Re: single login form for single sign on
I am new to servlets and Tomcat and I was looking at how to authenticate users with my webapps. Is this JDBCRealm the best way to do this, or is there a better way anybody can suggest? If so, where can I get info and samples on this?

Thanks in advance,
Kevin

----- Original Message -----
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 01, 2001 1:36 AM
Subject: Re: single login form for single sign on

> On Thu, 22 Mar 2001, Manish wrote:
>
> > Also can someone explain to me, when my authentication is successful using
> > JDBCRealm, how do I get the role information, 'cause only two attributes
> > are set for the session (username and password). Do I have to go back in
> > the roles table to get the role info or are they stored in some way in
> > the session.
>
> This answer is late, but I'm assuming "better late than never" ...
>
> If a user has been successfully authenticated, then you can access role
> information in one of two ways:
>
> * You can define a security constraint that requires a certain role
>   before the request URI will be processed for this user. If the user
>   tries to access a prohibited page, they will receive a 501 error
>   ("forbidden").
>
> * You can programmatically ask if the currently authenticated user
>   has a certain role by saying something like:
>
>       if (request.isUserInRole("manager")) {
>           ... this user is a manager ...
>       }
>
> The JDBCRealm implementation takes care of reading the required
> information from the roles table in the database for you. There is
> nothing your application needs to worry about for this.
>
> > TIA
> >
> > --
> > Manish Poddar
> > Paycom.net
> > 310-827-5880 x 327
> > 818-415-7447 (m)
>
> Craig McClanahan
Re: single login form for single sign on
On Thu, 22 Mar 2001, Manish wrote:

> Also can someone explain to me, when my authentication is successful using
> JDBCRealm, how do I get the role information, 'cause only two attributes
> are set for the session (username and password). Do I have to go back in
> the roles table to get the role info or are they stored in some way in
> the session.

This answer is late, but I'm assuming "better late than never" ...

If a user has been successfully authenticated, then you can access role information in one of two ways:

* You can define a security constraint that requires a certain role before the request URI will be processed for this user. If the user tries to access a prohibited page, they will receive a 501 error ("forbidden").

* You can programmatically ask if the currently authenticated user has a certain role by saying something like:

      if (request.isUserInRole("manager")) {
          ... this user is a manager ...
      }

The JDBCRealm implementation takes care of reading the required information from the roles table in the database for you. There is nothing your application needs to worry about for this.

> TIA
>
> --
> Manish Poddar
> Paycom.net
> 310-827-5880 x 327
> 818-415-7447 (m)

Craig McClanahan
Re: single login form for single sign on
On Thu, 22 Mar 2001, Manish wrote:

> Also can someone explain to me, when my authentication is successful using
> JDBCRealm, how do I get the role information, 'cause only two attributes
> are set for the session (username and password). Do I have to go back in
> the roles table to get the role info or are they stored in some way in
> the session.

There is no API to say "show me the roles this user is in", but you can ask if they are in a specific role by calling

    if (request.isUserInRole("manager")) {
        ... this user is a manager ...
    }

Internally, JDBCRealm reads the roles assigned to this user once they have been successfully authenticated, and caches that info away so it can answer the isUserInRole() question. The rest of Tomcat also uses this information to decide whether this user is allowed to request protected resources.

> TIA
>
> --
> Manish Poddar

Craig McClanahan
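As an added worked example (not code posted in this thread, and not part of Tomcat), here is a servlet that applies the programmatic isUserInRole() check Craig describes, on top of container-managed authentication. The servlet name, the "manager" and "auditor" role names, and the two response variants are assumptions for illustration; the servlet API calls (getUserPrincipal, isUserInRole, sendError) are the standard javax.servlet ones.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet illustrating programmatic role checks on top of
 * container-managed authentication (for example a JDBCRealm). If the URL
 * is covered by a <security-constraint>, the container has already
 * authenticated the caller before doGet() runs. The servlet still treats
 * a missing Principal as "not logged in" rather than trusting the URL.
 */
public class ReportServlet extends HttpServlet {

    // Role names as the application sees them. If web.xml declares a
    // <security-role-ref> for this servlet, the container maps these
    // names to the realm's role names; otherwise they are used as-is.
    private static final String ROLE_MANAGER = "manager";
    private static final String ROLE_AUDITOR = "auditor";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Only reachable if no security constraint covers this URL
            // (or the constraint is misconfigured). Fail closed.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // There is no "list my roles" call in the Servlet API; ask the
        // container about each role the application actually cares about.
        boolean manager = request.isUserInRole(ROLE_MANAGER);
        boolean auditor = request.isUserInRole(ROLE_AUDITOR);

        if (!manager && !auditor) {
            // Authenticated but not authorized for this resource: answer
            // 403, not a redirect to the login page (that would loop).
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Hello " + user.getName());
        if (manager) {
            out.println("manager view: salaries included");
        } else {
            out.println("auditor view: salaries redacted");
        }
    }
}
```

The declarative constraint in web.xml decides whether the request reaches the servlet at all; the checks inside doGet() then decide what the authenticated user gets to see. Keeping both means a later change to the URL patterns in web.xml cannot silently expose the manager view.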
Re: single login form for single sign on
Craig R. McClanahan wrote:

> On Thu, 22 Mar 2001 [EMAIL PROTECTED] wrote:
>
> > > > So in essence the question is: Is there a way to specify a "global" login
> > > > and error page that will be used by all webapps?
> > >
> > > No. Each web application is still a stand-alone entity.
> > >
> > > What single sign on support does for you is remember that you've signed on
> > > already. You are still using whatever login mechanism is defined for each
> > > individual web app. They don't even have to all use the same approach
> > > (some could be BASIC, some could be FORM, for example).
> >
> > What's the thinking behind this? Single sign on would imply having, at least
> > the option of having a single login page, even if an individual web
> > application could override the default and provide its own (for instance I
> > guess webdav can't use FORM, so would have to override a FORM default to use
> > BASIC/DIGEST).
>
> The primary thinking behind this is to obey the servlet specification's
> requirements :-).
>
> The typical use case is a "portal" site (say, like Yahoo) where there are
> a variety of applications that require you to log on before use, mixed in
> with a ton of stuff that is available to everyone. Each of the
> applications has its own individual look-and-feel (within the broad UI of
> the entire site), and doesn't necessarily *want* to have to share a page.
>
> Now, I can go browse around Yahoo to my heart's content. As soon as I
> access an app that needs a login, I'm asked to do so (within the context
> of that app). To avoid making me unhappy, the site remembers who I am so
> that when I switch to a different application that needs login, I go
> straight to what I asked for without having to identify myself again.
>
> > Having to define login for each web application:
> > 1. provides a maintenance problem if you do want a common login page across
> > all webapps
>
> Seems like a simple problem to solve in your build scripts. Copying
> commonly used components from a single source repository is quite
> straightforward.
>
> > 2. begins to enter into "using my password for something I haven't approved
> > it to be used for" territory. i.e. the login page says you are logging into
> > webapp1, but in fact your login will be used for webapp2. A single login
> > page would tell you you are logging into both.
>
> So, all you have to do is say so on the login page, and this confusion
> cannot happen, right? If you follow the suggestion above and copy the
> common login page to each app you will have certainly done this.
>
> > Hence my initial question - is this just the way it has been done, or does
> > the Spec say it must be done that way etc.?
>
> http://java.sun.com/products/servlet/download.html
>
> See the "Security" chapter in the Servlet 2.2 spec. You will also want to
> review the requirements on servlet contexts (i.e. web applications) and
> sessions (scoped to a single web app) that affect application design for
> environments like the one discussed above.
>
> > Many thanks
> >
> > Tim
>
> Craig McClanahan

Also can someone explain to me, when my authentication is successful using JDBCRealm, how do I get the role information, 'cause only two attributes are set for the session (username and password). Do I have to go back in the roles table to get the role info or are they stored in some way in the session.

TIA

--
Manish Poddar
Paycom.net
310-827-5880 x 327
818-415-7447 (m)
RE: single login form for single sign on
On Thu, 22 Mar 2001 [EMAIL PROTECTED] wrote:

> > > So in essence the question is: Is there a way to specify a "global" login
> > > and error page that will be used by all webapps?
> >
> > No. Each web application is still a stand-alone entity.
> >
> > What single sign on support does for you is remember that you've signed on
> > already. You are still using whatever login mechanism is defined for each
> > individual web app. They don't even have to all use the same approach
> > (some could be BASIC, some could be FORM, for example).
>
> What's the thinking behind this? Single sign on would imply having, at least
> the option of having a single login page, even if an individual web
> application could override the default and provide its own (for instance I
> guess webdav can't use FORM, so would have to override a FORM default to use
> BASIC/DIGEST).

The primary thinking behind this is to obey the servlet specification's requirements :-).

The typical use case is a "portal" site (say, like Yahoo) where there are a variety of applications that require you to log on before use, mixed in with a ton of stuff that is available to everyone. Each of the applications has its own individual look-and-feel (within the broad UI of the entire site), and doesn't necessarily *want* to have to share a page.

Now, I can go browse around Yahoo to my heart's content. As soon as I access an app that needs a login, I'm asked to do so (within the context of that app). To avoid making me unhappy, the site remembers who I am so that when I switch to a different application that needs login, I go straight to what I asked for without having to identify myself again.

> Having to define login for each web application:
> 1. provides a maintenance problem if you do want a common login page across
> all webapps

Seems like a simple problem to solve in your build scripts. Copying commonly used components from a single source repository is quite straightforward.

> 2. begins to enter into "using my password for something I haven't approved
> it to be used for" territory. i.e. the login page says you are logging into
> webapp1, but in fact your login will be used for webapp2. A single login
> page would tell you you are logging into both.

So, all you have to do is say so on the login page, and this confusion cannot happen, right? If you follow the suggestion above and copy the common login page to each app you will have certainly done this.

> Hence my initial question - is this just the way it has been done, or does
> the Spec say it must be done that way etc.?

http://java.sun.com/products/servlet/download.html

See the "Security" chapter in the Servlet 2.2 spec. You will also want to review the requirements on servlet contexts (i.e. web applications) and sessions (scoped to a single web app) that affect application design for environments like the one discussed above.

> Many thanks
>
> Tim

Craig McClanahan
RE: single login form for single sign on
Guys,

I haven't followed your discussion, so if I'm out of line here don't shoot me.

I'm using Apache 1.3.19 together with Tomcat 3.2.1. The website I'm using is secured with a single login. The configuration to do this looks like:

    #
    # secure the site
    #
    deny from all
    AuthType Basic
    AuthUserFile "/a path/http-passwd"
    AuthName "/"
    require valid-user
    satisfy any

So, if any user browses to http://myhost/ a login pops up and the user has to provide a name and password.

I hope this helps anyone.

regards,

Kenneth Westelinck

>From: <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: RE: single login form for single sign on
>Date: Thu, 22 Mar 2001 08:34:26 -0000
>
> > > So in essence the question is: Is there a way to specify a "global" login
> > > and error page that will be used by all webapps?
> >
> > No. Each web application is still a stand-alone entity.
> >
> > What single sign on support does for you is remember that you've signed on
> > already. You are still using whatever login mechanism is defined for each
> > individual web app. They don't even have to all use the same approach
> > (some could be BASIC, some could be FORM, for example).
>
>What's the thinking behind this? Single sign on would imply having, at
>least the option of having a single login page, even if an individual web
>application could override the default and provide its own (for instance I
>guess webdav can't use FORM, so would have to override a FORM default to
>use BASIC/DIGEST).
>
>Having to define login for each web application:
>1. provides a maintenance problem if you do want a common login page across
>all webapps
>2. begins to enter into "using my password for something I haven't approved
>it to be used for" territory. i.e. the login page says you are logging into
>webapp1, but in fact your login will be used for webapp2. A single login
>page would tell you you are logging into both.
>
>Hence my initial question - is this just the way it has been done, or does
>the Spec say it must be done that way etc.?
>
>Many thanks
>
>Tim
>
>
>Tim Dudgeon <[EMAIL PROTECTED]>
>
>--
>DISCLAIMER: This message contains proprietary information some or all of
>which may be confidential and/or legally privileged. It is for the intended
>recipient only who may use and apply the information only for the intended
>purpose. Internet communications are not secure and therefore the British
>Biotech group does not accept legal responsibility for the contents of this
>message. Any views or opinions presented are only those of the author and
>not those of the British Biotech group. If you are not the intended
>recipient please delete this e-mail and notify the author immediately by
>calling ++44 (0)1865 748747; do not use, disclose, distribute, copy, print
>or rely on this e-mail.
RE: single login form for single sign on
> > So in essence the question is: Is there a way to specify a "global" login
> > and error page that will be used by all webapps?
>
> No. Each web application is still a stand-alone entity.
>
> What single sign on support does for you is remember that you've signed on
> already. You are still using whatever login mechanism is defined for each
> individual web app. They don't even have to all use the same approach
> (some could be BASIC, some could be FORM, for example).

What's the thinking behind this? Single sign on would imply having, at least the option of having a single login page, even if an individual web application could override the default and provide its own (for instance I guess webdav can't use FORM, so would have to override a FORM default to use BASIC/DIGEST).

Having to define login for each web application:
1. provides a maintenance problem if you do want a common login page across all webapps
2. begins to enter into "using my password for something I haven't approved it to be used for" territory. i.e. the login page says you are logging into webapp1, but in fact your login will be used for webapp2. A single login page would tell you you are logging into both.

Hence my initial question - is this just the way it has been done, or does the Spec say it must be done that way etc.?

Many thanks

Tim

Tim Dudgeon <[EMAIL PROTECTED]>
Re: single login form for single sign on
On Wed, 21 Mar 2001 [EMAIL PROTECTED] wrote:

> I want to use the single sign on capabilities of Tomcat4 with FORM based
> authentication. However it does not seem possible to define a single login
> and error page. Even though single sign on and a Realm are specified in
> $TOMCAT_HOME/conf/server.xml, and FORM authentication is specified in
> $TOMCAT_HOME/conf/web.xml (e.g. to use /login/login.html as the login page),
> when there is a need to authenticate from a particular webapp, the login
> page is referenced relative to the context (e.g.
> $TOMCAT_HOME/webapps/myapp/login/login.html). This would involve copying the
> login pages into every webapp, which gives a maintenance problem.
>
> So in essence the question is: Is there a way to specify a "global" login
> and error page that will be used by all webapps?

No. Each web application is still a stand-alone entity.

What single sign on support does for you is remember that you've signed on already. You are still using whatever login mechanism is defined for each individual web app. They don't even have to all use the same approach (some could be BASIC, some could be FORM, for example).

> Many thanks
>
> Tim

Craig McClanahan
single login form for single sign on
I want to use the single sign on capabilities of Tomcat4 with FORM based authentication. However it does not seem possible to define a single login and error page. Even though single sign on and a Realm are specified in $TOMCAT_HOME/conf/server.xml, and FORM authentication is specified in $TOMCAT_HOME/conf/web.xml (e.g. to use /login/login.html as the login page), when there is a need to authenticate from a particular webapp, the login page is referenced relative to the context (e.g. $TOMCAT_HOME/webapps/myapp/login/login.html). This would involve copying the login pages into every webapp, which gives a maintenance problem.

So in essence the question is: Is there a way to specify a "global" login and error page that will be used by all webapps?

Many thanks

Tim

Tim Dudgeon <[EMAIL PROTECTED]>