Access control in Tomcat

Describes how to setup the access control in Tomcat

Tomcat

If you are running Tomcat, start by editing the /tomcat/conf/tomcat-users.xml file (the paths in this tutorial assume Tomcat is installed under /tomcat). The file already contains some example entries:

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>

As you can see there are users and roles. A user can 'play' several roles and one role can be 'played' by several users, so roles allow you to group users. The example accounts shipped in this file all use the password "tomcat"; remove them (or at least change their passwords) before you expose the server, since anything that is granted to the 'tomcat' role is otherwise reachable with a well-known password. In this example we will add a new user called Hans with the role 'web-service-user', who will have access to our restricted web service.

So add the role declaration and the user to the tomcat-users.xml file (replace "changeit" with a strong password):

  <role rolename="web-service-user"/>
  <user username="Hans" password="changeit" roles="web-service-user"/>

Please note that Axis does not support HTTP/1.1 Digest authentication, which is why this tutorial uses Basic authentication (see the login-config below). With Tomcat's default realm configuration the passwords in tomcat-users.xml are stored in clear text (Tomcat can store hashed passwords instead if you set the digest attribute on the Realm in server.xml; see the Tomcat Realm documentation), so make sure the file is readable only by the account Tomcat runs as and is never checked into a shared repository.

Now open the /tomcat/webapps/axis/WEB-INF/web.xml file. Add the following inside the web-app element, just before the closing </web-app> tag, keeping the order shown (security-constraint, then login-config, then security-role). Note that the user-data-constraint is a child of the security-constraint, not a top-level element:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Service Authentication</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>web-service-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Axis Basic Authentication Area</realm-name>
  </login-config>

  <security-role>
    <description>The web-service-user has full access to all web services</description>
    <role-name>web-service-user</role-name>
  </security-role>

The security-constraint element defines which roles may access which resources. You can have several security-constraint elements, and each must contain at least one web-resource-collection. In this example we restricted all web services, since they are all served under /services/, but you can narrow the url-pattern to a single service (for example /services/MyService). The url-pattern is matched against the path inside the axis context, so the protected URLs have the form /axis/services/.... Be aware that the stock Axis web.xml also maps its servlet to /servlet/AxisServlet and to *.jws; if your web.xml still contains those mappings, add them as further url-pattern elements in the same web-resource-collection (or remove the mappings), otherwise the same services remain reachable without authentication through those paths.

A security-constraint may have at most one auth-constraint element, and an auth-constraint may list several role-name elements. Two edge cases matter: a security-constraint without any auth-constraint requires no authentication at all, and an auth-constraint with no role-name elements denies access to everyone. The complete format is documented in the Servlet specification (the web.xml deployment descriptor).

The login-config defines how the authentication is done. In our example we use HTTP Basic authentication, which merely base64-encodes the username and password in the Authorization header; that is acceptable here only because the CONFIDENTIAL transport guarantee forces the exchange onto SSL.

The security-role element may also appear several times; it declares the roles referenced by the auth-constraint elements (the description element is optional).

The user-data-constraint with transport-guarantee CONFIDENTIAL makes Tomcat refuse to serve the matched resources over plain HTTP: such a request is redirected to the HTTPS port named by the redirectPort attribute of the HTTP connector in server.xml, so an SSL connector must be configured there. The redirect only protects clients that wait for the server's 401 challenge before sending credentials; a client that sends the Authorization header preemptively to an http:// URL has already disclosed the password in clear text before it is redirected, so configure clients with the https:// URL from the start.

Now restart Tomcat and test the configuration by entering the https:// URL of a restricted resource under /axis/services/ in your browser. An authentication dialog should appear in which you can enter the user and the password. Also check that the same URL over plain http:// is redirected to https://, and that a wrong password is refused. Browsers cache Basic credentials for the session, so open a fresh browser session before repeating a test.
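The following Python script is an added example, not code from this tutorial, from Axis or from Tomcat. It applies the rules explained above for security-constraint, auth-constraint, user-data-constraint and HTTP Basic authentication to sample requests, so you can reason about which requests would be redirected, challenged, forbidden or allowed before you restart Tomcat and test against the live server. Both XML documents inside it are constructed samples; the additional url-patterns /servlet/AxisServlet and *.jws and the 'guest' user are assumptions added for illustration.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml (sample data). The "guest" account is an
# assumption added only to show what happens when the role does not match.
TOMCAT_USERS = """<tomcat-users>
  <role rolename="web-service-user"/>
  <user username="Hans" password="changeit" roles="web-service-user"/>
  <user username="guest" password="guest" roles="role1"/>
</tomcat-users>"""

# Constructed web.xml fragment: the tutorial's constraint with the
# user-data-constraint nested inside it, plus the other AxisServlet mappings
# that a stock Axis 1.x web.xml exposes (assumption: check your own file).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web Service Authentication</web-resource-name>
      <url-pattern>/services/*</url-pattern>
      <url-pattern>/servlet/AxisServlet</url-pattern>
      <url-pattern>*.jws</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>web-service-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def load_users(xml_text):
    """Return {username: (password, set_of_roles)} from tomcat-users.xml."""
    users = {}
    for u in ET.fromstring(xml_text).iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password"), roles)
    return users


def load_constraints(xml_text):
    """Return [(url_patterns, allowed_roles_or_None, needs_tls)] from web.xml."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        # No auth-constraint: open to everyone. Present but empty: nobody.
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        guarantee = sc.find("user-data-constraint/transport-guarantee")
        needs_tls = guarantee is not None and guarantee.text.strip() != "NONE"
        constraints.append((patterns, roles, needs_tls))
    return constraints


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: path prefix (/x/*), extension (*.ext), or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def basic_header(username, password):
    """Build the Authorization header a client sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def authenticate(users, auth_header):
    """Decode a Basic header and return the user's roles, or None on failure."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        name, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    record = users.get(name)
    # Plain-text comparison, as with Tomcat's default (non-digest) realm.
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    return record[1]


def decide(constraints, users, path, secure, auth_header=None):
    """Outcome for a request to `path` (path inside the webapp context)."""
    for patterns, roles, needs_tls in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if needs_tls and not secure:
            return "redirect-to-https"  # transport guarantee is checked first
        if roles is None:
            return "allow"
        user_roles = authenticate(users, auth_header)
        if user_roles is None:
            return "401-challenge"
        return "allow" if user_roles & roles else "403-forbidden"
    return "allow"  # path not covered by any constraint


if __name__ == "__main__":
    users, constraints = load_users(TOMCAT_USERS), load_constraints(WEB_XML)
    for path, secure, hdr in [
        ("/services/MyService", False, basic_header("Hans", "changeit")),
        ("/services/MyService", True, None),
        ("/services/MyService", True, basic_header("Hans", "changeit")),
        ("/services/MyService", True, basic_header("guest", "guest")),
        ("/servlet/AxisServlet", True, None),
        ("/index.html", True, None),
    ]:
        print(f"{'https' if secure else 'http '} {path:22} auth={hdr is not None}: "
              f"{decide(constraints, users, path, secure, hdr)}")
```

The first sample request is the case the transport guarantee cannot save you from: the client already put the Basic header on a plain-HTTP request, so Tomcat redirects it, but the password has been on the wire in clear text. The /servlet/AxisServlet case is challenged only because that pattern was added to the constraint; drop it from WEB_XML and the same path becomes "allow".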
