---- oh...@cox.net wrote: 
> 
> ---- "Caldarale wrote: 
> > > From: oh...@cox.net [mailto:oh...@cox.net] 
> > > Subject: Re: Do any of the Tomcat LDAP-type realms support "no password" 
> > > authentication?
> > 
> > > In other words, even though my valve code can assert a user 
> > > into Tomcat, and even if that same user already exists in the
> > > Tomcat realm, the asserted user seems to be 'disassociated'
> > > from the same user in the Tomcat realm?  
> > 
> > Need to get some terminology correct here.  A Realm does not normally 
> > contain users, roles, or any other authentication or authorization _data_; 
> > rather, it is a Java class that embodies rules for examining the 
> > credentials supplied by a login attempt and comparing them to credentials 
> > and roles stored in some external location.  By default (and never meant to 
> > be used in production), the external location is the file tomcat-users.xml, 
> > and the Realm is UserDatabaseRealm (augmented by LockOutRealm to discourage 
> > probing).  Several other Realm classes are supplied with Tomcat, to allow 
> > access to credentials from LDAP servers, relational databases, JAAS, etc.
> > 
> > I think what you need is essentially a Realm that does no authentication of 
> > its own (trusting httpd to do that), but does perform the authorization 
> > function.  It can then map the userid to whatever set of roles are 
> > appropriate for that user, and return the appropriate response when 
> > queried.  See the doc for details:
> > 
> > http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
> > 
> > It would seem likely that someone out there has written a Realm that 
> > performs the above functions in conjunction with httpd authentication.  
> > (Note: you keep using the word "Apache" - which is a software organization 
> > with many products - when you're referring to httpd, a specific Apache 
> > product, as is Tomcat.)
> > 
> >  - Chuck
> > 
> 
> 
> Hi Chuck,
> 
> Corrections understood, and I'll try to be more careful.  As you point out, 
> and as I mentioned earlier in the thread, it seems like I've come all the way 
> around to the original subject "...Tomcat LDAP-type realms support "no 
> password" authentication?".
> 
> I've been and still am looking around for something like that, but haven't 
> found it yet.
> 
> I'm still puzzled by something though.  Even if I did find (or implement) a 
> realm that was a "no password realm", how do I tie the two pieces that I end 
> up with, the valve and the no-password realm, together?
> 
> In other words, I can pull the userID from the incoming header in the valve, 
> but then I think that the valve code then needs to authenticate against the 
> no-password realm.  Is that correct?
> 
> And, if so, how to do that?  
> 
> I've been looking for a way (API?) to programmatically "authenticate the 
> user" against Tomcat, so that I could add that into my valve code, but 
> haven't been able to find anything yet.
> 
> Thanks,
> Jim 
> 
> 


Hi,

I've had some success, so I thought that some of you might be interested.  
After much more searching, I still haven't been able to find anything like a "no 
password realm", so what I've been hacking around is to add an authenticate() 
method to my valve, where that calls a realm.authenticate(), then a register() 
method.  

This is more of an "experiment" than something realistic.

Anyway, doing the above, I've been able to successfully authenticate the 
incoming userID "into the Tomcat realm".  What I mean by "into the Tomcat 
realm" is that I get a MemoryUser object back, that has the roles (via 
MemoryUser.getRoles()) that are configured in the tomcat-users.xml.

In other words, a header comes into Tomcat with, say, userID of "foobar".  My 
valve code authenticates the user into the Tomcat realm, and then things like 
isInRole(), etc. seem to all work.

What I'm still trying to figure out is that the realm.authenticate() is still 
requiring a password match.  I thought that I could coerce the 
realm.authenticate() to do a cert authentication, because I've read that with 
that, it basically just tries to do a match of the user string in 
tomcat-users.xml, but I haven't been able to figure out how to do that (coerce 
the authentication method) yet.  If anyone knows how to do that, please post 
back.

Thanks,
Jim
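As an added example (not code from this thread or from Tomcat itself), here is a valve in the shape Jim describes, written against the Tomcat 7 Valve API: it reads the user from a header set by httpd, asks the container's Realm for that user's Principal through the single-argument Realm.authenticate(String username) (assumed to be present in your Tomcat version; check its Realm javadoc), and only honours the header when the request arrives from the configured httpd address, since any other client could set that header itself. The class name, header name and proxy address are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;

import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Asserts the user named in a header set by the httpd front end into the
 * request, taking the roles from the Realm configured on the container
 * (for example UserDatabaseRealm backed by tomcat-users.xml).
 * Example server.xml line (attribute names are assumptions):
 *   <Valve className="HeaderAssertValve" headerName="X-Remote-User"
 *          proxyAddress="127.0.0.1"/>
 */
public class HeaderAssertValve extends ValveBase {

    private String headerName = "X-Remote-User"; // constructed default
    private String proxyAddress = "127.0.0.1";   // only this peer may assert users

    public void setHeaderName(String headerName) { this.headerName = headerName; }
    public void setProxyAddress(String proxyAddress) { this.proxyAddress = proxyAddress; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String user = request.getHeader(headerName);

        // Trust the header only when the TCP peer is the httpd that performed
        // the real authentication, and only if nothing has authenticated the
        // request already. (If RemoteIpValve runs earlier in the pipeline it
        // rewrites getRemoteAddr(), so order this valve before it.)
        if (user != null && !user.isEmpty()
                && proxyAddress.equals(request.getRemoteAddr())
                && request.getUserPrincipal() == null) {
            Realm realm = getContainer().getRealm();
            // Single-argument authenticate(): look the user up and return a
            // Principal carrying the realm's roles, with no credential check.
            // Assumed to exist on the Realm interface of this Tomcat version.
            Principal principal = realm.authenticate(user);
            if (principal != null) {
                request.setAuthType("HEADER");
                request.setUserPrincipal(principal);
            }
        }
        getNext().invoke(request, response);
    }
}
```

The principal is set per request rather than registered in the session, so httpd must send the header on every request; isUserInRole() then resolves against the roles the Realm returned.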


