Force auth constraint on SSL connector
Hello, we are planning to activate our intranet with SSL. Along with this, we would like to make this intranet available to our employees from their home. Inside, without SSL, there is no need to identify our users; anonymous browsing is to be allowed. From outside, however, we want to force authentication on all the webapp. So we would like to have a security-constraint on / that applies *only* when the webapp is reached using the SSL connector.

The standard web.xml, AFAIK, does not support separating constraints depending on the HTTP connector. We thought about using some valve that would force users to a specific login URL if they are not yet authenticated. Does this somehow already exist in Tomcat?

Below is a short description of the aimed configuration:

http://server/webapp          -- no auth-constraint
http://server/webapp/admin    -- auth-constraint, role admin
http://server/webapp/edit     -- auth-constraint, role admin or publisher
https://server/webapp         -- auth-constraint, no specific role (or role user is needed)
https://server/webapp/admin   -- auth-constraint, role admin
https://server/webapp/edit    -- auth-constraint, role admin or publisher

--
http://www.noooxml.org/

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
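The valve idea from the post, worked through as an added example (not code from the thread or from the Tomcat project): a Context-level Valve that leaves plain HTTP requests to the ordinary web.xml constraints but, for any request that arrived over the SSL connector without an authenticated principal, redirects to a login gate. The class name `SslAuthValve`, the `loginUrl` attribute and the `/secure-entry` path are assumptions; the example assumes `/secure-entry` is itself protected by a normal auth-constraint (role `user`) in web.xml so that Tomcat's own authenticator (FORM, BASIC, or any realm-backed login) performs the actual credential check, and that the servlet behind it sends the user on to the `next` parameter after validating it is a context-relative path.

```java
package example; // hypothetical package, not from the thread

import java.io.IOException;
import java.net.URLEncoder;
import java.security.Principal;

import javax.servlet.ServletException;

import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Requires an authenticated user for every request that arrives over the
 * SSL connector; plain HTTP (intranet) requests pass through untouched and
 * keep whatever web.xml security-constraints apply to them.
 *
 * Configure inside the webapp's <Context> (META-INF/context.xml or server.xml):
 *   <Valve className="example.SslAuthValve" loginUrl="/secure-entry" />
 * and protect the gate in web.xml so the container challenges the user there:
 *   <security-constraint>
 *     <web-resource-collection><url-pattern>/secure-entry</url-pattern></web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *   </security-constraint>
 */
public class SslAuthValve extends ValveBase {

    // Context-relative path of the gate; assumed to carry an auth-constraint.
    private String loginUrl = "/secure-entry";

    public String getLoginUrl() { return loginUrl; }
    public void setLoginUrl(String loginUrl) { this.loginUrl = loginUrl; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Intranet case: not over SSL, so nothing extra is required here.
        if (!request.isSecure()) {
            getNext().invoke(request, response);
            return;
        }

        String contextPath = request.getContextPath();
        String path = request.getRequestURI().substring(contextPath.length());

        // Never intercept the gate itself or the container's FORM login
        // target, otherwise the redirect below would loop forever.
        if (path.startsWith(loginUrl) || path.endsWith("/j_security_check")) {
            getNext().invoke(request, response);
            return;
        }

        if (principalOf(request) == null) {
            // Unauthenticated over SSL: remember the requested URI (context-
            // relative, so the gate cannot be turned into an open redirect)
            // and send the browser to the protected gate.
            String target = contextPath + loginUrl
                    + "?next=" + URLEncoder.encode(path, "UTF-8");
            response.sendRedirect(target);
            return;
        }

        getNext().invoke(request, response);
    }

    /**
     * Principal already set on this request, or the one Tomcat's authenticator
     * cached in the session after an earlier successful login. A valve added
     * from the Context configuration runs before the authenticator valve, so
     * the session cache is the reliable place to look on later requests.
     */
    static Principal principalOf(Request request) {
        Principal p = request.getUserPrincipal();
        if (p != null) {
            return p;
        }
        Session session = request.getSessionInternal(false);
        return session == null ? null : session.getPrincipal();
    }
}
```

With this in place the per-path constraints on `/admin` and `/edit` stay exactly as listed in the post and apply on both connectors; the valve only adds the "any authenticated user" requirement for the HTTPS side. Two things to keep in mind when adopting the pattern: the login credentials never travel over the HTTP connector, because the gate is only ever reached from the SSL path; and, because the valve runs before the authenticator, a user who logged in over HTTPS and then switches to HTTP keeps an authenticated session, which is harmless here since the HTTP side needs no login anyway.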
Re: Force auth constraint on SSL connector
David,

> From outside, however, we want to force authentication on all the webapp. So we would like to have a security-constraint on / that applies *only* when the webapp is reached using the SSL connector.

You might be able to avoid the entire problem by using a VPN. Is that an acceptable change in strategy?

What about client certificates?

I think you're going to seriously complicate your application to add this requirement.

-chris
Re: Force auth constraint on SSL connector
Christopher Schultz wrote:
> David,
>
>> From outside, however, we want to force authentication on all the webapp. So we would like to have a security-constraint on / that applies *only* when the webapp is reached using the SSL connector.
>
> You might be able to avoid the entire problem by using a VPN. Is that an acceptable change in strategy?

H no :) VPN means installing and maintaining a VPN server + installing VPN on clients at their home. This is a bit annoying when what you want is to make available to users general documents they might need when not at the office. And I know the answer would be like "No need, there is already the absolutely unfriendly ssh connection + port forwarding + point your browser to 127.0.0.1".

> What about client certificates?
>
> I think you're going to seriously complicate your application to add this requirement.

Client certificates means managing those certificates, and that is something to avoid considering it's along the lines of maintaining a set of authentication tokens separated from the general authentication database already in use by other non-Java applications.

Thanks for the suggestions, but they are not easily applicable in our environment.

> -chris