Semen,

Semen Vadishev wrote:
> Well, have you ever configured path based authentication for Subversion
> Server?

Oh, you're using WebDAV. :(

> So if there is no <security-constraint> element in web.xml, Tomcat
> doesn't provide authorization, right?

Correct. It will not perform authentication either. I think it's important to understand what's going on here: Tomcat's built-in A&A requires that an unauthenticated user request a protected resource (protected by a <security-constraint>). When this happens, Tomcat intercepts the request internally and issues the appropriate login request (HTTP AUTH, FORM, etc.). Upon successful authentication, Tomcat re-processes the original request. Tomcat authorization is done separately, though probably by the same component (Valve).

You can require authentication but not enforce any specific role by using <role-name>*</role-name> in your <security-constraint>. Unfortunately for you, J2EE does not do user-based authorization; it will only do role-based authorization. I don't think you can use Tomcat's authorization at all. I don't know enough about the WebDAV/svn protocol to know whether it will work for authentication.

> And if web.xml contains a <login-config> element and doesn't contain a
> <security-constraint> element, then the servlet gets a Principal object
> anyway (if the client sent user/pass then request.getRemoteUser() returns
> "user" and if not request.getRemoteUser() returns null)? Well, at least I
> will try to configure Tomcat this way.

If you want Tomcat to do authentication and not authorization (which it sounds like is the case), then use <role-name>*</role-name> on whatever resource you are protecting and Tomcat will demand that the user authenticate in order to access the resource (but it won't care who the user is). Then, you should be able to get a Principal from the request object during a request.

> 1. Requests with no authentication data.

I'm pretty sure you're always going to want authentication data. To get Tomcat to work this way, you will need authentication data for pretty much every request.

> 2. Requests with authentication data [...] so we want Tomcat to check
> if this pair username/password is valid

You can't have Tomcat do this kind of thing on demand. You can either use their authentication mechanism (with all the requirements above) or not.

> So my question now is: if Tomcat is configured to provide built-in
> authentication and does not provide built-in authorization, can we get
> the described behavior?

You can try using <role-name>*</role-name> as described above, but it may not work the way you want it to work. For instance, if you want to allow completely anonymous access (i.e. not even requiring the use of a "guest" username and password), then you'll need to do everything yourself.

Don't worry: authentication is really easy. Authorization isn't that bad, either, especially since you will probably only have a single servlet that needs protecting. The problem with these things is usually making sure you didn't miss anything (like leaving a swath of URIs unprotected). Feel free to look at Tomcat's Realm implementations for coding inspiration.

> Hope this explanation is more clear.

It is, thanks.

-chris
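The split described in the reply (Tomcat authenticates everyone via <role-name>*</role-name>, the application decides per user), as an added example that is not from the thread: the web.xml fragment it assumes is in the header comment, and the class name, path prefixes and user names are made up for illustration.

```java
/*
 * Added example, not from the mailing-list thread. It assumes web.xml makes
 * Tomcat authenticate every caller under /svn/* without a role check:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>svn</web-resource-name>
 *       <url-pattern>/svn/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>*</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>BASIC</auth-method><realm-name>svn</realm-name></login-config>
 *
 * and that this filter is mapped to the same /svn/* pattern. The per-user
 * (not per-role) decision, which J2EE does not offer, is made here.
 */
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class UserPathAuthzFilter implements Filter {
    // Hypothetical policy: path prefix -> users allowed under it (first match wins).
    private final Map<String, Set<String>> allowed = new LinkedHashMap<String, Set<String>>();

    public void init(FilterConfig cfg) {
        allowed.put("/svn/private/", new HashSet<String>(Arrays.asList("alice")));
        allowed.put("/svn/public/", new HashSet<String>(Arrays.asList("alice", "bob")));
    }

    /** Pure decision, kept separate so the policy can be tested without a container. */
    static boolean permits(Map<String, Set<String>> policy, String user, String path) {
        if (user == null) return false;            // anonymous: Tomcat should not let this reach us
        for (Map.Entry<String, Set<String>> e : policy.entrySet()) {
            if (path.startsWith(e.getKey())) return e.getValue().contains(user);
        }
        return false;                               // default deny: unlisted paths stay closed
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String user = r.getRemoteUser();            // filled in by Tomcat's authentication step
        // servletPath + pathInfo are decoded and normalized, unlike getRequestURI()
        String path = r.getServletPath() + (r.getPathInfo() == null ? "" : r.getPathInfo());
        if (user == null) { ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        if (!permits(allowed, user, path)) { ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

Because the policy is default-deny and keyed on the same /svn/* pattern as the <security-constraint>, a path that neither web.xml nor the filter mentions cannot be reached unauthenticated or by an unlisted user.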