[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-05-08 Thread joe_the_quick
regarding the window.location-trick:

=
j_exception issue
=
first of all, it's much nicer to use response.sendRedirect() instead of any 
javascript.

The only trick here is that the Valve will fire after the error.jsp gets 
invoked!! Thus, to grab the exception in j_exception, you have to redirect to 
the error.jsp or to another jsp once again.

(I've used a separate servlet for the whole login process, which makes 
everything much more flexible and allows for multiple pages for the whole login 
process).

=
org.jboss.web.tomcat.security.FormAuthValve
=
Secondly, you don't have to code your own FormAuthValve. 
Everything you need is to activate the FormAuthValve delivered right with the 
jboss classes.


  | 
  |
  |
  | 
  | 

The FormAuthValve will automatically retrieve an exception thrown in your 
LoginModule and store it using HttpSession.setAttribute("j_exception", 
throwable)

If you want to recode FormAuthValve, you'll have to deploy it right where the 
catalina-libs are (server/default/deploy/jbossweb-tomcat50.sar) and make sure 
it uses the package org.jboss.web.tomcat.security, because 
SecurityAssociationActions.getAuthException() is protected.

That's all - after that displaying LoginExceptions in the UI is a breeze.

regards,
Johannes



View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3876936#3876936

JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-25 Thread ricardoarguello
If you want to throw custom LoginExceptions you should code your LoginModule to 
extend org.jboss.security.auth.spi.AbstractServerLoginModule instead of using 
the org.jboss.security.auth.spi.UsernamePasswordLoginModule.

Use the UsernamePasswordLoginModule as an example of how to code your 
LoginModule.

Get the source code from the CVS and read it.

Ricardo

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3867976#3867976



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-25 Thread mrchucho
Where in your Custom Login module can/should you throw the exception? I see 
that getRoleSet throws a LoginException, but not validatePassword...

RMC

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3867972#3867972



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-07 Thread ricardoarguello
The window.location trick worked!
I only had to define the error page as "not protected".

This is my web.xml:


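  | <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  |   "http://java.sun.com/dtd/web-app_2_3.dtd">
  | 
  | <web-app>
  |   <!-- Everything requires the admin role -->
  |   <security-constraint>
  |     <web-resource-collection>
  |       <web-resource-name>All the application</web-resource-name>
  |       <url-pattern>/*</url-pattern>
  |       <http-method>GET</http-method>
  |       <http-method>POST</http-method>
  |     </web-resource-collection>
  |     <auth-constraint>
  |       <role-name>admin</role-name>
  |     </auth-constraint>
  |   </security-constraint>
  | 
  |   <!-- No auth-constraint: the error page is "not protected" -->
  |   <security-constraint>
  |     <web-resource-collection>
  |       <web-resource-name>Error Page</web-resource-name>
  |       <url-pattern>/login-error.jsp</url-pattern>
  |       <http-method>GET</http-method>
  |       <http-method>POST</http-method>
  |     </web-resource-collection>
  |   </security-constraint>
  | 
  |   <login-config>
  |     <auth-method>FORM</auth-method>
  |     <form-login-config>
  |       <form-login-page>/login.jsp</form-login-page>
  |       <form-error-page>/login-error-redirect.jsp</form-error-page>
  |     </form-login-config>
  |   </login-config>
  | 
  |   <security-role>
  |     <role-name>admin</role-name>
  |   </security-role>
  | 
  | </web-app>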

My login-error-redirect.jsp:


  | <%-- do an extra request/response roundtrip --%>
  | 
  | 

An example login-error.jsp:


  | Login failed!
  | Exception: <%= session.getAttribute("j_exception") %>
  | 

In real life your LoginModule could throw a LoginException subtype (i.e. 
AccountExpiredException or CredentialExpiredException) and you could display a 
different message for each case in login-error.jsp, using instanceof.

Ricardo

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865631#3865631
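
The per-subtype message selection described in the post above, as an added example that is not code from the thread or from JBoss: it maps whatever is stored under "j_exception" to a fixed message instead of printing the Throwable itself, and clears the attribute once read. The class and method names are hypothetical, and a Map stands in for HttpSession so the example runs with the JDK alone.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/** Hypothetical helper for login-error.jsp; not part of JBoss. */
public class LoginErrorMessages {

    /** Maps the object stored under "j_exception" to a fixed, user-safe message. */
    public static String messageFor(Object jException) {
        // Walk the cause chain: the stored Throwable may wrap the LoginException.
        Throwable t = (jException instanceof Throwable) ? (Throwable) jException : null;
        for (int depth = 0; t != null && depth < 10; t = t.getCause(), depth++) {
            if (t instanceof AccountExpiredException) return "Your account has expired.";
            if (t instanceof AccountLockedException) return "Your account is locked.";
            if (t instanceof CredentialExpiredException) return "Your password has expired.";
            if (t instanceof FailedLoginException) return "Invalid user name or password.";
            if (t instanceof LoginException) break; // unknown subtype: stay generic
        }
        // Never echo getMessage() or toString(): they may carry internals or user input.
        return "Login failed.";
    }

    /** Reads and clears the attribute so a stale error is not shown on a later visit. */
    public static String consume(Map<String, Object> session) {
        return messageFor(session.remove("j_exception"));
    }

    public static void main(String[] args) {
        // Constructed samples; the Map stands in for HttpSession in this offline demo.
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("j_exception", new AccountExpiredException("acct 4711 expired 2005-01-01"));
        System.out.println(consume(session)); // specific message for the subtype
        System.out.println(consume(session)); // attribute already cleared: generic message
        session.put("j_exception", new RuntimeException(new CredentialExpiredException("pw too old")));
        System.out.println(consume(session)); // found through the cause chain
        session.put("j_exception", new LoginException("LDAP bind failed for cn=admin,dc=example"));
        System.out.println(consume(session)); // detail text is never rendered
    }
}
```

In login-error.jsp the equivalent call would pass `session.getAttribute("j_exception")` to `messageFor` and then call `session.removeAttribute("j_exception")`.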



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-05 Thread [EMAIL PROTECTED]
It can be overridden at the web app using a WEB-INF/context.xml that specifies 
the valve implementing the Authenticator interface:


  | 
  |   
  | 
  | 

The Authenticators.properties is loaded using the class path, so a 
conf/org/apache/catalina/startup/Authenticators.properties may work as an 
override but I have not tested it.


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865404#3865404



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-05 Thread ricardoarguello
The problem with that approach is that ALL my application is protected: /*

/login-error.jsp won't be displayed since it is protected also.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865389#3865389



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-05 Thread nobel
Most likely you will have to patch 
JBOSS_HOME/server/instance/deploy/jbossweb-tomcat50.sar/catalina.jar with a 
patched Authenticators.properties to point out the new FormAuthenticator 
subclass.

I dislike the idea of overriding the FormAuthenticator class, much nicer to 
hook into the request pipeline with an independent valve such as the 
FormAuthValve. For my needs it suffices to:

1. In web.xml set form-error-page to login-error-client-redirect.jsp that does  
  | <%-- do an extra request/response roundtrip --%>
  |  
  | . 
2. Have login-error.jsp format the LoginException that was set in the session 
by Scott's FormAuthValve.

/niklas

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865387#3865387



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-04 Thread ricardoarguello
Scott,

I found all the needed code in Apache's CVS. It looks like we have to 
copy-paste the org/apache/catalina/authenticator/FormAuthenticator.java code 
into a new Authenticator, and then configure Tomcat to use it. It looks like 
this is done in the 
org/apache/catalina/startup/Authenticators.properties file.

How can the Authenticators.properties file be overridden in the embedded Tomcat?

Thanks,

Ricardo



View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865317#3865317



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-04 Thread [EMAIL PROTECTED]
Then you need to replace the 
org.apache.catalina.authenticator.FormAuthenticator with your subclass that 
attaches this info for use in the error page. A valve that implements the 
org.apache.catalina.Authenticator tagging interface is used as the 
authenticator for the associated web app. 

Dig into it and create a jira feature request issue and whatever solution comes 
up can be integrated into jboss as an ease of use authenticator for future 
releases.

http://jira.jboss.com/jira/browse/JBAS


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865300#3865300



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-04 Thread ricardoarguello
Since the Valve executes around the "j_security_check" page it cannot have 
access to the Throwable before the j_security_check page is invoked.

I was also looking for a solution, since I'd like to present the error message 
in the error page, not in another page linked from the error page.

Any ideas?

Ricardo

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865274#3865274



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-04 Thread nobel
The FormAuthValve does exactly what you suggest  - puts a message (a Throwable) 
in the session that the error page may render.  The problem is that the error 
page is processed before the Throwable has been put in the session.

If I put a link on the error-page to an error-info-page and if the user then 
clicks on the link then the error-info-page successfully presents the Throwable.

/niklas



View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865161#3865161



[JBoss-user] [HTTPD, Servlets & JSP] - Re: FormAuthValve

2005-02-03 Thread [EMAIL PROTECTED]
Update the FormAuthValve to associate the error message the error page should 
render with the request or session. A valve should not be concerned about 
rendering.

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3865059#3865059
