Recently the RTO (Regional Transport Office) of India has unveiled a new and scary SMS service. With this service, you just need to send an SMS to 56006 along with the vehicle number (RTO XXXX-XX-XXXX) and you get back an SMS with the complete address of the vehicle owner. I fail to understand the value of this service. It is a great tool for stalkers, though. Anybody can now just SMS my vehicle number and, voila, they have my private details in seconds. I am not sure what the officials at the RTO were thinking of as a use case for such a service. Is it to enable somebody to pin down hit-and-run cases? Isn't it prudent to approach the police with the vehicle number instead of confronting the culprit at his residence? What else could the RTO be thinking with such a service? Is this kind of service even legal? Hope somebody drives some sense into these guys, and fast.
Archive for May, 2009
Custom Realm in Tomcat
If you want to define your own mechanism to retrieve and check credentials instead of using the standard Realms available in Tomcat, you can extend org.apache.catalina.realm.RealmBase and override the following methods:
import java.security.Principal;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class CustomRealm extends RealmBase {

    // myDao is your DataAccessObject (UserDao is a placeholder for your own class);
    // construct or inject it however suits your application
    private final UserDao myDao = new UserDao();

    @Override
    protected String getName() {
        return this.getClass().getSimpleName();
    }

    // Return the credential stored for this user: the clear-text password or,
    // if the <Realm> is configured with a digest algorithm, the stored digest
    @Override
    protected String getPassword(final String username) {
        return myDao.getPasswordForUser(username);
    }

    @Override
    protected Principal getPrincipal(final String username) {
        final List<String> roles = myDao.getRolesForUser(username);
        // Tomcat 4.x/6.x constructor; Tomcat 7+ drops the Realm argument
        return new GenericPrincipal(this, username, getPassword(username), roles);
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        String serverCredentials = getPassword(username);
        boolean validated;
        if (serverCredentials == null) {
            // unknown user
            validated = false;
        } else if (hasMessageDigest()) {
            // digest the submitted password with the configured algorithm
            // before comparing; hex digests may differ only in case
            validated = serverCredentials.equalsIgnoreCase(digest(credentials));
        } else {
            // clear-text comparison
            validated = serverCredentials.equals(credentials);
        }
        if (!validated) {
            return null;
        }
        return getPrincipal(username);
    }
}
In the above class, you can define your own mechanism to retrieve user credentials from a database or any other data source as required. Once you have defined your custom realm, you need to tell Tomcat about it. You do that by specifying the following in server.xml (within the <Engine> element) of the Tomcat server.
<Realm className="com.test.tomcat.authentication.CustomRealm" debug="0"/>
You can also go one step further and provide your own Authenticator by extending BasicAuthenticator, DigestAuthenticator, etc., as shown below.
import java.io.IOException;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.authenticator.DigestAuthenticator;
import org.apache.catalina.deploy.LoginConfig;

public class CustomAuthenticator extends DigestAuthenticator {

    // Tomcat 4.x signature; Tomcat 6.x uses
    // authenticate(org.apache.catalina.connector.Request, Response, LoginConfig)
    @Override
    public boolean authenticate(HttpRequest req, HttpResponse res,
                                LoginConfig lcfg) throws IOException {
        // perform pre-processing here (e.g. logging the attempt)
        boolean success = super.authenticate(req, res, lcfg);
        if (success) {
            // perform post-processing here (e.g. auditing the authenticated principal)
        }
        return success;
    }
}
You need to define a Valve under Tomcat to ensure this class is looked up instead of the default. You do this by specifying the following in the server.xml file.
<Context docBase="authentication" path="/auth" reloadable="true">
    <Valve className="com.tomcat.authentication.CustomAuthenticator" debug="0"/>
</Context>
I found that you need to define the Valve in an explicit Context (<Context/>) for this to work.
Both the custom realm and the custom authenticator classes need to be on the Tomcat classpath (not the web app classpath). To add classes to the Tomcat classpath, jar the class files and place the jar under the lib folder, i.e. TOMCAT_HOME/server/lib for apache-tomcat-4.1.39 and TOMCAT_HOME/lib for apache-tomcat-6.0.18.
Setting up HTTP DIGEST authentication in Tomcat
In the previous post, I showed how to configure BASIC authentication in Tomcat. For DIGEST, follow the same approach, except replace BASIC with DIGEST in <auth-method> as shown below:
<login-config>
    <!-- DIGEST for HTTP Digest authentication -->
    <auth-method>DIGEST</auth-method>
    <!-- Any name here; this is the string displayed when the browser prompts the user for credentials -->
    <realm-name>Admin</realm-name>
</login-config>
Note: The above doesn’t seem to work on apache-tomcat-6.0.18. I couldn’t find any bug reports or any kind of help to get it working on Tomcat 6.x. However, the above works on tomcat 4.x. I have tested it on apache-tomcat-4.1.39 version.
With this in place, when you try to access any protected area in your web application, the browser brings up a Digest authentication popup, which is quite different from the one for Basic. One caveat when DIGEST is combined with a custom realm: the browser never sends the password itself, only an MD5 response derived from MD5(username:realm-name:password), so the realm must be able to hand the authenticator either the clear-text password or exactly that MD5 value (in Tomcat 6, RealmBase computes it from getPassword() when no digest is configured on the <Realm>, and takes getPassword() as the pre-computed value when one is). A store that only holds, say, a SHA-256 of the password cannot serve DIGEST, and the realm-name used when pre-computing stored digests must match the one in <login-config>.
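The exchange behind that popup, as an added example that is not part of the original post and not Tomcat code: it models what the DIGEST authenticator needs from the custom realm described earlier (an HA1 = MD5(username:realm:password) per user, here stored pre-computed so no clear-text password is kept) and shows the server rejecting a wrong password, a response replayed with the same nonce count, a response computed for a different method, and an unknown user. The realm name "Admin" matches the <realm-name> above; the user, password, URI and nonces are constructed sample values.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth") as a client/server exchange
against a realm-style credential store.

Added example; not code from the original post and not Tomcat's own code. It
models the contract between a DIGEST authenticator and a custom realm: the server
needs HA1 = MD5(username:realm:password) per user, either computed from a
clear-text password or stored pre-computed. All users, passwords, URIs and nonces
are constructed sample values."""
import hashlib
import hmac
import secrets

REALM_NAME = "Admin"  # must equal <realm-name> in login-config


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """All the server has to keep per user to answer DIGEST challenges."""
    return md5_hex(f"{username}:{realm}:{password}")


class DigestRealm:
    """Stand-in for a custom realm storing pre-computed HA1 values, which is
    what a Tomcat realm's getPassword() must return when a digest is configured."""

    def __init__(self, realm_name: str):
        self.realm_name = realm_name
        self._ha1 = {}

    def add_user(self, username: str, password: str) -> None:
        self._ha1[username] = ha1(username, self.realm_name, password)

    def get_ha1(self, username: str):
        return self._ha1.get(username)


class DigestServer:
    def __init__(self, realm: DigestRealm):
        self.realm = realm
        self._nonces = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self) -> dict:
        """Parameters the 401 carries in WWW-Authenticate: Digest ..."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return {"realm": self.realm.realm_name, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        """Validate the client's Authorization: Digest parameters."""
        nonce = auth["nonce"]
        if nonce not in self._nonces or auth["realm"] != self.realm.realm_name:
            return False  # nonce we never issued, or wrong realm
        nc = int(auth["nc"], 16)
        if nc <= self._nonces[nonce]:
            return False  # replayed: the nonce count must strictly increase
        stored = self.realm.get_ha1(auth["username"])
        if stored is None:
            return False  # unknown user
        a2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(
            f"{stored}:{nonce}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{a2}")
        if not hmac.compare_digest(expected, auth["response"]):
            return False  # wrong password, or method/URI differ from what was signed
        self._nonces[nonce] = nc  # consume this nonce count only on success
        return True


def client_response(username, password, method, uri, chal, nc=1) -> dict:
    """What the browser computes from the challenge; the password is never sent."""
    cnonce = secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    a2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1(username, chal['realm'], password)}:{chal['nonce']}:"
                       f"{nc_hex}:{cnonce}:{chal['qop']}:{a2}")
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": chal["qop"], "nc": nc_hex, "cnonce": cnonce,
            "response": response}


def run_demo() -> dict:
    """Run the exchange once; returns which requests the server accepted."""
    realm = DigestRealm(REALM_NAME)
    realm.add_user("alice", "correct horse")  # constructed test account
    server = DigestServer(realm)
    chal = server.challenge()
    good = client_response("alice", "correct horse", "GET", "/auth/secure", chal, nc=1)
    bad = client_response("alice", "wrong", "GET", "/auth/secure", chal, nc=1)
    results = {"wrong_password": server.verify("GET", bad),
               "method_tampered": server.verify("POST", good)}  # response bound to GET
    results["good"] = server.verify("GET", good)
    results["replay"] = server.verify("GET", good)  # same nonce and nc resubmitted
    results["next_nc"] = server.verify(
        "GET", client_response("alice", "correct horse", "GET", "/auth/secure", chal, nc=2))
    results["unknown_user"] = server.verify(
        "GET", client_response("bob", "x", "GET", "/auth/secure", chal, nc=3))
    return results
```

Two things the block makes visible that the configuration alone does not: the realm name is baked into HA1, so renaming <realm-name> silently invalidates every pre-computed digest in the store, and a realm that keeps only an unsalted SHA-256 of the password (which would be fine for BASIC with a digest attribute on the <Realm>) has nothing it can hand a DIGEST authenticator. The nonce-count bookkeeping is the minimum needed to stop a captured Authorization header from being replayed; a real server would also expire nonces.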