RE: Form-based authentication not working right

2001-02-06 Thread Marcel Schutte

see inline

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Gerald Gutierrez
> Sent: Tuesday, February 06, 2001 12:52 AM
> To: Orion-Interest
> Cc: [EMAIL PROTECTED]
> Subject: Form-based authentication not working right
>
> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.
>
> I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.
> I have a number of JSP pages in the directory /app:
>
> MainMenu.jsp     -- the main menu
> SecuredPage.jsp  -- a secured page, see only when authenticated
> LoginForm.jsp    -- form for logging in
> LoginError.jsp   -- form displayed when there's an error
>
> The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To
> view this page, the user must be authenticated. The authentication is
> form-based.
>
> This is what should (CORRECTLY) happen:
>
>   1) User goes to MainMenu.jsp.
>   2) User clicks on link to SecuredPage.jsp.
>   3) User is presented with LoginForm.jsp.
>   4) User types in username and password.
>   5a) Login succeeds and SecuredPage.jsp is shown to user.
>   5b) Login fails and LoginError.jsp is shown to user.
>
> HOWEVER, this is the (INCORRECT) sequence of events that I actually get:
>
>   1) -- as before --
>   2) -- as before --
>   3) -- as before --
>   4) -- as before --
>   5a) Login succeeds and directory contents is shown to user.
>   5b) Login fails and directory contents is shown to user.
>
> Note the same (WRONG) thing happens whether or not the user authenticates
> properly. The directory contents is the list of JSP files that I have in /app.
>
> So ... what's wrong here? It redirects to my login form correctly. It just
> doesn't behave properly when I actually do the login (hit
> "j_security_check" with "j_username" and "j_password"). This is the
> relevant section of my web.xml file:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>LoginTrigger</web-resource-name>
>     <description>LoginTrigger</description>
>     <url-pattern>/SecuredPage.jsp</url-pattern>

According to the servlet spec (chapter 10) this should work as an exact
match. You could however try moving SecuredPage.jsp to a directory 'secure'
and use the pattern /secure/*; this is what I use and it is certainly working
in 1.4.5.

>     <http-method>GET</http-method>
>     <http-method>POST</http-method>

While experimenting you could also try to leave out these http-method
definitions, so you fall back to the default which is all methods. Again
that is my setup. The rest looks very familiar so it should work.

>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>myuser</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>LoginForm.jsp</form-login-page>
>     <form-error-page>LoginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <role-name>myuser</role-name>
> </security-role>
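
The setup suggested in the reply above (a directory pattern and no http-method list), written out as an added example; it is not a file posted by anyone in the thread. The /secure/ directory layout is taken from the suggestion, while the leading slashes on the login and error pages are an assumption following the Servlet 2.3 deployment descriptor, which describes those paths as beginning with "/".

```xml
<!-- Added example, not from the thread. Assumes SecuredPage.jsp has been moved
     to /secure/SecuredPage.jsp and the login pages remain at the web app root. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>LoginTrigger</web-resource-name>
    <description>Everything under /secure/ requires login</description>
    <!-- Path-prefix match: covers /secure/SecuredPage.jsp and any page added later -->
    <url-pattern>/secure/*</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to all methods.
         Listing only GET and POST leaves the other methods (HEAD, PUT, DELETE, ...)
         outside the constraint for this URL pattern. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>myuser</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Kept outside /secure/ so the container can serve them before authentication -->
    <form-login-page>/LoginForm.jsp</form-login-page>
    <form-error-page>/LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>myuser</role-name>
</security-role>
```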








RE: Form-based authentication not working right

2001-02-06 Thread Chris Bartling

Gerald,

I've been working with Form-based authentication for the past several weeks
on iPlanet 6.0.  Looking at your web.xml deployment descriptor, it looks
like that's OK.  You aren't using a user-data-constraint, but it's not
required either.  Check out the J2EE specs and Blueprints for more
information.

I've used subdirectories for securing my pages, but your single JSP URL
should work fine in this situation.  It sounds like the form authentication
is being triggered properly and is presenting you the correct form.
However, the Orion form authentication impl. does not seem to forward you
onto the originally requested resource (/SecuredPage.jsp).  Is there any
sort of example provided by Orion for testing form-based authentication?  I
would try that if one exists.  Otherwise, I would submit a bug through the
Orion Bugzilla.

This form-based authentication seems to be a feature that is not well
supported at the moment by other EJB servers.  I've been fighting with it in
iPlanet for a while.  If I can get a chance some night this week, I'll
attempt to get my example of form-based authentication to work on Orion and
then send out the results to the list.


-- chris --











Re: Form-based authentication not working right

2001-02-06 Thread John Hogan

Are you only specifying a partial path, relying on a default page name 
(index.jsp, default.jsp)?  If so, in your redirect code, be specific 
and specify the entire path, including the file name.  You should 
also be able to turn off directory browsing.  I don't know how to do 
this with Orion though.

JohnH





Re: Form-based authentication not working right

2001-02-06 Thread Nick Newman

Gerald,

I tried your exact example (see attached zipped up web app) and everything 
worked just as it should (using orion 1.4.5).  Once again I ask, what 
happens if you remove the security and simply request the secured page?

Nick

At 03:52 PM 2/5/01 -0800, you wrote:

> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.

snip
 FormLogin.zip


RE: Form-based authentication not working right

2001-02-06 Thread Juan Lorandi (Chile)

Gerald, I have a configuration matching yours and it's working.

May I suggest a test?
If you will, add a user called 'jlorandi' and make it part of group
'myuser', and add a user 'dummy' but DON'T make him part of group 'myuser'.
Then, could you please edit SecuredPage.jsp so it executes these printouts:


<% // JSP scriptlet; output goes to the server console, not the page
System.out.println("User:" + request.getRemoteUser() );
System.out.println("Role OK:" + request.isUserInRole("myuser") );
%>



then browse your app:
open browser, login as 'jlorandi', note results, close browser
open browser, login as 'dummy', note results, close browser
open browser, login INCORRECTLY, note results, close browser


JP
 




Re: Form-based authentication not working right

2001-02-06 Thread Gerald Gutierrez

At 09:07 AM 2/6/2001 -0700, you wrote:
> Gerald,
>
> I tried your exact example (see attached zipped up web app) and everything
> worked just as it should (using orion 1.4.5).  Once again I ask, what
> happens if you remove the security and simply request the secured page?

Then I get the secured page.

Thank you for the attachment. I'll have a look, and if I still cannot 
figure it out I'll come up with an EAR file of my own and post it. I might 
be just stupid, but perhaps there's an obscure bug somewhere.