---- "Caldarale wrote:
> > From: oh...@cox.net [mailto:oh...@cox.net]
> > Subject: Re: Do any of the Tomcat LDAP-type realms support "no password"
> > authentication?
>
> > In other words, even though my valve code can assert a user
> > into Tomcat, and even if that same user already exists in the
> > Tomcat realm, the asserted user seems to be 'disassociated'
> > from the same user in the Tomcat realm?
>
> Need to get some terminology correct here. A Realm does not normally contain
> users, roles, or any other authentication or authorization _data_; rather, it
> is a Java class that embodies rules for examining the credentials supplied by
> a login attempt and comparing them to credentials and roles stored in some
> external location. By default (and never meant to be used in production),
> the external location is the file tomcat-users.xml, and the Realm is
> UserDatabaseRealm (augmented by LockOutRealm to discourage probing). Several
> other Realm classes are supplied with Tomcat, to allow access to credentials
> from LDAP servers, relational databases, JAAS, etc.
>
> I think what you need is essentially a Realm that does no authentication of
> its own (trusting httpd to do that), but does perform the authorization
> function. It can then map the userid to whatever set of roles are
> appropriate for that user, and return the appropriate response when queried.
> See the doc for details:
>
> http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
>
> It would seem likely that someone out there has written a Realm that performs
> the above functions in conjunction with httpd authentication. (Note: you
> keep using the word "Apache" - which is a software organization with many
> products - when you're referring to httpd, a specific Apache product, as is
> Tomcat.)
>
> - Chuck
>
Hi Chuck,

Corrections understood, and I'll try to be more careful.

As you point out, and as I mentioned earlier in the thread, it seems like I've come all the way around to the original subject "...Tomcat LDAP-type realms support "no password" authentication?". I've been and still am looking around for something like that, but haven't found it yet.

I'm still puzzled by something though. Even if I did find (or implement) a realm that was a "no password realm", how do I tie the two pieces that I end up with, the valve and the no-password realm, together?

In other words, I can pull the userID from the incoming header in the valve, but then I think that the valve code then needs to authenticate against the no-password realm. Is that correct? And, if so, how to do that?

I've been looking for a way (API?) to programmatically "authenticate the user" against Tomcat, so that I could add that into my valve code, but haven't been able to find anything yet.

Thanks,
Jim