Doug, I have never tried this, so as usual, I'm guessing here.

I don't think you are going to come right with the standard valves, nor do I
think you should try to make a custom valve.
Rather look at filters, they're not much more difficult to make than a normal
servlet, and you will find tons of stuff on the web, maybe the very thing
you're looking for.
If you use NetBeans, there is a standard project wizard that will get you
going with a filter.

The concept is interesting, and I'm thinking that you can't really protect
the web pages with standard security, because if you do, I think that will
kick in even before the filter gets a chance to look at it. Maybe other guys
can think of another way, but I think that the pages will have to be
protected by the filter, not by standard web.xml configuration.

So... luv this guessing stuff ;).... I think you effectively have to make
one web page as your realm log on page, only this page you protect with the
standard realm web.xml stuff.  The rest are unprotected. Then your filter
logic is something like this....

If the IP or host name is allowed.... let it through
If it's not allowed.... check the username because if the user is
authenticated, there will be one.... if username let it through.... else if
user name is null, redirect to logon page.

Filters are a really nice thing to learn, and I don't think it's too
difficult.... but I just wanted to warn you, that the filter will not be
able to intercept realm security, rather it has to take over that function.
So if the access is simple.... like if they can get into that login page,
then they can go anywhere.... it's easy, but if you have a site where some
people can go some places and not others, then you're going to find yourself
rebuilding Tomcat's realm security roles... a lot of work... or doing
something like setting a session variable that a page has to check.... i.e.
A, B and C users are allowed in here... i.e. if you need to filter pages on
roles, the fun really starts.

So think about it, because I think the devil is in the details, and in the
end it may be easier to just make everyone log on.

From a philosophical point of view... I don't think one should use IP filters
to allow access... it's not good security. So if you have a lazy boss that
doesn't want to type in a password, and his IP must go thru, tell him he's a
security risk, on the other hand if it's a customer that wants that, with a
big wallet... it's probably ok;)
I think everyone should log on, and that getting too far away from the
standard security could get very tricky.... I think those valves are more
intended to simply ban people that have become a pain in the behind, never
to let the privileged through.

Have fun....


From: "Doug Black" <[EMAIL PROTECTED]>

How can I best pass IPs allowed by a valve to pass through to my application
while forcing IPs that are denied to log in through a realm? The only possible
behavior I can detect of either RemoteAddrValve or RemoteHostValve is to force
requests through the IP or host filter and also through the user realm for the
context. Do I have to write a custom valve java class? How hard is this for an
intermediate Java writer? Any tips on how to do this?

I apologize that I submitted essentially the same question a couple days ago,
but I got no responses so I thought I'd try with a less verbose phrasing.

Thanks, Doug


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
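
The filter logic sketched in the reply above, written out as an added example (it is not code from the thread or from Tomcat). The class name and the `allowedAddrs` and `loginPage` init-params are hypothetical, and it relies on the reply's assumption that `getRemoteUser()` is non-null on unprotected pages once the user has logged in through the realm-protected login page.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: listed addresses pass, everyone else must have logged in via the realm. */
public class AddrOrLoginFilter implements Filter {
    private final Set<String> allowed = new HashSet<>();
    private String loginPath;

    @Override
    public void init(FilterConfig cfg) {
        // Hypothetical init-params, e.g. allowedAddrs="192.0.2.10,192.0.2.11" loginPage="/login.jsp"
        String addrs = cfg.getInitParameter("allowedAddrs");
        if (addrs != null) {
            for (String a : addrs.split(",")) {
                if (!a.trim().isEmpty()) allowed.add(a.trim());
            }
        }
        loginPath = cfg.getInitParameter("loginPage");
        if (loginPath == null) loginPath = "/login.jsp"; // assumed default
    }

    /** The decision from the message: an allowed address, or a non-null user name. */
    static boolean mayPass(Set<String> allowed, String remoteAddr, String remoteUser) {
        return allowed.contains(remoteAddr) || remoteUser != null;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // The login page is guarded by web.xml; letting it through here avoids a redirect loop.
        boolean isLogin = req.getServletPath().equals(loginPath);
        // getRemoteAddr() is the TCP peer: behind a reverse proxy it is the proxy's address,
        // so every proxied client would match (or miss) the allow list together.
        if (isLogin || mayPass(allowed, req.getRemoteAddr(), req.getRemoteUser())) {
            chain.doFilter(req, res);
        } else {
            res.sendRedirect(req.getContextPath() + loginPath);
        }
    }

    @Override
    public void destroy() { }
}
```

Map the filter to `/*` in web.xml and keep the `security-constraint` on the login page only, as the reply describes.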



