[JBoss-user] Jetty and form based authentication
Hello, I'm (still) trying to implement a web application for my school project. The idea is that everybody is allowed to see e.g. the default page (news), but only authenticated users can e.g. access grades. So far, no problem. The web application builds up a menu based on the roles the user has. If the user isn't authenticated, the menu won't display items for which the user has no privileges. On each page there is a login box with a target of j_security_check. Here I encountered the first problem. Jetty (and Tomcat) don't support direct requests to the login page (which I'm doing). Browsing through the source code of Jetty I found that Jetty checks a session variable called org.mortbay.jetty.URI to see where it should redirect the request after a successful login (see the code below for the snippet from FormAuthenticator). If I set this session variable from my pages, all works fine. Except getUserPrincipal only returns the principal when accessing a protected resource. This is definitely not what I want. I want to be able to tell who is viewing a page even if no security restrictions apply. Does anyone know how to change this behavior? Thanks in advance.

CODE FROM FormAuthenticator

    public UserPrincipal authenticated(UserRealm realm,
                                       String pathInContext,
                                       HttpRequest httpRequest,
                                       HttpResponse httpResponse)
        throws IOException
    {
        HttpServletRequest request = (ServletHttpRequest) httpRequest.getWrapper();
        HttpServletResponse response = (HttpServletResponse) httpResponse.getWrapper();

        // Handle paths
        String uri = pathInContext;

        // Setup session
        HttpSession session = request.getSession(true);

        // Handle a request for authentication (a POST to j_security_check).
        if (uri.substring(uri.lastIndexOf('/') + 1).startsWith(__J_SECURITY_CHECK))
        {
            // Check the session object for login info.
            String username = request.getParameter(__J_USERNAME);
            String password = request.getParameter(__J_PASSWORD);
            UserPrincipal user = realm.authenticate(username, password, httpRequest);
            // The URI saved when the protected resource was first requested;
            // login fails if it is missing, which is why a direct login
            // (no prior redirect) does not work.
            String nuri = (String) session.getAttribute(__J_URI);
            if (user != null && nuri != null)
            {
                Code.debug("Form authentication OK for ", username);
                httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
                httpRequest.setAuthUser(username);
                httpRequest.setUserPrincipal(user);
                session.setAttribute(__J_AUTHENTICATED, user);
                response.sendRedirect(response.encodeRedirectURL(nuri));
            }
            else
            {
                Code.debug("Form authentication FAILED for ", username);
                if (_formErrorPage != null)
                    response.sendRedirect(response.encodeRedirectURL(
                        URI.addPaths(request.getContextPath(), _formErrorPage)));
                else
                    response.sendError(HttpResponse.__403_Forbidden);
            }
            // Security check is always false, only true after final redirection.
            return null;
        }

        // Check if the session is already authenticated.
        UserPrincipal user = (UserPrincipal) session.getAttribute(__J_AUTHENTICATED);
        if (user != null)
        {
            if (user.isAuthenticated())
            {
                Code.debug("FORM Authenticated for ", user.getName());
                httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
                httpRequest.setAuthUser(user.getName());
                httpRequest.setUserPrincipal(user);
                return user;
            }
        }

        // Don't authenticate authform or errorpage
        if (pathInContext != null
            && (pathInContext.equals(_formErrorPage) || pathInContext.equals(_formLoginPage)))
            return SecurityConstraint.__NOBODY;

        // redirect to login page, remembering where to go afterwards
        if (httpRequest.getQuery() != null)
            uri += "?" + httpRequest.getQuery();
        session.setAttribute(__J_URI, URI.addPaths(request.getContextPath(), uri));
        response.sendRedirect(response.encodeRedirectURL(
            URI.addPaths(request.getContextPath(), _formLoginPage)));
        return null;
    }

___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] Jetty and form based authentication
I just found my answer on the JBoss forums. It seems Jetty is supposed to return null in getUserPrincipal on unprotected pages. The solution seems to be to create a special guest role which is granted to all visitors by the login module and make every resource protected.

Silvester
Re: [JBoss-user] Jetty and form based authentication
Not if I understand the messages at the forum correctly. You can configure a role to be granted to unauthenticated users. Thanks for the input,

Silvester

David Ward wrote:

But then everyone would have to log in to access any of your pages. If you need to know who the user is on all pages (if they're logged in), why don't you just, on successful login (i.e. there is a non-null Principal in the request), stuff it into the HttpSession yourself, then access that variable from your pages? It gets cleared out on logout (i.e. session.invalidate()). If you don't have a single servlet controller that fronts your app to put the Principal in the session, you could instead do it via a javax.servlet.Filter that is configured to intercept everything in your servlet context. Hope this helps, David
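One way to implement the Filter that David Ward describes, as an added example that is not code from this thread, from Jetty or from JBoss. It assumes the Servlet 2.3 javax.servlet.Filter API as shipped with JBoss/Jetty of that era; the class name PrincipalCacheFilter and the session key it uses are hypothetical, chosen here for illustration.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Remembers the container-authenticated user in the HttpSession so that pages
 * outside any security-constraint can still tell who is logged in.
 * Hypothetical class for this example; map it to /* in web.xml.
 */
public class PrincipalCacheFilter implements Filter {

    /** Application-chosen session key (assumption, not a container constant). */
    public static final String USER_NAME_KEY = "app.cachedUserName";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // getUserPrincipal() is only non-null on requests the container
            // authenticated itself, i.e. on protected resources; copy the
            // identity there so later unprotected pages can show it.
            Principal principal = request.getUserPrincipal();
            if (principal != null) {
                HttpSession session = request.getSession(true);
                // Store only the name: it is serializable and carries no
                // realm objects. Roles are NOT cached; authorization stays
                // with the container's security-constraints.
                session.setAttribute(USER_NAME_KEY, principal.getName());
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Helper for pages and JSPs: the logged-in user's name, or null if nobody
     * is logged in. Prefers the container's answer when it has one.
     */
    public static String currentUserName(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            return principal.getName();
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null; // no session at all, so no cached login either
        }
        return (String) session.getAttribute(USER_NAME_KEY);
    }
}
```

Register it in web.xml with a `filter` element and a `filter-mapping` whose `url-pattern` is `/*`, then call `PrincipalCacheFilter.currentUserName(request)` from any page. Two caveats follow from the FormAuthenticator code quoted in the first message. First, the filter only sees a Principal on requests the container authenticated, so the redirect target stored in org.mortbay.jetty.URI (the page the user lands on after j_security_check) must itself be a protected resource, otherwise the login is never observed and nothing is cached. Second, the cache is display-only: it holds a name, not roles, and `isUserInRole` cannot be relied on for unprotected pages any more than `getUserPrincipal` can, so a menu built from roles still needs the container to evaluate the request. That is what the guest-role approach from the second message gives you: protect every resource and let the login module assign an identity to requests without credentials (in JBoss login modules this is the `unauthenticatedIdentity` module option), so the container authenticates, and evaluates roles on, every page. The cached name disappears with the session on `session.invalidate()`, as David notes, so logout needs no extra cleanup.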