[
https://issues.apache.org/jira/browse/JSPWIKI-464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660281#action_12660281
]
Harry Metske commented on JSPWIKI-464:
--------------------------------------
Andrew,
I haven't checked in which versions of Tomcat this works (I run 6.0.16).
I specified the following for the JAVA_OPTS:
export JAVA_OPTS="
-Dorg.apache.jasper.Constants.JSP_PACKAGE_NAME=org.apache.jzp
-Dlog4j.debug=false -Xmx256m -Dcom.sun.management.jmxremote.port=5001
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.authenticate=false"
It works, and if I look at the tomcat work directory I can see a directory
org/apache/jzp.
This is a code snippet from org.apache.jasper.Constants:
*
/**
* The default package name for compiled jsp pages.
*/
public static final String JSP_PACKAGE_NAME =
System.getProperty("org.apache.jasper.Constants.JSP_PACKAGE_NAME",
"org.apache.jsp");
*I will also file a separate JSPWIKI JIRA, so we can keep the progress, and
documentation together.
But first some ice skating with the kids :-)
regards,
Harry
2009/1/2 Andrew Jaquith (JIRA) <[email protected]>
> JSPWiki authentication support for TextOutputCallback (display login messages
> on Login.jsp)
> -------------------------------------------------------------------------------------------
>
> Key: JSPWIKI-464
> URL: https://issues.apache.org/jira/browse/JSPWIKI-464
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 3.0
> Environment: JSPWiki 3.0
> Reporter: Harry Metske
> Assignee: Harry Metske
> Priority: Minor
> Attachments: JSPWIKI-464.patch, jspwiki-login-3.0.patch
>
>
> The current version of the JSPWiki JAAS implementation does not support
> TextOutputCallback's.
> JAAS offers several types of Callbacks, JSPWiki's CallbackHandler currently
> only uses the NameCallback and PasswordCallback.
> As a result the following scenario:
> Users try to login, the login fails but the user is not told for what reason.
> I have had lots of complaints about this behavior, especially from users who
> do not login very often but use the wiki mostly for reading.
> When they try to login, it fails, but the Login.jsp does not tell anything at
> all, not even that is has failed (C.M.A.).
> In most cases because either the userid has become inactive, is revoked, or
> the password is expired. The net effect is that the wiki is often not usable
> for updates.
> Now I know that giving this information (the failure reason) to the user is
> often considered a security trade off.
> But in an intranet environment this is very acceptable.
> I will attach a patch that solves this in the following way :
> - AuthenticationManager keeps a Hashtable of last loginMessages for each user.
> - The WikiCallbackHandler now also handles TextOutputCallbacks and sets the
> login result
> - If the login fails, the LoginActionBean first reads the loginMessage for
> the user, if it is not null, it is displayed, else you get the old behavior.
> The exploitation of TextOutputCallbacks is optional, the default LoginModule
> (supplied with JSPWiki) does not use them, and therefore it's behavior is
> unchanged.
> The installer has to supply a LoginModule that uses the TextOutputCallback to
> store the loginResult. (And off course we have one that uses it).
> (Andrew), can we take this patch in the trunk ?
> regards,
> Harry
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
