Auto-login

2005-05-03 Thread Bedin, Stephane (GE Healthcare)
Hello,

I cannot find whether there is a way to auto-login to a protected directory
by a simple URL like:
http://host:8080/myapp/?user=toto&password=titi

My issue is that a user who is authenticated under webmin (...)
shall access another module (written under tomcat)
without being asked again for authentication.
A smart solution would be to redirect this user to the auto-login URL.

Any idea/solution?

Stephane.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Auto login using a cookie

2003-06-03 Thread Wijngaarde [Us Media]
Hi,

I was wondering if there is a standard way of creating automatic login 
functionality in tomcat.

What I mean is that a user can tick a box saying 'Automatically Log
me in the next time I visit'. This is a common functionality on low
security sites and improves user experience a lot.

We now use the JDBC Realm for authentication of the users. Of course we
can implement our own security filter checking for the necessary
credentials, but it would be great if we could use the web.xml file to
define the security constraints.

Any suggestions or references?


Regards,


Joel






Re: Auto login using a cookie

2003-06-03 Thread Tim Funk
I think you'd need to use a valve instead of a filter. The filters are 
invoked after any security check is done (I believe).

As a starting reference, look at the SingleSignOn valve.

-Tim



Re: Auto login using a cookie

2003-06-03 Thread Wijngaarde [Us Media]
Hi Tim,

Thanks for the reply. I will take a look at your suggestion, however
using a valve would make the login structure Tomcat specific. Most
Servlet-Containers supply some way of doing the authentication through
LDAP / JDBC / FILE... and thus using this scheme is quite safe.

But is there also a 'standard' way of using an auto login feature without
breaking the Container independence?

- Joel

-- 
Us Media
Stadhouderskade 115
1073 AX Amsterdam

t: +31 20 428 6868
f: +31 20 470 6905
w: http://www.usmedia.nl





Re: Auto login using a cookie

2003-06-03 Thread Tim Funk
Since you are using JDBCRealm, you are already somewhat Tomcat dependent,
even though switching realms is very easy. But the code to do the auto login
needs to occur BEFORE the JDBCRealm code is executed. That is the problem.

That's the bad news, your Tomcat specific code should be easy to port to other
containers if they provide that functionality.

-Tim



RE: Auto login using a cookie

2003-06-04 Thread Raible, Matt
I have a way that's been working for me - see it at:

http://raibledesigns.com/training/index.jsp?topic=rememberMe

HTH,

Matt




Re: Auto login using a cookie

2003-06-04 Thread Bill Barker
This more or less works for TC 3.x (where j_security_check is a
[pseudo-]Servlet).  It won't work for TC 4.x and higher (basically the same
as the recurring topic: "My users are bookmarking the login page").

As Tim mentioned, Filters are called after Container-Managed authentication
is checked.  Of course, there is nothing stopping you from implementing a
Filter-Managed security scheme (where your Filter(s) do all the work of
Tomcat's Authenticators and Realms).



Auto Login Using Form Based Authentication

2003-06-10 Thread Val T.
Hi,

I have an atypical situation in that I am trying to auto login users from
another system (a Lotus Domino system) when they connect to my JSP
application.  I am using Tomcat 4.1.18 and have form based authentication
working on it.  I would prefer if the users did not have to explicitly
login, because, as far as they are concerned, it's all part of the same
application.

Here is what I was hoping to be able to do:

The user, who is already logged in on the Domino system, clicks on the link
to my application.  The link contains the user's UserID, as a parameter.
The page they are linking to is in a restricted area, so Tomcat serves up
the login page, which takes the UID parameter, retrieves the related
password from the database, and logs the user in onload.

I have it all working beautifully, EXCEPT that I can't seem to be able to
retrieve the parameter from the URL.  I suspect that it is lost when,
instead of serving up the destination page, Tomcat serves up the login page
instead.  Is there a way to pass a parameter to the login page?  I think the
issue is the fact that you can't just call the login page directly.  Does
anyone see a way around this?

I was thinking that maybe I'd have to link to an index page first, and then
write a cookie, which I'd have to access from the login page.  That seems
like such a round-about way to go, when it would be so much simpler to just
grab a parameter from the URL.

Thanks in advance for any advice.

Val





RE: Auto Login Using Form Based Authentication

2003-06-10 Thread Raible, Matt
You could put a filter on /* in your app, and if the user is routed to the
login page (check the URL for an indexOf("login.jsp")) - then set a request
variable containing the parameter you want to save.

Matt




Re: Auto Login Using Form Based Authentication

2003-06-10 Thread Bill Barker
There are two problems with this:
1) Your Filter will not get called, since authentication happens before
Filters (you'd need to use a Valve, but then you are locked into Tomcat).
2) Unless you are using Tomcat 5.x nightly, Request attributes won't be
available to the login-page for the simple reason that that happens on a
different Request.

The simplest solution would be to use mod_jk to connect Domino & Tomcat and
set tomcatAuthentication="false".  However, the Domino connector is probably
the least tested.



RE: Auto Login Using Form Based Authentication

2003-06-11 Thread Raible, Matt

> 1) Your Filter will not get called, since authentication happens before
> Filters (you'd need to use a Valve, but then you are locked into Tomcat).

In my experience, and my current working app, this is not the case.  The
following code works for me in a filter (mapped to /*) to auto-login a user:


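    // Fragment from the body of the filter's doFilter(); RequestUtil, StringUtil
    // and log belong to the application and are not shown in this post.
    if (request.getRequestURL().indexOf("login") != -1) {
        // Check to see if we should automatically login the user
        // container is routing user to login page, check for remember me cookie
        Cookie userCookie = RequestUtil.getCookie(request, "username");
        String username =
            (userCookie != null)
            ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

        // The post does not show where rememberMe and password are set; the
        // two cookie names used here are assumptions.
        Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
        Cookie passCookie = RequestUtil.getCookie(request, "password");
        String password =
            (passCookie != null)
            ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

        if ((rememberMe != null) && (password != null)) {
            // authenticate user without displaying login page
            String route = request.getContextPath() +
                "/j_security_check?j_username=" + username
                + "&j_password=" + StringUtil.decodeString(password);

            if (log.isDebugEnabled()) {
                log.debug("I remember you '" + username
                    + "', attempting authentication...");
            }

            response.sendRedirect(response.encodeRedirectURL(route));

            return;
        }
    }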

Matt





Re: Auto Login Using Form Based Authentication

2003-06-11 Thread vtobin
Hi Bill and Matt,

> There are two problems with this:
> 1) Your Filter will not get called, since authentication happens before
> Filters (you'd need to use a Valve, but then you are locked into Tomcat).
> 2) Unless you are using Tomcat 5.x nightly, Request attributes won't be
> available to the login-page for the simple reason that that happens on a
> different Request.
>
> The simplest solution would be to use mod_jk to connect Domino & Tomcat and
> set tomcatAuthentication="false".  However, the Domino connector is probably
> the least tested.
>
> "Raible, Matt" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > You could put a filter on /* in your app, and if the user is routed to the
> > login page (check the URL for an indexOf("login.jsp")) - then set a request
> > variable containing the parameter you want to save.
> >
> > Matt

I'd like to thank you both for responding to my posting.  I'm researching 
your suggestions, though I guess I'll probably have to give up the idea of 
using a filter based on Bill's information.

I'm looking up the info on mod_jk.  That was a good lead, though the 
particulars are still eluding me.  I had always thought that mod_jk was 
strictly for Apache and Tomcat, but if it'll work with Domino, that's great.

Val




Re: Auto Login Using Form Based Authentication

2003-06-11 Thread John Turner
"mod_jk" is "strictly" for Apache, since the "mod" typically means "Apache 
module".

But JK (AJP13) is a protocol.  It can be implemented however you like.  
There are JK connectors for Apache and IIS, for example.

John



Re: Auto Login Using Form Based Authentication

2003-06-11 Thread Bill Barker
I was using "mod_jk" as a short-hand for the entire server-suite.  There is
a Domino connector, but I don't believe that there is a binary for it.  You
can get the source and compile it from
http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4/src/.
Documentation is at
http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4/doc/jk/domhowto.html.