RE: Form-based authentication not working right
see inline

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gerald Gutierrez
Sent: Tuesday, February 06, 2001 12:52 AM
To: Orion-Interest
Cc: [EMAIL PROTECTED]
Subject: Form-based authentication not working right

> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.
>
> I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.
>
> I have a number of JSP pages in the directory /app:
>
> MainMenu.jsp     -- the main menu
> SecuredPage.jsp  -- a secured page, see only when authenticated
> LoginForm.jsp    -- form for logging in
> LoginError.jsp   -- form displayed when there's an error
>
> The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp.
> To view this page, the user must be authenticated. The authentication is
> form-based.
>
> This is what should (CORRECTLY) happen:
>
> 1) User goes to MainMenu.jsp.
> 2) User clicks on link to SecuredPage.jsp.
> 3) User is presented with LoginForm.jsp.
> 4) User types in username and password.
> 5a) Login succeeds and SecuredPage.jsp is shown to user.
> 5b) Login fails and LoginError.jsp is shown to user.
>
> HOWEVER, this is the (INCORRECT) sequence of events that I actually get:
>
> 1) -- as before --
> 2) -- as before --
> 3) -- as before --
> 4) -- as before --
> 5a) Login succeeds and directory contents is shown to user.
> 5b) Login fails and directory contents is shown to user.
>
> Note the same (WRONG) thing happens whether or not the user authenticates
> properly. The directory contents is the list of JSP files that I have in /app.
>
> So ... what's wrong here? It redirects to my login form correctly. It just
> doesn't behave properly when I actually do the login (hit "j_security_check"
> with "j_username" and "j_password").
>
> This is the relevant section of my web.xml file:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>LoginTrigger</web-resource-name>
>     <description>LoginTrigger</description>
>     <url-pattern>/SecuredPage.jsp</url-pattern>

According to the servlet spec (chapter 10) this should work as an exact match. You could however try moving SecuredPage.jsp to a directory 'secure' and use the pattern /secure/*; this is what I use and it is certainly working in 1.4.5.

>     <http-method>GET</http-method>
>     <http-method>POST</http-method>

While experimenting you could also try to leave out these http-method definitions, so you fall back to the default, which is all methods. Again, that is my setup. The rest looks very familiar, so it should work.

>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>myuser</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>LoginForm.jsp</form-login-page>
>     <form-error-page>LoginError.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <role-name>myuser</role-name>
> </security-role>
RE: Form-based authentication not working right
Gerald,

I've been working with Form-based authentication for the past several weeks on iPlanet 6.0. Looking at your web.xml deployment descriptor, it looks like that's OK. You aren't using a user-data-constraint, but it's not required either. Check out the J2EE specs and Blueprints for more information. I've used subdirectories for securing my pages, but your single JSP URL should work fine in this situation.

It sounds like the form authentication is being triggered properly and is presenting you the correct form. However, the Orion form authentication impl. does not seem to forward you onto the originally requested resource (/SecuredPage.jsp). Is there any sort of example provided by Orion for testing form-based authentication? I would try that if one exists. Otherwise, I would submit a bug through the Orion Bugzilla.

This form-based authentication seems to be a feature that is not well supported at the moment by other EJB servers. I've been fighting with it in iPlanet for a while. If I can get a chance some night this week, I'll attempt to get my example of form-based authentication to work on Orion and then send out the results to the list.

-- chris --

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gerald Gutierrez
Sent: Monday, February 05, 2001 5:52 PM
To: Orion-Interest
Cc: [EMAIL PROTECTED]
Subject: Form-based authentication not working right

Recently I asked about form-based authentication. I appreciate the help several people gave, but from the responses I got it seems that I might have miscommunicated somehow. I'm going to try again, this time explaining myself better.

I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.

I have a number of JSP pages in the directory /app:

MainMenu.jsp     -- the main menu
SecuredPage.jsp  -- a secured page, see only when authenticated
LoginForm.jsp    -- form for logging in
LoginError.jsp   -- form displayed when there's an error

The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To view this page, the user must be authenticated. The authentication is form-based.

This is what should (CORRECTLY) happen:

1) User goes to MainMenu.jsp.
2) User clicks on link to SecuredPage.jsp.
3) User is presented with LoginForm.jsp.
4) User types in username and password.
5a) Login succeeds and SecuredPage.jsp is shown to user.
5b) Login fails and LoginError.jsp is shown to user.

HOWEVER, this is the (INCORRECT) sequence of events that I actually get:

1) -- as before --
2) -- as before --
3) -- as before --
4) -- as before --
5a) Login succeeds and directory contents is shown to user.
5b) Login fails and directory contents is shown to user.

Note the same (WRONG) thing happens whether or not the user authenticates properly. The directory contents is the list of JSP files that I have in /app.

So ... what's wrong here? It redirects to my login form correctly. It just doesn't behave properly when I actually do the login (hit "j_security_check" with "j_username" and "j_password").

This is the relevant section of my web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>LoginTrigger</web-resource-name>
    <description>LoginTrigger</description>
    <url-pattern>/SecuredPage.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>LoginForm.jsp</form-login-page>
    <form-error-page>LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>myuser</role-name>
</security-role>
Re: Form-based authentication not working right
Are you only specifying a partial path, relying on a default page name (index.jsp, default.jsp)? If so, in your redirect code, be specific and specify the entire path, including the file name.

You should also be able to turn off directory browsing. I don't know how to do this with Orion though.

JohnH
Re: Form-based authentication not working right
Gerald,

I tried your exact example (see attached zipped up web app) and everything worked just as it should (using orion 1.4.5). Once again I ask, what happens if you remove the security and simply request the secured page?

Nick

At 03:52 PM 2/5/01 -0800, you wrote:
> Recently I asked about form-based authentication. I appreciate the help
> several people gave, but from the responses I got it seems that I might
> have miscommunicated somehow. I'm going to try again, this time explaining
> myself better.
> <snip>

FormLogin.zip
RE: Form-based authentication not working right
Gerald,

I have a configuration matching yours and it's working. May I suggest a test?

If you will, add a user called 'jlorandi' and make it part of group 'myuser', and add a user 'dummy' but DON'T make him part of group 'myuser'. Then, could you please edit SecuredPage.jsp so it executes these printouts:

    System.out.println("User:" + request.getRemoteUser() );
    System.out.println("Role OK:" + request.isUserInRole("myuser") );

Then browse your app:

open browser, login as 'jlorandi', note results, close browser
open browser, login as 'dummy', note results, close browser
open browser, login INCORRECTLY, note results, close browser

JP

-----Original Message-----
From: Gerald Gutierrez [mailto:[EMAIL PROTECTED]]
Sent: Monday, 05 February 2001 20:52
To: Orion-Interest
Cc: [EMAIL PROTECTED]
Subject: Form-based authentication not working right

Recently I asked about form-based authentication. I appreciate the help several people gave, but from the responses I got it seems that I might have miscommunicated somehow. I'm going to try again, this time explaining myself better.

I'm using Orion 1.4.5 on Windows 2000. The same thing happens on Orion 1.3.8.

I have a number of JSP pages in the directory /app:

MainMenu.jsp     -- the main menu
SecuredPage.jsp  -- a secured page, see only when authenticated
LoginForm.jsp    -- form for logging in
LoginError.jsp   -- form displayed when there's an error

The user goes to MainMenu.jsp, where there is a link to SecuredPage.jsp. To view this page, the user must be authenticated. The authentication is form-based.

This is what should (CORRECTLY) happen:

1) User goes to MainMenu.jsp.
2) User clicks on link to SecuredPage.jsp.
3) User is presented with LoginForm.jsp.
4) User types in username and password.
5a) Login succeeds and SecuredPage.jsp is shown to user.
5b) Login fails and LoginError.jsp is shown to user.

HOWEVER, this is the (INCORRECT) sequence of events that I actually get:

1) -- as before --
2) -- as before --
3) -- as before --
4) -- as before --
5a) Login succeeds and directory contents is shown to user.
5b) Login fails and directory contents is shown to user.

Note the same (WRONG) thing happens whether or not the user authenticates properly. The directory contents is the list of JSP files that I have in /app.

So ... what's wrong here? It redirects to my login form correctly. It just doesn't behave properly when I actually do the login (hit "j_security_check" with "j_username" and "j_password").

This is the relevant section of my web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>LoginTrigger</web-resource-name>
    <description>LoginTrigger</description>
    <url-pattern>/SecuredPage.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>LoginForm.jsp</form-login-page>
    <form-error-page>LoginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>myuser</role-name>
</security-role>
Re: Form-based authentication not working right
At 09:07 AM 2/6/2001 -0700, you wrote:
> Gerald, I tried your exact example (see attached zipped up web app) and
> everything worked just as it should (using orion 1.4.5). Once again I ask,
> what happens if you remove the security and simply request the secured page?

Then I get the secured page.

Thank you for the attachment. I'll have a look, and if I still cannot figure it out I'll come up with an EAR file of my own and post it. I might be just stupid, but perhaps there's an obscure bug somewhere.