On 2013-11-20 williamissey...@tsys.com wrote:
> Is there any way to not have the password visible in the realm for
> example for active directory realm?

You can extend the default JNDIRealm:

package my.realm;   // matches className="my.realm.ADRealm" in server.xml below

import org.apache.catalina.realm.JNDIRealm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ADRealm extends JNDIRealm {

    private static final Logger LOGGER =
            LoggerFactory.getLogger(ADRealm.class);
    // Key under which the AD bind credentials are stored in the central storage
    private static final String KEY_AD = "my.ldap";

    public ADRealm() {
        LOGGER.info("My Active Directory Realm initialized...");
        // Credentials and CredentialsReader are your own classes (see below);
        // they are assumed to live in this package or to be imported here
        Credentials credentials = new CredentialsReader().getCredentials(KEY_AD);
        // connectionName and connectionPassword are protected fields of
        // JNDIRealm, so they no longer have to appear as attributes in server.xml
        connectionName = credentials.getUser();
        connectionPassword = credentials.getPassword();
    }
}

CredentialsReader is another custom class for reading credentials from your
central storage.

You have to define a combined realm:

      <Realm className="org.apache.catalina.realm.CombinedRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
        <Realm className="my.realm.ADRealm"
               debug="99"
               connectionURL="..."
               authentication="simple"
               referrals="follow"
               userBase="..."
               userSearch="(mailNickname={0})"
               userSubtree="true"
               commonRole="Administrator"
        />
      </Realm>

And place all the libraries in the tomcat/lib folder:
- realm-1.0.jar (this class)
- credentials-util-1.0.jar
- slf4j-api-1.6.6.jar
- slf4j-jdk14-1.6.6.jar

I've implemented it not for safety but for my convenience, as the password
expires from time to time, and thanks to this it is enough to change it once in
the central storage. From there it is used in all my tools (I use it in a local
network only).

Jan
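The same idea carried a step further, as an added example that is not Jan's code or Tomcat's own: a JNDIRealm subclass that loads the LDAP bind user and password from a properties file outside server.xml, named by a hypothetical credentialsFile attribute on the Realm element, and refuses to start if that file is group- or world-readable. The credentials are set in startInternal(), which Tomcat calls after the Digester has applied the XML attributes, so anything loaded here takes precedence over a password left in server.xml. The class name, the attribute name, the property keys (user, password) and the file path in the comment are all assumptions for this example.

```java
package my.realm;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.JNDIRealm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * JNDIRealm that reads the bind credentials from a properties file instead of
 * from server.xml. Configure it as (hypothetical attribute and path):
 *
 *   <Realm className="my.realm.FileCredentialsRealm"
 *          credentialsFile="/etc/tomcat/ldap-bind.properties"
 *          connectionURL="ldap://..." userBase="..." userSearch="(mailNickname={0})" />
 *
 * The file contains two lines, "user=..." and "password=...", and should be
 * owned by the Tomcat user with mode 600.
 */
public class FileCredentialsRealm extends JNDIRealm {

    private static final Log log = LogFactory.getLog(FileCredentialsRealm.class);

    private String credentialsFile;

    // Tomcat's Digester calls this setter for the credentialsFile="..." attribute.
    public String getCredentialsFile() { return credentialsFile; }
    public void setCredentialsFile(String credentialsFile) { this.credentialsFile = credentialsFile; }

    @Override
    protected void startInternal() throws LifecycleException {
        // Runs after the XML attributes have been applied, so the values
        // loaded from the file override any connectionPassword in server.xml.
        if (credentialsFile == null) {
            throw new LifecycleException("credentialsFile attribute is required");
        }
        Path path = Paths.get(credentialsFile);
        refuseIfReadableByOthers(path);

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        } catch (IOException e) {
            throw new LifecycleException("Cannot read credentials file " + path, e);
        }
        String user = props.getProperty("user");
        String password = props.getProperty("password");
        if (user == null || password == null) {
            throw new LifecycleException(path + " must define both 'user' and 'password'");
        }
        setConnectionName(user);
        setConnectionPassword(password);
        // Log the bind DN only; the password never goes to the log.
        log.info("Loaded LDAP bind credentials for '" + user + "' from " + path);

        super.startInternal();
    }

    /** Fail fast if anyone besides the owner can read the file (POSIX filesystems only). */
    private static void refuseIfReadableByOthers(Path path) throws LifecycleException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                throw new LifecycleException(path + " must be readable only by the Tomcat user (chmod 600)");
            }
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): rely on the file's ACL instead.
        } catch (IOException e) {
            throw new LifecycleException("Cannot check permissions of " + path, e);
        }
    }
}
```

Because the file is read once at realm start, rotating the bind password means editing the file and restarting Tomcat (or the Realm); the permission check is deliberately a hard failure rather than a warning, since a world-readable bind password is exactly what keeping it out of server.xml was meant to avoid.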
