RE: Logout in a container-managed security environment -- Follow-up

2002-09-26 Thread Charles McClain

All:

I made the original post in this thread, and thanks to the replies I
received, was able to implement FORM-based CMA in my application.

As you can see in the message below, I was left with one residual
problem:  Although FORM-based CMA worked fine in a standalone Tomcat
environment, when I switched to an integrated Apache-Tomcat environment,
I got a 404 not-found error from Apache for j_security_check; in other
words, Apache never passed this request through to Tomcat.

Again thanks to several replies I received, I've been able to resolve
this problem.  Eddie Bush, in particular, was helpful and asked me to
post the solution on this list when I found it.  So here goes.  Bear in
mind that, in the example below, ebps is the name of my application
domain.

The solution involved modifying Tomcat's mod_jk.conf file.  The original
set of mappings in mod_jk.conf for my application context was:

JkMount /ebps/servlet/*  ajp13
JkMount /ebps/*.jsp ajp13
JkMount /ebps/  ajp13
JkMount /ebps/*.do  ajp13

On spec, I tried adding various mappings that assigned
j_security_check to the ajp13 worker.  The mapping that worked is:

JkMount /ebps/*  ajp13

...which in effect maps ALL requests to the ajp13 worker.  I've done
some light testing, and there do not seem to be any adverse side effects
to including this mapping, but I do have to caution everyone that I
haven't yet done thorough testing.

-Original Message-
From: Charles McClain [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 25, 2002 8:18 AM
To: 'Struts Users Mailing List'
Subject: RE: Logout in a container-managed security environment --
Follow-up


All:

Just to close the loop:

The 404 not-found error I was receiving was coming from the Apache
webserver; when I switched to using the Tomcat servlet container
standalone, FORM-based authentication -- set up as per the advice of
those of you who replied  --  worked properly.

I *thought* that I had Apache configured to pass everything through to
Tomcat, but obviously, I have something wrong in my Apache
configuration.  I'll take a look at that in the near future.

Thanks again,

-- Charlie

-Original Message-
From: Charles McClain [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 24, 2002 7:10 PM
To: Struts User Mailing List
Subject: Logout in a container-managed security environment -- Follow-up


All:

I received several replies to my original question, all of which
indicated that, in order to do a forceful logout, I needed to use
FORM-based CMA rather than BASIC.  One of the replies recommended an
article on the topic, which I downloaded and read.

I implemented FORM-based authentication, making the changes to my
web.xml, indicating the login form and error page, etc.  The container
(Tomcat 4.0) seems to know that I want FORM-based authentication, since
it pops up my login page.  I did, by the way, include the fields
j_username and j_password, and my form action is j_security_check, as
per the instructions.

However, when I press the submit button, my browser gives me a 404
not-found error on the (nonexistent, of course) page j_security_check.
I've checked the Apache and Tomcat logs, and one of the Tomcat logs
tells me that it has Configured an authenticator for method FORM, but
it still seems to be looking for a page by that name rather than
invoking the method.

Anyone have any ideas?

Charles McClain
Phone:  603.659.2046
email:[EMAIL PROTECTED]




--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
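
Added example, not part of the original messages: a small Python model of the JkMount lines quoted in the message above. It shows why /ebps/j_security_check stayed with Apache under the original four mappings, and which paths covered by a web.xml security constraint would never reach Tomcat. The wildcard semantics (shell-style, with * spanning '/'), the sample request paths and the /secure/* constraint are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# JkMount patterns quoted in the message above.
ORIGINAL_MOUNTS = ["/ebps/servlet/*", "/ebps/*.jsp", "/ebps/", "/ebps/*.do"]
FIXED_MOUNTS = ORIGINAL_MOUNTS + ["/ebps/*"]

# Constructed sample requests and a hypothetical web.xml <url-pattern>.
SAMPLE_PATHS = [
    "/ebps/",
    "/ebps/login.jsp",
    "/ebps/j_security_check",
    "/ebps/secure/report.do",
    "/ebps/secure/report.pdf",
    "/ebps/images/logo.gif",
]
PROTECTED_PATTERNS = ["/secure/*"]

def forwarded(path, mounts):
    """Return the first JkMount pattern matching path, or None."""
    # Assumption: shell-style wildcards where * may span '/' characters.
    path = path.split("?", 1)[0]  # the query string is not part of the match
    for pattern in mounts:
        if fnmatchcase(path, pattern):
            return pattern
    return None

def constrained(path, context, url_patterns):
    """Servlet-style url-pattern match: prefix (/x/*), extension (*.ext), exact."""
    if not path.startswith(context + "/"):
        return False
    rel = path[len(context):].split("?", 1)[0]
    for pat in url_patterns:
        base = pat[:-2]
        if pat.endswith("/*") and (rel == base or rel.startswith(base + "/")):
            return True
        if pat.startswith("*.") and rel.endswith(pat[1:]):
            return True
        if rel == pat:
            return True
    return False

def stays_on_apache(paths, mounts):
    """Paths no JkMount claims; Apache answers these itself."""
    return [p for p in paths if forwarded(p, mounts) is None]

def unenforced(paths, mounts, context, url_patterns):
    """Paths a security-constraint covers but that are never sent to Tomcat."""
    return [p for p in stays_on_apache(paths, mounts)
            if constrained(p, context, url_patterns)]

if __name__ == "__main__":
    for name, mounts in (("original", ORIGINAL_MOUNTS), ("fixed", FIXED_MOUNTS)):
        print(name, "kept by Apache:", stays_on_apache(SAMPLE_PATHS, mounts))
        print(name, "constraint never evaluated:",
              unenforced(SAMPLE_PATHS, mounts, "/ebps", PROTECTED_PATTERNS))
```

Under the original mappings the model leaves /ebps/j_security_check with Apache, which matches the 404 described above; whether Apache would actually serve the other unmapped paths depends on its own DocumentRoot or Alias settings.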




Re: Logout in a container-managed security environment -- Follow-up

2002-09-26 Thread Eddie Bush

The only drawback I see to this approach is that static content will be 
served by Tomcat.  Typically, a person uses Tomcat in conjunction with 
Apache in order to allow Apache to serve the static content.  Thank you 
for the update :-)  I'm nearly certain there has to be a better way -- 
although I'm not 100% sure.  Maybe Craig will spot this and have 
something to chip-in.

Thanks for your kind words, and I'm glad to hear you managed to get it 
working (acceptably, I hope).

Charles McClain wrote:

All:

I made the original post in this thread, and thanks to the replies I
received, was able to implement FORM-based CMA in my application.

As you can see in the message below, I was left with one residual
problem:  Although FORM-based CMA worked fine in a standalone Tomcat
environment, when I switched to an integrated Apache-Tomcat environment,
I got a 404 not-found error from Apache for j_security_check; in other
words, Apache never passed this request through to Tomcat.

Again thanks to several replies I received, I've been able to resolve
this problem.  Eddie Bush, in particular, was helpful and asked me to
post the solution on this list when I found it.  So here goes.  Bear in
mind that, in the example below, ebps is the name of my application
domain.

The solution involved modifying Tomcat's mod_jk.conf file.  The original
set of mappings in mod_jk.conf for my application context was:

JkMount /ebps/servlet/*  ajp13
JkMount /ebps/*.jsp ajp13
JkMount /ebps/  ajp13
JkMount /ebps/*.do  ajp13

On spec, I tried adding various mappings that assigned
j_security_check to the ajp13 worker.  The mapping that worked is:

JkMount /ebps/*  ajp13

...which in effect maps ALL requests to the ajp13 worker.  I've done
some light testing, and there do not seem to be any adverse side effects
to including this mapping, but I do have to caution everyone that I
haven't yet done thorough testing.


-- 
Eddie Bush








RE: Logout in a container-managed security environment -- Follow-up

2002-09-26 Thread Charles McClain

Eddie:

Yes, I'm aware of the drawback of having Tomcat service static content;
however, somewhere (perhaps in the Tomcat documentation, although since
the Tomcat documentation changed format with the release of Tomcat 4.0,
I could never find it again) I recall seeing a strong recommendation to
pass everything through to Tomcat in an Apache/Tomcat environment -- the
reason being that only in that way could you be sure that all of your
mappings and other servlet configurations were being enforced.

I'm trying to learn all of this stuff in such a short period of time,
and have read so much in a short period of time, that I've filed away
all of these kernels in my mind, having no idea where they came from.
Dangerous, I know.  But in any event, I do understand that total
pass-through is a two-edged sword.

-Original Message-
From: Eddie Bush [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 5:17 PM
To: Struts Users Mailing List
Subject: Re: Logout in a container-managed security environment --
Follow-up


The only drawback I see to this approach is that static content will be 
served by Tomcat.  Typically, a person uses Tomcat in conjunction with 
Apache in order to allow Apache to serve the static content.  Thank you 
for the update :-)  I'm nearly certain there has to be a better way -- 
although I'm not 100% sure.  Maybe Craig will spot this and have 
something to chip-in.

Thanks for your kind words, and I'm glad to hear you managed to get it 
working (acceptably, I hope).

Charles McClain wrote:

All:

I made the original post in this thread, and thanks to the replies I 
received, was able to implement FORM-based CMA in my application.

As you can see in the message below, I was left with one residual
problem:  Although FORM-based CMA worked fine in a standalone Tomcat 
environment, when I switched to an integrated Apache-Tomcat 
environment, I got a 404 not-found error from Apache for 
j_security_check; in other words, Apache never passed this request 
through to Tomcat.

Again thanks to several replies I received, I've been able to resolve 
this problem.  Eddie Bush, in particular, was helpful and asked me to 
post the solution on this list when I found it.  So here goes.  Bear in
mind that, in the example below, ebps is the name of my application 
domain.

The solution involved modifying Tomcat's mod_jk.conf file.  The 
original set of mappings in mod_jk.conf for my application context was:

JkMount /ebps/servlet/*  ajp13
JkMount /ebps/*.jsp ajp13
JkMount /ebps/  ajp13
JkMount /ebps/*.do  ajp13

On spec, I tried adding various mappings that assigned 
j_security_check to the ajp13 worker.  The mapping that worked is:

JkMount /ebps/*  ajp13

...which in effect maps ALL requests to the ajp13 worker.  I've done 
some light testing, and there do not seem to be any adverse side 
effects to including this mapping, but I do have to caution everyone 
that I haven't yet done thorough testing.


-- 
Eddie Bush








RE: Logout in a container-managed security environment -- Follow-up

2002-09-25 Thread Charles McClain

All:

Just to close the loop:

The 404 not-found error I was receiving was coming from the Apache
webserver; when I switched to using the Tomcat servlet container
standalone, FORM-based authentication -- set up as per the advice of
those of you who replied  --  worked properly.

I *thought* that I had Apache configured to pass everything through to
Tomcat, but obviously, I have something wrong in my Apache
configuration.  I'll take a look at that in the near future.

Thanks again,

-- Charlie

-Original Message-
From: Charles McClain [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 24, 2002 7:10 PM
To: Struts User Mailing List
Subject: Logout in a container-managed security environment -- Follow-up


All:

I received several replies to my original question, all of which
indicated that, in order to do a forceful logout, I needed to use
FORM-based CMA rather than BASIC.  One of the replies recommended an
article on the topic, which I downloaded and read.

I implemented FORM-based authentication, making the changes to my
web.xml, indicating the login form and error page, etc.  The container
(Tomcat 4.0) seems to know that I want FORM-based authentication, since
it pops up my login page.  I did, by the way, include the fields
j_username and j_password, and my form action is j_security_check, as
per the instructions.

However, when I press the submit button, my browser gives me a 404
not-found error on the (nonexistent, of course) page j_security_check.
I've checked the Apache and Tomcat logs, and one of the Tomcat logs
tells me that it has Configured an authenticator for method FORM, but
it still seems to be looking for a page by that name rather than
invoking the method.

Anyone have any ideas?

Charles McClain
Phone:  603.659.2046
email:[EMAIL PROTECTED]






RE: Logout in a container-managed security environment -- Follow-up

2002-09-25 Thread James Higginbotham

Charles,

The thing to keep in mind is that you cannot call the login page
directly. Rather, you have to call a protected page, which will trigger
the login page, then will post to the j_security_check, and the
container will then forward to the protected page if the user
authenticated correctly. It seems that most containers do not register
the j_security_check directly, but rather look for it once a protected
resource has been requested. 

HTH,
James

 -Original Message-
 From: Charles McClain [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, September 24, 2002 6:10 PM
 To: Struts User Mailing List
 Subject: Logout in a container-managed security environment 
 -- Follow-up
 
 
 All:
 
 I received several replies to my original question, all of 
 which indicated that, in order to do a forceful logout, I 
 needed to use FORM-based CMA rather than BASIC.  One of the 
 replies recommended an article on the topic, which I 
 downloaded and read.
 
 I implemented FORM-based authentication, making the changes 
 to my web.xml, indicating the login form and error page, etc. 
  The container (Tomcat 4.0) seems to know that I want 
 FORM-based authentication, since it pops up my login page.  I 
 did, by the way, include the fields j_username and 
 j_password, and my form action is j_security_check, as per 
 the instructions.
 
 However, when I press the submit button, my browser gives me 
 a 404 not-found error on the (nonexistent, of course) page 
 j_security_check. I've checked the Apache and Tomcat logs, 
 and one of the Tomcat logs tells me that it has Configured 
 an authenticator for method FORM, but it still seems to be 
 looking for a page by that name rather than invoking the method.
 
 Anyone have any ideas?
 
 Charles McClain
 Phone:  603.659.2046
 email:[EMAIL PROTECTED]
 
 




Re: Logout in a container-managed security environment -- Follow-up

2002-09-25 Thread Eddie Bush

Yeah, that's right, but I think there is something special to be done 
so that you get j_security_check to be recognized by Apache as something 
it needs to send to Tomcat.

James Higginbotham wrote:

Charles,

The thing to keep in mind is that you cannot call the login page
directly. Rather, you have to call a protected page, which will trigger
the login page, then will post to the j_security_check, and the
container will then forward to the protected page if the user
authenticated correctly. It seems that most containers do not register
the j_security_check directly, but rather look for it once a protected
resource has been requested. 

HTH,
James


-- 
Eddie Bush








RE: Logout in a container-managed security environment -- Follow-up

2002-09-25 Thread Darren Hill

I had the same problem and did the following .. 

<form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
<tr><td colspan="2"></td></tr>
<tr><td><bean:message key="login.page.form.email.label"/></td><td><input
type="text" name="j_username"></td></tr>
<tr><td><bean:message key="login.page.form.password.label"/></td><td><input
type="password" name="j_password"></td></tr>
<tr><td colspan="2"><html:submit><bean:message
key="login.page.form.submit.label"/></html:submit></td></tr>
</form>


-Original Message-
From: Eddie Bush [mailto:[EMAIL PROTECTED]]
Sent: September 25, 2002 11:03 AM
To: Struts Users Mailing List
Subject: Re: Logout in a container-managed security environment --
Follow-up


Charles,

I don't remember the solution to this.  The guys on tomcat-user will 
probably tell you to search the archive.  The issue that arises (using 
Apache/TC) is that you have to map things you want the servlet container 
to be responsible for (unless you use mod_webapp; I do not recommend 
this approach - stick with jk).  Play around with adding a mapping for 
j_security_check.  When you figure it out, please post it here or 
directly to me :-)  I'll squirrel it off somewhere so I have it for 
reference the next time someone asks.

You might *try* looking through the TC docs before you start aimlessly 
trying different mappings.  I seem to recall Remmy changed the docs up a 
bit, and they looked much better - but I honestly do not recall if the 
solution to this problem is included nowadays.

Sorry I wasn't more help.

Charles McClain wrote:

All:

I received several replies to my original question, all of which
indicated that, in order to do a forceful logout, I needed to use
FORM-based CMA rather than BASIC.  One of the replies recommended an
article on the topic, which I downloaded and read.

I implemented FORM-based authentication, making the changes to my
web.xml, indicating the login form and error page, etc.  The container
(Tomcat 4.0) seems to know that I want FORM-based authentication, since
it pops up my login page.  I did, by the way, include the fields
j_username and j_password, and my form action is j_security_check, as
per the instructions.

However, when I press the submit button, my browser gives me a 404
not-found error on the (nonexistent, of course) page j_security_check.
I've checked the Apache and Tomcat logs, and one of the Tomcat logs
tells me that it has Configured an authenticator for method FORM, but
it still seems to be looking for a page by that name rather than
invoking the method.

Anyone have any ideas?

Charles McClain
Phone:  603.659.2046
email:[EMAIL PROTECTED]


-- 
Eddie Bush








Re: Logout in a container-managed security environment -- Follow-up

2002-09-24 Thread Zahid Rahman

There are some examples which come with JSP PRO second edition
which show FORM and BASIC type login boxes.
In the download zip file you have complete war files.
Simply deploy and run.

I was informed by one of the authors of the book that the examples are
tried and tested.
You can download the zip file from www.wrox.com
The zip file is called 4958-war.zip

- Original Message -
From: Charles McClain [EMAIL PROTECTED]
To: Struts User Mailing List [EMAIL PROTECTED]
Sent: Wednesday, September 25, 2002 12:09 AM
Subject: Logout in a container-managed security environment -- Follow-up


 All:

 I received several replies to my original question, all of which
 indicated that, in order to do a forceful logout, I needed to use
 FORM-based CMA rather than BASIC.  One of the replies recommended an
 article on the topic, which I downloaded and read.

 I implemented FORM-based authentication, making the changes to my
 web.xml, indicating the login form and error page, etc.  The container
 (Tomcat 4.0) seems to know that I want FORM-based authentication, since
 it pops up my login page.  I did, by the way, include the fields
 j_username and j_password, and my form action is j_security_check, as
 per the instructions.

 However, when I press the submit button, my browser gives me a 404
 not-found error on the (nonexistent, of course) page j_security_check.
 I've checked the Apache and Tomcat logs, and one of the Tomcat logs
 tells me that it has Configured an authenticator for method FORM, but
 it still seems to be looking for a page by that name rather than
 invoking the method.

 Anyone have any ideas?

 Charles McClain
 Phone:  603.659.2046
 email:[EMAIL PROTECTED]

