Tomcat security Problem

Em Aiy
Ranch Hand

Joined: May 11, 2006
Posts: 226
I have 1 Tomcat server (5.5) and I have deployed 2 independent applications on it.

Application 1 has security, which is implemented using the BASIC AUTHENTICATION mode of Tomcat, defining the username and password in the conf/tomcat-users.xml file.

Application 2 has form based security, and for some enhanced security I have added the "realm" for the database in the conf/server.xml file.

Now, if I add the realm thing in the server.xml file, my basic authentication stops working in application 1 (application 2 security still works). On the other hand, if I remove this realm then my basic authentication works and of course my application 2 will not be able to imply security. What to do? I can't use another Tomcat for another application.


The difference between failure and success is often being right and being exactly right.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42277
The Realm element is part of the Engine element, so only a single realm can be configured per Engine. If you set up a second Service element you can configure its Engine to use a different realm.


Ping & DNS - my free Android networking tools app
Em Aiy
Ranch Hand

Joined: May 11, 2006
Posts: 226
Originally posted by Ulf Dittmer:
The Realm element is part of the Engine element, so only a single realm can be configured per Engine. If you set up a second Service element you can configure its Engine to use a different realm.


So what if I have to configure security for 2 applications on the same server? Need Basic Authentication for application 1 and Form Based Security for Application 2?

Can you elaborate on setting up another engine?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42277
So what if I have to configure security for 2 applications on the same server? Need Basic Authentication for application 1 and Form Based Security for Application 2?

That's no problem. Within a web app you can only use one or the other (not both), but different web apps can use different forms of authentication.

What is not possible is to use different Realm implementations for the same Tomcat Service. That's a limitation of Tomcat, and has nothing to do with servlets per se. See below for how to get around this.

Can you elaborate for setting another engine?

Much more information about that can be found in the Tomcat docs. You could start by duplicating the Service element in the server.xml file, and then changing the Realm of the second one to suit your needs.
Em Aiy
Ranch Hand

Joined: May 11, 2006
Posts: 226
I have placed the following configuration in server.xml file after reading from tomcat site


But it is not working ... the way I want it to.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42277
That's interesting. So Tomcat does allow different realms for each web app by declaring them in the Context element. Note that it's "Context", not "context" - is that just a typo in the post?

What does "But it is not working" mean? How is or isn't it working? Is the web app itself working properly (apart from the authentication)?
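
The per-application realm arrangement this thread arrives at, as an added example that is not part of any post and is not the configuration the poster used (that configuration is missing from the thread). The application names and paths, JDBC driver and URL, credentials, and table and column names are placeholder assumptions.

```xml
<!-- conf/server.xml (fragment). Added example: app names, JDBC URL,
     credentials and table/column names are placeholders. -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- Engine-level realm: inherited by every web app that does not nest
       its own Realm. Backed by conf/tomcat-users.xml through the
       UserDatabase global resource. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>

  <Host name="localhost" appBase="webapps">

    <!-- Application 1: no nested Realm, so the BASIC login-config in its
         web.xml authenticates against tomcat-users.xml. -->
    <Context path="/app1" docBase="app1"/>

    <!-- Application 2: a Realm nested inside the Context replaces the
         Engine realm for this application only. Element names are
         case-sensitive: "Context", not "context". -->
    <Context path="/app2" docBase="app2">
      <!-- The database account only needs read access to the two tables. -->
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="com.mysql.jdbc.Driver"
             connectionURL="jdbc:mysql://localhost/app2db"
             connectionName="REALM_DB_USER"
             connectionPassword="REALM_DB_PASSWORD"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name"/>
    </Context>

  </Host>
</Engine>
```

The authentication method (BASIC or FORM) is still chosen per application in each web.xml; the Realm only decides where the credentials are checked.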
 