-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Jan,

On 5/26/14, 2:58 AM, Jan Vávra wrote:
> Hello.
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
>> 
>> Mark,
>> 
>> On 5/20/14, 4:28 AM, Mark Thomas wrote:
>>> On 20/05/2014 09:11, Jan Vávra wrote:
>>>> Hello.
>>>> 
>>>> I write my own realm implementation for Tomcat 7.x. In the 
>>>> method Principal authenticate(X509Certificate[] certs) I'd
>>>> like to read request headers. My authentication would be
>>>> based on client certificate + custom http request value. Is
>>>> it possible?
>>> In Tomcat, the Authenticator is responsible for gathering the 
>>> credentials. This often requires interaction with the Request
>>> and related objects.
>>> 
>>> The Realm is responsible for validating credentials. Therefore
>>> the Realm does not need access to the Request and related
>>> objects.
>> This is something that securityfilter supports using a
>> sub-interface of the Realm (analog) interface that has the
>> ability to access the request directly. It's a bad architecture,
>> but very useful for doing things such as recording login failures
>> and their source IP addresses, etc.
>> 
>> Is there some way that additional information (e.g. source IP
>> address) could be provided to the Realm for things such as this?
>> It's one of the reasons we still use sf instead of Tomcat's
>> built-in realms. (Another is the lack of decent password-checking
>> algorithms, but I'm working on that: 
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=56403).
> Well, I looked at Chris's SecurityFilter and I'll go the same way.
> I'll get rid of realm and write my own simple security filter. We
> also plan to support OAuth 2.0 authentication, where the auth header
> is transferred in the form Authorization: Bearer xxxxx. And in other
> cases I need to combine clicert auth with basic auth. In the other
> project we're also behind an authentication system that sends my
> Tomcat an X-Authorized-As header.
> 
> So I have many reasons to access the Request object, and writing
> the filter seems to me the only way to authenticate a web service
> method (server side).

You haven't done your homework. Read about CombinedRealm.

I thought someone contributed an OAuth provider at some point, but I
can't find that reference, so you might need to do that outside of
Tomcat anyway. But since you can use ServletRequest.login(), you can
probably make it work as long as the user always uses OAuth to
authenticate (which is pretty much the whole point).

But re-writing the whole authentication and authorization system is a
big task if all you want to do is add OAuth to the things that Tomcat
can already do. You should try to find a way to get
ServletRequest.login() to do what you need so that you don't have to
write your own URL pattern handler, session management code, etc.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
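The split Chris describes above (a Filter or Authenticator gathers the credential from the Request, the Realm validates it, and ServletRequest.login() joins the two) can be shown in code. The following is an added example written for this thread, not code from the thread or from Tomcat itself. It assumes a Servlet 3.0 / Tomcat 7 web application, and it stands in for real OAuth validation with a constructed "subject.base64url(HMAC-SHA256(subject))" token format and a hard-coded secret; the class names BearerLoginFilter and HmacBearerRealm are hypothetical.

```java
// --- File: BearerLoginFilter.java (added example; gathers the credential, validates nothing) ---
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BearerLoginFilter implements Filter {
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // If another mechanism (e.g. CLIENT-CERT) already authenticated this request, do nothing.
        if (request.getUserPrincipal() == null) {
            String token = bearerToken(request.getHeader("Authorization"));
            if (token != null) {
                // Constructed token layout: "<subject>.<signature>"; the subject is the login name.
                int dot = token.indexOf('.');
                String subject = dot > 0 ? token.substring(0, dot) : "";
                try {
                    // The container hands (subject, token) to the configured Realm.
                    request.login(subject, token);
                } catch (ServletException e) {
                    response.setHeader("WWW-Authenticate", "Bearer realm=\"api\", error=\"invalid_token\"");
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }

    // Returns the token after "Bearer " (scheme compared case-insensitively), or null if absent.
    static String bearerToken(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        String token = authorization.substring(7).trim();
        return token.isEmpty() ? null : token;
    }
}

// --- File: HmacBearerRealm.java (added example; validates the credential, never sees the Request) ---
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class HmacBearerRealm extends RealmBase {
    // Constructed secret for the example; a real deployment loads it from configuration.
    private static final byte[] SECRET = "example-secret-replace-me".getBytes(StandardCharsets.UTF_8);

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) return null;
        int dot = credentials.indexOf('.');
        if (dot <= 0 || !credentials.substring(0, dot).equals(username)) return null;
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(credentials.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if (!MessageDigest.isEqual(hmac(username), presented)) return null;
        return new GenericPrincipal(username, null, Arrays.asList("api-user"));
    }

    static byte[] hmac(String subject) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            return mac.doFinal(subject.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Remaining Tomcat 7 RealmBase abstract methods; unused because authenticate() is overridden.
    @Override protected String getName() { return "HmacBearerRealm"; }
    @Override protected String getPassword(String username) { return null; }
    @Override protected Principal getPrincipal(String username) { return null; }
}
```

Two things to keep in mind when wiring this up: request.login() only works when the container has an Authenticator for the web application (a <login-config> in web.xml, or an explicitly configured authenticator valve), otherwise Tomcat throws a ServletException; and, following Chris's pointer, the realm above would sit inside a CombinedRealm next to the existing certificate or password realm rather than replacing it.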

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
