Integrating Custom Authentication with Tomcat Authorization

 
Ranch Hand
Posts: 15304
What I am wanting to do is create my own authentication mechanism, but allow Tomcat to control Authorization.
So basically, I need to manually fill the UserPrincipal, UserRoles and anything else that gets populated by using j_security_check but then allow Tomcat to actually handle whether or not I am able to view a page or not.
Thanks.
 
Sheriff
Posts: 3341
Hmm, need to define Authorization and Authentication.
Authentication establishes Who you are.
Authorization establishes What you can do.
Any container can do Authentication using Realms and HTTP Authentication headers. And I guess minor Authorization to a specific area. However, if you have any type of complex Authorization (User can do A but not B) within that specific area, you have to handle that yourself.
If you want to establish the Authentication Headers yourself, it's relatively simple. Anything you want to protect, you first see if the Request Header "Authorization" is set. The type will tell you how this is encoded. The value of the header is <TYPE> <Encoded Value of username:password>; BASIC uses Base64 Encoding. If the header is set, you need to check the User and Password against the persistence you are using (If you are using Memory Realm, this is quite difficult. Memory Realm uses an XML file in the Server's Config directory which is difficult to get to). If you are using the JDBC Realm, you can read and compare the info from the tables.
If the user is authorized, you don't need to do anything else. If the user isn't, you need to set the response header "WWW-Authenticate"; the value of this is the Realm name you give in your web.xml to be protected.
That's about it to work with Tomcat's Authorization mechanism.
To do finer-grained Authorization, you establish Roles which are permitted, so if anyone logged in can do A, nothing more is needed. To do B, however, you establish a Role such as Admin and assign users who are allowed that role. Then, prior to anywhere B is performed, you check request.isUserInRole(String roleName).
 
Gregg Bolinger
Ranch Hand
Posts: 15304
Hmm, either I am not understanding you, or you may have misunderstood me. Let me see if I can clarify what I am wanting to do.
I want to manually authenticate to Tomcat. Meaning, I will write the LoginServlet that checks the DB to see if the user has entered a valid username and password. I will then also fetch any role(s) the user is in.
However, I don't want to do the logic in my Servlets/JSP files to determine if a user has the correct privileges to view specific pages/information based on role(s). So I want Tomcat to handle the authorization.
So what I need to do is manually do what happens when you submit the login form to "j_security_check". After that, Tomcat should see me as logged in and then Tomcat should handle the authorization using the <security-constraint> attribute in the web.xml file.
I hope that makes more sense now.
 
Carl Trusiak
Sheriff
Posts: 3341
Yes, it makes sense. Again, Tomcat will only provide authorization to the path someone requests. You define that in your web.xml. In fact, between the server.xml and the web.xml, it'll do most of what you want. Now, once you read the fields from the j_security_check form and verify a user is in the database and the password is correct, all you need to do is set the HTTP header "Authorization" to a value of "BASIC <username:password>". The user and password need to be Base64 encoded. The Codec project on Jakarta Commons has the class for Base64.
When they try and access the resource you have protected, Tomcat will verify they have permission and the role to access it.
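The server-side header handling Carl describes in his two replies above, as an added example that is not code from this thread or from Tomcat: it parses the Authorization header, checks the credentials against a constructed map standing in for the JDBC realm's user table, and builds the WWW-Authenticate challenge from the realm name. BasicAuthCheck, USERS, the "gregg"/"s3cret" credential and the realm name "MyRealm" are assumed values; the code needs Java 9 or later for Map.of.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added example, not code from this thread: the server side of HTTP Basic as Carl
// describes it. A servlet or filter would pass request.getHeader("Authorization")
// to check() and, when it returns null, send 401 with challenge() as WWW-Authenticate.
public class BasicAuthCheck {
    // Constructed credential store standing in for the JDBC realm's user table
    // (assumed values). A real store holds salted password hashes, not plaintext.
    static final Map<String, String> USERS = Map.of("gregg", "s3cret");

    // {user, password} from a "Basic <base64>" header, or null if absent or malformed.
    static String[] parse(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the FIRST colon; passwords may contain ':'
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    // Username of the authenticated user, or null when the request must be challenged.
    static String check(String header) {
        String[] cred = parse(header);
        if (cred == null) return null;
        String stored = USERS.get(cred[0]);
        if (stored == null) return null;
        // Constant-time compare so response timing does not reveal how much of the password matched.
        boolean ok = MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                           cred[1].getBytes(StandardCharsets.UTF_8));
        return ok ? cred[0] : null;
    }

    // WWW-Authenticate value; the realm is the <realm-name> from <login-config> in web.xml.
    static String challenge(String realm) {
        return "Basic realm=\"" + realm.replace("\"", "\\\"") + "\"";
    }

    public static void main(String[] args) {
        String hdr = "Basic " + Base64.getEncoder().encodeToString("gregg:s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(check(hdr) + " / " + check("Basic bm9wZQ==") + " / " + challenge("MyRealm"));
    }
}
```

On a Servlet 3.0 or later container, HttpServletRequest.login(username, password) performs the container login programmatically, which is the closest match to Gregg's original request of replacing j_security_check while leaving <security-constraint> authorization to Tomcat.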
 
Gregg Bolinger
Ranch Hand
Posts: 15304
Great! Thanks.