Remon Sadikni wrote:
Dear Tomcat developers and users,
I managed to restrict a web application by IP address with
RemoteAddrValve and to restrict another one by basic authentication. Now
I would like to restrict the same web application by both methods:
- If the user is inside a specific network (e.g. 134.134.*.*), then he
should get direct access to the web application (without login window).
- If he is outside this network he has to authenticate via username /
password.
I tried to combine RemoteAddrValve and basic authentication, but I only
managed an "AND" conjunction. What I want is a disjunctive combination
("OR") of these 2 methods. How can I do that?
Hi.
Those 2 things do not happen at the same time.
The Valve executes first, and it either blocks the request totally, or lets it through
unchanged.
Then, if the Valve let the request pass through, comes the
authentication/authorization logic.
But by then of course it is too late, because if the request was blocked by the Valve, it
will not even make it to the AA stage.
What you could do, is write a custom Valve. This Valve would have to check the client IP
address, and if it matches the "specific network", it should "pre-authenticate" the
request, using some dummy user-id (like "internal_user") before it forwards the request.
I am not sure how easy that is however, since I do not know if Tomcat's Basic
Authentication mechanism /always/ checks the "Authorization:" header first, or if it first
checks if the request has already a UserPrincipal assigned to it.
(Gurus, please fill in here : ........ )
If the Valve needs to add an "Authorization:" header to the request, then you are in for a
bit more complexity.
This would be a case where I would handle the problem at the level of a front-end Apache
httpd, where such things are easier (for me) by an order of magnitude.
I even happen to have written an Apache/mod_perl module which does exactly what you want,
and more.
You may also want to have a look at SecurityFilter, which could well be an easier way for
you (http://securityfilter.sourceforge.net/)
I do not think that it has provisions for "automatically" authenticating a user based on
his client IP address, but it may be easier to just add the required code there.
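Roughly what the custom Valve sketched in the reply above could look like, as an added example written for this page; it is not code from the thread and not part of Tomcat. It assumes the Tomcat 7 to 9 API (javax.servlet, ValveBase, the GenericPrincipal(name, password, roles) constructor); the package name, the attribute names and the "TRUSTED_NETWORK" auth type label are made up for the example. It also assumes the point the reply leaves open for the gurus: that the Basic authenticator honours a principal already attached to the request. Tomcat 7 and later do this in AuthenticatorBase.checkForCachedAuthentication, which tests request.getUserPrincipal() before it looks at the Authorization header, but check that against the version you run.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Pre-authenticates requests from a trusted IPv4 network by attaching a fixed
 * principal; every other request is passed on untouched so the configured
 * BASIC authenticator challenges it as usual.
 *
 * Declared in the web application's context.xml (Valves declared there sit in
 * the pipeline before the authenticator Valve Tomcat appends at startup):
 *
 *   <Valve className="example.valves.TrustedNetworkValve"
 *          cidr="134.134.0.0/16" user="internal_user" roles="staff"/>
 */
public class TrustedNetworkValve extends ValveBase {

    private String user = "internal_user";
    private List<String> roles = new ArrayList<>();
    private int network;          // network address as an int
    private int mask;             // prefix mask, e.g. 0xFFFF0000 for /16
    private boolean configured;   // stays false until cidr is set

    public void setUser(String user) { this.user = user; }

    /** Comma-separated roles granted to the pre-authenticated principal. */
    public void setRoles(String csv) {
        roles = new ArrayList<>();
        for (String r : csv.split(",")) {
            if (!r.trim().isEmpty()) roles.add(r.trim());
        }
    }

    /** Trusted network in CIDR form, e.g. "134.134.0.0/16". IPv4 only. */
    public void setCidr(String cidr) {
        String[] parts = cidr.trim().split("/");
        if (parts.length != 2) throw new IllegalArgumentException("cidr must be a.b.c.d/n: " + cidr);
        int prefix = Integer.parseInt(parts[1]);
        if (prefix < 0 || prefix > 32) throw new IllegalArgumentException("bad prefix: " + cidr);
        mask = prefix == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - prefix));
        network = parseIPv4(parts[0]) & mask;
        configured = true;
    }

    /** Dotted quad to int; throws IllegalArgumentException for anything else. */
    static int parseIPv4(String dotted) {
        String[] octets = dotted.split("\\.", -1);
        if (octets.length != 4) throw new IllegalArgumentException("not IPv4: " + dotted);
        int v = 0;
        for (String o : octets) {
            int b = Integer.parseInt(o); // NumberFormatException is an IllegalArgumentException
            if (b < 0 || b > 255) throw new IllegalArgumentException("bad octet: " + dotted);
            v = (v << 8) | b;
        }
        return v;
    }

    /**
     * True only for a well-formed IPv4 literal inside the configured network.
     * IPv6 addresses (including ::1 and IPv4-mapped ones) and unparsable
     * strings count as untrusted, so an unexpected address format can never
     * skip the login.
     */
    boolean isTrusted(String remoteAddr) {
        if (!configured || remoteAddr == null || remoteAddr.indexOf(':') >= 0) return false;
        try {
            return (parseIPv4(remoteAddr) & mask) == network;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy that is the
        // proxy itself, so put RemoteIpValve (with a strict internalProxies
        // list) ahead of this Valve, or do not use this Valve there at all:
        // honouring X-Forwarded-For from arbitrary clients lets anyone claim
        // to be on the internal network.
        if (request.getUserPrincipal() == null && isTrusted(request.getRemoteAddr())) {
            Principal internal = new GenericPrincipal(user, null, roles);
            request.setUserPrincipal(internal);
            request.setAuthType("TRUSTED_NETWORK"); // hypothetical auth type label
        }
        // Untrusted clients continue without a principal and reach the BASIC
        // authenticator, which issues the 401 challenge as before.
        getNext().invoke(request, response);
    }
}
```

The "OR" the question asks for falls out of the two branches of invoke(): a client on the trusted network gets a principal and the authenticator waives the challenge, a client outside it reaches the authenticator empty-handed and gets the login prompt. Unlike RemoteAddrValve this Valve never blocks anything itself, and the dummy principal carries only the roles listed in the roles attribute, so internal users are not silently given every role a Realm user might hold.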
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org