Re: help with realm setup
Tony

If you use the newly committed JNDIRealm, you can easily arrange that each user has a role whose name is the same as their username. Just set userRoleName to uid (or whatever attribute of the user's directory entry holds the username) and your security constraint below should work.

Authorisation by username is also possible with the original JNDIRealm, if you define a suitable role search, but you couldn't then use LDAP groups for authorisation as well.

John.

At 22:14 14/03/02, Tony Dahbura wrote:

> I would like to set up my realm to allow folks in by userid not by rolename. I do not know what the tag for the web.xml file should be.
>
> The following is a sample security constraint. The role names are working fine, but I need to say if a user is tony or user is x then allow them in, but without the use of roles.
>
> <security-constraint>
>   <display-name>Example Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/jsp/security/protected/*</url-pattern>
>     <!-- If you list http methods, only those methods are protected -->
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <!-- the following does not work because tony is a userid not a rolename -->
>     <!-- what tag should I use to get this to work so userid tony can access the application space? -->
>     <role-name>tony</role-name>
>     <role-name>marketing</role-name>
>     <role-name>role1</role-name>
>   </auth-constraint>
> </security-constraint>
>
> Thanks, Tony
Re: help with realm setup
Micael:

Thanks for the data. The question I have though is that I am using the role-name but this only applies to roles that map (basically as groups) against a series of users that authenticate. I need to map directly against the user without having roles. So I need to be able to do a 1-1 mapping of access to a user without having roles/groups setup. Can this be done when I have no control over the jndi source to control it? Meaning I am trying to use a jndi or whatever source for authentication and say if the person passed in a valid userid and password of X how do I let them in?

Thanks, Tony

Micael Padraig Og mac Grene wrote:

> Just as a start, you need something more like the following. You need to look at how xml dtd are used.
>
> <web-app>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Joes Grill</web-resource-name>
>       <url-pattern>/jsp/pigout.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>hungryman</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Joes Grill</web-resource-name>
>       <url-pattern>/jsp/grill.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>eater</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Joes Grill</web-resource-name>
>       <url-pattern>/jsp/uploads/upload.jsp</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>uploader</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Joes Grill</realm-name>
>   </login-config>
> </web-app>

--
Tony Dahbura
Director Client Services East
Loudcloud Inc.
4501 Singer Court Suite 200
Chantilly, VA 20151
voice: 703.653.6880
fax: 703.961.8268
Re: help with realm setup
Sorry, Tony, I jumped in too fast there. If you want to do it without roles, then the manager is not the app for you. Why don't you make your own app for ids? There are many, many ways to do this. What you want to do depends on the number of users you are talking about, etc., etc. What you want to do is the first specification needed for anyone to give you advice. But, I would not even think of trying to tweak the manager application for this purpose. Build your own. It will be simpler and better for its own uses.

Micael

At 11:27 AM 3/15/02 -0500, you wrote:

> Micael:
>
> Thanks for the data. The question I have though is that I am using the role-name but this only applies to roles that map (basically as groups) against a series of users that authenticate. I need to map directly against the user without having roles. So I need to be able to do a 1-1 mapping of access to a user without having roles/groups setup. Can this be done when I have no control over the jndi source to control it? Meaning I am trying to use a jndi or whatever source for authentication and say if the person passed in a valid userid and password of X how do I let them in?
>
> Thanks, Tony
Re: help with realm setup
On Fri, 15 Mar 2002, Tony Dahbura wrote:

> Date: Fri, 15 Mar 2002 11:27:40 -0500
> From: Tony Dahbura
> Subject: Re: help with realm setup
>
> Micael:
>
> Thanks for the data. The question I have though is that I am using the role-name but this only applies to roles that map (basically as groups) against a series of users that authenticate. I need to map directly against the user without having roles. So I need to be able to do a 1-1 mapping of access to a user without having roles/groups setup. Can this be done when I have no control over the jndi source to control it? Meaning I am trying to use a jndi or whatever source for authentication and say if the person passed in a valid userid and password of X how do I let them in?

Security constraints in web.xml are specified *only* in terms of roles, not usernames. Therefore, if you want a 1:1 mapping, you'll have to (somewhere on the line) convince whichever Realm you are using to look up usernames instead of rolenames when the request.isUserInRole() method is executed. That may or may not take a code change, depending on which realm you are using.

> Thanks, Tony

Craig
Re: help with realm setup
Why don't you just call the role has_username? lol

At 09:30 AM 3/15/02 -0800, you wrote:

> Security constraints in web.xml are specified *only* in terms of roles, not usernames. Therefore, if you want a 1:1 mapping, you'll have to (somewhere on the line) convince whichever Realm you are using to look up usernames instead of rolenames when the request.isUserInRole() method is executed. That may or may not take a code change, depending on which realm you are using.
>
> Craig
Re: help with realm setup
I was serious, you know. That works if all you want is to have it check whether or not the person is a user, and if you want to precode the users.

At 12:20 PM 3/15/02 -0800, you wrote:

> Why don't you just call the role has_username? lol
Re: help with realm setup
Just as a start, you need something more like the following. You need to look at how xml dtd are used.

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Joes Grill</web-resource-name>
      <url-pattern>/jsp/pigout.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>hungryman</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Joes Grill</web-resource-name>
      <url-pattern>/jsp/grill.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>eater</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Joes Grill</web-resource-name>
      <url-pattern>/jsp/uploads/upload.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>uploader</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Joes Grill</realm-name>
  </login-config>
</web-app>

At 05:14 PM 3/14/02 -0500, you wrote:

> I would like to set up my realm to allow folks in by userid not by rolename. I do not know what the tag for the web.xml file should be.
>
> The following is a sample security constraint. The role names are working fine, but I need to say if a user is tony or user is x then allow them in, but without the use of roles.
>
> <security-constraint>
>   <display-name>Example Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/jsp/security/protected/*</url-pattern>
>     <!-- If you list http methods, only those methods are protected -->
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <!-- the following does not work because tony is a userid not a rolename -->
>     <!-- what tag should I use to get this to work so userid tony can access the application space? -->
>     <role-name>tony</role-name>
>     <role-name>marketing</role-name>
>     <role-name>role1</role-name>
>   </auth-constraint>
> </security-constraint>
>
> Thanks, Tony