Tomcat - Basic access authentication

Merlin Jones
Greenhorn
Posts: 2
Hello,

I am trying to restrict access to Tomcat applications on a server to specific users, without being prompted for a username and password.
However, all the attempts using basic authentication led me to: 1 - either restricting access not just to the applications, but to the manager page as well (when I made the amendment in server.xml); 2 - or restricting the applications (by amending the context.xml).
The first outcome is not ideal as I need only the applications to be restricted; the second outcome requires extra checks once a deployment happens as the context.xml is going to be replaced as part of the process (and it is also not ideal to have credentials saved in the code).

Any suggestions on using token authentication between the servers/users to access the applications running on a Tomcat server?

Thanks in advance.

Tim Holloway
Saloon Keeper
Posts: 22784
Welcome to the Ranch, Merlin!

How do you propose to limit access to "authorized users" if you do not know who the user (userid) is?  

There are a number of authentication mechanisms available, but knowing who is who is pretty much essential to all of them, and especially if different users have different privileges.

Merlin Jones
Greenhorn
Posts: 2
Hello Tim,

Thanks a lot for the welcome greetings and for replying to my very first post!  

You are right, I should have explained better who the users are.
I want to limit access to specific servers, say only server A,B,C will have access granted to the web applications running on my Tomcat server.
The reason why I would like to avoid a user/password prompt is because the request to access the content comes from servers ('the users'), instead of a 'real user'.
So I have attempted to restrict the access by IP only, and got stuck on restricting access not just to the applications, but to the manager page as well.
I am now looking into the possibility of passing the 'credentials/token' of the servers that I want to grant access to the applications via the HTTPS parameters, but still no success.

Merlin

Ron McLeod
Marshal
Posts: 3258
If you strictly need to control access based on IP address, then I would use iptables or firewalld so that only authorized endpoints ever reach the server.

If you need control based on additional factors such as request URI, I would also/instead use nginx or httpd as a reverse proxy. Using a reverse proxy can provide additional benefits such as:
  - security gateway to offload TLS processing from backend servers
  - load balancer to distribute to multiple server instances
  - rate limiter to help reduce DoS
  - in the case of a microservice architecture act as a service router to forward the requests to the responsible microservices

In addition, I would use JWT or some other token mechanism and use the roles/groups claims to control access to individual services/methods.

Tim Holloway
Saloon Keeper
Posts: 22784
First, let me second Ron's advocacy for fronting Tomcat with a reverse proxy. In addition to the reasons he gave, there's one more very important one: Tomcat cannot listen on ports 80 and 443 safely, but a reverse proxy can.

To filter requests based on whether they are internal or external, you have 2 options. One is to use a reverse proxy and forbid the internal URLs from external servers. You'd probably just want to forbid them entirely in the proxy and have the internal servers talk to Tomcat directly. Most firewalls cannot filter by URL, and as mentioned, a reverse proxy is a useful thing to have in general.

The other option does require assigning user IDs to the internal servers. I'm assuming based on what I've heard that all external users are going to be anonymous. To avoid a password challenge, however, you can configure Tomcat to authenticate via client certificate. This is a relatively rare but useful option where you create security certs for each client machine and pair them with credentials registered with Tomcat. Be warned, though, that if the client machine goes down and gets swapped out, the swapped-in machine is going to have to have a valid cert!

A further note when using user IDs. Don't log in the same user ID from multiple machines! Tomcat will not like it and you may have corruption in your session-scope variables if you have any, plus possible cookie conflicts. Give each client a unique ID.
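The following nginx configuration is an added example illustrating the reverse-proxy approach Ron and Tim describe; it is not from the thread or from the Tomcat or nginx projects. It puts nginx in front of Tomcat, refuses the manager and host-manager paths outright, allows the application path only from three named servers, and additionally requires a client certificate issued by an internal CA, so the certificate check happens at the proxy rather than through Tomcat's own CLIENT-CERT authenticator. The addresses 10.0.1.10 to 10.0.1.12, the hostname apps.example.com, the /app/ path and every file path are constructed placeholders; Tomcat is assumed to listen on 127.0.0.1:8080.

```nginx
# Added example: nginx reverse proxy in front of Tomcat (not from the original thread).
# Assumptions (all constructed): Tomcat on 127.0.0.1:8080, trusted servers A/B/C at
# 10.0.1.10-12, server certificate and internal CA files under /etc/nginx/.

# Rate-limit zone: 10 requests per second per client address, 10 MB of state.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name apps.example.com;

    # TLS offload: nginx terminates HTTPS, Tomcat stays on plain HTTP on loopback.
    ssl_certificate     /etc/nginx/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/server.key;   # placeholder path

    # Mutual TLS: ask every client for a certificate chained to the internal CA.
    # "optional" lets the per-location check below decide what to do without one.
    ssl_client_certificate /etc/nginx/internal-ca.pem;   # placeholder path
    ssl_verify_client optional;

    # The manager apps are never reachable through the proxy; administer them
    # from the host itself (loopback), not through this virtual host.
    location ~ ^/(manager|host-manager)(/|$) {
        return 403;
    }

    # Application path: only servers A, B and C, and only with a valid client cert.
    location /app/ {
        allow 10.0.1.10;
        allow 10.0.1.11;
        allow 10.0.1.12;
        deny  all;

        # $ssl_client_verify is "SUCCESS", "NONE" or "FAILED:<reason>".
        if ($ssl_client_verify != "SUCCESS") {
            return 403;
        }

        limit_req zone=perip burst=20 nodelay;

        proxy_pass http://127.0.0.1:8080/app/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass the verified certificate subject so the application can map
        # each client machine to its own user id (one id per machine).
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }

    # Anything else is refused.
    location / {
        return 404;
    }
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name apps.example.com;
    return 301 https://$host$request_uri;
}
```

Two checks make this hold up in practice. First, the proxy rules are only as good as the path around them: bind Tomcat's HTTP connector to the loopback interface (the `address="127.0.0.1"` attribute on the `<Connector>` in server.xml) or firewall port 8080, otherwise a client can skip nginx and reach the manager directly. Second, once requests arrive via the proxy, Tomcat sees 127.0.0.1 as the remote address; if anything inside Tomcat still needs the real client address, configure `org.apache.catalina.valves.RemoteIpValve` to trust `X-Forwarded-For` from the proxy only. With this layout the manager stays usable from the host itself while the applications are restricted, and nothing has to be written into the application's context.xml that a redeployment would overwrite.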