I have configured Tomcat for basic authentication. I do not want anyone to have access to my web application, but the app is serving web services. So I want to bypass a specific IP address from basic authentication (that IP should not require authentication).
tomcat-users.xml:

<tomcat-users>
    <user username="user" password="password" roles="user"/>
</tomcat-users>

web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>You must enter your login credentials to continue</realm-name>
</login-config>
<security-role>
    <description>
        The role that is required to log in to the Application
    </description>
    <role-name>user</role-name>
</security-role>
Thanks, Chetan.
Basic Authentication: Notice the database configuration and the details of the tables and columns used to identify authenticated users. Add the following to the "$CATALINA_BASE/conf/web.xml" file before the final "web-app" tag. With the config changes in place we need to restart Tomcat.

Definition: A Tomcat Realm is an interface for connecting Catalina to an existing database of usernames, passwords and roles to handle application authentication. You can manage your user access and their roles. Roles are groupings of users based on the permissions you wish to grant to any group of users.

MemoryRealm - Accesses authentication information stored in an in-memory object collection, which is initialized from an XML document (conf/tomcat-users.xml).
If you would like to allow only a few IP addresses and disallow everybody else, the Remote Address Filter Valve is what you need.

If you want clients from unknown IP addresses to see the basic login dialog and be able to log in, you need a custom Valve. The source of the RemoteAddrValve (and its parent class RequestFilterValve) is a good starting point. Take a look at my former answer too.

Anyway, below is proof of concept code. It puts a filled Principal into the Request if the client is coming from a trusted IP, so the login module will not ask for the password. Otherwise it does not touch the Request object and the user can log in as usual.
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Valve that pre-authenticates requests arriving from one trusted IP address
 * so that the BASIC authenticator never challenges them for credentials.
 * Requests from every other address are passed through untouched.
 */
public class AutoLoginValve extends ValveBase {

    private String trustedIpAddress;

    public AutoLoginValve() {
    }

    @Override
    public void invoke(final Request request, final Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the address of the TCP peer. Behind a reverse
        // proxy that is the proxy's address, so a RemoteIpValve has to run
        // before this valve if the real client address is meant.
        final String remoteAddr = request.getRemoteAddr();
        // Exact string comparison: "127.0.0.1" does not match the IPv6
        // loopback "0:0:0:0:0:0:0:1", which a local client may arrive as.
        final boolean isTrustedIp = remoteAddr != null
                && remoteAddr.equals(trustedIpAddress);
        System.out.println("remoteAddr: " + remoteAddr + ", trusted ip: "
                + trustedIpAddress + ", isTrustedIp: " + isTrustedIp);
        if (isTrustedIp) {
            // Build a Principal that already carries the roles demanded by
            // the <auth-constraint> in web.xml; the authenticator then sees
            // an authenticated user and skips the login challenge.
            final String username = "myTrustedUser";
            final String credentials = "credentials";
            final List<String> roles = new ArrayList<String>();
            roles.add("user");
            roles.add("admin");
            final Principal principal = new GenericPrincipal(username,
                    credentials, roles);
            request.setUserPrincipal(principal);
        }
        getNext().invoke(request, response);
    }

    /** Called by Tomcat with the trustedIpAddress attribute from server.xml. */
    public void setTrustedIpAddress(final String trustedIpAddress) {
        System.out.println("setTrustedIpAddress " + trustedIpAddress);
        this.trustedIpAddress = trustedIpAddress;
    }
}
And a config example for the server.xml:

<Valve className="autologinvalve.AutoLoginValve"
       trustedIpAddress="127.0.0.1" />
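As an added configuration example (not part of the answer above), this is the RemoteAddrValve setup the answer points to for the case where clients from all other addresses should simply be denied rather than prompted, together with the RemoteIpValve that is needed in front of it when Tomcat sits behind a reverse proxy. The proxy address and the allowed client address are constructed placeholders; the allow value is a regular expression that Tomcat 7 and later match against the whole client address, which is why both spellings of the loopback address are listed.

```xml
<!-- server.xml: place inside <Engine> or <Host>, or inside <Context> in
     the application's META-INF/context.xml. -->

<!-- Only needed when Tomcat is behind a reverse proxy. Replaces the
     proxy's address with the client address from X-Forwarded-For, but
     only for requests that really arrive from the listed proxy. Without
     this, getRemoteAddr() is always the proxy, and every client would
     either be allowed or denied together. (10.0.0.5 is a placeholder.) -->
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       internalProxies="10\.0\.0\.5"
       remoteIpHeader="X-Forwarded-For" />

<!-- Reject every client whose address does not fully match the allow
     pattern. Rejected clients get a 403 response, not a login prompt.
     192.168.1.20 is a placeholder for the one trusted service client. -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
       allow="127\.0\.0\.1|0:0:0:0:0:0:0:1|::1|192\.168\.1\.20" />
```

Combined with the BASIC <security-constraint> from the question, allowed addresses still have to authenticate; this valve only narrows who can reach the login challenge at all, which is the "disallow everybody else" case and not the auto-login the AutoLoginValve above implements.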