RE: FormAuthentication
Guys,

I got past the 404 error. It was a mistake on my part by not mapping /ServletRedirectSecure to the ServletRedirectorSecure alias of the ServletRedirector servlet. Thanks again for your help and understanding.

Pranab

-----Original Message-----
From: Dhar, Pranab [mailto:Pranab.Dhar;DFA.STATE.NY.US]
Sent: Sunday, October 27, 2002 10:39 PM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

Hi Jason/Vincent,

I checked out the code changes and, as expected, the first call gets the JSESSIONID from the server to proceed with calling the servlet set by WebRequest.setURL(). The GET_RESULTS query now uses the same redirector. I am having a little glitch with the test as I am getting a 404 return code for a valid servlet. ...
RE: FormAuthentication
-nameUnsecure Stateless SessionBean/container-name security-domain/ /container-configuration /container-configurations /jboss

--
# A sample users.properties file for use with the UsersRolesLoginModule
# user=password
admin=admin
pkdhar=pkdhar
bob=bob

--
# A sample roles.properties file for use with the UsersRolesLoginModule
# user=role1,role2...
admin=idsconf_admin,idsconf_user
pkdhar=idsconf_user
bob=idsconf_user

-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson;acs-inc.com]
Sent: Friday, October 25, 2002 11:21 AM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

Buried in the stack trace is "Failed to authenticate the principal". If you try to log into the website normally using admin/admin does it work? What server are you using? We have test cases that work with Tomcat and WebLogic.

Jason

-----Original Message-----
From: Dhar, Pranab [mailto:Pranab.Dhar;DFA.STATE.NY.US]
Sent: Friday, October 25, 2002 10:10 AM
To: '[EMAIL PROTECTED]'
Subject: FormAuthentication

Hi,

I am in a situation where I have EJBs and servlets created with security roles defined. I need to test the servlets and EJBs doing the authentication in the process. I am using FormAuthentication for the secured jsp/servlets/struts forms and actions. I installed Cactus 1.4.1 and found out that it doesn't implement form authentication, so I am now using the nightly build 20021022 after checking the mailing list that some gentlemen have been adding this new feature.
My testcase is as follows:

    public void beginBasicAuthentication(WebRequest theRequest)
    {
        theRequest.setURL("localhost:8080", "/", "/secure/idsconf", null, null);
        theRequest.addCookie("test", "test");
        // Send the test through the redirector alias covered by the security constraint
        theRequest.setRedirectorName("ServletRedirectorSecure");
        theRequest.setAuthentication(new FormAuthentication("admin", "admin"));
    }

    public void testBasicAuthentication()
    {
        assertEquals("admin", request.getUserPrincipal().getName());
        assertEquals("admin", request.getRemoteUser());
        assertTrue("User not in 'admin' role", request.isUserInRole("admin"));
    }

I am getting this error when I run the test in Log4J DEBUG mode:

    18:00:12,899 [main] DEBUG ent.HttpClientConnectionHelper - getCookieString([simulation URL = [null], automatic session = [true], cookies = [], headers = [], GET parameters = [], POST parameters = []], [http://localhost:8080/ServletRedirector])
    18:00:12,899 [main] DEBUG ent.HttpClientConnectionHelper - getCookieString = [null]
    18:00:13,891 [main] DEBUG ent.HttpClientConnectionHelper - connect = [org.apache.cactus.util.HttpURLConnection:http://localhost:8080/ServletRedirector]
    18:00:13,901 [main] DEBUG util.HttpURLConnection - getHeaderFieldKey([1])
    18:00:13,901 [main] DEBUG util.HttpURLConnection - getHeaderFieldKey = [Connection]
    18:00:13,901 [main] DEBUG util.HttpURLConnection - getHeaderFieldKey([2])
    18:00:13,901 [main] DEBUG util.HttpURLConnection - getHeaderFieldKey = [null]
    18:00:13,901 [main] DEBUG hentication.FormAuthentication - Using security check URL [http://localhost:8080/j_security_check]
    18:00:13,901 [main] DEBUG client.ConnectionHelperFactory - getConnectionHelper([http://localhost:8080/j_security_check], [org.apache.cactus.util.ServletConfiguration@1dff3a2])
    18:00:13,901 [main] DEBUG client.ConnectionHelperFactory - getConnectionHelper = [org.apache.cactus.client.HttpClientConnectionHelper@1d9fd51]
    18:00:13,901 [main] DEBUG cactus.WebRequest - addCookie([null], [null])
    18:00:13,901 [main] DEBUG cactus.WebRequest - addCookie([localhost], [null], [null])
    18:00:13,901 [main] DEBUG servlet.TestLoginServlet- Exception in test
    18:00:13,901 [main] DEBUG util.ChainedRuntimeException- printStackTrace([org.apache.log4j.spi.VectorWriter@121f1d])
    18:00:13,971 [main] DEBUG util.ChainedRuntimeException- printStackTrace
    org.apache.cactus.util.ChainedRuntimeException: Failed to authenticate the principal
        at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):288)
        at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):147)
        at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
        at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log
RE: FormAuthentication
Jason,

I think the resource string should be the URL (http://localhost:8080/ServletRedirectorSecure):

    String resource = theRequest.getConfiguration().getContextURL() + "/" + theRequest.getRedirectorURL();

Pranab

-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson;acs-inc.com]
Sent: Friday, October 25, 2002 1:47 PM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

I think you've found a problem! I was unaware that you could change the redirector name in the WebRequest so I didn't deal with that scenario.

If you can, change the authenticate function to be this (add the WebRequest argument, and then use it to get the redirector name):

    public void authenticate(WebRequest theRequest)
    {
        //Note: This method needs refactoring. It is too complex.
        try
        {
            // Create a helper that will connect to a restricted resource.
            String resource = theRequest.getRedirectorName();
            ...

and pass theRequest to the authenticate function in the configuration method:

    if (this.sessionId == null)
    {
        authenticate(theRequest);
    }

and give it a try. If that fixes things I'll work up a proper patch and submit it.

Good catch!

Jason

-----Original Message-----
From: Dhar, Pranab [mailto:Pranab.Dhar;DFA.STATE.NY.US]
Sent: Friday, October 25, 2002 1:32 PM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

Jason,

The servlet mapping in WEB-INF/web.xml is

    <!-- Cactus Servlet Redirectors -->
    <servlet>
        <servlet-name>ServletRedirector</servlet-name>
        <servlet-class>org.apache.cactus.server.ServletTestRedirector</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>ServletRedirectorSecure</servlet-name>
        <servlet-class>org.apache.cactus.server.ServletTestRedirector</servlet-class>
    </servlet>

two aliases for the same Redirector servlet, and the security constraint is on the ServletRedirectorSecure alias.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SecurityRestriction</web-resource-name>
            <description>Protect the Cactus redirectorservlet.</description>
            <url-pattern>/ServletRedirectorSecure</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Authorized Users Group</description>
            <role-name>idsconf_admin</role-name>
            <role-name>idsconf_user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

cactus.properties contains

    cactus.contextURL = http://localhost:8080

only, and the testcase sets the redirector by calling

    theRequest.setRedirectorName("ServletRedirectorSecure");

As long as I set the redirector in the test case it will override the default redirector. Then the question is why the default redirector is being used after the override.

    [org.apache.cactus.util.HttpURLConnection:http://localhost:8080/ServletRedirector]

I think I found the problem in the Cactus code. I am setting the redirector in the class field WebRequest.redirectorName, whereas FormAuthentication is getting the redirector name from the WebConfiguration interface implemented by the ServletConfiguration class, which reads the redirector name from cactus.properties and uses the default ServletRedirector if not specified. The WebRequest wrapper should rather modify the stored configuration object to the new redirector, or the ServletConfiguration should check the request object to get the modified redirector.

    /**
     * @param theConfiguration the Cactus configuration
     */
    public WebRequest(WebConfiguration theConfiguration)
    {
        this.configuration = theConfiguration;
    }

    /**
     * Override the redirector Name defined in <code>cactus.properties</code>.
     * This is useful to define a per test case Name (for example, if some
     * test case need to have authentication turned on and not other tests,
     * etc).
     *
     * @param theRedirectorName the new redirector Name to use
     */
    public void setRedirectorName(String theRedirectorName)
    {
        this.redirectorName = theRedirectorName;
    }

Tell me what you think.

Pranab

-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson;acs-inc.com]
Sent: Friday, October 25, 2002 12:44 PM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

One thing I notice is that cactus connects to http://localhost:8080/ServletRedirector but you have the Tomcat config url pattern as /ServletRedirectorSecure.

Try removing the Secure from the end. Make the ServletRedirector servlet a secure resource. (Alternatively, you could add Secure to your cactus.properties file, but I'd say it would be better to remove it.)

Let me know if that changes anything.

Jason
RE: FormAuthentication
Jason,

Sorry for the typo error in my last post. It should be

    getConfiguration().getContextURL() + "/" + theRequest.getRedirectorName();

I just compiled the code and tested it. I am getting past the authentication now but getting stuck somewhere after that. Somewhere down the line the ServletRedirectorSecure is getting switched back to ServletRedirector even though I am setting the URL to a secured resource. I am getting an Error 404 instead of the regular output from the servlet.

Pranab

I added the following in the test code:

    public void beginBasicAuthentication(WebRequest theRequest)
    {
        theRequest.setURL("localhost:8080", "/", "/secure/idsconf", null, null); // <--
        theRequest.addCookie("test", "test");
        theRequest.setRedirectorName("ServletRedirectorSecure");
        theRequest.setAuthentication(new FormAuthentication("admin", "admin"));
    }

    public void testBasicAuthentication()
    {
        try {
            idsconfServlet servlet = new idsconfServlet(); // <--
            servlet.init(this.config); // <--
            servlet.doGet(this.request, this.response); // <--
            assertEquals("admin", request.getUserPrincipal().getName());
            assertEquals("admin", request.getRemoteUser());
            assertTrue("User not in 'admin' role", request.isUserInRole("admin"));
        } catch (ServletException e) {
            log.error(e);
        } catch (IOException e) {
            log.error(e);
        }
    }

Debug LOG

    15:25:40,563 [main] DEBUG util.UrlUtil- getPath([http://localhost:8080/ServletRedirectorSecure?Cactus_TestMethod=testBasicAuthenticationCactus_URL_ContextPath=%2FCactus_URL_Server=localhost%3A8080Cactus_URL_ServletPath=%2Fsecure%2FidsconfCactus_TestClass=com.ids.servlet.TestLoginServletCactus_AutomaticSession=trueCactus_URL_Protocol=httpCactus_Service=CALL_TEST])
    15:25:40,563 [main] DEBUG util.UrlUtil- getPath = [/ServletRedirectorSecure]
    15:25:40,563 [main] DEBUG util.UrlUtil- getQuery([http://localhost:8080/ServletRedirectorSecure?Cactus_TestMethod=testBasicAuthenticationCactus_URL_ContextPath=%2FCactus_URL_Server=localhost%3A8080Cactus_URL_ServletPath=%2Fsecure%2FidsconfCactus_TestClass=com.ids.servlet.TestLoginServletCactus_AutomaticSession=trueCactus_URL_Protocol=httpCactus_Service=CALL_TEST])
    15:25:40,563 [main] DEBUG util.UrlUtil- getQuery = [Cactus_TestMethod=testBasicAuthenticationCactus_URL_ContextPath=%2FCactus_URL_Server=localhost%3A8080Cactus_URL_ServletPath=%2Fsecure%2FidsconfCactus_TestClass=com.ids.servlet.TestLoginServletCactus_AutomaticSession=trueCactus_URL_Protocol=httpCactus_Service=CALL_TEST]
    15:25:40,563 [main] DEBUG ent.HttpClientConnectionHelper - getCookieString([simulation URL = [protocol = [http], host name = [localhost], port = [8080], context path = [/], servlet path = [/secure/idsconf], path info = [null], query string = [null]], automatic session = [true], cookies = [[name = [test], value = [test], domain = [localhost], path = [null], isSecure = [false], comment = [null], expiryDate = [null]][name = [JSESSIONID], value = [B9D9DDE0DD962B211E36D92FBE854D67], domain = [localhost], path = [null], isSecure = [false], comment = [null], expiryDate = [null]]], headers = [], GET parameters = [[[Cactus_TestMethod] = [[testBasicAuthentication]]][[Cactus_URL_ContextPath] = [[/]]][[Cactus_URL_Server] = [[localhost:8080]]][[Cactus_URL_ServletPath] = [[/secure/idsconf]]][[Cactus_TestClass] = [[com.ids.servlet.TestLoginServlet]]][[Cactus_AutomaticSession] = [[true]]][[Cactus_URL_Protocol] = [[http]]][[Cactus_Service] = [[CALL_TEST, POST parameters = []], [http://localhost:8080/ServletRedirectorSecure?Cactus_TestMethod=testBasicAuthenticationCactus_URL_ContextPath=%2FCactus_URL_Server=localhost%3A8080Cactus_URL_ServletPath=%2Fsecure%2FidsconfCactus_TestClass=com.ids.servlet.TestLoginServletCactus_AutomaticSession=trueCactus_URL_Protocol=httpCactus_Service=CALL_TEST])
    15:25:40,563 [main] DEBUG cactus.Cookie - getCookiePath([simulation URL = [protocol = [http], host name = [localhost], port = [8080], context path = [/], servlet path = [/secure/idsconf], path info = [null], query string = [null]], automatic session = [true], cookies = [[name = [test], value = [test], domain = [localhost], path = [null], isSecure = [false], comment = [null], expiryDate = [null]][name = [JSESSIONID], value = [B9D9DDE0DD962B211E36D92FBE854D67], domain = [localhost], path = [null], isSecure = [false], comment = [null], expiryDate = [null]]], headers = [], GET parameters = [[[Cactus_TestMethod] = [[testBasicAuthentication]]][[Cactus_URL_ContextPath] = [[/]]][[Cactus_URL_Server] = [[localhost:8080]]][[Cactus_URL_ServletPath] =
RE: FormAuthentication
Jason,

I found the redirector change happening in this function (AbstractHttpClient.java):

    private WebTestResult callGetResult(
        AbstractAuthentication theAuthentication) throws Throwable
    {
        WebRequest resultsRequest = new WebRequest(this.configuration); // <--- here

        // Add authentication details
        if (theAuthentication != null)
        {
            resultsRequest.setAuthentication(theAuthentication);
        }

        // Open the second connection to get the test results
        ConnectionHelper helper =
            ConnectionHelperFactory.getConnectionHelper(
                getRedirectorURL(resultsRequest), this.configuration);

The ServletConfiguration does not contain the redirector set in the WebRequest object; instead it loads its default redirector from cactus.properties. this.configuration is coming from a new Configuration being initialized in the ServletTestCase class:

    /**
     * see AbstractTestCase#createConfiguration()
     */
    protected Configuration createConfiguration()
    {
        return new ServletConfiguration();
    }

When the user sets the redirector in WebRequest, that never gets updated in the configuration. So when getRedirectorURL() gets called in AbstractHttpClient.java, which is actually implemented in ServletHttpClient.java as

    protected String getRedirectorURL(WebRequest theRequest)
    {
        String url;

        // Check if user has overridden the servlet redirector
        if (theRequest.getRedirectorName() != null)
        {
            url = this.configuration.getContextURL() + "/"
                + theRequest.getRedirectorName();
        }
        else
        {
            url = this.configuration.getRedirectorURL();
        }

        return url;
    }

The theRequest parameter, being a newly initialized WebRequest object, does not have the redirector set from the old request object used for form authentication. Hence the callResult function never goes to the secured servlet redirector used earlier to run the test.

I am not too sure if the unsecured redirector will be able to return the results. Maybe Cactus gurus will know the answer to this design.
Pranab

-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson;acs-inc.com]
Sent: Friday, October 25, 2002 6:20 PM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

Yes, you're correct with the need to get the context URL as well. As for the rest of it, I'm not sure. I'll try looking at the log again, but there's a lot of information there!

Jason

-----Original Message-----
From: Dhar, Pranab [mailto:Pranab.Dhar;DFA.STATE.NY.US]
Sent: Friday, October 25, 2002 3:43 PM
To: 'Cactus Users List'
Subject: RE: FormAuthentication

Jason,

Sorry for the typo error in my last post. It should be

    getConfiguration().getContextURL() + "/" + theRequest.getRedirectorName();

I just compiled the code and tested it. I am getting past the authentication now but getting stuck somewhere after that. Somewhere down the line the ServletRedirectorSecure is getting switched back to ServletRedirector even though I am setting the URL to a secured resource. I am getting an Error 404 instead of the regular output from the servlet.
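The redirector-resolution problem traced in this thread, reduced to a self-contained Java model. This is an added example, not Cactus source and not code from any poster: `Config`, `Request` and the two `resultsRequest...` helpers are hypothetical stand-ins, and carrying the override across is one assumed correction, not the project's patch.

```java
/** Added illustration only; every class and method here is a hypothetical stand-in. */
public class RedirectorOverrideDemo {

    /** Stand-in for the properties-backed configuration: it only knows the default. */
    static final class Config {
        final String contextUrl;
        final String defaultRedirector;
        Config(String contextUrl, String defaultRedirector) {
            this.contextUrl = contextUrl;
            this.defaultRedirector = defaultRedirector;
        }
    }

    /** Stand-in for a request that may carry a per-test redirector override. */
    static final class Request {
        private String redirectorName; // null means "use the configured default"
        void setRedirectorName(String name) { this.redirectorName = name; }
        String getRedirectorName() { return redirectorName; }
    }

    /** Same decision as the getRedirectorURL() quoted in the thread: override wins. */
    static String redirectorUrl(Config cfg, Request req) {
        String name = req.getRedirectorName() != null
                ? req.getRedirectorName() : cfg.defaultRedirector;
        return cfg.contextUrl + "/" + name;
    }

    /** Behaviour reported in the thread: the results request is built from scratch. */
    static Request resultsRequestAsReported(Request testRequest) {
        return new Request(); // the override set on testRequest is not copied
    }

    /** Assumed correction: carry the override over to the results request. */
    static Request resultsRequestCarryingOverride(Request testRequest) {
        Request results = new Request();
        results.setRedirectorName(testRequest.getRedirectorName());
        return results;
    }

    public static void main(String[] args) {
        Config cfg = new Config("http://localhost:8080", "ServletRedirector");
        Request test = new Request();
        test.setRedirectorName("ServletRedirectorSecure");

        String callTest = redirectorUrl(cfg, test);
        String reported = redirectorUrl(cfg, resultsRequestAsReported(test));
        String carried = redirectorUrl(cfg, resultsRequestCarryingOverride(test));
        System.out.println("test call    -> " + callTest);
        System.out.println("results call -> " + reported + "  (as reported)");
        System.out.println("results call -> " + carried + "  (override carried)");

        // Both calls must resolve to the protected alias; otherwise the second
        // one goes to the mapping that has no security constraint.
        if (callTest.equals(reported) || !callTest.equals(carried)) {
            throw new AssertionError("unexpected redirector resolution");
        }
    }
}
```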