
How to configure authentication without authorisation

 
Adam Kronicki
Ranch Hand
Posts: 68
I am trying to force the Tomcat Realm to do authentication but ignore roles authorization. So I only want the login/password mechanism and want to skip roles checking. The reason is that the database can and will only have login/password - no role column or table. I tried to use allRolesMode="authOnly" in the <Realm> tag but it caused an error which I describe here:

http://www.coderanch.com/t/555620/Tomcat/Exception-performing-authentication-JDBC-Realm

Can anyone help me with a solution?
 
Vijitha Kumara
Bartender
Posts: 3913
JEE standard authentication/authorization is defined to work in that way. If you already have the code to set the roles, perhaps it's better to have your own authentication module...

Tomcat 5.5 Realm wrote:... It is legal for a user to have zero, one, or more than one valid role...

Even for this I think you need the table anyway...
 
Adam Kronicki
Ranch Hand
Posts: 68
If it is legal to have zero roles, then how can I configure it? It doesn't work if I don't define userRoleTable="user_roles" roleNameCol="role_name". In my application I tried making auth constraints for the '*' role name, but that also fails. As I wrote, I tried using allRolesMode="authOnly", but that created an error when accessing the db. It seems ridiculous that such a simple thing can't be accomplished...
 
Vijitha Kumara
Bartender
Posts: 3913
If it is legal to have zero roles, then how can I configure it?

That would be the "user_roles" table with no records for the particular user I guess (I haven't tried it though)...
 
Adam Kronicki
Ranch Hand
Posts: 68
Vijitha Kumara wrote:
If it is legal to have zero roles, then how can I configure it?

That would be the "user_roles" table with no records for the particular user I guess (I haven't tried it though)...


This doesn't work. When I tried to use another table with some example column, Tomcat threw an error that it can't find the column for user names, so the role table must have a user_name col as well. I tried giving the password column as a role but that doesn't work either.
 
Adam Kronicki
Ranch Hand
Posts: 68
OK, for anybody else who has the same problem, I was given the solution on Stack Overflow. Look here (hope it's OK to post such links here...):
http://stackoverflow.com/questions/7756048/authentication-without-authorization-on-tomcat-7
 
Tim Holloway
Saloon Keeper
Posts: 18212
We're not proud, although we do like to think that we're the best place for Java-related questions overall. Those Other Guys are less focussed.

And, yes, for the record, it is perfectly valid to create a userid/password and assign no roles whatsoever to that user. I do this all the time for apps where the "grunt users" don't need a distinct role of their own. The main difference here is that (as I mentioned earlier), my apps tend to also have more restricted sections, such as the application administrator functions, so those users do have an assigned role.
 