Anonymous access with Tomcat Authentication configured.

2007-10-09 Thread Semen Vadishev
Hi,

I'm developing a servlet using servlet API 2.3 on the Tomcat application server,
and now my task is to implement path-based authentication (pba) with the
following Tomcat configuration:

auth-method= BASIC
Realm className=org.apache.catalina.realm.MemoryRealm

But the behavior I need is:
1. If Tomcat gets a request with no user information (username/password)
it should pass it to the servlet, and then the servlet, after handling the request's URI
according to the pba config file, may send SC_UNAUTHORIZED (if it needs an
authenticated user) or SC_FORBIDDEN (if any access is denied).
2. If Tomcat gets a request with a username and password it should check them
against conf/tomcat-users.xml and, if the user is authenticated, pass it to the
servlet.

After some research I found that there is no way to pass the request to the servlet
in clause 1 using the configuration I've pointed out. So what should I do to get
the behaviour I need?
All thoughts, advice and everything else are welcome.

Thanks!
S. Vadishev.


Re: Anonymous access with Tomcat Authentication configured.

2007-10-09 Thread Semen Vadishev
Christopher, thanks for reply.

2007/10/9, Christopher Schultz [EMAIL PROTECTED]:


 You cannot do this with Tomcat's authentication mechanism. You will have
 to provide an alternative implementation. I recommend looking at
 securityfilter ( http://securityfilter.sourceforge.net ).


Well, securityfilter doesn't satisfy some of the servlet's requirements, so as you
said I will have to provide my own low-level authentication mechanism. It
will be my first implementation, so any help will be appreciated.

Thanks,
S. Vadishev.


Re: Anonymous access with Tomcat Authentication configured.

2007-10-09 Thread Semen Vadishev
Christopher,

2007/10/9, Christopher Schultz [EMAIL PROTECTED]:

  You cannot do this with Tomcat's authentication mechanism. You will
  have to provide an alternative implementation. I recommend looking
  at securityfilter ( http://securityfilter.sourceforge.net ).
 
  Well, securityfilter doesn't satisfy some of the servlet's requirements

 Like what?


Sorry if I was wrong, but does securityfilter support such auth-methods as
BASIC, DIGEST, etc.? It was stated at http://securityfilter.sourceforge.net
that BASIC authentication would be supported in an upcoming 1.1 release. But at
http://sourceforge.net/projects/securityfilter/ I found some newer release
notes, and nothing in them about added support for other auth methods.

  so as you said I will have to provide my own low-level authentication
  mechanism.

 You can use Tomcat's built-in Realm as a basis for the authentication --
 so, for instance, you don't have to write your own SELECT query, etc.


Thanks, I've got it.

 ...why you want your own servlets to do the authorization instead
 of the container (or securityfilter)?


This is the main question. Today we decided not to do anything new with
authentication and to use a special guest user in the first version of the servlet.
Only if users ask for the anonymous access I described earlier will we
develop a custom mechanism or maybe use securityfilter. As I understand it, you
represent the interests of securityfilter's developers (sorry if that's a mistake),
and it would be great if you'd look at the servlet's code at
http://svn.svnkit.com/repos/svnkit/trunk/ (svnkit-dav subdirectory) and give
me a response on how to use securityfilter with our servlet.

 It will be my first implementation, so any help will be appreciated.

 First servlet implementation, or first authentication and authorization
 implementation?


First authentication and authorization implementation.

Thanks,
S. Vadishev.


Re: Anonymous access with Tomcat Authentication configured.

2007-10-09 Thread Semen Vadishev
Christopher, thank you for your great help,

2007/10/10, Christopher Schultz [EMAIL PROTECTED]:

  ...why you want your own servlets to do the authorization instead
  of the container (or securityfilter)?
 
  This is the main question. Today we decided to do nothing new with
  authentication and use special guest user in the first version of
 servlet.

 I'm not sure what that means.


Well, have you ever configured path-based authentication for a Subversion
server? The pba config file contains a set of rules, and they look like

[/path/in/repos]
*=
user1=r

So an anonymous user has no read permissions, but a user logged on as user1
may read from /path/in/repos. In our case, the configuration above means that a
user logged on as guest has no permissions and user1 has read
permissions.


 And only if users will ask for anonymous access I described earlier, we'll
  develop custom mechanism or maybe use security filter.

 I'm not convinced you need either. You can use the built-in Tomcat
 authentication to do logins.


It sounds interesting. So if there is no security-constraint element in
web.xml, Tomcat doesn't provide authorization, right? And if
web.xml contains a login-config element and doesn't contain a
security-constraint element, then the servlet gets a Principal object anyway
(if the client sent user/pass then request.getRemoteUser() returns the user, and
if not, request.getRemoteUser() returns null)? Well, at least I will try to
configure Tomcat this way.

 You can also use the built-in
 authorization, but it looks like you don't want authorization at all:
 you want a site that basically lets anyone use it, but also allows
 logins for other things (but you haven't mentioned any of them).


There is no site and no pages; we have a servlet that handles requests via the WebDAV
protocol (an extension of HTTP/1.1). There are two types of requests we
should handle in the servlet:
1. Requests with no authentication data. If such a request tries to access
/some/path and the pba config file contains the rule:
[/some/path]
*=r
then we do not send any error, handle the request and send the result normally;
otherwise we send an SC_UNAUTHORIZED error.
2. Requests with authentication data, for instance the client sends us a
username/password and tries to access /some/path. So we want Tomcat to check
whether this username/password pair is valid (at this moment Tomcat looks at the
Realm class, I think), so if it's not valid, Tomcat should send
SC_UNAUTHORIZED; otherwise the servlet checks the request using pba, and if the pba config
file has the rule:
[/some/path]
username=r
then we do not send any error and handle the request normally; otherwise we send
an SC_FORBIDDEN error.
So my question now is: if Tomcat is configured to provide built-in
authentication and not built-in authorization, can we get the
described behavior?

Hope this explanation is clearer.

Thanks,
S. Vadishev.


Re: Anonymous access with Tomcat Authentication configured.

2007-10-09 Thread Semen Vadishev
Christopher,

2007/10/10, Christopher Schultz [EMAIL PROTECTED]:

 Tomcat's built-in AA requires that an unauthenticated user request a
 protected resource (protected by a security-constraint). When this
 happens, Tomcat intercepts the request internally and issues the
 appropriate login request (HTTP AUTH, FORM, etc.). Upon successful
 authentication, Tomcat re-processes the original request.

 Tomcat authorization is done separately, though probably by the same
 component (Valve).

[...]


 Don't worry: authentication is really easy. Authorization isn't that
 bad, either, especially since you will probably only have a single
 servlet that needs protecting. The problem with these things is usually
 making sure you didn't miss anything (like leaving a swath of URIs
 unprotected).

 Feel free to look at Tomcat's Realm implementations for coding
 inspiration.


So implementing an internal server component (probably a valve) is the only
solution, right? And is this a container-independent solution?

Thanks,
S. Vadishev.
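The behaviour spelled out two messages up (anonymous request: serve it if the pba rule grants "*" read access, else 401; request with credentials: 401 if they are invalid, 403 if the user is authenticated but the rule denies them) can be done inside the webapp as a servlet Filter, which also answers the Valve question in the last message: a Filter is plain servlet API, so it is container-independent, unlike a Valve. The following is an added example written for this page, not SVNKit's code and not from the mailing-list participants. It parses the BASIC Authorization header itself, so no login-config or security-constraint is needed and anonymous requests reach the servlet. The user table, the "pba-rules" init-param, the realm name, the set of WebDAV methods treated as reads, and the rule semantics (most specific section that names the user or "*" decides; no rule means no access, as in Subversion's authz) are all assumptions of the example; a real deployment would replace the user map with a lookup against tomcat-users.xml or the container Realm. Java 8 or later is assumed for java.util.Base64.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Illustrative filter (not the project's code): BASIC auth plus Subversion-style path rules. */
public class PathAuthFilter implements Filter {
    /** Assumption: demo credential table; a real filter would consult tomcat-users.xml / the Realm. */
    private final Map<String, String> users = new HashMap<String, String>();
    /** section path -> (user name or "*" -> permission string such as "r" or "rw") */
    private Map<String, Map<String, String>> rules = new LinkedHashMap<String, Map<String, String>>();
    private static final String REALM_NAME = "svnkit-dav";            // assumption
    /** Assumption: these WebDAV methods only read; every other method needs "w". */
    private static final Set<String> READ_METHODS =
            new HashSet<String>(Arrays.asList("GET", "HEAD", "OPTIONS", "PROPFIND", "REPORT"));

    public void init(FilterConfig cfg) throws ServletException {
        rules = parseRules(cfg.getInitParameter("pba-rules"));   // assumption: rules text in web.xml init-param
        users.put("user1", "secret");                               // assumption: demo user only
    }

    public void destroy() { }

    /** Parses "[/path]" sections followed by "name=perms" lines; blank lines and # comments are ignored. */
    public static Map<String, Map<String, String>> parseRules(String text) {
        Map<String, Map<String, String>> out = new LinkedHashMap<String, Map<String, String>>();
        if (text == null) return out;
        Map<String, String> section = null;
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.length() == 0 || line.startsWith("#")) continue;
            if (line.startsWith("[") && line.endsWith("]")) {
                section = new HashMap<String, String>();
                out.put(line.substring(1, line.length() - 1), section);
            } else if (section != null && line.indexOf('=') > 0) {
                int eq = line.indexOf('=');
                section.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
        return out;
    }

    /** The most specific matching section that names the user (or "*") decides; nothing matched means "". */
    public static String permsFor(Map<String, Map<String, String>> rules, String path, String user) {
        List<String> matching = new ArrayList<String>();
        for (String p : rules.keySet()) {
            String prefix = p.endsWith("/") ? p : p + "/";     // "/a" must not match "/ab"
            if (path.equals(p) || path.startsWith(prefix)) matching.add(p);
        }
        matching.sort((a, b) -> b.length() - a.length());       // deepest section first
        for (String p : matching) {
            Map<String, String> section = rules.get(p);
            if (user != null && section.containsKey(user)) return section.get(user);
            if (section.containsKey("*")) return section.get("*");
        }
        return "";
    }

    /** Returns {user, password} from a "Basic <base64>" header, or null if the header is malformed. */
    static String[] decodeBasic(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = pair.indexOf(':');
        return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM_NAME + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getPathInfo() == null ? "/" : request.getPathInfo();
        String user = null;
        String header = request.getHeader("Authorization");
        if (header != null) {                                    // credentials were sent: they must be valid
            String[] creds = decodeBasic(header);                // a malformed header is a failed login, not anonymous
            if (creds == null || !creds[1].equals(users.get(creds[0]))) { challenge(response); return; }
            user = creds[0];
        }
        String perms = permsFor(rules, path, user);
        boolean allowed = READ_METHODS.contains(request.getMethod()) ? perms.indexOf('r') >= 0
                                                                     : perms.indexOf('w') >= 0;
        if (allowed) chain.doFilter(req, res);                   // rule grants access: hand over to the servlet
        else if (user == null) challenge(response);              // anonymous and denied: 401 so the client can log in
        else response.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated but denied: 403
    }
}
```

Map the filter to the DAV servlet with a filter-mapping in web.xml so that every URI the servlet serves passes through it; a URL pattern narrower than the servlet's leaves those URIs unprotected, which is exactly the "swath of URIs unprotected" mistake warned about above. With the rules from the thread, an anonymous PROPFIND on /some/path under "[/some/path] *=r" passes, the same request under "*=" gets 401 with a WWW-Authenticate challenge, and user1 sending a valid password but hitting a section that grants only "*=" gets 403.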