RE: UserManager / BASIC auth; orion caching username/password ????

2001-08-28 Thread Juan Lorandi (Chile)

inline

> -Original Message-
> From: Curt Smith [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 28 August 2001 18:04
> To: Orion-Interest
> Subject: UserManager / BASIC auth; orion caching username/password
> 
> 
> I've got a confusing issue that I'm observing:
> 
> I'm using BASIC authorization and installed my subclass of
> AbstractUserManager into orion-application.xml.
> 
> I get the HTTP challenge login dialogue the first time, and get into the
> protected site when my um.checkPassword ( user, pw ) returns true.
> 
> Problems are:
> 
> - After 3 failures I get sent to the 401 screen.  I'd like to loop forever
>   in the login dialog.

Non-standard, check the HTTP RFC.
> 
>   ???
> 
> - The Security context seems to be cached and survives re-starts of orion ??

The browser does that; once a basic auth works, the same browser process
will keep sending the same auth to the server for each auth challenge.

> 
>   I see the um.checkPassword () method being called with the successful
>   username/password in my log4j logs.  Is the container supplying the
>   user/passwd without challenging the client?  This works for both IE and
>   NS and I've turned the auto-login features off for IE.
> 
>   On one hand this is great for resilience, especially if the session
>   object is serialized too.  I haven't found any files that might be
>   performing this feature though???
>
>   On the down side, I can't force a session / Security Context invalidation
>   to force a new login for debugging purposes.  Stopping IE / NS and
>   restarting the client even jumps back into the session without an HTTP
>   challenge ???  I've never seen this before?
> 
> Why can't I find how to flush cookies in IE and NS...  ;<  but this appears
> to be solely an orion behavior and not using cookies to persist the
> Security context???
> 
> 
> Anybody have an explanation of what's going on with this appearance of
> auto-login behavior via my UserManager.checkPassword() method?
> 
> very confused,
> 
> curt
> 
> 
> 
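
The mechanics behind Juan's explanation, as an added example that is not code from the thread or from Orion: a stateless server-side Basic-auth gate next to a minimal model of a browser that remembers a working credential per realm for the life of the process. The realm name, the `check_password` hook and the `curt`/`s3cret` credential are constructed for the illustration, and the hook only stands in for the `UserManager.checkPassword()` call Curt sees in his log4j output.

```python
import base64

REALM = "orion-demo"  # constructed realm name, not from the thread


def serve(headers, check_password):
    """Stateless server-side Basic-auth gate for one request.
    check_password(user, pw) -> bool stands in for the UserManager hook
    (assumed name, not Orion's real API). Returns (status, checked) where
    checked is True whenever check_password ran, i.e. one log4j line."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, False  # no credentials yet: challenge, dialog appears
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, False  # malformed header: challenge again
    # Nothing is kept between requests: no failure counter, nothing to survive a restart
    return (200 if check_password(user, pw) else 401), True


class Browser:
    """Model of the client behaviour in Juan's reply: once a credential works
    for a realm, the same browser process re-sends it on every request."""

    def __init__(self):
        self.remembered = {}  # realm -> Authorization header value

    def get(self, check_password, typed=None):
        header = self.remembered.get(REALM)
        if header is None and typed is not None:
            header = "Basic " + base64.b64encode(":".join(typed).encode()).decode()
        status, checked = serve({"Authorization": header} if header else {}, check_password)
        if status == 200:
            self.remembered[REALM] = header  # cached for the life of the process
        return status, checked


def walkthrough():
    """Replays the thread: dialog on first visit, silent re-auth afterwards,
    no server-side lockout, and a new browser process sees the dialog again."""
    def check_password(user, pw):  # constructed credential store
        return (user, pw) == ("curt", "s3cret")
    b = Browser()
    first = b.get(check_password)                        # (401, False)
    wrong = [b.get(check_password, ("curt", "nope")) for _ in range(4)]  # all (401, True)
    typed = b.get(check_password, ("curt", "s3cret"))    # (200, True)
    silent = b.get(check_password)                       # (200, True), no dialog
    fresh = Browser().get(check_password)                # (401, False), dialog again
    return first, wrong, typed, silent, fresh
```

The server never refuses to challenge after a third failure and never remembers a success; both the "three strikes" limit and the survival across server restarts live in the browser's cached header, which is why a restart of the client process, not the server, is what brings the dialog back.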




RE: UserManager / BASIC auth; orion caching username/password????

2001-08-28 Thread The elephantwalker

AFAIK, you don't have control over how Basic authentication is used (three
strikes and you're out). If you want more control, use Form-based
authentication. It's easy enough to put a counter or no counter in the login
form.

This session state persistence should not work for the j2ee security. The
behaviour you are describing is not shown when Form-based authentication is
used. For example, if you drop in a new ear file during a security session,
and you only have one server running (load-balancing changes this
behaviour), your session is invalidated, and you must login again.

The same should be true for Basic authentication. If it's not, it's a bug.

Regards,

the elephantwalker

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Curt Smith
Sent: Tuesday, August 28, 2001 3:04 PM
To: Orion-Interest
Subject: UserManager / BASIC auth; orion caching username/password


I've got a confusing issue that I'm observing:

I'm using BASIC authorization and installed my subclass of
AbstractUserManager into orion-application.xml.

I get the HTTP challenge login dialogue the first time, and get into the
protected site when my um.checkPassword ( user, pw ) returns true.

Problems are:

- After 3 failures I get sent to the 401 screen.  I'd like to loop forever
  in the login dialog.

  ???

- The Security context seems to be cached and survives re-starts of orion ??

  I see the um.checkPassword () method being called with the successful
  username/password in my log4j logs.  Is the container supplying the
  user/passwd without challenging the client?  This works for both IE and
  NS and I've turned the auto-login features off for IE.

  On one hand this is great for resilience, especially if the session
  object is serialized too.  I haven't found any files that might be
  performing this feature though???

  On the down side, I can't force a session / Security Context invalidation
  to force a new login for debugging purposes.  Stopping IE / NS and
  restarting the client even jumps back into the session without an HTTP
  challenge ???  I've never seen this before?

Why can't I find how to flush cookies in IE and NS...  ;<  but this appears
to be solely an orion behavior and not using cookies to persist the
Security context???


Anybody have an explanation of what's going on with this appearance of
auto-login behavior via my UserManager.checkPassword() method?

very confused,

curt