Re: Authentication from a REST service
Martin,

On 7/29/13 12:30 PM, Martin O'Shea wrote:
> Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

Just read the whole page:

Container-provided authentication can be done without writing any code at all:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

If you don't understand, come back and ask more specific questions.

-chris
Re: Authentication from a REST service
Martin,

On 7/28/13 10:40 AM, Martin O'Shea wrote:
> Have you an example at all? At the moment, I've simply rigged a simple authentication method of my own. Have you a code example of container-provided authentication system, or could you refer me to one?

Container-provided authentication can be done without writing any code at all:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

-chris
RE: Authentication from a REST service
Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 29 Jul 2013 17 21
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/28/13 10:40 AM, Martin O'Shea wrote:
> Have you an example at all? At the moment, I've simply rigged a simple authentication method of my own. Have you a code example of container-provided authentication system, or could you refer me to one?

Container-provided authentication can be done without writing any code at all:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

-chris
RE: Authentication from a REST service
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Authentication from a REST service

> Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

Don't top-post; it makes the conversation impossible to follow.

Step 1: read the security section of the Servlet spec.

Step 2: read the Tomcat doc Chris pointed out to you.

Step 3: look at the WEB-INF/web.xml settings in the relevant examples that come with Tomcat, including the manager and host-manager webapps.

 - Chuck
Re: Authentication from a REST service
Martin,

On 7/27/13 12:00 PM, Martin O'Shea wrote:
> Are there any suggestions if I'm not using servlet 3?

Any reason the container-provided authentication system (e.g. HTTP BASIC) isn't acceptable?

-chris
RE: Authentication from a REST service
Chris

Have you an example at all? At the moment, I've simply rigged a simple authentication method of my own. Have you a code example of container-provided authentication system, or could you refer me to one?

Thanks

Martin O'Shea.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 28 Jul 2013 15 37
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/27/13 12:00 PM, Martin O'Shea wrote:
> Are there any suggestions if I'm not using servlet 3?

Any reason the container-provided authentication system (e.g. HTTP BASIC) isn't acceptable?

-chris
RE: Authentication from a REST service
Are there any suggestions if I'm not using servlet 3?

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 18 Jul 2013 18 52
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml. So in addition to this, I would need a filter set to intercept request with a url pattern /rest/*. This filter can then call HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do it.

I'm assuming that Jersey is using ServletRequest.getPrincipal to get authentication information from the caller (which is a reasonable assumption IMO). If it's being done in some other way, then this technique may not work.

-chris
Authentication from a REST service
Hello

I am in the process of setting up a web service between an Android app and Tomcat 6.0.26 implemented with Jersey.

I already have client and server communicating with each other by sending XML requests. But I would like the user of the client to be authenticated by the server for a set period of time and then have to re-authenticate after that time has expired.

Can anyone suggest anything?

Thanks

Martin O'Shea.
Re: Authentication from a REST service
Martin O'Shea wrote:
> Hello
>
> I am in the process of setting up a web service between an android app and Tomcat 6.0.26 implemented with Jersey.
>
> I already have client and server communicating with each other by sending XML requests. But I would like the user of the client to be authenticated by the server for a set period of time and then have to re-authenticate after that time has expired.
>
> Can anyone suggest anything?

It may be better to ask this on the Jersey user's list.

I would imagine that Jersey provides a way to force the client to be authenticated. This would work via a session, and there is probably a way to set the session timeout. After the last interaction + the timeout, the session will expire, and this should automatically force the client to re-authenticate at the next access.
RE: Authentication from a REST service
Thanks Andre. I have already done so. I thought to ask it on both just in case.

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: 18 Jul 2013 14 16
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin O'Shea wrote:
> Hello
>
> I am in the process of setting up a web service between an android app and Tomcat 6.0.26 implemented with Jersey.
>
> I already have client and server communicating with each other by sending XML requests. But I would like the user of the client to be authenticated by the server for a set period of time and then have to re-authenticate after that time has expired.
>
> Can anyone suggest anything?

It may be better to ask this on the Jersey user's list.

I would imagine that Jersey provides a way to force the client to be authenticated. This would work via a session, and there is probably a way to set the session timeout. After the last interaction + the timeout, the session will expire, and this should automatically force the client to re-authenticate at the next access.
Re: Authentication from a REST service
Martin,

On 7/18/13 5:34 AM, Martin O'Shea wrote:
> I am in the process of setting up a web service between an android app and Tomcat 6.0.26 implemented with Jersey.
>
> I already have client and server communicating with each other by sending XML requests. But I would like the user of the client to be authenticated by the server for a set period of time and then have to re-authenticate after that time has expired.

If you are using Servlet 3.0, you can use HttpServletRequest.login to authenticate the user using a realm configured for the context.

If you use FORM authentication, then the session's expiration time becomes the duration of the login (a caveat being that the timeout is reset for every request the client makes). If you want fixed-login times (like 30-minutes max regardless of how many requests are made), then stuff your own expiration date into the user's session and then check that timeout with each request.

This could all be done in a Filter to keep things orthogonal to your servlet code.

Or were you looking for something more elaborate?

-chris
RE: Authentication from a REST service
Chris

It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:

    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           digest="MD5"
           debug="99"
           dataSourceName="jdbc/MyApp"
           localDataSource="true"
           userTable="User"
           userNameCol="UserName"
           userCredCol="Password"
           userRoleTable="User"
           roleNameCol="RoleName" />

Could it be used also for the REST service? And would a servlet be required to handle authentication?

Thanks

Martin O'Shea.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 18 Jul 2013 15 05
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 5:34 AM, Martin O'Shea wrote:
> I am in the process of setting up a web service between an android app and Tomcat 6.0.26 implemented with Jersey.
>
> I already have client and server communicating with each other by sending XML requests. But I would like the user of the client to be authenticated by the server for a set period of time and then have to re-authenticate after that time has expired.

If you are using Servlet 3.0, you can use HttpServletRequest.login to authenticate the user using a realm configured for the context.

If you use FORM authentication, then the session's expiration time becomes the duration of the login (a caveat being that the timeout is reset for every request the client makes). If you want fixed-login times (like 30-minutes max regardless of how many requests are made), then stuff your own expiration date into the user's session and then check that timeout with each request.

This could all be done in a Filter to keep things orthogonal to your servlet code.

Or were you looking for something more elaborate?

-chris
Re: Authentication from a REST service
Martin,

On 7/18/13 10:32 AM, Martin O'Shea wrote:
> It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm" digest="MD5"

FWIW, MD5 is basically deprecated at this point. I would use at least SHA-256 for password-hashing. Honestly, I'd use a password-mangling algorithm and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).

(I've been toying-around with modifications to Tomcat's Realms and underlying code to help support such things, but I haven't come up with a good patch, yet).

> debug="99"

This should be removed: it must have come from an old configuration.

> dataSourceName="jdbc/MyApp" localDataSource="true" userTable="User" userNameCol="UserName" userCredCol="Password" userRoleTable="User" roleNameCol="RoleName" />
>
> Could it be used also for the REST service?

You can use it for anything you'd like.

> And would a servlet be required to handle authentication?

No, you can use a Filter. I'm not sure how Jersey is implemented, but I suspect that you configured either a Servlet or a Filter at some point in WEB-INF/web.xml. Just make sure that your own Filter performs whatever is necessary to authenticate (e.g. calling HttpServletRequest.login) and then sets-up the request so that Jersey knows that the user has been successfully authenticated (it probably just checks ServletRequest.getPrincipal, which will be set up correctly after a successful call to HttpServletRequest.login).

-chris
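The Filter described in the reply above, combined with the fixed login window from the earlier reply in this thread, as an added example (not code from the thread, Tomcat or Jersey). It assumes a Servlet 3.0 container, Java 8 or later, a Realm configured for the context, and a client that sends an HTTP Basic `Authorization` header once and then reuses the session cookie; the class name `RestLoginFilter`, the session attribute name and the realm label are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: map to /rest/* in WEB-INF/web.xml, ahead of the Jersey servlet. */
public class RestLoginFilter implements Filter {

    // Hypothetical attribute name and limit chosen for this example.
    static final String EXPIRES_AT = "example.login.expiresAt";
    static final long MAX_LOGIN_MS = 30L * 60 * 1000; // fixed 30-minute window

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        long now = System.currentTimeMillis();

        // Already authenticated (principal restored by the container from the
        // session): allow only while the fixed window is still open.
        if (req.getUserPrincipal() != null) {
            HttpSession session = req.getSession(false);
            Object expiresAt = (session == null) ? null : session.getAttribute(EXPIRES_AT);
            if (expiresAt instanceof Long && now < (Long) expiresAt) {
                chain.doFilter(req, res);
                return;
            }
            // Window over, or no expiry was ever recorded: fail closed.
            req.logout();
            if (session != null) {
                session.invalidate();
            }
        }

        // Not (or no longer) logged in: credentials are required on this request.
        // Basic credentials are only base64-encoded, so serve /rest/* over TLS.
        String[] creds = basicCredentials(req.getHeader("Authorization"));
        if (creds == null) {
            challenge(res);
            return;
        }
        // Create the session first so the login can be associated with it.
        req.getSession(true);
        try {
            req.login(creds[0], creds[1]); // validated against the context's Realm
        } catch (ServletException e) {
            challenge(res);
            return;
        }
        // The expiry is set once at login and never extended by later requests,
        // unlike the session's idle timeout, which resets on every request.
        req.getSession().setAttribute(EXPIRES_AT, Long.valueOf(now + MAX_LOGIN_MS));
        chain.doFilter(req, res); // getUserPrincipal() is now set for Jersey
    }

    /** Parses "Basic base64(user:password)"; returns null for anything else. */
    static String[] basicCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            if (colon <= 0) {
                return null; // no separator or empty user name
            }
            return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
    }

    private static void challenge(HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Basic realm=\"rest\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Whether the principal is available on later requests depends on the container caching it in the session; where it is not, this filter answers 401 and the client has to send credentials again.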
Re: Authentication from a REST service
Martin O'Shea wrote:
> Chris
>
> It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:
>
>     <Realm className="org.apache.catalina.realm.DataSourceRealm"
>            digest="MD5"
>            debug="99"
>            dataSourceName="jdbc/MyApp"
>            localDataSource="true"
>            userTable="User"
>            userNameCol="UserName"
>            userCredCol="Password"
>            userRoleTable="User"
>            roleNameCol="RoleName" />
>
> Could it be used also for the REST service? And would a servlet be required to handle authentication?

Well, apart from the layers of obfuscation added by Jersey, fundamentally the REST service is still a webapp, composed of servlets. So it is more a case of "does Jersey provide an authentication servlet (or filter)?" and "what can it do?". No?

Or does Jersey rely on container-based authentication?
RE: Authentication from a REST service
OK. So let me see if I understand what you’re suggesting:

I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml. So in addition to this, I would need a filter set to intercept request with a url pattern /rest/*. This filter can then call HttpServletRequest.login?

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 18 Jul 2013 15 39
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 10:32 AM, Martin O'Shea wrote:
> It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm" digest="MD5"

FWIW, MD5 is basically deprecated at this point. I would use at least SHA-256 for password-hashing. Honestly, I'd use a password-mangling algorithm and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).

(I've been toying-around with modifications to Tomcat's Realms and underlying code to help support such things, but I haven't come up with a good patch, yet).

> debug="99"

This should be removed: it must have come from an old configuration.

> dataSourceName="jdbc/MyApp" localDataSource="true" userTable="User" userNameCol="UserName" userCredCol="Password" userRoleTable="User" roleNameCol="RoleName" />
>
> Could it be used also for the REST service?

You can use it for anything you'd like.

> And would a servlet be required to handle authentication?

No, you can use a Filter. I'm not sure how Jersey is implemented, but I suspect that you configured either a Servlet or a Filter at some point in WEB-INF/web.xml. Just make sure that your own Filter performs whatever is necessary to authenticate (e.g. calling HttpServletRequest.login) and then sets-up the request so that Jersey knows that the user has been successfully authenticated (it probably just checks ServletRequest.getPrincipal, which will be set up correctly after a successful call to HttpServletRequest.login).

-chris
Re: Authentication from a REST service
Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml. So in addition to this, I would need a filter set to intercept request with a url pattern /rest/*. This filter can then call HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do it.

I'm assuming that Jersey is using ServletRequest.getPrincipal to get authentication information from the caller (which is a reasonable assumption IMO). If it's being done in some other way, then this technique may not work.

-chris
RE: Authentication from a REST service
Chris

I'm checking this with Jersey.

Thanks

Martin O'Shea.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 18 Jul 2013 18 52
To: Tomcat Users List
Subject: Re: Authentication from a REST service

Martin,

On 7/18/13 1:08 PM, Martin O'Shea wrote:
> OK. So let me see if I understand what you’re suggesting: I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml. So in addition to this, I would need a filter set to intercept request with a url pattern /rest/*. This filter can then call HttpServletRequest.login?

Yes, this is exactly what I'm suggesting. I'm sure there are other ways to do it.

I'm assuming that Jersey is using ServletRequest.getPrincipal to get authentication information from the caller (which is a reasonable assumption IMO). If it's being done in some other way, then this technique may not work.

-chris