Out of the box, there is no Valve in Tomcat which requires authentication without first consulting web.xml.

As a simple(?) kludge, you could write your own Valve which forces authentication on anything executed by the Valve. You'll need to fill in isAuthenticated(...):


import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// No Lifecycle hooks are needed for a Valve this simple
public class ProtectMeValve extends ValveBase {

  // To be filled in: verify the credentials carried in the Authorization
  // header. Returning false by default means every request that presents
  // credentials is refused until a real check is added.
  private boolean isAuthenticated(Request request, String authHeader) {
    return false;
  }

  public void invoke(Request request, Response response)
        throws IOException, ServletException {

    String authHeader = request.getHeader("Authorization");
    if (authHeader != null) {
      if (isAuthenticated(request, authHeader)) {
        // Credentials accepted: pass the request on down the pipeline
        getNext().invoke(request, response);
      } else {
        response.setContentType("text/plain");
        response.setStatus(403);
        response.getWriter().write("Go away - you're not allowed!");
      }
    } else {
      // No credentials yet: challenge the client for HTTP Basic auth
      response.setContentType("text/plain");
      response.setStatus(401);
      response.addHeader("WWW-Authenticate",
                         "Basic realm=\"My Webapp\"");
      response.getWriter().write("some message");
    }
  }
}

I would think the preceding should work.

-Tim
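As an added example (not Tim's code and not part of Tomcat itself), here is a complete version of such a Valve that checks the Basic credentials against the Realm of the Engine it is configured in and then requires the testgroup role from Johannes's web.xml, so the whole protection lives in server.xml and survives webapp updates. It assumes the Tomcat 5.x catalina API (Realm.authenticate/hasRole, connector Request/Response) and Java 8+ for java.util.Base64; the realm name comes from Tim's snippet.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import javax.servlet.ServletException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
// Register in server.xml inside the protected <Engine> (or <Host>):
//   <Valve className="ProtectMeValve"/>
public class ProtectMeValve extends ValveBase {
  private static final String REALM_NAME = "My Webapp";    // from Tim's snippet
  private static final String REQUIRED_ROLE = "testgroup"; // from Johannes's web.xml
  public void invoke(Request request, Response response)
      throws IOException, ServletException {
    Principal user = authenticate(request.getHeader("Authorization"));
    if (user == null) {
      // Missing and wrong credentials get the same challenge, so nothing leaks about usernames
      response.setStatus(401);
      response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM_NAME + "\"");
      response.setContentType("text/plain");
      response.getWriter().write("Authentication required");
      return;
    }
    if (!getContainer().getRealm().hasRole(user, REQUIRED_ROLE)) {
      response.setStatus(403);
      response.setContentType("text/plain");
      response.getWriter().write("Forbidden");
      return;
    }
    request.setUserPrincipal(user); // the webapp can see who logged in
    getNext().invoke(request, response);
  }
  // Returns the Realm-verified Principal, or null when the header is absent, malformed or rejected
  Principal authenticate(String authHeader) {
    if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) return null;
    String userPass;
    try {
      userPass = new String(Base64.getDecoder().decode(authHeader.substring(6).trim()), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return null; // not valid Base64
    }
    int colon = userPass.indexOf(':');
    if (colon < 0) return null;
    Realm realm = getContainer().getRealm();
    return realm == null ? null : realm.authenticate(userPass.substring(0, colon), userPass.substring(colon + 1));
  }
}
```

Because the Engine in question only accepts HTTPS, the Basic credentials are not sent in the clear; on a plain HTTP connector this scheme would expose them.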

Johannes wrote:
With the lack of replies I guess that Active Directory connections are not used 
by anyone here.

I'm making it a bit simpler then, and in step one only protecting this service 
with simple login / password protection.

Setup: One separate engine only accepting HTTPS connections that needs to be 
protected.
I have set up an "org.apache.catalina.realm.MemoryRealm" realm with an XML file 
with one user, password and group in my server.xml section for the engine I'm protecting.

So far so good.
Then I got everything to work when editing <webapp>/WEB-INF/web.xml and adding 
the following:
  <security-constraint>
    <display-name>Security check</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>

      <!-- If you list http methods, only those methods are protected -->
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>testgroup</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Security Check</realm-name>
  </login-config>

That worked great: the login box appears and the webapp is not accessible without the 
correct logon.

BUT the problem is that this webapp is delivered by a 3rd party without the 
above settings in their web.xml file.
We get regular updates and I would like to NOT be forced to remember to add the 
above section every time we get a new release of the webapp.

So how can I make this Engine/webapp in the server.xml file be protected by one 
simple login WITHOUT the need to modify the webapp itself every time we get a 
new version of the webapp?

~Johannes



-----Original message-----
From: Johannes [EMAIL PROTECTED]
Date: Thu, 02 Nov 2006 12:55:13 +0100
To: users@tomcat.apache.org
Subject: Tomcat authenticate with Active directory

I have a webapp that I want to protect the best way possible.
Our environment has previously been Windows and still is, but our new system is 
running Tomcat 5.0.

Now I would like to protect one part of our setup with login from our Windows 
2003 Active Directory domain server when there are a lot of people that are going 
to access this webapp. But it still needs to be secure!
Found some information here:
http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html
Section JNDIRealm

But without any previous experience with LDAP connections I have no clue how to 
get this to work.
I've tried searching for a good tutorial/guide on how to make this happen step by 
step, but without success.

Has this been done by anyone here who could give me some help setting this 
up? Or can anyone direct me to a good step-by-step tutorial to get this up and running?
