RE: UserManager / BASIC auth; orion caching username/password????

2001-08-28 Thread The elephantwalker

AFAIK, you don't have control over how Basic authentication is used (three
strikes and you're out). If you want more control, use Form-based
authentication. It's easy enough to put a counter or no counter in the login
form.

This session state persistence should not work for the j2ee security. The
behaviour you are describing is not shown when Form-based authentication is
used. For example, if you drop in a new ear file during a security session,
and you only have one server running (load-balancing changes this
behaviour), your session is invalidated, and you must login again.

The same should be true for Basic authentication. If it's not, it's a bug.

Regards,

the elephantwalker

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Curt Smith
Sent: Tuesday, August 28, 2001 3:04 PM
To: Orion-Interest
Subject: UserManager / BASIC auth; orion caching username/password


I've got a confusing issue that I'm observing:

I'm using BASIC authorization and installed my subclass of
AbstractUserManager into orion-application.xml.

I get the HTTP challenge login dialogue the first time, and get into the
protected site when my um.checkPassword ( user, pw ) returns true.

Problems are:

- After 3 failures I get sent to the 401 screen.   I'd like to loop forever
  in the login dialog.

  ???

- The Security context seems to be cached and survives re-starts of orion ??

  I see the um.checkPassword () method being called with the successful
  username password in my log4j logs.  Is the container supplying the
  user/passwd without challenging client?  This works for both IE and NS
  and I've turned the auto-login features off for IE.

   On one hand this is great for resilience, especially if the session
   object is serialized too.
   I haven't found any files that might be performing this feature though???

   On the down side, I can't force a session / Security Context invalidation
   to force a new login for debugging purposes.   Stopping IE / NS and
   restarting the client even jumps back into the session without a HTTP
   challenge ???   I've never seen this before?

Why can't I find how to flush cookies in IE and NS...  ;  but this appears
to be solely an orion behavior and not using cookies to persist the
Security context???


Anybody have an explanation of what's going on with this appearance of
auto-login behavior via my UserManager.checkPassword() method?

very confused,

curt







RE: UserManager / BASIC auth; orion caching username/password ????

2001-08-28 Thread Juan Lorandi (Chile)

inline

 -Original Message-
 From: Curt Smith [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 28, 2001 18:04
 To: Orion-Interest
 Subject: UserManager / BASIC auth; orion caching username/password
 
 
 I've got a confusing issue that I'm observing:
 
 I'm using BASIC authorization and installed my subclass of
 AbstractUserManager into orion-application.xml.
 
 I get the HTTP challenge login dialogue the first time, and get into the
 protected site when my um.checkPassword ( user, pw ) returns true.
 
 Problems are:
 
 - After 3 failures I get sent to the 401 screen.   I'd like to loop forever
   in the login dialog.

non standard, check HTTP RFC
 
   ???
 
 - The Security context seems to be cached and survives re-starts of orion  ??

The browser does that; once a basic auth works, the same browser process
will keep sending the same auth to the server for each auth challenge.

 
   I see the um.checkPassword () method being called with the successful
   username password in my log4j logs.  Is the container supplying the
   user/passwd without challenging client?  This works for both IE and NS
   and I've turned the auto-login features off for IE.
 
    On one hand this is great for resilience, especially if the session
    object is serialized too.
    I haven't found any files that might be performing this feature though???
 
    On the down side, I can't force a session / Security Context invalidation
    to force a new login for debugging purposes.   Stopping IE / NS and
    restarting the client even jumps back into the session without a HTTP
    challenge ???   I've never seen this before?
 
 Why can't I find how to flush cookies in IE and NS...  ;  but this appears
 to be solely an orion behavior and not using cookies to persist the
 Security context???
 
 
 Anybody have an explanation of what's going on with this appearance of
 auto-login behavior via my UserManager.checkPassword() method?
 
 very confused,
 
 curt
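
Added example, not part of the original thread and not Orion code: a small Python model of the exchange described in the reply above, where the browser process keeps resending working Basic credentials, so a restarted server sees its password check called again without any new login dialog. The Server and Browser classes, the realm name and the sample account are assumptions made for illustration.

```python
import base64

REALM = "protected"  # assumed realm name, not taken from the thread


class Server:  # stateless check; a new instance models a container restart
    def __init__(self, users):
        self.users = users
        self.check_calls = []  # every (user, password) the check receives

    def check_password(self, user, password):  # stand-in for checkPassword()
        self.check_calls.append((user, password))
        return self.users.get(user) == password

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if self.check_password(user, pw):
                return 200, {}
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


class Browser:  # keeps working credentials in process memory, per realm
    def __init__(self, ask_user):
        self.ask_user = ask_user  # callback standing in for the login dialog
        self.cache = {}           # realm -> Authorization header value
        self.prompts = 0          # how many times the dialog was shown

    def get(self, server):
        headers = {}
        if REALM in self.cache:   # resend cached credentials, no dialog
            headers["Authorization"] = self.cache[REALM]
        status, _ = server.handle(headers)
        if status == 401:         # challenged: drop stale entry, ask the user
            self.cache.pop(REALM, None)
            self.prompts += 1
            token = base64.b64encode(":".join(self.ask_user()).encode()).decode()
            headers["Authorization"] = "Basic " + token
            status, _ = server.handle(headers)
            if status == 200:
                self.cache[REALM] = headers["Authorization"]
        return status


def demo():
    users = {"curt": "s3cret"}  # constructed sample account
    browser = Browser(lambda: ("curt", "s3cret"))
    before = browser.get(Server(users))
    restarted = Server(users)   # restart: no server-side state survives
    after = browser.get(restarted)
    return before, after, browser.prompts, restarted.check_calls
```

In this model the second server instance holds no session state at all, yet it receives the credentials on the first request because the client supplies them; a new Browser instance starts with an empty cache and is prompted again.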