Security Configuration for Tomcat using Virtual Hosts and Aliases

Posted by 开发者, https://www.devze.com, 2023-01-10 02:43, source: web
We have a Grails app that uses two domain names, and Tomcat was configured to use virtual hosts and aliases. Here's the server.xml snippet:

<Host name="domain1.com"  appBase="myApp"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">
    <Alias>domain2.com</Alias>
</Host>

We also wanted to restrict access to the web app (different from the logins to use the site), so we made use of Tomcat security.

Here's the security constraint snippet from the app's web.xml:

<security-constraint>
    <web-resource-collection>
      <web-resource-name>HTMLManger and Manager command</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <!-- NOTE:  This role is not present in the default users file -->
       <role-name>manager</role-name>
    </auth-constraint>
 </security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Realm</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
    <description>
      The role that is required to log in to the Manager Application
    </description>
    <role-name>manager</role-name>
</security-role>

<error-page>
    <error-code>401</error-code>
    <location>/401.jsp</location>
</error-page>

So here's the scenario: When user browses to domain1.com, the basic authentication popup will be displayed. User then enters the username and password combination to enter the site. User then wishes to Sign In to the web app (to be able to use more features). The login mechanism (using acegi) also needs to log in to domain2.com. Now, before user can be logged in to domain2.com, he/she needs to enter the same credentials for the basic auth popup. So basically, the user needs to use the tomcat web security twice, which we need to avoid.

The question also is: since it's the same web app, why does it need the user to log in twice? Is it because Tomcat web security is domain based? Even if the other domain is just an alias of the original domain?

Thanks!


I think the problem is that auth is based on sessions and sessions on domains. If you have a two-level auth system you should really consider an SSO such as CAS. Both the deprecated Acegi plugin and the new Spring Security plugin for Grails have CAS support. In an internet web site scenario OpenID could be an easy and cheap (free) option too. A one-level auth system with more fine-grained role modeling could be an option too.

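The following Python script is an added example, not code from the question or the answer above, that reproduces the double-prompt behaviour offline. A small server protects every path with HTTP Basic authentication under the realm "My Realm" and answers for both host names, the way the posted `<Host>`/`<Alias>` configuration makes one Tomcat app serve domain1.com and domain2.com; a client caches credentials the way a browser does, per protection space (scheme, host, port and realm). The user store (alice/s3cret), the two host names and the request sequence are constructed for the example; nothing here is Tomcat's or Grails' own code.

```python
import base64
import hmac
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REALM = "My Realm"                      # same realm name as the posted web.xml
HOSTS = {"domain1.com", "domain2.com"}  # <Host name="domain1.com"> plus its <Alias>
USERS = {"alice": "s3cret"}             # constructed stand-in for tomcat-users.xml


def basic_header(username, password):
    """Build the value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def check_basic(header):
    """Validate an 'Authorization: Basic ...' header value against USERS."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of how much of the password matched
    return sep == ":" and expected is not None and hmac.compare_digest(expected, password)


class ProtectedApp(BaseHTTPRequestHandler):
    """Every URL is protected, like <url-pattern>/*</url-pattern> with <auth-method>BASIC."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_GET(self):
        host = self.headers.get("Host", "").split(":", 1)[0]
        if host not in HOSTS:          # the server only answers for the Host and its Alias
            self.send_error(404)
            return
        if not check_basic(self.headers.get("Authorization", "")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"welcome to " + host.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class BrowserLikeClient:
    """Remembers Basic credentials per protection space (origin + realm), as browsers do."""

    def __init__(self, server_port, username, password):
        self.server_port = server_port
        self.auth = basic_header(username, password)
        self.spaces = set()   # (origin, realm) pairs the "user" has already authenticated to
        self.prompts = 0      # how many times the login popup appeared

    def _request(self, parts, send_creds):
        headers = {"Host": parts.hostname}  # all names resolve to the same test server
        if send_creds:
            headers["Authorization"] = self.auth
        conn = HTTPConnection("127.0.0.1", self.server_port, timeout=5)
        try:
            conn.request("GET", parts.path or "/", headers=headers)
            resp = conn.getresponse()
            resp.read()
            return resp.status, resp.getheader("WWW-Authenticate", "")
        finally:
            conn.close()

    def get(self, url):
        parts = urlsplit(url)
        origin = (parts.scheme, parts.hostname, parts.port or 80)
        # Send credentials preemptively only for an origin the user already logged in to.
        known = any(space[0] == origin for space in self.spaces)
        status, challenge = self._request(parts, known)
        if status == 401:
            realm = challenge.split('realm="', 1)[1].split('"', 1)[0] if 'realm="' in challenge else ""
            self.prompts += 1                 # the popup appears and the user types the password
            self.spaces.add((origin, realm))
            status, _ = self._request(parts, True)
        return status


def run_scenario():
    """Replay the sequence from the question and report (statuses, number of popups)."""
    server = HTTPServer(("127.0.0.1", 0), ProtectedApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = BrowserLikeClient(server.server_address[1], "alice", "s3cret")
        statuses = [
            client.get("http://domain1.com/"),       # first visit: popup #1
            client.get("http://domain1.com/login"),  # same origin: credentials replayed, no popup
            client.get("http://domain2.com/"),       # the alias is a different origin: popup #2
        ]
        return statuses, client.prompts
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_scenario())
```

All three requests end with 200, but the user is prompted twice. The server side accepts the same credentials for both names, so the second prompt is not caused by Tomcat keeping separate user databases for the host and its alias; it comes from the client, which scopes a Basic-auth protection space (and, likewise, the JSESSIONID cookie) to the host name in the URL. An alias in server.xml changes what Tomcat considers one host, not what the browser considers one origin.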