Software
 » 
Apache
 » 
Tomcat
 » 
Tomcat - User

Multiple Authentication Methods?

View: New views
5 Messages — Rating Filter:   Alert me  

Multiple Authentication Methods?

by Robinson, Eric :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

How would be go about implementing the following kind of access scheme?
 
1. If the user's IP address is in an approved range, let them connect to
tomcat anonymously.
2. If the IP address is not in an approved range, authenticate them
through Active Directory.
 
Is that even possible?
 

--
Eric Robinson


 


Disclaimer - May 13, 2008
This email and any files transmitted with it are confidential and intended solely for users@.... If you are not the named addressee you should not disseminate, distribute, copy or alter this email. Any views or opinions presented in this email are solely those of the author and might not represent those of Physician Select Management (PSM) or Physician's Managed Care (PMC). Warning: Although the message sender has taken reasonable precautions to ensure no viruses are present in this email, neither PSM nor PMC can accept responsibility for any loss or damage arising from the use of this email or attachments.

Re: Multiple Authentication Methods?

by markt-2 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

Robinson, Eric wrote:
> How would be go about implementing the following kind of access scheme?
>  
> 1. If the user's IP address is in an approved range, let them connect to
> tomcat anonymously.
> 2. If the IP address is not in an approved range, authenticate them
> through Active Directory.
>  
> Is that even possible?

Painful but probably possible with a fair amount of work in Tomcat.

http://securityfilter.sourceforge.net is probably an easier place to start.

Mark


---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Re: Multiple Authentication Methods?

by Christopher Schultz-2 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

Mark Thomas wrote:
| Painful but probably possible with a fair amount of work in Tomcat.
|
| http://securityfilter.sourceforge.net is probably an easier place to
start.

With sf, you still have to do a fair amount of work. You'll have to
write your own Realm in either case, but sf's dev version (in cvs) has
an interface called FlexibleRealmInterface that you can implement and
get access to the HttpServletRequest (which is otherwise unavailable in
Tomcat's Realm implementations).

Other than it actually being possible in sf, you also have the added
benefit of not being stuck on one version of Tomcat if you write your
own Realm.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgqLvIACgkQ9CaO5/Lv0PBcPQCfXmiwIxnvPPIR0ptgcbiOiUdo
2+cAoIurG8kjjSeJGvaJT5dNLltnVQ0V
=/D7o
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Parent Message unknown RE: Multiple Authentication Methods?

by Robinson, Eric :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

I'm too lazy for all that. I was hoping it would amount a few extra
lines in some configuration file. Now I'm thinking I'll figure out a way
to lock it down in group policy or with some changes to the proxy
server.

--
Eric Robinson




Disclaimer - May 13, 2008
This email and any files transmitted with it are confidential and intended solely for Tomcat Users List. If you are not the named addressee you should not disseminate, distribute, copy or alter this email. Any views or opinions presented in this email are solely those of the author and might not represent those of Physician Select Management (PSM) or Physician's Managed Care (PMC). Warning: Although the message sender has taken reasonable precautions to ensure no viruses are present in this email, neither PSM nor PMC can accept responsibility for any loss or damage arising from the use of this email or attachments.-----Original Message-----
From: Christopher Schultz [mailto:chris@...]
Sent: Tuesday, May 13, 2008 5:15 PM
To: Tomcat Users List
Subject: Re: Multiple Authentication Methods?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark,

Mark Thomas wrote:
| Painful but probably possible with a fair amount of work in Tomcat.
|
| http://securityfilter.sourceforge.net is probably an easier place to
start.

With sf, you still have to do a fair amount of work. You'll have to
write your own Realm in either case, but sf's dev version (in cvs) has
an interface called FlexibleRealmInterface that you can implement and
get access to the HttpServletRequest (which is otherwise unavailable in
Tomcat's Realm implementations).

Other than it actually being possible in sf, you also have the added
benefit of not being stuck on one version of Tomcat if you write your
own Realm.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgqLvIACgkQ9CaO5/Lv0PBcPQCfXmiwIxnvPPIR0ptgcbiOiUdo
2+cAoIurG8kjjSeJGvaJT5dNLltnVQ0V
=/D7o
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@... To unsubscribe,
e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Re: Multiple Authentication Methods?

by Christopher Schultz-2 :: Rate this Message:

Reply to Author | View Threaded | Show Only this Message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eric,

Robinson, Eric wrote:
| I'm too lazy for all that.

:)

Laziness and authentication are never a good combination.

| I was hoping it would amount a few extra lines in some configuration
| file. Now I'm thinking I'll figure out a way to lock it down in group
| policy or with some changes to the proxy server.

If it's acceptable to have different URLs for the "special" IP-only
users, then you could simply map different URLs to certain resources (or
all of them) and then apply security constraints differently to each set
of URL mappings.

If you're willing to have different URLs, you could also just deploy two
separate copies of your webapp -- one with authentication turned on and
the other disabled, but with a RemoteAddressFilter on all URLs.

Just a few ideas...

- -chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgq8+MACgkQ9CaO5/Lv0PCFtACgg5aPqwrmdAc0vvBon8oEKFvA
oIsAoMA9kRHduwcADZh/axCVWpdRora9
=DNNH
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@...
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...

Free Forum Powered by Nabble Forum Help