system for authentication. In your case, you actually want
something more robust than that flat-file-based authentication mechanism.

Instead, you should probably use something like a real database. One
advantage to using a real database is that changes to the authentication
database are effective immediately, instead of having to restart Tomcat
for the tomcat-users.xml file to be reloaded.

You should read the documentation for Realms on the Tomcat website, here:
http://tomcat.apache.org/tomcat-6.0-doc/config/realm.html

It describes each type of realm and how to setup each one.

If you are going to use a RDBMS for your authentication database, I
highly recommend using DataSourceRealm which has a nice HOWTO here:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#DataSourceRealm

> What is the best approach when you have 1000s of userid/pwds that
> are verified by apache and you need to make sure that the user is
> auth'd when they get to the webapp in the tomcat container?

I think it's best to have Tomcat handle the authentication for you. The
above information ought to get you started.

Hope that helps,
- -chris
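As an added example, not part of Chris's mail and not copied from the Tomcat docs, here are the two halves of his "two steps" wired up for Tomcat 6: step 2 is a DataSourceRealm in server.xml backed by a JNDI DataSource, replacing the UserDatabaseRealm shown above; step 1 is a security-constraint plus BASIC login-config in the webapp's web.xml. The JNDI name jdbc/authority, the PostgreSQL driver and URL, the database credentials, the table and column names and the role name `user` are all assumptions.

```xml
<!-- conf/server.xml, inside <GlobalNamingResources>: the pool the realm
     queries. Driver, URL and credentials are placeholders. -->
<Resource name="jdbc/authority" auth="Container" type="javax.sql.DataSource"
          driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://localhost/authority"
          username="tomcat_auth" password="change-me"
          maxActive="8" maxIdle="4" maxWait="10000"/>

<!-- conf/server.xml, inside <Engine> or <Host>, in place of the default
     UserDatabaseRealm. Assumed schema:
       users(user_name, user_pass)
       user_roles(user_name, role_name)
     DataSourceRealm joins the role table on the userNameCol name, so the
     role table needs a column called user_name too.
     digest="SHA-256" means user_pass holds the hex digest of the password
     rather than clear text; Tomcat 6 realms hash without a salt, so treat
     this as the minimum, not the goal. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authority"
       digest="SHA-256"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>

<!-- WEB-INF/web.xml of the application: every URL, every HTTP method,
     requires an authenticated user in role "user". No <http-method> is
     listed on purpose: naming only GET would leave POST, HEAD and the
     rest unprotected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password base64-encoded, not encrypted: force TLS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Application</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

With this in place a password change or a disabled account takes effect on the next request, which is the "effective immediately" advantage Chris mentions; the rows in user_roles decide who satisfies the auth-constraint, so a user with no role row is authenticated but still gets 403. Note the digest value stored in user_pass must be produced with the same algorithm named in the Realm's digest attribute.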

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




