Integrating Tomcat security with servlet filter security

 
Ranch Hand
I have an application that uses a filter and servlets to manage security. A logon page directs to a servlet. This servlet processes the user/pass and stores logon info in the session. A filter checks for that information and if it's not found, redirects the request back to the logon page.

This all works fine. However, I'm also hosting kml files for Google Earth. Apparently the only security Google Earth will handle is http authentication. However, I want to keep using my currently set up security system.

How can I configure things so that the authentication goes through a servlet? Or is there a better method?

TIA.
 
Rancher
I can't say I fully understand what you're trying to do, but you can certainly add (or read) HTTP headers. HTTP Authentication works through an HTTP header called "Authorization"; its string value is

"Basic " + Base64Coder.encode(username + ":" + password);

The Base64Coder class can be found at http://www.source-code.biz/snippets/java/Base64Coder.java.txt, but there are many other packages that perform base64 encoding, including Jakarta Commons Codec: http://jakarta.apache.org/commons/codec/.

Does that answer your question?
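The header format above is all the existing filter needs in order to let Google Earth in without handing the login over to Tomcat, which is what the first post asks about. The following is an added example, not code from this thread: it assumes the logon servlet stores the user under a session attribute named logonUser and that UserStore.checkPassword is the application's existing password check.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Guards the KML URLs. A browser that already logged on through the logon
// servlet passes on its session; Google Earth, which only speaks HTTP Basic,
// is challenged for the same username/password instead of being redirected.
public class KmlAuthFilter implements Filter {
    // Session attribute the logon servlet stores (name assumed for this example).
    static final String USER_ATTR = "logonUser";
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        boolean loggedOn = session != null && session.getAttribute(USER_ATTR) != null;
        if (!loggedOn) {
            String user = userFromBasicHeader(request.getHeader("Authorization"));
            if (user == null) {
                // Google Earth's first request carries no header; the 401 makes it
                // prompt and retry. Basic only base64-encodes the password: use HTTPS.
                response.setHeader("WWW-Authenticate", "Basic realm=\"kml\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            request.getSession(true).setAttribute(USER_ATTR, user);
        }
        chain.doFilter(req, res);
    }

    // Parses "Basic base64(user:pass)"; returns the user only if the password checks out.
    static String userFromBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try { raw = Base64.getDecoder().decode(header.substring(6).trim()); }
        catch (IllegalArgumentException badBase64) { return null; }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        // UserStore.checkPassword is assumed: the same check the logon servlet calls.
        return UserStore.checkPassword(user, decoded.substring(colon + 1)) ? user : null;
    }
}
```

Map the filter only to the KML URL pattern in web.xml so the rest of the site keeps its redirect-to-logon behaviour.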
 
Saloon Keeper
Does your app return KML files directly to the user's browser, or does it pull KML internally and use that to construct responses?

If the KML URL is placed on the user's browser page, you have no control over it. The user's browser will contact Google directly, and any security arrangements are going to be between the user and Google, unless you can get Google to assign you some sort of security token to place in the client-side URL. But I don't recall Google securing their data - just their APIs.

If the server code is itself reading the KML data, then it has to negotiate security according to Google's requirements and that's completely separate from how you secure user access, since it's internal to the webapp. While you might take the user's identity into consideration before doing the KML fetch, the actual process is just like talking to a database via JDBC - the security access is for the webapp as a whole.
 
Bai Shen
Ranch Hand
What I'm doing right now is generating a kml file and hosting it on my server. The user downloads that kml file into Google Earth. That kml has a NetworkLink which points it to a kml file on my server which has all of the actual data.

Now I got it to prompt for a password by creating my own realm and doing BASIC authentication. But that requires me to place code outside of the war and on the tomcat server itself.

So right now I'm trying to set my app to use tomcat's JAAS realm so that I don't have to deploy anything specific to the tomcat server and can keep everything in the war.

Oh, and nothing is going through Google's servers. Google Earth is a desktop application and the kml is hosted on my web server. I was just looking for a way to protect the kml with the same user database as my servlets.
 
Tim Holloway
Saloon Keeper
I may have to ponder that for a while. I'm not sure I have all my facts straight.

If you use a Realm, that means that you shouldn't have written your own login services, and, for that matter, it's fairly unlikely you should have needed a servlet filter. Managing the login process in a Realm is done by Tomcat itself, not your app, regardless of what type of Realm it is - JAAS, JDBC, or even Memory (XML file). And, conversely, Tomcat isn't going to prompt for security credentials when it knows you're already logged in, even if the resource being requested is itself pointed to by an external server.

The exception to this would be if you had 2 separate apps - one to generate the initial Google KML reference and one to provide the KML that the Google-served KML referenced. But even that exception would only apply if the 2 apps weren't sharing a single sign-on Realm.
 
Bai Shen
Ranch Hand

Tim Holloway wrote:I may have to ponder that for a while. I'm not sure I have all my facts straight.

If you use a Realm, that means that you shouldn't have written your own login services, and, for that matter, it's fairly unlikely you should have needed a servlet filter. Managing the login process in a Realm is done by Tomcat itself, not your app, regardless of what type of Realm it is - JAAS, JDBC, or even Memory (XML file). And, conversely, Tomcat isn't going to prompt for security credentials when it knows you're already logged in, even if the resource being requested is itself pointed to by an external server.

The exception to this would be if you had 2 separate apps - one to generate the initial Google KML reference and one to provide the KML that the Google-served KML referenced. But even that exception would only apply if the 2 apps weren't sharing a single sign-on Realm.



Your exception is correct. The initial webapp was written to use a servlet filter as its login mechanism. However, Google Earth doesn't support that. So the only way to secure the kml is to use a tomcat realm. Unfortunately, I don't have time atm to rewrite everything to use the realm.

So far I managed to get the JAASRealm to work. However, it seems to require a Role, and there is no RolePrincipal object. Right now, I don't need any roles, but the JAASRealm seems to require it, even though the Role class is optional in the context.
 
Tim Holloway
Saloon Keeper
ALL Realms require roles. It's part of the J2EE security architecture. You might have a user who participates in no roles, but the mechanism still needs to be there.

More commonly, you do assign roles. It's how you separate those who can look from those who can change data, for example, and there's usually an administrator role or 2 as well.
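For the JAASRealm route discussed in the last two posts, here is an added example (not code from the thread) of a LoginModule that satisfies the role requirement by committing a separate role principal class alongside the user principal. It assumes a JAAS login configuration entry that names this module, a constructed role name kml-user, and, as before, a UserStore.checkPassword hook into the application's user database.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// LoginModule for Tomcat's JAASRealm. Tomcat tells users from roles purely by
// principal class name, so the Realm (e.g. in the war's META-INF/context.xml) lists
//   userClassNames="KmlLoginModule$UserPrincipal" roleClassNames="KmlLoginModule$RolePrincipal"
public class KmlLoginModule implements LoginModule {
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    public static class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    public static class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }
    private Subject subject;
    private CallbackHandler handler;
    private String user;   // set by login(), consumed by commit()

    @Override public void initialize(Subject s, CallbackHandler h,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        // Tomcat's JAASRealm supplies NameCallback and PasswordCallback for BASIC auth.
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        String pass = pc.getPassword() == null ? "" : new String(pc.getPassword());
        pc.clearPassword();
        // UserStore.checkPassword is assumed: the same check the app's logon servlet uses.
        if (!UserStore.checkPassword(nc.getName(), pass)) throw new FailedLoginException("bad credentials");
        user = nc.getName();
        return true;
    }
    @Override public boolean commit() {
        if (user == null) return false;
        subject.getPrincipals().add(new UserPrincipal(user));
        // Every authenticated user gets one role; web.xml's <auth-constraint> on the KML URLs names it.
        subject.getPrincipals().add(new RolePrincipal("kml-user"));
        return true;
    }
    @Override public boolean abort() { user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```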
 