Tomcat security Problem

Em Aiy
Ranch Hand

Joined: May 11, 2006
Posts: 226
I have 1 Tomcat server (5.5) and I have deployed 2 independent applications on it.

Application 1 has security, which is implemented using the BASIC AUTHENTICATION mode of Tomcat, defining the username and password in the conf/tomcat-users.xml file.

Application 2 has form based security and for some enhanced security I have added the "realm" for the database in the conf/server.xml file.

Now, if I add the realm thing in the server.xml file, my basic authentication stops working in application 1 (application 2 security still works); on the other hand, if I remove this realm then my basic authentication works and of course my application 2 will not be able to imply security. What to do? I can't use another Tomcat for another application.


The difference between failure and success is often being right and being exactly right.
Ulf Dittmer
Rancher

Joined: Mar 22, 2005
Posts: 42956
The Realm element is part of the Engine element, so only a single realm can be configured per Engine. If you set up a second Service element you can configure its Engine to use a different realm.
Em Aiy
Ranch Hand

Joined: May 11, 2006
Posts: 226
Originally posted by Ulf Dittmer:
The Realm element is part of the Engine element, so only a single realm can be configured per Engine. If you set up a second Service element you can configure its Engine to use a different realm.


So what if I have to configure security for 2 applications on the same server? Need Basic Authentication for application 1 and Form Based Security for Application 2?

Can you elaborate for setting another engine?
Ulf Dittmer
Rancher

Joined: Mar 22, 2005
Posts: 42956
So what if I have to configure security for 2 applications on the same server? Need Basic Authentication for application 1 and Form Based Security for Application 2?

That's no problem. Within a web app you can only use one or the other (not both), but different web apps can use different forms of authentication.

What is not possible is to use different Realm implementations for the same Tomcat Service. That's a limitation of Tomcat, and has nothing to do with servlets per se. See below for how to get around this.

Can you elaborate for setting another engine?

Much more information about that can be found in the Tomcat docs. You could start by duplicating the Service element in the server.xml file, and then changing the Realm of the second one to suit your needs.
Em Aiy
Ranch Hand

Joined: May 11, 2006
Posts: 226
I have placed the following configuration in the server.xml file after reading from the Tomcat site


But it is not working ... the way I want it to.
Ulf Dittmer
Rancher

Joined: Mar 22, 2005
Posts: 42956
That's interesting. So Tomcat does allow different realms for each web app by declaring them in the Context element. Note that it's "Context", not "context" - is that just a typo in the post?

What does "But it is not working" mean? How is or isn't it working? Is the web app itself working properly (apart from the authentication)?
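
An added example, not part of the original thread and not the poster's missing configuration: the per-application Realm mentioned in the last reply, with the Engine-level realm in conf/server.xml serving Application 1 and a Realm nested in Application 2's Context overriding it for that web app only. The database URL, account, and table and column names are constructed placeholders.

```xml
<!-- conf/server.xml (excerpt).
     Engine-level realm: inherited by every web app that does not declare
     its own. Application 1 (BASIC) keeps using this one, backed by
     conf/tomcat-users.xml through the UserDatabase global resource. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
  <Host name="localhost" appBase="webapps"/>
</Engine>

<!-- Application 2: META-INF/context.xml inside the web app.
     A Realm nested in a Context applies to that web app alone and takes
     precedence over the Host- or Engine-level realm.
     XML element names are case-sensitive: <Context> and <Realm>,
     not <context> or <realm>. -->
<Context>
  <!-- Constructed placeholder values below; substitute your own.
       With no digest attribute the realm compares the submitted password
       against the userCredCol value as cleartext, so set digest and store
       hashed values in a real deployment. Use a database account that can
       only read these two tables, and keep this file readable by the
       Tomcat user only, since it holds the database password. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost/app2auth"
         connectionName="app2_readonly"
         connectionPassword="CHANGE_ME"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"/>
</Context>
```

The login-config in each application's WEB-INF/web.xml (BASIC for Application 1, FORM for Application 2) is independent of which Realm checks the credentials.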
 