How to configure authentication without authorisation

Adam Kronicki
Ranch Hand

Joined: Sep 01, 2009
Posts: 68
I am trying to force the Tomcat Realm to do authentication but ignore role authorization. So I only want the login/password mechanism and to skip role checking. The reason is that the database can and will only have login/password - no role column or table. I tried to use allRolesMode="authOnly" in the <Realm> tag but it caused an error which I describe here:

http://www.coderanch.com/t/555620/Tomcat/Exception-performing-authentication-JDBC-Realm

Can anyone help me with a solution?
Vijitha Kumara
Bartender

Joined: Mar 24, 2008
Posts: 3817

JEE standard authentication/authorization is defined to work in that way. If you already have the code to set the roles perhaps it's better to have your own authentication module...

Tomcat 5.5 Realm wrote:... It is legal for a user to have zero, one, or more than one valid role...

Even for this I think you need the table anyway...

SCJP 5 | SCWCD 5
Adam Kronicki
Ranch Hand

Joined: Sep 01, 2009
Posts: 68
If it is legal to have zero roles, then how can I configure it? It doesn't work if I don't define userRoleTable="user_roles" roleNameCol="role_name". In my application I tried making auth constraints for the '*' role name, but that also fails. As I wrote, I tried using allRolesMode="authOnly", but that created an error when accessing the db. It seems ridiculous that such a simple thing can't be accomplished...
Vijitha Kumara
Bartender

Joined: Mar 24, 2008
Posts: 3817

Adam Kronicki wrote: If it is legal to have zero roles, then how can I configure it?

That would be the "user_roles" table with no records for the particular user I guess (I haven't tried it though)...
Adam Kronicki
Ranch Hand

Joined: Sep 01, 2009
Posts: 68
Vijitha Kumara wrote:
If it is legal to have zero roles, then how can I configure it?

That would be the "user_roles" table with no records for the particular user I guess (I haven't tried it though)...


This doesn't work. When I tried to use another table with some example column, Tomcat threw an error that it can't find the column for user names. So the role table must have a user_name col as well. I tried giving the password column as a role but that doesn't work either.
Adam Kronicki
Ranch Hand

Joined: Sep 01, 2009
Posts: 68
OK, for anybody else that has the same problem, I was given the solution on Stack Overflow. Look here (hope it's OK to post SO links here...):
http://stackoverflow.com/questions/7756048/authentication-without-authorization-on-tomcat-7
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964
    

We're not proud, although we do like to think that we're the best place for Java-related questions overall. Those Other Guys are less focussed.

And, yes, for the record, it is perfectly valid to create a userid/password and assign no roles whatsoever to that user. I do this all the time for apps where the "grunt users" don't need a distinct role of their own. The main difference here is that (as I mentioned earlier), my apps tend to also have more restricted sections, such as the application administrator functions, so those users do have an assigned role.


Customer surveys are for companies who didn't pay proper attention to begin with.
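
The settings discussed in this thread, put side by side as an added example (not taken from any post here or from the linked Stack Overflow answer). The driver, URL, credentials and the users/user_name/user_pass names are placeholders, and it assumes a Tomcat version whose realm honours allRolesMode:

```xml
<!-- Added example. Placeholders: driver, URL, credentials, users table names. -->

<!-- 1) META-INF/context.xml: JDBCRealm over a login/password table.
     user_roles is an empty table with user_name and role_name columns;
     the realm looks roles up by the same userNameCol, so that column
     has to exist even when no user is ever given a role. -->
<Context>
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="org.example.Driver"
         connectionURL="jdbc:example://db.example.invalid/appdb"
         connectionName="REPLACE_ME" connectionPassword="REPLACE_ME"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name"
         allRolesMode="authOnly"/>
  <!-- allRolesMode values: strict (default), authOnly, strictAuthOnly.
       authOnly: a "*" auth-constraint is satisfied by any authenticated
       user, with no role check. -->
</Context>

<!-- 2) WEB-INF/web.xml: require a login for everything, no named role. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" is the only constraint that authOnly relaxes. A constraint
           naming a real role (for example an admin area) is still checked
           against user_roles, so with an empty table nobody passes it. -->
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends the password on every request; keep it on TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>app</realm-name>
  </login-config>
</web-app>
```

With this layout, access control is all-or-nothing: every account in the users table can reach every URL under the constraint, so any later admin-only section needs its own named role and rows in user_roles.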
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How to configure authentication without authorisation
 
Similar Threads
Using JDBCRealm in JSP application
IIS Integrated Authentication + Tomcat Form-based (or basic) Authentication
what is realm. ???
how to redirect to success page in tomcat using its lapd configuration
Using JDBCRealm in JSP application