Integrating Custom Authentication with Tomcat Authorization

Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15299
    
    6

What I am wanting to do is create my own authentication mechanism, but allow Tomcat to control Authorization.
So basically, I need to manually fill the UserPrincipal, UserRoles and anything else that gets populated by using j_security_check but then allow Tomcat to actually handle whether or not I am able to view a page or not.
Thanks.


GenRocket - Experts at Building Test Data
Carl Trusiak
Sheriff

Joined: Jun 13, 2000
Posts: 3340
Hum, need to define Authorization and Authentication.
Authentication establishes Who you are.
Authorization establishes What you can do.
Any container can do Authentication using Realms and HTTP Authentication headers. And I guess minor Authorization to a specific area. However, if you have any type of complex Authorization (User can do A but not B) within that specific area, you have to handle that yourself.
If you want to establish the Authentication Headers yourself, it's relatively simple. Anything you want to protect, you first see if the Request Header "Authorization" is set. The type will tell you how this is encoded. The value of the header is <TYPE> <encoded value of username:password>; BASIC uses Base64 encoding. If the header is set, you need to check the user and password against the persistence you are using (if you are using Memory Realm, this is quite difficult. Memory Realm uses an XML file in the server's config directory which is difficult to get to). If you are using the JDBC Realm, you can read and compare the info from the tables.
If the user is authorized, you don't need to do anything else. If the user isn't, you need to set the response header "WWW-Authenticate"; the value of this is the Realm name you give in your web.xml to be protected.
That's about it to work with Tomcat's Authorization mechanism.
To do finer grain Authorization, you establish Roles which are permitted, so if anyone logged in can do A, nothing more is needed. To do B however, you establish a Role such as Admin and assign users who are allowed that role. Then prior to anywhere B is performed you check request.isUserInRole(String roleName).


I Hope This Helps
Carl Trusiak, SCJP2, SCWCD
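The check-the-header-or-challenge flow Carl describes, written out as a servlet Filter. This is an added example, not code from the thread or from Tomcat; the class name BasicAuthFilter, the REALM constant and the constructed USERS map are assumptions, it uses the JDK's java.util.Base64 instead of Commons Codec, and it assumes the javax.servlet API (Tomcat 9 or earlier).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: verifies an HTTP Basic "Authorization" header and
// otherwise challenges the client with "WWW-Authenticate" for the realm.
public class BasicAuthFilter implements Filter {
    // Must match the <realm-name> the web.xml <login-config> protects.
    private static final String REALM = "Protected";
    // Constructed sample store for the example; a real deployment would read
    // the JDBC Realm tables and compare a stored password hash, never plaintext.
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        // The scheme word tells us how the value is encoded; only Basic is handled here.
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String decoded;
            try {
                byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
                decoded = new String(raw, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                decoded = "";                      // malformed Base64: treat as no credentials
            }
            int colon = decoded.indexOf(':');      // Basic value is "username:password"
            if (colon > 0) {
                byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
                String expected = USERS.get(decoded.substring(0, colon));
                // Constant-time comparison avoids leaking how many bytes matched.
                if (expected != null && MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8), given)) {
                    chain.doFilter(req, res);      // authenticated: let the request through
                    return;
                }
            }
        }
        // Missing or wrong credentials: send the realm challenge and a 401.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Role checks for the finer-grained "B" case still go in the servlet via request.isUserInRole, which only returns true when the container itself populated the principal.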
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15299
    
    6

Hmm, either I am not understanding you, or you may have misunderstood me. Let me see if I can clarify what I am wanting to do.
I want to manually authenticate to Tomcat. Meaning, I will write the LoginServlet that checks the DB to see if the user has entered a valid username and password. I will then also fetch any role(s) the user is in.
However, I don't want to do the logic in my Servlets/JSP files to determine if a user has the correct privileges to view specific pages/information based on role(s). So I want Tomcat to handle the authorization.
So what I need to do is manually do what happens when you submit the login form to "j_security_check". After that, Tomcat should see me as logged in and then Tomcat should handle the authorization using the <security-constraint> attribute in the web.xml file.
I hope that makes more sense now.
Carl Trusiak
Sheriff

Joined: Jun 13, 2000
Posts: 3340
Yes, it makes sense. Again, Tomcat will only provide authorization to the path someone requests. You define that in your web.xml. In fact, between the server.xml and the web.xml, it'll do most of what you want. Now, once you read the fields from the j_security_check form and verify a user is in the database and the password is correct, all you need to do is set the HTTP header "Authorization" to a value of "BASIC <username:password>". The user and password need to be Base64 encoded. The Codec project on Jakarta Commons has the class for Base64.
When they try and access the resource you have protected, Tomcat will verify they have permission and the role to access it.
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15299
    
    6

Originally posted by Carl Trusiak:
Yes, it makes sense. Again, Tomcat will only provide authorization to the path someone requests. You define that in your web.xml. In fact, between the server.xml and the web.xml, it'll do most of what you want. Now, once you read the fields from the j_security_check form and verify a user is in the database and the password is correct, all you need to do is set the HTTP header "Authorization" to a value of "BASIC <username:password>". The user and password need to be Base64 encoded. The Codec project on Jakarta Commons has the class for Base64.
When they try and access the resource you have protected, Tomcat will verify they have permission and the role to access it.

Great! Thanks.