Integrating Tomcat security with servlet filter security

Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
I have an application that uses a filter and servlets to manage security. A logon page directs to a servlet. This servlet processes the user/pass and stores logon info in the session. A filter checks for that information and if it's not found, redirects the request back to the logon page.

This all works fine. However, I'm also hosting kml files for Google Earth. Apparently the only security Google Earth will handle is http authentication. However, I want to keep using my currently set up security system.

How can I configure things so that the authentication goes through a servlet? Or is there a better method?

TIA.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41182
I can't say I fully understand what you're trying to do, but you can certainly add (or read) HTTP headers. HTTP authentication works through an HTTP header called "Authorization"; its string value is

"Basic " + Base64Coder.encode(username + ":" + password);

The Base64Coder class can be found at http://www.source-code.biz/snippets/java/Base64Coder.java.txt, but there are many other packages that perform base64 encoding, including Jakarta Commons Codec: http://jakarta.apache.org/commons/codec/.

Does that answer your question?


Ping & DNS - my free Android networking tools app
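As an added example, not code from this thread or from Tomcat, here is a filter that accepts either the existing session logon or HTTP Basic credentials, both checked against the same user database, so browser pages and the KML files share one login. UserStore, its checkPassword method, the "user" session attribute and the /logon.jsp path are assumptions; java.util.Base64 (Java 8+) stands in for the Base64Coder class mentioned above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionOrBasicAuthFilter implements Filter {
    // Hypothetical user store shared with the logon servlet (assumption, not from the thread).
    private final UserStore users = UserStore.get();

    public void init(FilterConfig cfg) {} public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // 1. Already logged on through the logon servlet: pass the request through.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);
            return;
        }
        // 2. Otherwise accept HTTP Basic credentials checked against the same store.
        String user = basicAuthUser(request.getHeader("Authorization"));
        if (user != null) {
            request.getSession(true).setAttribute("user", user);
            chain.doFilter(req, res);
            return;
        }
        // 3. No credentials: KML clients get a Basic challenge, browsers the logon page.
        if (request.getRequestURI().endsWith(".kml")) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"kml\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendRedirect(request.getContextPath() + "/logon.jsp");
        }
    }

    /** Returns the username if the header carries valid Basic credentials, else null. */
    String basicAuthUser(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64: treat as no credentials
        }
        int colon = decoded.indexOf(':'); // split on the first ':' so passwords may contain one
        if (colon < 0) return null;
        return users.checkPassword(decoded.substring(0, colon), decoded.substring(colon + 1))
                ? decoded.substring(0, colon) : null;
    }
}
```

Basic credentials are only base64-encoded, not encrypted, so the KML URLs handed to Google Earth should be HTTPS.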
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964

Does your app return KML files directly to the user's browser, or does it pull KML internally and use that to construct responses?

If the KML URL is placed on the user's browser page, you have no control over it. The user's browser will contact Google directly, and any security arrangements are going to be between the user and Google, unless you can get Google to assign you some sort of security token to place in the client-side URL. But I don't recall Google securing their data - just their APIs.

If the server code is itself reading the KML data, then it has to negotiate security according to Google's requirements and that's completely separate from how you secure user access, since it's internal to the webapp. While you might take the user's identity into consideration before doing the KML fetch, the actual process is just like talking to a database via JDBC - the security access is for the webapp as a whole.


Customer surveys are for companies who didn't pay proper attention to begin with.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
What I'm doing right now is generating a kml file and hosting it on my server. The user downloads that kml file into Google Earth. That kml has a NetworkLink which points it to a kml file on my server which has all of the actual data.

Now I got it to prompt for a password by creating my own realm and doing BASIC authentication. But that requires me to place code outside of the war and on the tomcat server itself.

So right now I'm trying to set my app to use tomcat's JAAS realm so that I don't have to deploy anything specific to the tomcat server and can keep everything in the war.

Oh, and nothing is going through Google's servers. Google Earth is a desktop application and the kml is hosted on my web server. I was just looking for a way to protect the kml with the same user database as my servlets.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964

I may have to ponder that for a while. I'm not sure I have all my facts straight.

If you use a Realm, that means that you shouldn't have written your own login services, and, for that matter, it's fairly unlikely you should have needed a servlet filter. Managing the login process in a Realm is done by Tomcat itself, not your app, regardless of what type of Realm it is - JAAS, JDBC, or even Memory (XML file). And, conversely, Tomcat isn't going to prompt for security credentials when it knows you're already logged in, even if the resource being requested is itself pointed to by an external server.

The exception to this would be if you had 2 separate apps - one to generate the initial google KML reference and one to provide the KML that the google-served KML referenced. But even that exception would only apply if the 2 apps weren't sharing a single sign-on Realm.
Bai Shen
Ranch Hand

Joined: Sep 24, 2008
Posts: 323
Tim Holloway wrote: I may have to ponder that for a while. I'm not sure I have all my facts straight.

If you use a Realm, that means that you shouldn't have written your own login services, and, for that matter, it's fairly unlikely you should have needed a servlet filter. Managing the login process in a Realm is done by Tomcat itself, not your app, regardless of what type of Realm it is - JAAS, JDBC, or even Memory (XML file). And, conversely, Tomcat isn't going to prompt for security credentials when it knows you're already logged in, even if the resource being requested is itself pointed to by an external server.

The exception to this would be if you had 2 separate apps - one to generate the initial google KML reference and one to provide the KML that the google-served KML referenced. But even that exception would only apply if the 2 apps weren't sharing a single sign-on Realm.


Your exception is correct. The initial webapp was written to use a servlet filter as its login mechanism. However, Google Earth doesn't support that. So the only way to secure the kml is to use a tomcat realm. Unfortunately, I don't have time atm to rewrite everything to use the realm.

So far I managed to get the JAASRealm to work. However, it seems to require a Role, and there is no RolePrincipal object. Right now, I don't need any roles, but the JAASRealm seems to require it, even though the Role class is optional in the context.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964

ALL Realms require roles. It's part of the J2EE security architecture. You might have a user who participates in no roles, but the mechanism still needs to be there.

More commonly, you do assign roles. It's how you separate those who can look from those who can change data, for example, and there's usually an administrator role or 2 as well.