This week's giveaway is in the Spring forum.
We're giving away four copies of REST with Spring (video course) and have Eugen Paraschiv on-line!
See this thread for details.
The moose likes Security and the fly likes  Container Managed Security on Tomcat - configuring different auth-methods Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of REST with Spring (video course) this week in the Spring forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark " Container Managed Security on Tomcat - configuring different auth-methods" Watch " Container Managed Security on Tomcat - configuring different auth-methods" New topic

Container Managed Security on Tomcat - configuring different auth-methods

Jim Yingst

Joined: Jan 30, 2000
Posts: 18671
This was posted a short time ago by Rachel Wilson. Due to a ssytem error the post became corrupted and inaccessible, so I deleted the corrupted thread and am reposting Rachel's original text here:

I am trying to configure the container managed security on tomcat4. Or rather I am trying to add a further dimension to the configuration that already exists.

At the moment the entire application uses LDAP authentication and I would like to separate an area that requires further authentication. That is to say I would like everyone using the web application to authenticate using the existing Form-Based LDAP authentication but I would like only certain users to be able to use the data upload facility (whose code is stored in it's own directory).

This is the authentication bit of my web.xml:


<realm-name>Form-Based Authentication Area</realm-name>

My first hurdle is in understanding exactly how the application knows where to go for its authentication.

I had guessed that the realm-name would map "areas" of my application to realm configuration defined in my application's context area in Tomcat's web.xml but this doesnt seem to be the case. In fact I have read conflicting explanations as to what the realm-name is for. One source has said that this is only used for BASIC authentication as a way of naming the resulting pop up window - many others say it maps the login-config to the web-resource-name. However the latter doesnt make sense because the authentication *works* in my application at the moment even though those values are completely different (and indeed are different in most of the examples i've read on the web). Furthermore I can find any other mention of the defined realm-name in any other file (which of course be because i'm looking in the wrong place).

I was prepared to accept that the realm-name might not actually do anything and so I've been looking for examples of defining a different auth-method for different url-patterns but i've had no luck.

I know a user can have one or more roles but I dont have access to the LDAP server to set these up and haven't found anything about defining different auth-methods other than one thread in this forum suggesting that is wasnt possible on AIS.

This thread suggests that you can have more than one security-constraint but again i'm not sure about the auth methods and how you map an auth method to a security-constraint

To summarise my questions:
1) What are the functions of the realm-name and web-resource-name? Are they related?
2) Is it possible to configure different areas of an application to use different authentication methods? and if so, could you point me in the direction of relevant documentation
3) If (2) is not possible and I have to assign a new role to the privileged LDAP users, is it enough to define a new security-constraint? Could you describe the behaviour I could expect for users that have authenticated once and try to access this super-security area, will they be shown another login form or will it just let them in because the container is already aware of their permissions.

Many thanks for your attention,

"I'm not back." - Bill Harding, Twister
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42959
Several points in no particular order.

1) The realm name is indeed only important for basic authentication.

2) How to set up a realm in Tomcat is described in the docs. For LDAP you need a JNDIRealm.

3) What good is an LDAP server if it doesn't let you assign multiple roles to a user? I'd suggest rechecking that with the admin and making clear that that is a requirement.

4) It is possible to have multiple security-constraints, but I don't think you can have more than one login-config. So there wouldn't be a need to associate a login-config to a security-constraint, because there can only ever be a single one.

5) If setting up LDAP properly isn't possible, you could roll your own Realm, which accesses both LDAP and some other source where you define any additional roles. On the above-linked page, the last paragraph of the "What is a Realm" section briefly outlines how to go about that, and of course the source code for all Tomcat realms is available for study.
[ October 20, 2005: Message edited by: Ulf Dittmer ]
Rachel Wilson

Joined: May 20, 2005
Posts: 3
Thank you for your reply.

I think my original question might have been a bit too long winded

in reply to your numbered points, not my original numbered questions...

2 and 5) I have already read the documents about security realms and how to set them up. In fact we have the LDAP realm up and running. what i would like to do is set up two different realms that may use different authentication within the same application.

1) when you say that realm-name is only used in BASIC authentication - exactly *how* - is it just a title for the pop up box or does it tie in with the web-resource name?

3) I wasnt suggesting it wasnt possible to assign multiple roles to an LDAP user, I meant I am not responsible for the LDAP server which is used throughout my organisation and so i am trying to investigate other methods such as BASIC authentication so i dont have to fight to get a change made to the LDAP entries.

4) Are you saying it is *not* possible to define more than one auth-method per application. So I cant have an initial application login that uses LDAP and then another section that uses BASIC

Thanks again,
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42959
to #1) It's just a description, with no further meaning.

to #4) Only a single login-config is possible.
[ October 20, 2005: Message edited by: Ulf Dittmer ]
I agree. Here's the link:
subject: Container Managed Security on Tomcat - configuring different auth-methods
jQuery in Action, 3rd edition