Re: Tomcat Authentication with Realms



Doesn't the realm provide that feature by default? I thought the Tomcat
documentation states that you have to create two tables for user
authentication and authorization.

Table User with Username and Password, where Username is the primary key,
and table User_Role with Username and Rolename, where (Username, Rolename)
is the primary key.

When you use your realm and have, for example, two users Jon and Jane, with
the entries (Jon, Admin), (Jon, User) and (Jane, Guest) in the User_Role
table, then you can check for example the Admin role in your servlet with
request.isUserInRole("Admin"). This method returns true only when the
request was made by user Jon. For user Jane the same check will return
false. The check for role User will also return true for user Jon and false
for user Jane.

Kind Regards,
Daniel

<roberto.riggio@xxxxxxxxx> schrieb im Newsbeitrag
news:1121851059.548571.124450@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> I've successfully configured tomcat (5.0) to use the realms for
> authenticating users.
>
> Basically I have a set of roles and some security constraints for
> limiting the access to some pages.
>
> In my system the user must choose one role among all the roles
> associated to him in the database.

Why do you restrict access to specific web pages under one role for a
user who can access these web pages under another role?

>
> I would like to know if this can be done by using the tomcat
> authentication facility.
>
> e.g. by adding a drop-down list of roles to the authentication form.
>
> At present the user chooses the role after the login and the
> system maintains a session variable with this role.
>
> Do you have any suggestions???
>
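As an added illustration of the two-table layout Daniel describes (not code from the thread or from Tomcat), the following stand-alone Python model builds the user and user-role tables in SQLite with the column names from Tomcat's JDBCRealm documentation, loads the constructed Jon/Jane rows from the post, and implements the authentication and role-membership lookups that the realm and request.isUserInRole() perform. Storing passwords as SHA-256 digests rather than cleartext is an assumption of this example.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema: the two tables from the post, using the table and column
# names documented for Tomcat's JDBCRealm (users/user_name/user_pass and
# user_roles/user_name/role_name). user_name is the primary key of users and
# (user_name, role_name) is the primary key of user_roles.
SCHEMA = """
CREATE TABLE users (
    user_name VARCHAR(32) NOT NULL PRIMARY KEY,
    user_pass VARCHAR(64) NOT NULL
);
CREATE TABLE user_roles (
    user_name VARCHAR(32) NOT NULL REFERENCES users(user_name),
    role_name VARCHAR(32) NOT NULL,
    PRIMARY KEY (user_name, role_name)
);
"""


def digest(password: str) -> str:
    # Assumption of this example: credentials are stored hashed, not cleartext.
    return hashlib.sha256(password.encode()).hexdigest()


def build_realm() -> sqlite3.Connection:
    """Create an in-memory realm with the constructed users and roles."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("Jon", digest("jon-pw")), ("Jane", digest("jane-pw"))])
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [("Jon", "Admin"), ("Jon", "User"), ("Jane", "Guest")])
    db.commit()
    return db


def authenticate(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Authentication step: compare the supplied credential with the stored one."""
    row = db.execute("SELECT user_pass FROM users WHERE user_name = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], digest(password))


def is_user_in_role(db: sqlite3.Connection, username: str, role: str) -> bool:
    """Authorization step: what request.isUserInRole(role) answers for the
    authenticated principal, i.e. whether a (user_name, role_name) row exists."""
    row = db.execute(
        "SELECT 1 FROM user_roles WHERE user_name = ? AND role_name = ?",
        (username, role)).fetchone()
    return row is not None
```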
