TIBCO Hawk HTTP Adapter relies upon declarative authentication. This requires no programming because authentication is declared with XML tags in the Web application’s deployment descriptor (
HAWK_HOME/webconsole/tomcat/webapps/http/xsl/http/WEB-INF/web.xml) and implemented by the Web server or application server.
Each TIBCO Hawk HTTP Adapter can use the most appropriate method for authenticating users. This section discusses implementing declarative authentication on the Tomcat Web server as an example. Refer to your Web server’s or application server’s documentation for more information.
Basic authentication is defined by the HTTP/1.1 specification. When a client attempts to access a protected resource, the server prompts for a username and password. If the server can authenticate the username and password, access is granted to the resource; otherwise, the process repeats a specific number of times. Although basic and form-based authentication is not secure, you can use in combination with SSL for secure transport.
The following code fragment from the web.xml file restricts access to the Web resources
/Agent and /
Alerts to members of the
HawkUser role. Access to
/Invoke and
/MicroAgents is restricted to members of the
HawkAdmin role.
The authentication mechanism is specified as basic. Passwords are transmitted with base64 encoding, which provides no encryption. A Web administrator can use digest authentication instead of basic authentication, in which a hash value of password is transmitted instead of base64 encoded format.
For the Tomcat Web server, usernames and passwords are associated with roles in $TOMCAT_HOME/conf/tomcat-users.xml. An excerpt from this configuration file is shown below.
Because of the role access privileges defined in the web.xml excerpt shown previously, the authenticated user
hawk can only access the
/Agent and
/Alerts Web resource. The authenticated user
hawk1 belongs to both roles and can access all four Web resources.
A realm is a group of usernames and passwords that identify valid users of Web applications (or set of Web applications), along with each user’s roles. Roles serve a similar purpose to
groups in UNIX, as access to specific Web application resources are granted to all users belonging to a particular role. A user can belongs to more than one role.
It is often desirable to link a Web server or application server to an existing authentication database or other mechanism. Although the servlet specification describes a portable mechanism for Web applications to declare their security requirements, there is no portable API interface defining the interface between the Web server or application server and the associated user and role information.
As a result, Tomcat Web server defines a Java interface, org.apache.Catalina.Realm, that can be implemented by plug-in components to establish this connection. Three standard plug-ins are provided with Tomcat4.x, supporting connections to three different sources of authentication information:
The $TOMCAT_HOME/conf/server.xml file specifies the default realm
org.apache.Catalina.realm.MemoryRealm in. This file is shared by all contexts (Web applications). If the Tomcat Web server administrator selects an authentication mechanism other than MemoryRealm, the corresponding change should be made in the
serverl.xml file.
