Re: Windows Local user Login

2010-04-01 Thread Stéphanie Cettou
No, I'm not sure what I want... the only thing I am sure of is my mandatory
(and optional) rules... but I don't know how I will do this...
I asked about Windows local users because for me it is simpler to create
local users than to install a new server with Active Directory... but if it is
necessary (or best) I can install it.
Now, I am writing to understand which solution I must take...

So:
- The webapp runs in a Microsoft Windows 2003 Server environment.
Active Directory is NOT used on this server.
- I don't know what I am doing... but nobody here can do this, so I must learn it...
- Currently the users authenticate with user/password/roles in a SQL
2000 database. I use
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="net.sourceforge.jtds.jdbc.Driver"
       connectionURL="jdbc:jtds:sqlserver://acer1/ServiceCenter;user=sa;password=sa;namedPipe=true"
       userTable="Users" userNameCol="UserId" userCredCol="Password"
       userRoleTable="UsersFeatures" roleNameCol="FeatureID" />

like standard Tomcat authentication. But I need to change it to
implement my goal...

a) Do you have AD already? No
b) Do you have to authenticate against local Microsoft Windows User
DB? not mandatory
c) Can you use your own database? Yes (but I must implement complex
authentication)

Thank you very much Christopher for your help!

Stéphanie



2010/3/31 Christopher Schultz ch...@christopherschultz.net:

 Stéphanie,

 It sounds to me like you're not sure what you want. Your original
 message was asking about how to authenticate against a local Microsoft
 Windows user database (that is, NOT ActiveDirectory, which should be
 trivial). Now it sounds like you want to enforce all kinds of
 constraints on passwords, etc.

 Let's solve one problem at a time.

 On 3/31/2010 11:25 AM, Stéphanie Cettou wrote:
 I have a JSP application and tomcat 5.5.

 my goal is to implement a login for this application with these mandatory
 rules:

 You can deal with password complexity once you've decided how your
 passwords will be stored and how they will be set.

 For example, typically when authenticating against ActiveDirectory, the
 webapp itself does not provide a way to change an AD password. When
 passwords are set is the appropriate time to check for required
 complexity. Password expiration should also be done by some other means:
 Authentication just checks credentials.

 The users must be able to connect from more than one PC; the final application is on
 a Windows 2003 server.

 So, you have the webapp running in a Microsoft Windows 2003 Server
 environment: good to know. Is ActiveDirectory being used in this
 environment? If so, use it. If not, don't set up AD just for your webapp.

 I don't know if I can use Active Directory (create a new Active
 Directory only for this application = install a new server), or other
 things...
 I don't know if I need to implement this in Java, or if an existing
 solution is ready...

 An existing solution is probably already available... in Java.

 I don't have a lot of knowledge of Active Directory, Tomcat, NTLM or
 Kerberos, ...

 If you don't know what you're doing, I highly recommend that you find
 someone who does and make this their job to do.

 I need to be sure to choose the right solution for all points of my goal,
 since I can't spend a lot of time and I can't change my solution
 later...

 Do you have a user database against which you'd like to authenticate
 users? If that database is separate from Microsoft Windows (say, a
 RDBMS), then you don't have to mess with AD/NTLM/whatever: just use one
 of the standard Tomcat realms to do authentication for you. If you
 *must* use the Microsoft Windows user database, then you should look for
 a Java product that can authenticate against such a database.

 So, which is it:

 a) Do you have AD already?
 b) Do you have to authenticate against local Microsoft Windows User DB?
 c) Can you use your own database?

 I'm still not really clear on what your situation is.

 Can you give me more information, please? I don't have enough
 knowledge to choose the simplest and best solution now...

 You are asking about implementing user authentication, which is
 typically an integral part of your security policy. If you don't
 understand what you are doing, anyone could give you horrible advice. My
 advice is to make sure you understand what you're doing before you do it.

 -chris

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Windows Local user Login

2010-04-01 Thread Stéphanie Cettou
Thanks!!!
Now I have a better idea.

I will analyse all this next week.

A very big thanks!
Stéphanie



2010/4/1 Christopher Schultz ch...@christopherschultz.net:

 Stéphanie,

 On 4/1/2010 3:12 AM, Stéphanie Cettou wrote:
 - The webapp runs in a Microsoft Windows 2003 Server environment.
 Active Directory is NOT used on this server.

 Got it.

 - Currently the users authenticate with user/password/roles in a SQL
 2000 database.

 Perfect! There's no reason to mess around with AD/NTLM/Kerberos or any
 of that stuff: just use a standard Realm that ships with Tomcat to
 authenticate against a JDBC user database.

 Uh, does "SQL 2000 Database" really mean Microsoft SQL Server 2000?

 <Realm className="org.apache.catalina.realm.JDBCRealm"

 I highly recommend that you do *not* use JDBCRealm, as this realm is
 effectively single-threaded according to the Tomcat developers.
 Consider using DataSourceRealm instead, which uses a pool of JDBC
 connections to perform authentication.

        driverName="net.sourceforge.jtds.jdbc.Driver"

 If you're running Microsoft SQL Server, you should probably be using the
 Microsoft JDBC driver. Although, I did look up jTDS and it looks like
 it's a decent driver.

        userTable="Users" userNameCol="UserId" userCredCol="Password"
        userRoleTable="UsersFeatures" roleNameCol="FeatureID" />

 like standard Tomcat authentication.

 Okay, great. It wasn't clear that you had an acceptable authentication
 solution already implemented.

 But I need to change it to implement my goal...

 c) Can you use your own database? Yes (but I must implement complex
 authentication)

 I see. Let's go to your previous message:

 - Check type of password (more that 8 char, special char,...)

 Tomcat does not provide any way to change passwords, so you'll have to
 implement these items yourself in your password-change code.

 - Ask new password every month (from the web site)

 Again, you'll have to implement this yourself.

 - Block the user after 3 failed login

 Tomcat does not implement this until recent versions of Tomcat 6.x. Are
 you able to upgrade to the latest Tomcat 6.x? You can use LockOutRealm
 to do /some/ kind of blocking (I'm not sure exactly what your
 requirements are, and I'm not sure exactly what the LockOutRealm does to
 enforce the locking).

 - Block inactive user (ex after 90 days)

 Tomcat does not do this, either: you'll have to either use your own
 authentication system (such as securityfilter
 http://securityfilter.sourceforge.net along with your own Realm
 implementation that includes additional data-checking during the login)
 or in some other way.

 We implement features like the above in our project by using
 securityfilter with a custom Realm, plus a credential Filter which
 checks password age and user status, and then does things like redirect
 all requests to the change password page if you need to change your
 password, etc.

 Perhaps something like that would work for you.

 Hope that helps,
 -chris







Re: Tomcat login

2010-03-31 Thread Stéphanie Cettou
Thank you very much,
I will learn more about this solution.
But all points of my issue list must be covered...
And the other problem is that the users should have access from everywhere
(not only from their PC).

And I have another question: how can I give more roles to a user?

Does a Tomcat solution exist? Or must I do it in Java programming? Or does
another ready solution exist?

Thanks

Stéphanie


2010/3/30 André Warnier a...@ice-sa.com:
 Stéphanie,

 I don't want to interfere with the other people here who are trying to help
 you in the direction of a pure Tomcat solution.  I am incompetent in that
 area, while they are, and their recommendations may in the end be better
 than mine.
 So let's say that there are alternative ways in which your basic issue could
 be solved, and what I am suggesting is one of these possible alternatives.

 The solution I am suggesting consists of separating the user management
 business from the Tomcat application business.

 My first premise is that managing users, passwords, rules for these
 passwords, aging, people coming and going etc.. is a complicated and
 time-consuming task and, if there already exists an AD infrastructure (or 3)
 that does this and people who manage it, maybe you do not want to create and
 manage a 4th system.
 (For example, if you create a mechanism based on a database, then you will
 probably have to synchronise that database with the 3 existing AD databases;
 and you will probably never obtain from the separate admins of the 3 AD
 domains, that they send you every day a new list of their users and
 passwords).
 My second premise is that users, in general, do not like to have to login
 several times, and remember different user-id's and/or passwords for
 different things.
 So if you can propose a solution which requires less additional programming
 and setup, and less management hassle later on, that may be to your own and
 to the users' advantage.

 Based on your previous explanations, I will imagine that there are 3
 locations from where users can access your Tomcat system; that at each of
 those locations, there is a Windows domain based on an AD system; and that
 the users in each of those locations already login to their local domain
 before they access your Tomcat applications; and that these systems already
 manage the business of password rules and aging, and the day-to-day business
 of people coming and going.
 If it is so, you can set up a system whereby the local login which each user
 has already done once when they started their workstation, can be used by
 your Tomcat application(s).  Your Tomcat application(s) will automatically
 receive, for each access, a unique and pre-authenticated user-id for each
 user, just as if you had done the authentication yourself at the Tomcat
 level.  This user-id can include the original domain name of the user (iow
 the location), so that if two users john.smith exist in two separate AD
 domains, they will not be confused.

 This method does not necessarily cover all your needs, and it may still
 require some user data and some management at the Tomcat level, but it may
 also avoid having to re-implement and manage stuff that is already being
 done elsewhere.

 If you are still interested, then go have a look here :
 http://www.ioplex.com/

 I am not saying that this is necessarily the solution for you, but it is
 maybe worth having a look at it.

 (and no, I am not an employee of that company; it is just something I use
 myself with Tomcat, in contexts apparently similar to yours.)





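Stéphanie asks above how a user can get more than one role. With JDBCRealm (and DataSourceRealm) a role is simply one row in the role table: every UsersFeatures row whose UserId matches the user adds the FeatureID value as a role name, so a user with three rows holds three roles. The webapp then says which roles protect which URLs in WEB-INF/web.xml. The excerpt below is an added example for this thread, not configuration taken from the application or from the Tomcat project; the URL patterns and the role names READER, EDITOR and ADMIN are assumed, and would have to match the FeatureID values actually stored.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Excerpt of WEB-INF/web.xml (Servlet 2.4, i.e. Tomcat 5.5 or 6.0).
     Added example for this thread; URL patterns and the role names
     READER, EDITOR and ADMIN are ASSUMED, not taken from the application. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Form login against whatever Realm the Context is configured with
       (the posted JDBCRealm, or a DataSourceRealm). The two JSPs are ASSUMED. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ServiceCenter</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Each name must equal a value of UsersFeatures.FeatureID. A user with
       three rows in UsersFeatures (one per FeatureID) holds all three roles;
       request.isUserInRole("EDITOR") in JSP/Java code sees the same set. -->
  <security-role><role-name>READER</role-name></security-role>
  <security-role><role-name>EDITOR</role-name></security-role>
  <security-role><role-name>ADMIN</role-name></security-role>

  <!-- Read pages: any of the three roles. No <http-method> element is given
       on purpose: listing e.g. only GET would leave POST, HEAD, PUT and every
       other verb on these URLs unauthenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>READER</role-name>
      <role-name>EDITOR</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and session cookie only over HTTPS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Modify pages and objects: EDITOR or ADMIN only -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Editing</web-resource-name>
      <url-pattern>/edit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>EDITOR</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The optional add/modify/delete-user pages: ADMIN only -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```

CONFIDENTIAL only works if the Tomcat HTTP connector has a redirectPort pointing at a configured HTTPS connector; otherwise requests to the protected paths fail instead of being upgraded. The login and error pages must stay outside every protected url-pattern, or the form can never be shown.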



Windows Local user Login

2010-03-31 Thread Stéphanie Cettou
Hi,

Is it possible to do Windows authentication using local Windows XP
users and Tomcat?

I have Tomcat 5.5 and I will make a login for a JSP web site.
I tested with

<Realm className="org.apache.catalina.realm.JDBCRealm" ... />

and

<Realm className="org.apache.catalina.realm.JNDIRealm" ... />
for Active Directory users.

Is it possible to use the local Windows users? If yes, how?

Thanks!

Stéphanie




Re: Windows Local user Login

2010-03-31 Thread Stéphanie Cettou
I am confused...

I have a JSP application and Tomcat 5.5.

My goal is to implement a login for this application with these mandatory rules:

- Check the type of password (more than 8 characters, special characters, ...)
- Ask for a new password every month (from the web site)
- Block the user after 3 failed logins
- Block inactive users (e.g. after 90 days)

and not mandatory:
- Single-Sign-On for some users
- Add/modify/delete users from the web site
- Get more roles for a user (my Java code is ready for a JDBCRealm
login) * read/modify pages and objects


The users must be able to connect from more than one PC; the final application is on
a Windows 2003 server.
I don't know if I can use Active Directory (create a new Active
Directory only for this application = install a new server), or other
things...
I don't know if I need to implement this in Java, or if an existing
solution is ready...

I don't have a lot of knowledge of Active Directory, Tomcat, NTLM or
Kerberos, ...

I need to be sure to choose the right solution for all points of my goal,
since I can't spend a lot of time and I can't change my solution
later...

Can you give me more information, please? I don't have enough
knowledge to choose the simplest and best solution now...

thank you

Stéphanie



2010/3/31 Christopher Schultz ch...@christopherschultz.net:

 Stéphanie,

 On 3/31/2010 10:08 AM, Stéphanie Cettou wrote:
 Is it possible to do Windows authentication using local Windows XP
 users and Tomcat?

 Do you happen to be using ActiveDirectory?

 <Realm className="org.apache.catalina.realm.JNDIRealm" ... />
 for Active Directory users.

 Is it possible to use the local Windows users? If yes, how?

 Try googling for "tomcat windows authentication": there's some stuff out
 there. A couple of things I found before I decided I was getting in over
 my head (are you using NTLM or Kerberos, etc.?), I found these:

 http://spnego.sourceforge.net/
 http://wiki.apache.org/tomcat/FAQ/Windows#Q4

 I'm sure there are others.

 Another possibility (I suspect, though I don't know) is to use IIS out
 in front of Tomcat, and have IIS perform the local authentication for
 you, then pass that information through to Tomcat using AJP. This might
 be an easier path for you to follow.

 -chris







Re: Windows Local user Login

2010-03-31 Thread Stéphanie Cettou
I have SQL Server 2000...

If I decide to use Active Directory, do I need to write my own code to catch
exceptions when a user logs in with an expired, inactive, etc. password?
Is it possible to catch these exceptions from Active Directory in Java?

Thanks!



2010/3/31 Leo Donahue - PLANDEVX leodona...@mail.maricopa.gov:
 What database are you using?

 SQL Server 2005 and later allows you to use the Windows password policy and
 password expiration.  You can enable that when you create your SQL login.
 You create your Windows password policy outside of Tomcat in Active Directory.

 However, as David pointed out to you in your other thread, you have to write
 your own code to catch SQL exceptions when a user logs in with an expired,
 inactive, etc. password.

 Leo

 -Original Message-
 From: Stéphanie Cettou [mailto:s.cet...@gmail.com]
 Sent: Wednesday, March 31, 2010 8:25 AM
 To: Tomcat Users List
 Subject: Re: Windows Local user Login

 I am confused...

 I have a JSP application and Tomcat 5.5.

 My goal is to implement a login for this application with these mandatory
 rules:

 - Check the type of password (more than 8 characters, special characters, ...)
 - Ask for a new password every month (from the web site)
 - Block the user after 3 failed logins
 - Block inactive users (e.g. after 90 days)

 and not mandatory:
 - Single-Sign-On for some users
 - Add/modify/delete users from the web site
 - Get more roles for a user (my Java code is ready for a JDBCRealm
 login) * read/modify pages and objects


 The users must be able to connect from more than one PC; the final application is on a
 Windows 2003 server.
 I don't know if I can use Active Directory (create a new Active Directory
 only for this application = install a new server), or other things...
 I don't know if I need to implement this in Java, or if an existing solution is
 ready...

 I don't have a lot of knowledge of Active Directory, Tomcat, NTLM or
 Kerberos, ...

 I need to be sure to choose the right solution for all points of my goal, since
 I can't spend a lot of time and I can't change my solution later...

 Can you give me more information, please? I don't have enough knowledge to
 choose the simplest and best solution now...

 thank you

 Stéphanie



 2010/3/31 Christopher Schultz ch...@christopherschultz.net:

 Stéphanie,

 On 3/31/2010 10:08 AM, Stéphanie Cettou wrote:
 Is it possible to do Windows authentication using local Windows XP
 users and Tomcat?

 Do you happen to be using ActiveDirectory?

 <Realm className="org.apache.catalina.realm.JNDIRealm" ... />
 for Active Directory users.

 Is it possible to use the local Windows users? If yes, how?

 Try googling for "tomcat windows authentication": there's some stuff
 out there. A couple of things I found before I decided I was
 getting in over my head (are you using NTLM or Kerberos, etc.?), I found
 these:

 http://spnego.sourceforge.net/
 http://wiki.apache.org/tomcat/FAQ/Windows#Q4

 I'm sure there are others.

 Another possibility (I suspect, though I don't know) is to use IIS out
 in front of Tomcat, and have IIS perform the local authentication for
 you, then pass that information through to Tomcat using AJP. This
 might be an easier path for you to follow.

 -chris












Re: Tomcat login

2010-03-30 Thread Stéphanie Cettou
Hi André,
thank you very much for your fast answer.
No, not all users have an Active Directory account (or yes, but in 3
different locations...). And the web site must be accessible
at any time from anywhere...

My idea is to use a new Active Directory only to manage users and
passwords... the problem is managing it from the web site...

But if there is an alternative, for me it is OK.

Is there another solution?

Thanks,

Stéphanie



2010/3/30 André Warnier a...@ice-sa.com:
 Stéphanie Cettou wrote:

  Hi,

  I use Tomcat 5.5.
  I have a JSP application.
  The login is implemented with a database.

 <Realm className="org.apache.catalina.realm.JDBCRealm" ... />

  I need to increase the security. I want the user to have only 3
  retries for the login, the user must change the password every month, I
  need a password policy (8 characters, upper and lower case, ...).

  How can I implement this?

  I think of using Active Directory, but I can't manage users and passwords
  directly with Tomcat, or can I?

 Hi Stéphanie.

 Maybe as an alternative..

 If you mention Active Directory, does that mean that all your Tomcat users
 are working on MS Windows workstations, and login to a Windows domain before
 they call up the browser and access your Tomcat-based applications ?

 I am asking because if that is the case, then there exist solutions which
 would allow your users to not even have to login (to your Tomcat
 applications), and will automatically use their Windows domain user-id for
 Tomcat.
 And the management of users and passwords is then left to the AD system, and
 you get a Single-Sign-On solution at the same time.

 This scenario may or may not fit your needs, but if it does, it may be a big
 simplification for you.







Re: Tomcat login

2010-03-30 Thread Stéphanie Cettou
I will give the issue list, because I think that with Tomcat 6 I
can't do everything... (but I don't know Tomcat)
- Get more roles for a user (my code is ready for a JDBCRealm login) *
read/modify pages and objects
- Check the type of password (more than 8 characters, special characters, ...)
- Ask for a new password every month (from the web site)
- Block the user after 3 failed logins
- Block inactive users (e.g. after 90 days)
- (possibly Single-Sign-On for some users, but I think not possible with
more than one Active Directory) not mandatory
- Add/modify/delete users from the web site

Can I do it with a Tomcat 6 update? How?
Or do other solutions / applications exist?

thanks,

Stéphanie

2010/3/30 Caldarale, Charles R chuck.caldar...@unisys.com:
 From: Stéphanie Cettou [mailto:s.cet...@gmail.com]
 Subject: Re: Tomcat login

 There are an other solution?

 Best if you can upgrade to Tomcat 6 (usually very easy to do from 5.5), and 
 then use the CombinedRealm in conjunction with the JNDIRealm and LockOutRealm:

 http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#CombinedRealm
 http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
 http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#LockOutRealm

 You can always create a custom Realm to extend the capabilities of the above.

  - Chuck







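Chuck's suggestion just above (upgrade to Tomcat 6 and wrap the authenticating realm in LockOutRealm) and Christopher's advice in the 2010-04-01 message (replace JDBCRealm, which is effectively single-threaded, with DataSourceRealm) combine into one Context configuration. The fragment below is an added example for this thread, not configuration from the thread or from the Tomcat project. It assumes a Tomcat 6.0.x release that ships LockOutRealm, the Users/UsersFeatures tables and jTDS driver posted earlier, and a dedicated SQL Server login (called tomcat_auth here, an assumption) with SELECT on those two tables only, in place of the sa account whose password appears in the posted connectionURL. The password-complexity, monthly-change and 90-day-inactivity rules are not covered: as the thread says, those stay in the webapp.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the webapp, Tomcat 6.0.x. Added example for this
     thread, not from the original posts. Names marked ASSUMED are illustrative. -->
<Context>

  <!-- Pooled connections owned by the container, visible to the realm below
       as jdbc/ServiceCenter. The login "tomcat_auth" is ASSUMED: create it in
       SQL Server with SELECT on Users and UsersFeatures only, so a leaked
       context.xml does not hand out sa. The password value is a placeholder. -->
  <Resource name="jdbc/ServiceCenter"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="net.sourceforge.jtds.jdbc.Driver"
            url="jdbc:jtds:sqlserver://acer1/ServiceCenter;namedPipe=true"
            username="tomcat_auth"
            password="CHANGE_ME"
            maxActive="10" maxIdle="2" maxWait="5000"
            validationQuery="SELECT 1" />

  <!-- LockOutRealm: after failureCount consecutive failed logins for one user
       name, that name is rejected for lockOutTime seconds (600 here) without
       consulting the nested realm. The counters live in memory of this Tomcat
       instance only: a restart clears them, and a second node knows nothing
       about them. Anyone who knows a user name can lock that user out. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="3"
         lockOutTime="600">

    <!-- DataSourceRealm reads the pool above (localDataSource="true" because
         the Resource is defined in this Context, not in GlobalNamingResources).
         Roles are the FeatureID values of all UsersFeatures rows for the user.
         digest="SHA" means Users.Password holds the hex SHA-1 of the password,
         not the clear text. Tomcat 6 does not salt, so the webapp's own
         password-change code must store exactly the same unsalted digest. -->
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/ServiceCenter"
           localDataSource="true"
           userTable="Users" userNameCol="UserId" userCredCol="Password"
           userRoleTable="UsersFeatures" roleNameCol="FeatureID"
           digest="SHA" />
  </Realm>
</Context>
```

Existing clear-text values in Users.Password have to be converted before digest="SHA" is switched on; the digest Tomcat expects for one password can be produced with CATALINA_HOME/bin/digest.sh (digest.bat on Windows) -a SHA followed by the password. The jTDS jar goes in CATALINA_HOME/lib, not in the webapp, because the container creates the pool.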



Re: Tomcat login

2010-03-30 Thread Stéphanie Cettou
Hi,

I found:
http://jeftek.com/222/using-java-code-with-active-directory/

I think I will use these examples to manage the users via Java.

Or I found the Spring Security framework... but I don't understand if it
covers all of my issues or not...

thank you very much for all answer!

Stéphanie



2010/3/30 David kerber dcker...@verizon.net:
 On 3/30/2010 12:04 PM, Stéphanie Cettou wrote:

 I will give the issue list, because I think that with Tomcat 6 I
 can't do everything... (but I don't know Tomcat)
 - Get more roles for a user (my code is ready for a JDBCRealm login) *
 read/modify pages and objects
 - Check the type of password (more than 8 characters, special characters, ...)
 - Ask for a new password every month (from the web site)
 - Block the user after 3 failed logins
 - Block inactive users (e.g. after 90 days)
 - (possibly Single-Sign-On for some users, but I think not possible with
 more than one Active Directory) not mandatory
 - Add/modify/delete users from the web site

 I can do it with Tomcat 6 update? how?

 Write a webapp (program) to do all of the above.


 Or it exist others solution / applications?

 I don't know of any, but they may exist.

 D



