Ankur Jain Kothari wrote:Tomcat provides this XML, but how does it work? It contains some names and passwords... but I have never seen them being asked for or something?
I also want this, but one of the bartenders told me that it's not for the exam, and he is the author of Examlab.
It doesn't matter if you win by an inch or a mile; winning's winning.
Ankur Jain Kothari wrote:Tomcat provides this XML, but how does it work? It contains some names and passwords... but I have never seen them being asked for or something?
That file contains the user names and the roles assigned to those users. Tomcat provides some default web applications like the "manager" application (not sure if it's available in the usual download) which use this file for authorization. So if this file does not set the right roles for a user, then that user will not be able to access the secured "manager" web application.
I also want this, but one of the bartenders told me that it's not for the exam, and he is the author of Examlab.
That file is specific to Tomcat server. So unless the exam is about Tomcat administration, it doesn't make sense to ask about that file in the exam.
Ankur Jain Kothari wrote:Hey, but we are curious to know what it means...
I already explained what that file is meant for.
Ankur Jain Kothari
When designing the security of an app, do we have to make changes to this file? When we want to define a new role, do we make changes to this file or the web.xml? I think here... maybe.
You'll have to make changes to that file if you introduce new roles to the security configuration of your application. But in real-life applications, that kind of authentication/authorization is not used very often, as it requires making changes to an XML file each time a user is added. There are other realms available which let you do authorization/authentication using a database (this one is a file realm, as it lets you authenticate/authorize a request based on a file)...
vinit sharma wrote:Please can you explain these lines more...
How is authentication/authorization done in real life these days?
vinit
It's called "login". Authentication is the login, authorization is the process of determining whether a given user should have a given capability. If you want to use tomcat-users.xml file, you have to use container-managed security with the MemoryRealm security module activated. That's because MemoryRealm is designed specifically to read the tomcat-users.xml file. There's also a new realm for Tomcat 6 that expands on the MemoryRealm, but I don't remember its name.
In container-managed A&A, you have the userid, password, and zero or more roles assigned to each user. When a need for authentication (login) is detected, the container (Tomcat) places the http request on hold and activates whichever login process was configured in the app's web.xml file.
You can find a much more detailed description of all this in any good book on J2EE. In Tomcat's case, the A&A process is done via a Realm, and a Realm is just a class that provides the needed security interfaces. Realms come in many flavours, including the ability to use databases, LDAP, web services, Single Sign-on providers and more. The MemoryRealm is really mostly just to allow for testing and demo applications. Since Realms are plug-replaceable, you can test using a MemoryRealm, then deploy to a production server that uses a more powerful authentication system.
One of the most odious afflictions that Business has inflicted on the modern English language is "pro-active". Most of the time it's simply redundantly used in place of the simple old word "active". And a good deal of the rest of the time it means "You're not overworked enough yet, so go out and find more!"
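The two-step flow described above (the realm answers "who is this user and which roles do they hold", web.xml answers "which roles may reach this URL", and the container joins the two) can be shown as a small simulation. The script below is an added example and not Tomcat's code: it parses a constructed tomcat-users.xml and a constructed web.xml fragment with ElementTree and reproduces the container's decision for a request. The user names, passwords, roles and URL patterns are all made up for the example; the element layout follows the real files. Note that a stock tomcat-users.xml holds passwords in clear text, which is one reason the MemoryRealm is treated as a test/demo realm.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Tomcat's conf/tomcat-users.xml.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="employee"/>
  <user username="alice" password="alice-pw" roles="manager-gui,employee"/>
  <user username="bob" password="bob-pw" roles="employee"/>
</tomcat-users>
"""

# Constructed web.xml fragment: URL patterns and the roles they require.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Staff</web-resource-name>
      <url-pattern>/staff/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""


def _local(tag):
    # Strip an XML namespace prefix such as "{http://...}user".
    return tag.rsplit("}", 1)[-1]


def load_users(xml_text):
    """What a MemoryRealm holds: {username: (password, set_of_roles)}."""
    users = {}
    for el in ET.fromstring(xml_text):
        if _local(el.tag) == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = (el.get("password", ""), roles)
    return users


def load_constraints(xml_text):
    """List of (url_pattern, allowed_roles); allowed_roles is None when the
    constraint has no <auth-constraint>, i.e. the resource is open."""
    out = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(e.tag) == "auth-constraint" for e in sc.iter())
        roles = {e.text.strip() for e in sc.iter() if _local(e.tag) == "role-name"}
        for p in sc.iter():
            if _local(p.tag) == "url-pattern":
                out.append((p.text.strip(), roles if has_auth else None))
    return out


def pattern_matches(pattern, path):
    # Servlet-style matching: exact, path prefix "/x/*", or extension "*.ext".
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(constraints, path):
    """Union of roles allowed by every constraint matching the path, or None
    if no constraint covers it (then the container never asks for a login)."""
    matched = [r for p, r in constraints if pattern_matches(p, path) and r is not None]
    if not matched:
        return None
    return set().union(*matched)


def authenticate(users, username, password):
    """Login step: does the realm know this userid/password pair?"""
    entry = users.get(username)
    if entry is None:
        return False
    return hmac.compare_digest(entry[0], password or "")


def access_decision(users, constraints, path, username=None, password=None):
    """Container-style outcome: 200 allowed, 401 login needed/failed, 403 wrong role."""
    required = required_roles(constraints, path)
    if required is None:
        return 200
    if not authenticate(users, username, password):
        return 401
    return 200 if users[username][1] & required else 403


USERS = load_users(TOMCAT_USERS_XML)
CONSTRAINTS = load_constraints(WEB_XML)

if __name__ == "__main__":
    for args in [("/index.jsp",), ("/admin/status", "alice", "alice-pw"),
                 ("/admin/status", "bob", "bob-pw"), ("/staff/home", "bob", "wrong")]:
        print(args, "->", access_decision(USERS, CONSTRAINTS, *args))
```

The split mirrors the posts above: `load_users` plays the realm (and could be swapped for a database lookup without touching anything else), `load_constraints` is the part of web.xml the application owns, and `access_decision` is the container logic that neither side sees.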
Thanks Tim Holloway.
Is the tomcat-users.xml file used for authentication of the web server or the web application?
Can you give some link where I can find more about it, because HF Servlets and JSP has only a few pages on it...
vinit
Ulf Dittmer
That file is Tomcat-specific, so you wouldn't find anything about it in generic servlet/JSP literature. But the Tomcat documentation talks about it under the concept of "Realms".
vinit sharma wrote:Thanks Tim Holloway.
Is the tomcat-users.xml file used for authentication of the web server or the web application?
Can you give some link where I can find more about it, because HF Servlets and JSP has only a few pages on it...
vinit
Each web application may have its own A&A configuration. You don't log into servers, just applications.
tomcat-users.xml is just a simple XML data file. The comments in it are all the documentation there is about the file itself.
The Tomcat MemoryRealm is documented in the Realms section of the Tomcat documentation at tomcat.apache.org. One of its optional properties is to allow you to use a different file instead of TOMCAT_HOME/conf/tomcat-users.xml, but whatever file you use and whatever its name is, the internal format remains the same. It defines authorized users, their passwords, and security roles (if any). Any userid not in that file is not permitted to logon to any webapp that uses a MemoryRealm configured to read that file.
You won't find anything in most books on tomcat-users.xml because it's not part of J2EE. It's just a file that that particular security manager for that particular server (Tomcat) uses to read the collection of authorized user credentials and security roles.
Tomcat-users.xml isn't really that important to understand. It's not a complicated file. What's important to understand is how J2EE users authenticate and authorize. The actual Realm being used is a black box to the webapp, which doesn't know which realm is being used, much less whether tomcat-users.xml is being used as its credentials and roles database.