Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
Johnny Kewl wrote:

> ----- Original Message -----
> From: Alex Mestiashvili [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Sent: Friday, June 13, 2008 9:56 PM
> Subject: allow access without auth to app from several ip ranges , but leave auth from any other hosts
>
>> HI ALL.
>> I have basic authentication for my tomcat application.
>> Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
>> I did not find any solution in google.
>> Is it possible?
>> tomcat version is 6.0.16
>> Thanks in advance.
>
> Would have to be different pages...
> /webapp/servlet
> /webapp/servletip
>
> TC security checks everything before you can get at it.
> if the page is protected, it's protected ;)
>
> Another way is with programmatic authentication... ie do the BASIC auth in a servlet yourself... then you can do anything.
>
> Have fun..
>
> ---
> HARBOR : http://www.kewlstuff.co.za/index.htm
> The most powerful application server on earth.
> The only real POJO Application Server.
> See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
> ---
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

Great thanks to everyone, but I've found another way.

I've created two directories, myapp1 and myapp, with appropriate web.xmls.
I've put a reverse proxy with rewrite engine between clients and tomcat:

    NameVirtualHost *
    <VirtualHost *>
        ProxyRequests Off
        <Proxy *>
            AddDefaultCharset off
            Order allow,deny
            Allow from all
        </Proxy>
        ProxyPass / http://localhost:8080/
        CustomLog /var/log/apache2/proxy_log common
        ProxyPassReverse / http://localhost:8080/

        RewriteEngine on

        # forbidden for people who try to use /myapp1 directly
        # these rules are important because otherwise any host can connect to myapp1,
        # because the request goes through the proxy and tomcat gets connections from localhost.
        # (the leading ^ anchors the match at the first octet of the address)
        RewriteCond %{REMOTE_ADDR} !^((192\.168\.194\..*$)|(14\.5\..*$)|(14\.30\..*$))
        RewriteRule ^(.*)$ - [C]
        RewriteRule ^/myapp1(.*)$ /$1 [F,L]

        # (/.*)? keeps /myapp1 itself from matching and being redirected again
        RewriteCond %{REMOTE_ADDR} ^((192\.168\.194\..*$)|(14\.5\..*$))
        RewriteRule ^/myapp(/.*)?$ /myapp1$1 [R,L]

        # main rule everything goes via PROXY
        RewriteRule ^/(.*) http://localhost:8080/$1 [P]

        RewriteLog /var/log/apache2/rewrite.log
        RewriteLogLevel 9
    </VirtualHost>
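The RewriteCond tests in this message are regular-expression searches on the textual REMOTE_ADDR, so whether the alternation starts with `^` decides which clients count as trusted. The following is an added example, not part of the original post: it runs the alternation with and without the anchor over constructed addresses and compares both with CIDR membership (the CIDR blocks are an assumed reading of the three prefixes).

```python
import ipaddress
import re

# Alternation from the RewriteCond lines in the post, without and with a leading ^.
ALTERNATION = r"((192\.168\.194\..*$)|(14\.5\..*$)|(14\.30\..*$))"
UNANCHORED = re.compile(ALTERNATION)
ANCHORED = re.compile("^" + ALTERNATION)

# Assumption: the three prefixes are meant as these CIDR blocks.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.194.0/24", "14.5.0.0/16", "14.30.0.0/16")]

# Constructed client addresses, not taken from any log.
SAMPLE = ["192.168.194.7", "14.5.20.1", "14.30.0.9",
          "114.5.20.1", "10.14.5.77", "214.30.1.1", "198.51.100.23"]


def in_trusted_nets(addr):
    """Numeric membership test: what the regex is trying to express."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def audit(addresses):
    """One row per address: (addr, unanchored match, anchored match, CIDR member)."""
    return [(a, bool(UNANCHORED.search(a)), bool(ANCHORED.search(a)),
             in_trusted_nets(a)) for a in addresses]


def false_trust(rows):
    """Addresses each pattern treats as trusted although the CIDR test does not."""
    return {
        "unanchored": [a for a, u, _, c in rows if u and not c],
        "anchored": [a for a, _, anc, c in rows if anc and not c],
    }


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-15s unanchored=%-5s anchored=%-5s cidr=%s" % row)
    print(false_trust(audit(SAMPLE)))
```

The same table can be rebuilt from the addresses that appear in proxy_log to confirm that only the intended ranges ever reach /myapp1.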
Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
----- Original Message -----
From: Alex Mestiashvili [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, June 16, 2008 1:36 PM
Subject: Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts

> Johnny Kewl wrote:
>
>> ----- Original Message -----
>> From: Alex Mestiashvili [EMAIL PROTECTED]
>> To: users@tomcat.apache.org
>> Sent: Friday, June 13, 2008 9:56 PM
>> Subject: allow access without auth to app from several ip ranges , but leave auth from any other hosts
>>
>>> HI ALL.
>>> I have basic authentication for my tomcat application.
>>> Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
>>> I did not find any solution in google.
>>> Is it possible?
>>> tomcat version is 6.0.16
>>> Thanks in advance.
>>
>> Would have to be different pages...
>> /webapp/servlet
>> /webapp/servletip
>>
>> TC security checks everything before you can get at it.
>> if the page is protected, it's protected ;)
>>
>> Another way is with programmatic authentication... ie do the BASIC auth in a servlet yourself... then you can do anything.
>>
>> Have fun..
>>
>> ---
>> HARBOR : http://www.kewlstuff.co.za/index.htm
>> The most powerful application server on earth.
>> The only real POJO Application Server.
>> See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
>> ---
>
> Great thanks to everyone, but I've found another way.
>
> I've created two directories, myapp1 and myapp, with appropriate web.xmls.
> I've put a reverse proxy with rewrite engine between clients and tomcat:
>
>     NameVirtualHost *
>     <VirtualHost *>
>         ProxyRequests Off
>         <Proxy *>
>             AddDefaultCharset off
>             Order allow,deny
>             Allow from all
>         </Proxy>
>         ProxyPass / http://localhost:8080/
>         CustomLog /var/log/apache2/proxy_log common
>         ProxyPassReverse / http://localhost:8080/
>
>         RewriteEngine on
>
>         # forbidden for people who try to use /myapp1 directly
>         # these rules are important because otherwise any host can connect to myapp1,
>         # because the request goes through the proxy and tomcat gets connections from localhost.
>         # (the leading ^ anchors the match at the first octet of the address)
>         RewriteCond %{REMOTE_ADDR} !^((192\.168\.194\..*$)|(14\.5\..*$)|(14\.30\..*$))
>         RewriteRule ^(.*)$ - [C]
>         RewriteRule ^/myapp1(.*)$ /$1 [F,L]
>
>         # (/.*)? keeps /myapp1 itself from matching and being redirected again
>         RewriteCond %{REMOTE_ADDR} ^((192\.168\.194\..*$)|(14\.5\..*$))
>         RewriteRule ^/myapp(/.*)?$ /myapp1$1 [R,L]
>
>         # main rule everything goes via PROXY
>         RewriteRule ^/(.*) http://localhost:8080/$1 [P]
>
>         RewriteLog /var/log/apache2/rewrite.log
>         RewriteLogLevel 9
>     </VirtualHost>

Cool! Got you in my Apache Guru book ;)

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---
Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
----- Original Message -----
From: Alex Mestiashvili [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Friday, June 13, 2008 9:56 PM
Subject: allow access without auth to app from several ip ranges , but leave auth from any other hosts

> HI ALL.
> I have basic authentication for my tomcat application.
> Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
> I did not find any solution in google.
> Is it possible?
> tomcat version is 6.0.16
> Thanks in advance.

Would have to be different pages...
/webapp/servlet
/webapp/servletip

TC security checks everything before you can get at it.
if the page is protected, it's protected ;)

Another way is with programmatic authentication... ie do the BASIC auth in a servlet yourself... then you can do anything.

Have fun..

---
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---
allow access without auth to app from several ip ranges , but leave auth from any other hosts
HI ALL.
I have basic authentication for my tomcat application.
Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
I did not find any solution in google.
Is it possible?
tomcat version is 6.0.16
Thanks in advance.
Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
hi Alex,
that is an interesting use case. I don't think there is a way to do this without doing some customization to the tomcat code base, such as implementing your own realm

Filip

Alex Mestiashvili wrote:
> HI ALL.
> I have basic authentication for my tomcat application.
> Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
> I did not find any solution in google.
> Is it possible?
> tomcat version is 6.0.16
> Thanks in advance.
Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
Alex Mestiashvili wrote:
> HI ALL.
> I have basic authentication for my tomcat application.
> Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
> I did not find any solution in google.
> Is it possible?

Not with Tomcat out of the box. Take a look at http://securityfilter.sourceforge.net/

If it can't do it out of the box (I haven't checked) then it is probably only a small amount of code.

Mark
Re: allow access without auth to app from several ip ranges , but leave auth from any other hosts
If it may help:

I have implemented a mechanism as described below, in Apache using mod_perl.
I don't know how to do it under Tomcat, or if it is even possible without rewriting some basic Tomcat code, but maybe the following gives someone an idea.
(Of course, if you are running Tomcat with an Apache front-end and mod_jk, you could do it in Apache, and pass the user-id to Tomcat. That's in fact what I am doing.)

In Apache/mod_perl, it relies on the fact that there are three consecutive phases in request processing, with possible mod_perl hooks, and they run in this order:

- an access control phase
  This phase is supposed to grant or deny access based on some request characteristic other than the user-id (e.g. the time of day, or the IP range the request is coming from). In standard Apache config, this is the equivalent of an Allow from ..(IP range).. directive. In Tomcat, it would probably be an Access-control Valve. There is an example somewhere in the Tomcat on-line documentation.
- an authentication phase
  where the request is authenticated (gets a user-id if it doesn't have one yet)
- an authorisation phase
  where the request is allowed or not to proceed, depending on whether or not it has a user-id, and this user-id is supposed to be able to access this resource.

Basically, I hijack the access-control phase, to compare the origin IP of the request with a table containing IP addresses and corresponding group user-ids. If the origin IP matches one of the table entries, it gets the associated user-id. Otherwise it does not get a user-id. Anyway, the request is allowed to proceed.

In the authentication phase, it is checked whether the request is already authenticated. If yes (for example it got a user-id during the access-control phase), it is allowed to proceed. If not, it gets a login page.

And finally in the authorisation phase, the request is rejected if it does not have a user-id.

Now the questions are, in Tomcat,

1) if an Access-control Valve runs before an application (webapp) is invoked. I believe it should, since it is (can be) defined at a higher level than a webapp.
2) if one could, within such a Valve, attribute a user-id to the session. That I really don't know, because I have never actually seen a method allowing to /set/ a user-id. (But I was probably looking in the wrong places).
3) how one could write a custom Valve, and how difficult that would be. Considering that Tomcat is open-source, one could always take the standard IP-based Valve and modify it for the purpose.

Alternatively, maybe it is possible to do this IP-based authentication in a servlet filter wrapped around the webapp. But I have a feeling that under Tomcat the authentication/authorization phase runs before even a servlet filter runs, and in that case it might not work.

I am interested also to learn if the above kind of thing is possible, and if that would be a good way of doing this under Tomcat.

Filip Hanik - Dev Lists wrote:
> hi Alex,
> that is an interesting use case. I don't think there is a way to do this without doing some customization to the tomcat code base, such as implementing your own realm
>
> Filip
>
> Alex Mestiashvili wrote:
>> HI ALL.
>> I have basic authentication for my tomcat application.
>> Now I want to allow access without authentication to this app from several ip ranges, but leave auth from any other hosts.
>> I did not find any solution in google.
>> Is it possible?
>> tomcat version is 6.0.16
>> Thanks in advance.
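The three phases described in this message, modelled as plain Python functions; this is an added example, not the poster's mod_perl code or a Tomcat Valve. The IP table, group names and credentials are constructed, and an HTTP Basic check with a 401 response stands in for the login page.

```python
import base64
import hmac
import ipaddress

# Constructed table for the access-control phase: network -> group user-id.
IP_GROUPS = {
    ipaddress.ip_network("192.168.194.0/24"): "lan-group",
    ipaddress.ip_network("14.5.0.0/16"): "branch-group",
}
# Constructed demo credentials; a real store would hold password hashes.
USERS = {"alice": "s3cret"}


def access_control(peer_addr):
    """Phase 1: never rejects; returns the group user-id for a known range."""
    ip = ipaddress.ip_address(peer_addr)
    for net, group in IP_GROUPS.items():
        if ip in net:
            return group
    return None


def authenticate(user, authorization):
    """Phase 2: keep a user-id set in phase 1, else check Basic credentials."""
    if user is not None:
        return user
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True)
        decoded = raw.decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    name, _, password = decoded.partition(":")
    expected = USERS.get(name)
    if expected is not None and hmac.compare_digest(
            password.encode(), expected.encode()):
        return name
    return None


def authorise(user):
    """Phase 3: a request that still has no user-id is rejected with 401."""
    return (200, user) if user is not None else (401, None)


def handle(peer_addr, authorization=None):
    """peer_addr must be the socket peer address, not a request header."""
    return authorise(authenticate(access_control(peer_addr), authorization))
```

Behind a reverse proxy the socket peer is the proxy itself, so the address test has to run on the proxy or on an address that only the proxy can set.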