Re: Client Authentication
Hi All,

Nothing seems to work out for me with client auth. Here is what I've done.

CA and certificates:

  1) perl CA.pl -newca
  2) perl CA.pl -newreq
  3) perl CA.pl -sign
  4) openssl rsa -in newreq.pem -out server_key.pem
  5) mv newcert.pem server_cert.pem
  6) mv newreq.pem server_req.pem
  7) perl CA.pl -newreq
  8) perl CA.pl -sign
  9) mv newreq.pem client_req.pem
  10) mv newcert.pem client_cert.pem
  11) openssl rsa -in client_req.pem -out client_key.pem
  12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
  13) openssl x509 -in server_cert.pem -out server.x509
  14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
  15) keytool -genkey -alias tomcat -storepass changeit
  16) keytool -import -alias TomcatCA -file demoCA/cacert.pem

I then import the CA's self-signed certificate to the client's machine along with the p12 certificate.

My tomcat-users.xml file:

  <tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="role1"/>
    <role rolename="manager"/>
    <role rolename="certs"/>
    <role rolename="admin"/>
    <user username="mahesh" password="mahesh" roles="admin,manager"/>
    <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN" password="" roles="tomcat,certs"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>
    <user username="role1" password="tomcat" roles="role1"/>
    <user username="both" password="tomcat" roles="tomcat,role1"/>
  </tomcat-users>

Where am I going wrong? Even if the certificates are on the client's machine, the certificate identity window always pops up.

Regards,
Thanks,
Mahesh S Kudva

-----Original Message-----
From: Mark Thomas [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Date: Tue, 03 May 2005 23:00:57 +0100
Subject: Re: Client Authentication

> The CN for your server cert can be anything you like, but you will get a warning in your browser if the CN differs from how you express it in the URL.
>
> The user needs to look something like this in tomcat-users:
>
>   <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" password="null" roles="tomcat,certs"/>
>
> It must be the full DN of the user certificate.
>
> HTH,
> Mark
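The point Mark makes above is that Tomcat matches a certificate-authenticated user on the whole subject DN string, so the `username` in tomcat-users.xml has to be character-for-character what Tomcat derives from the certificate. The script below is an added example (not code from the thread or from Tomcat): it takes the subject line that `openssl x509 -noout -subject` prints for a client certificate, renders it the way Tomcat will see it, emits the matching `<user>` element, and checks an existing entry against it. It assumes that Tomcat names the user with the subject DN as Java's `getSubjectDN().getName()` renders it (most-specific RDN first, RDNs joined by ", ", the form Mark shows), and the two subject lines it contains are constructed sample input, not real certificates.

```python
"""Added example, not code from the mailing-list thread or from Tomcat:
derive the exact `username` a certificate-authenticated user needs in
tomcat-users.xml from the subject that `openssl x509 -noout -subject`
prints, and check an existing entry against it.

Assumptions (mine, not stated in the thread):
  * Tomcat names a certificate-authenticated user with the certificate's
    subject DN rendered the way Java's getSubjectDN().getName() does it:
    most-specific RDN first, RDNs joined by ", " (the form Mark Thomas shows).
  * The subject lines below are constructed sample input, not real certs.
"""
import re
from xml.sax.saxutils import quoteattr

# Only the attribute types the thread's certificates use. Anything else
# (e.g. emailAddress, which Java prints under a different keyword) is
# rejected, so we never emit a username we are not sure Tomcat would match.
KNOWN_TYPES = {"CN", "OU", "O", "L", "ST", "C"}

# Constructed sample input: the one-line subject of the two certificates
# discussed in the thread, in the order the CA.pl prompts collect the fields.
SAMPLE_SUBJECTS = [
    "subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh",
    "subject= /C=GB/L=London/O=Apache/OU=Jakarta/CN=Mark Thomas",
]


def parse_openssl_subject(line):
    """Split an OpenSSL subject line into [(type, value), ...] in file order.

    Accepts the pre-1.1 form "subject= /C=IN/ST=Kar/..." and the newer
    "subject=C = IN, ST = Kar, ..." form. Values containing '/', ',', '"',
    '+' or '\\' are rejected rather than guessed at.
    """
    body = line.split("=", 1)[1].strip() if line.startswith("subject") else line.strip()
    if body.startswith("/"):
        items = [p for p in body[1:].split("/") if p]
    else:
        items = [p for p in body.split(",") if p.strip()]
    pairs = []
    for item in items:
        rdn_type, _, value = item.partition("=")
        rdn_type, value = rdn_type.strip().upper(), value.strip()
        if rdn_type not in KNOWN_TYPES:
            raise ValueError(f"unsupported RDN type {rdn_type!r}; log "
                             "request.getUserPrincipal().getName() on the server instead")
        if not value or any(ch in value for ch in '/,"+\\'):
            raise ValueError(f"refusing to guess how {value!r} is rendered")
        pairs.append((rdn_type, value))
    if not pairs:
        raise ValueError(f"no RDNs found in {line!r}")
    return pairs


def tomcat_username(pairs):
    """Render the DN the way Tomcat's realm sees it: reversed order, ", "-joined."""
    return ", ".join(f"{t}={v}" for t, v in reversed(pairs))


def tomcat_user_element(username, roles):
    """Build the <user> element; the password is unused for certificate auth."""
    return (f"<user username={quoteattr(username)} password=\"\" "
            f"roles={quoteattr(','.join(roles))}/>")


def username_matches(configured_username, subject_line):
    """Check an existing tomcat-users.xml username against a certificate
    subject. Tomcat compares the whole string, so order and spacing matter."""
    return configured_username == tomcat_username(parse_openssl_subject(subject_line))


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        name = tomcat_username(parse_openssl_subject(subject))
        print(tomcat_user_element(name, ["tomcat", "certs"]))
```

Run against the first sample subject this yields exactly the entry Mahesh posted (`CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN`), so his username is not the problem; the same entry written in OpenSSL's own order (`C=IN, ST=Kar, ...`) fails the check, which is the usual mistake. If the certificate carries an RDN type outside the small set handled here, trust what the server reports rather than a hand-built string.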
Form Based Authentication
I have form-based authentication working. But I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible?

For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form-based authentication; then I can have the userid as a hidden variable and have a password entered by the user, but for some admin screens I need the user to actually enter both the userid and password. I hope that makes sense.

I can't figure out how to set up a security constraint which can force a particular login form to be used if the user is not logged in yet.

Thanks,
Wade

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Form Based Authentication
Wade Chandler wrote:

> I have form-based authentication working. But I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible?
>
> For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form-based authentication; then I can have the userid as a hidden variable and have a password entered by the user, but for some admin screens I need the user to actually enter both the userid and password. I hope that makes sense.
>
> I can't figure out how to set up a security constraint which can force a particular login form to be used if the user is not logged in yet.
>
> Thanks,
> Wade

Ok, so I think I should be able to do this with a filter, but I need some help. Basically it looks like I should be able to use a filter to somehow get the original target before the authentication form is displayed... is this correct?

Basically I need to somehow know when a particular URL pattern is being displayed, or is attempted to be accessed, before the login form is displayed. When it is displayed I'll set an attribute in the request in the filter's doFilter method. However, now I need to know how I can access the Request before the authentication mechanism takes over, I suppose, because from my login form accessing the getPathInfo() method is returning the login form information when I really need to know the actual path the user was attempting to access.

So, can I use a filter to do this, and if so how do I make sure my filter is called in time to give me the information I need?

Thanks,
Wade
forms authentication in cluster
Hi,

I have two Tomcat servers 4.0.x with Apache 1.3.x to load balance the requests. Now when a new browser is opened and I use form-based authentication, it takes me to the correct page, but when I submit that page the servlet gets executed, which takes me to the login page instead of the next page it has to. Now I log in again and it takes me to that next page; I log off and then log in again and it behaves fine, and I do this many times in the same browser and it is fine. This happens only when a new browser is opened, and it makes me authenticate twice.

I wanted to know if any modification to the login configuration is required if it is a clustered Tomcat server. Please let me know.

Thank you for your time,
Bharan
Fwd: forms authentication in cluster
Note: forwarded message attached.

---Begin Message---

> Hi,
>
> I have two Tomcat servers 4.0.x with Apache 1.3.x to load balance the requests. Now when a new browser is opened and I use form-based authentication, it takes me to the correct page, but when I submit that page the servlet gets executed, which takes me to the login page instead of the next page it has to. Now I log in again and it takes me to that next page; I log off and then log in again and it behaves fine, and I do this many times in the same browser and it is fine. This happens only when a new browser is opened, and it makes me authenticate twice.
>
> I wanted to know if any modification to the login configuration is required if it is a clustered Tomcat server. Please let me know.
>
> Thank you for your time,
> Bharan

---End Message---
RE: SSL, Form Authentication 408 error
I have resolved this problem, and as is so often the case (certainly with me anyway) the cause of this wasn't what it initially appeared. Anyway, I thought I'd share my findings in case anyone else comes across this problem.

This is an IE-specific problem relating to IFRAMEs and has nothing to do with Tomcat. A look at the AuthenticatorBase code led me to believe the only thing that could actually cause the 408 is if the session could not be located. This is looked up from the session id in the request. It was a fair guess that something was happening to the session id cookie when the request came as the result of an IFRAME.

A little investigation with the Privacy controls in IE fixed the problem. It seems the cookie settings are different for pages in IFRAMEs than for top-level pages. In order to get this working, the global privacy level must be dropped (specifically to "Always allow session cookies") or (probably more advisable) add the app URL to the Managed Sites from the Advanced tab with "Always Allow".

-----Original Message-----
From: Andrew Chapman [mailto:[EMAIL PROTECTED]
Sent: 03 May 2005 10:29
To: tomcat-user@jakarta.apache.org
Subject: SSL, Form Authentication 408 error

> If I set the src of an IFRAME to my web application, which uses Form Authentication and SSL, the server consistently throws back a 408 error in IE when attempting to log in. The same scenario consistently works with Firefox.
>
> I suspect there are timing issues with IE, IFRAMEs and Form Authentication causing the 408. I have searched the archives without success, and a more general search seems to indicate that there are issues with IFRAMEs and SSL in IE but no specifics.
>
> My question is: does anyone know of a way to configure Tomcat (5.0.28) to be more resilient/permissive, i.e. to increase the timeout for Form Authentication before a 408 error is thrown?
>
> Thanks in advance,
> Andy Chapman
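Andrew's diagnosis above (the 408 comes from the authenticator failing to locate the session, because the browser did not send the session cookie back with the login POST) can be confirmed from the server side without touching a browser. The script below is an added example, not code from the thread or from Tomcat: it scans Tomcat access-log lines for form-login POSTs to j_security_check that arrived without a JSESSIONID cookie and groups them by browser family, which separates "the cookie never arrived" from a genuine timeout. It assumes an AccessLogValve pattern that appends the request's Cookie header (`%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" "%{Cookie}i"`); the log lines in it are constructed sample data, and the host names and session id in them are placeholders.

```python
"""Added example, not code from the thread or from Tomcat: find form-login
POSTs (j_security_check) that arrived without a JSESSIONID cookie in a
Tomcat access log. As Andrew describes, the form authenticator answers such
a POST with 408 because it cannot find the session holding the saved
request, so this is the server-side signature of a browser that dropped the
session cookie (e.g. IE's privacy rules for a page loaded in an IFRAME)
rather than a real timeout.

Assumption (mine): the AccessLogValve pattern is
  %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" "%{Cookie}i"
The log lines below are constructed sample data, not from a real server.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2005:10:29:01 +0100] "GET /app/secure/ HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
10.0.0.5 - - [03/May/2005:10:29:09 +0100] "POST /app/j_security_check HTTP/1.1" 408 - "https://portal.example/frame.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
10.0.0.7 - - [03/May/2005:10:30:15 +0100] "GET /app/secure/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows; rv:1.7.7) Gecko/20050414 Firefox/1.0.3" "-"
10.0.0.7 - - [03/May/2005:10:30:22 +0100] "POST /app/j_security_check HTTP/1.1" 302 - "https://portal.example/frame.html" "Mozilla/5.0 (Windows; rv:1.7.7) Gecko/20050414 Firefox/1.0.3" "JSESSIONID=CONSTRUCTEDSESSIONID0001"
"""

# One access-log line in the pattern assumed above.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def has_session_cookie(cookie_field):
    """True when the Cookie header carried a JSESSIONID (any value)."""
    if cookie_field in ("", "-"):
        return False
    return any(part.strip().startswith("JSESSIONID=") for part in cookie_field.split(";"))


def browser_family(agent):
    """Coarse grouping, enough to see whether only one browser is affected."""
    if "MSIE" in agent:
        return "MSIE"
    if "Firefox" in agent:
        return "Firefox"
    return "other"


def _login_posts(log_text):
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/j_security_check"):
            yield rec


def find_cookieless_logins(log_text):
    """Form-login POSTs that arrived without a session cookie."""
    return [rec for rec in _login_posts(log_text) if not has_session_cookie(rec["cookie"])]


def summarize(log_text):
    """Counts that separate 'cookie never arrived' from a real timeout."""
    cookieless = find_cookieless_logins(log_text)
    return {
        "login_posts": sum(1 for _ in _login_posts(log_text)),
        "cookieless": len(cookieless),
        "cookieless_408": sum(1 for r in cookieless if r["status"] == 408),
        "cookieless_by_browser": dict(Counter(browser_family(r["agent"]) for r in cookieless)),
    }


if __name__ == "__main__":
    for rec in find_cookieless_logins(SAMPLE_LOG):
        print(rec["time"], rec["host"], rec["status"], browser_family(rec["agent"]))
    print(summarize(SAMPLE_LOG))
```

On the sample data the only cookieless login POST is the IE one and it is the one that got a 408, while the Firefox login on the same page carried its JSESSIONID and was redirected normally; on a real log the same split, concentrated on one browser family and on a referer outside your own site, points at client-side cookie policy rather than at Tomcat.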
SSL, Form Authentication 408 error
If I set the src of an IFRAME to my web application, which uses Form Authentication and SSL, the server consistently throws back a 408 error in IE when attempting to log in. The same scenario consistently works with Firefox.

I suspect there are timing issues with IE, IFRAMEs and Form Authentication causing the 408. I have searched the archives without success, and a more general search seems to indicate that there are issues with IFRAMEs and SSL in IE but no specifics.

My question is: does anyone know of a way to configure Tomcat (5.0.28) to be more resilient/permissive, i.e. to increase the timeout for Form Authentication before a 408 error is thrown?

Thanks in advance,
Andy Chapman
Re: Client Authentication
Hi,

What kind of information do I need to put in the fields of First and Last Name and Common Name? Will any information do, or is it required that I put the server address in the client.p12 certificate?

Regards,
Thanks,
Mahesh S Kudva

-----Original Message-----
From: Mahesh S Kudva [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Date: Mon, 02 May 2005 23:04:50 +0530
Subject: Re: Client Authentication

> Hi,
>
> I tried with client.p12 first; when I failed I went on with client_cert.x509. I placed it in the Personal folder ...
>
> Regards,
> Thanks,
> Mahesh S Kudva

---
Robosoft Technologies - Partners in Product Development
Re: Client Authentication
CA and Tomcat common name should be the same (localhost or, better, your DNS name). First and Last Name of the client should be the name of a Tomcat user declared in tomcat-users.xml.

Luca Ercoli

----- Original Message -----
From: Mahesh S Kudva [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Tuesday, May 03, 2005 1:41 PM
Subject: Re: Client Authentication

> Hi,
>
> What kind of information do I need to put in the fields of First and Last Name and Common Name? Will any information do, or is it required that I put the server address in the client.p12 certificate?
>
> Regards,
> Thanks,
> Mahesh S Kudva
Re: Client Authentication
Hi,

It seems like a silly question, but I am new to SSL and certificates as well as Tomcat. If my machine's IP is 192.168.0.1 then I access Tomcat as https://192.168.0.1:8443. Keeping this in mind, should I give the Common Name as 192.168.0.1?

How do I specify the client info in the tomcat-users.xml? This is how my tomcat-users.xml file looks:

  <user name="mahesh" password="kudva" role="admin"/>

Regards,
Thanks,
Mahesh S Kudva

-----Original Message-----
From: lercoli [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Date: Tue, 3 May 2005 14:33:46 +0200
Subject: Re: Client Authentication

> CA and Tomcat common name should be the same (localhost or, better, your DNS name). First and Last Name of the client should be the name of a Tomcat user declared in tomcat-users.xml.
>
> Luca Ercoli

---
Robosoft Technologies - Partners in Product Development
Re: Client Authentication
The CN for your server cert can be anything you like, but you will get a warning in your browser if the CN differs from how you express it in the URL.

The user needs to look something like this in tomcat-users:

  <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" password="null" roles="tomcat,certs"/>

It must be the full DN of the user certificate.

HTH,
Mark

Mahesh S Kudva wrote:

> Hi,
>
> It seems like a silly question, but I am new to SSL and certificates as well as Tomcat. If my machine's IP is 192.168.0.1 then I access Tomcat as https://192.168.0.1:8443. Keeping this in mind, should I give the Common Name as 192.168.0.1?
>
> How do I specify the client info in the tomcat-users.xml? This is how my tomcat-users.xml file looks:
>
>   <user name="mahesh" password="kudva" role="admin"/>
>
> Regards,
> Thanks,
> Mahesh S Kudva
Client Authentication
Dear All,

I've been able to set up Tomcat 5.0.30 successfully on port 8443. I want to use client authentication, hence I've enabled clientAuth="true" in server.xml.

Running on Mac OS X, these were the commands to create a CA and sign a certificate using this CA.

Creating a new CA:

  1) perl CA.pl -newca

Certificate request using openssl:

  1) perl CA.pl -newreq
  2) perl CA.pl -sign
  3) mv newreq.pem client_req.pem
  4) mv newcert.pem client_cert.pem
  5) openssl rsa -in client_req.pem -out client_key.pem
  6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12

For Tomcat, using Java keytool to request a certificate:

  1) openssl x509 -in server_cert.pem -out server.x509
  2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
  3) keytool -genkey -alias meAsClient -storepass changeit
  4) keytool -certreq -alias measclient -file client.csr -storepass changeit
  5) openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER -out client_cert.x509 -CAcreateserial
  6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts -file ../CA/demoCA/cacert.pem
  7) keytool -import -alias measclient -keystore clientstore -trustcacerts -file client_cert.x509

Following these commands I don't get any errors. I then import the cacert.pem (the ROOT CA certificate), the client.p12 and client_cert.x509 into the browser, IE 6.0. But still there is a popup requesting the client's identity; it asks me to select a certificate and no certificates are displayed.

How can I go about this? All suggestions and ideas are welcome.

Regards,
Thanks,
Mahesh S Kudva
---
Robosoft Technologies - Partners in Product Development
Re: Client Authentication
You should import only the client.p12 certificate in the IE browser, and when IE asks you in which folder you want to put it, select Personal Folder.

I hope it helps you.

Luca Ercoli

----- Original Message -----
From: Mahesh S Kudva [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Monday, May 02, 2005 5:08 PM
Subject: Client Authentication

> Dear All,
>
> I've been able to set up Tomcat 5.0.30 successfully on port 8443. I want to use client authentication, hence I've enabled clientAuth="true" in server.xml.
>
> Running on Mac OS X, these were the commands to create a CA and sign a certificate using this CA.
>
> Creating a new CA:
>
>   1) perl CA.pl -newca
>
> Certificate request using openssl:
>
>   1) perl CA.pl -newreq
>   2) perl CA.pl -sign
>   3) mv newreq.pem client_req.pem
>   4) mv newcert.pem client_cert.pem
>   5) openssl rsa -in client_req.pem -out client_key.pem
>   6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
>
> For Tomcat, using Java keytool to request a certificate:
>
>   1) openssl x509 -in server_cert.pem -out server.x509
>   2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
>   3) keytool -genkey -alias meAsClient -storepass changeit
>   4) keytool -certreq -alias measclient -file client.csr -storepass changeit
>   5) openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER -out client_cert.x509 -CAcreateserial
>   6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts -file ../CA/demoCA/cacert.pem
>   7) keytool -import -alias measclient -keystore clientstore -trustcacerts -file client_cert.x509
>
> Following these commands I don't get any errors. I then import the cacert.pem (the ROOT CA certificate), the client.p12 and client_cert.x509 into the browser, IE 6.0. But still there is a popup requesting the client's identity; it asks me to select a certificate and no certificates are displayed.
>
> How can I go about this? All suggestions and ideas are welcome.
>
> Regards,
> Thanks,
> Mahesh S Kudva
> ---
> Robosoft Technologies - Partners in Product Development
Re: Client Authentication
Dear Sir or Madam:

I am Judge Dean M. Trafelet. Your emails are improperly being sent to my email address. Please remove me from your list immediately.

DMT

----- Original Message -----
From: lercoli [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Monday, May 02, 2005 10:31 AM
Subject: Re: Client Authentication

> You should import only the client.p12 certificate in the IE browser, and when IE asks you in which folder you want to put it, select Personal Folder.
>
> I hope it helps you.
>
> Luca Ercoli
Re: Client Authentication
Hi, I tried with client.p12 first; when I failed I went on with client_cert.x509. I placed it in the Personal folder ...

Regards, Thanks, Mahesh S Kudva

-Original Message-
From: lercoli [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Date: Mon, 2 May 2005 17:31:54 +0200
Subject: Re: Client Authentication

You should import only the client.p12 certificate into the IE browser, and when IE asks you in which folder you want to put it, select the Personal folder. I hope it helps you. Luca Ercoli
Re: Client Authentication
You have reached Judge Dean M. Trafelet without authorization. Remove me from your email list immediately.

- Original Message -
From: Mahesh S Kudva [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Monday, May 02, 2005 12:34 PM
Subject: Re: Client Authentication

Hi, I tried with client.p12 first; when I failed I went on with client_cert.x509. I placed it in the Personal folder ...
Encoding problem during authentication
Hello, I have a problem under the following environment:
- Windows XP SP2
- JDK 1.4.2_04
- Tomcat 5.5.9
- Struts 1.2.4

I use a characterEncodingFilter to set up UTF-8 encoding on the request before using its content. When I submit a form with the POST method it works well. I use FORM based authentication. However, if I perform the following steps I have problems with encoding:
1. Open a JSP with an HTML form which submits some UTF-8 string data using the POST method.
2. Wait until the HTTP session is invalidated (session timeout).
3. Submit the form.
4. Because the session is invalidated I need to re-authenticate myself.
5. After successful authentication, processing of the original request continues.
6. The data of the form (from the first step) is saved in the incorrect encoding.

I suppose that the Valve (FormAuthenticator) which is responsible for authentication is processed earlier than the characterEncodingFilter, and the parameters from the POST request are parsed using DEFAULT_CHARACTER_ENCODING=ISO-8859-1 when the original request information is saved into the session. I have tried to specify the enctype="application/x-www-form-urlencoded; charset=utf-8" attribute for my FORM tag. But e.g. the Mozilla browser specifies only the Content-Type: application/x-www-form-urlencoded header and cuts out the specified charset. Any ideas?

--
Best regards,
Andrey Grebnev
Changing the role after authentication
I am not well versed in this area of application development, so please bear with me. Our application has a requirement where a user can change the role after authentication. So, a user can be associated with multiple roles, but at any given time will act as one role. I understand these are not really roles; they are more of a community or user classes, but the client wants to maintain the same set of tables, and since this is working in their client-server version (where obviously they do not have to authenticate on each window), they want to continue doing it the same way. One idea is to update the selected role in a table and point Tomcat to that table (we are using a JDBC realm) - not the best, of course. I would appreciate it if anyone can share ideas on how we can implement this requirement.

Thanks,
-- Rahul Jain
Tomcat SSL Client Authentication
Hello, I've configured Tomcat SSL Client Authentication with these settings:

web.xml:
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  ...

server.xml:
  ...
  <Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
             truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
  ...

The client certificate (client.cer) is installed in my IE browser (version 6.0.28). When I invoke https://localhost:8443/myweapp a window appears that asks me to accept the server certificate. I accept and my webapp index page appears. So why don't I see a window for client authentication? And why do I have the same behaviour also when I remove client.cer from my browser? It seems that client certification doesn't work. Any help would be greatly appreciated.

Thank You
Luca Ercoli
Re: Tomcat SSL Client Authentication
Hi, I believe that clientAuth needs to be set to true in the server.xml.

Jim
Re: Tomcat SSL Client Authentication
Hi Jim, I've tried with clientAuth = true but the server certificate window doesn't appear and I get a page not found error.

- Original Message -
From: ohaya [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 12:49 PM
Subject: Re: Tomcat SSL Client Authentication

Hi, I believe that clientAuth needs to be set to true in the server.xml.

Jim
Re: Tomcat SSL Client Authentication
Hi, sorry if that didn't help. Here's what I have in server.xml (I don't remember if I had to change anything outside of server.xml to enable client authentication):

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" className="org.apache.coyote.tomcat5.CoyoteConnector"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" debug="0" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="e:\tomcat\jakart~1.27\ssl\servercertificate.keystore"
             keystoreType="PKCS12"
             truststoreFile="C:\Documents and Settings\Administrator\.keystore"
             truststorePass="XXX" truststoreType="JKS" />

Jim

P.S. When I was doing this (which was a while ago), I didn't find any way to get Tomcat to check for client cert revocations (i.e., CRL checking). I don't know if that has changed at all since then.

lercoli wrote:
Hi Jim, I've tried with clientAuth = true but the server certificate window doesn't appear and I get a page not found error.
client authentication dont work
Hi, I try to authenticate to a web app by client cert. I get this error message:

HTTP Status 401 - Cannot authenticate with the provided credentials

Here are my settings:

web.xml:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>certLogin.jsp</web-resource-name>
      <url-pattern>/idp/certLogin.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SourceIDuser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>SourceID</realm-name>
  </login-config>
  <security-role>
    <description><![CDATA[SourceID Authenticated User]]></description>
    <role-name>SourceIDuser</role-name>
  </security-role>

tomcat-users.xml:
  <tomcat-users>
    <role rolename="SourceIDuser"/>
    <user username="[EMAIL PROTECTED]" password="null" roles="SourceIDuser"/>
    <user username="markus" password="test" roles="SourceIDuser"/>
  </tomcat-users>

It works fine with Basic authentication! And it works fine when I only set clientAuth=true. But I only want to secure a part of my web app, so clientAuth=true is not helpful. Any help would be greatly appreciated.

Markus
--
Markus Linnemann
ifis - Institut für Internet-Sicherheit, FH Gelsenkirchen
Tel.: 0209 9596 797
www.internet-sicherheit.de
Re: Tomcat SSL Client Authentication
What version of TC? I've read something about configuring the HTTPS connector to perform SSL client certificate authorization. I agree with Jim: in server.xml, clientAuth should be set to true. That is the correct setting; if you get a page not found, that doesn't mean the cert didn't work... Also, the name on the client cert must be exactly the same as the one in the user database. I've also read that you don't need any security-constraints to use CLIENT-CERT unless you're also using a separate Realm.

DW

--- lercoli [EMAIL PROTECTED] wrote:
Hi Jim, I've tried with clientAuth = true but the server certificate window doesn't appear and I get a page not found error.
Re: Tomcat SSL Client Authentication
Tomcat version 5.5.9 (JDK 1.5.0_02 and Windows 2000 Professional). The client certificate username is a Tomcat user (with which I've already successfully tested DIGEST authentication). The strange thing is that when I set clientAuth to true I never see the alert window for the server certificate (while instead it appears with clientAuth = false).

- Original Message -
From: Darryl Wilburn [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 3:55 PM
Subject: Re: Tomcat SSL Client Authentication
Re: client authentication dont work
Your user entry in tomcat-users.xml needs to look something like this:

  <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" password="null" roles="tomcat,certs"/>

Basically, the user name needs to be the CN on the user's cert.

Mark
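An added helper, not from any post in this thread, for the mismatch Mark and Darryl point at: it turns the subject line that `openssl x509 -noout -subject` prints (root RDN first, "/" separators) into the string Tomcat's realm looks up, which is the Java `getSubjectDN().getName()` order seen in Mark's working entry (CN first, ", " separators), and writes the matching `<user>` line. The sample subjects are constructed from the DNs quoted in the thread; the parser also accepts the newer OpenSSL comma form, and it refuses values that Java would quote (commas, plus signs, quotes) rather than guess at them.

```python
import re
from typing import List, Tuple
from xml.sax.saxutils import quoteattr

# Characters that Java's X500Name.toString() quotes or escapes inside a value.
# A username containing them must be checked by hand, so the helper refuses them.
_JAVA_SPECIAL = set(',+"\\<>;')


def parse_openssl_subject(line: str) -> List[Tuple[str, str]]:
    """Parse the one-line subject printed by `openssl x509 -noout -subject`.

    Accepts the classic form   subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh
    and the OpenSSL 1.1+ form  subject=C = IN, ST = Kar, L = UDP, O = Robosoft, OU = SAD, CN = Mahesh
    and returns the RDNs in the order OpenSSL prints them (root first, CN last).
    """
    body = line.strip()
    if body.lower().startswith("subject="):
        body = body[len("subject="):].strip()
    if body.startswith("/"):
        # Split on "/" only where it introduces a new "type=" attribute, so a
        # slash inside a value (O=Foo/Bar) does not start a new RDN.
        parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", body[1:])
    else:
        parts = re.split(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)", body)
    rdns: List[Tuple[str, str]] = []
    for part in parts:
        if not part.strip():
            continue
        attr_type, _, value = part.partition("=")
        attr_type, value = attr_type.strip(), value.strip()
        if not attr_type or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr_type, value))
    return rdns


def java_subject_dn(rdns: List[Tuple[str, str]]) -> str:
    """Render the DN as Tomcat sees it via X509Certificate.getSubjectDN().getName().

    Java prints the most specific RDN first and joins with ", ", which is why the
    working entry above reads "CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB".
    """
    for _, value in rdns:
        if _JAVA_SPECIAL & set(value):
            raise ValueError(f"{value!r} would be quoted by Java; set the username by hand")
    return ", ".join(f"{t}={v}" for t, v in reversed(rdns))


def tomcat_user_element(dn: str, roles: List[str]) -> str:
    """Build the <user> line for tomcat-users.xml.

    password="null" follows the working entry quoted in the thread; CLIENT-CERT
    never prompts for a password, the certificate is the credential.
    """
    return (f"<user username={quoteattr(dn)} password=\"null\" "
            f"roles={quoteattr(','.join(roles))}/>")


def username_matches(cert_dn: str, configured_username: str) -> bool:
    """The memory realm looks the name up as an exact string: RDN order, spacing
    and case must all agree, which is the check Darryl describes above."""
    return cert_dn == configured_username


if __name__ == "__main__":
    # Constructed sample: the subject a CA.pl-signed cert would print for the
    # DN Mahesh pasted into tomcat-users.xml (reverse order, "/" separators).
    mahesh = parse_openssl_subject("subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh")
    dn = java_subject_dn(mahesh)
    print(tomcat_user_element(dn, ["tomcat", "certs"]))
    # The RFC 2253 spelling (no spaces) that some tools print is NOT found by the realm.
    print(username_matches(dn, "CN=Mahesh,OU=SAD,O=Robosoft,L=UDP,ST=Kar,C=IN"))
```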
Re: SingleSignOn and Form Authentication
On 4/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
After the authentication and login I want to redirect to a Menu Page, not to any page requested earlier. Using default form authentication Tomcat redirects to the page requested, not to the page I want (e.g. Menu Page).

That's the behavior that I want ... so I have never looked further ...
authentication
Hi, I'd like to exclude a few actions from authentication. Is there a simple way to do this without having to put those actions in a new namespace? Here is a sample of my web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foodorigins</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.action</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Flowers User</role-name>
      <role-name>Mill User</role-name>
    </auth-constraint>
  </security-constraint>
SingleSignOn and Form Authentication
Hello! I'm using SSO and Form authentication. Most of it works just fine. The only problem I have is that I have to have the login form in both apps. Every time I change it, I have to update it in two places. I use the following code in web.xml:

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>SIEMS-ds</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

I'd like to use something like:

  <form-login-page>../otherServlet/login.jsp</form-login-page>

Or any other way to have the login form in only one place. Is there a possibility? Thanks for your help!
Re: SingleSignOn and Form Authentication
Hi, are you able to redirect after login?

Shalu Rajkumar Gupta
Tata Consultancy Services Limited
Ph:- 020 4042631
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

Guillaume Lederrey [EMAIL PROTECTED] 04/20/2005 02:58 PM
Please respond to Tomcat Users List tomcat-user@jakarta.apache.org
To: Tomcat Users List tomcat-user@jakarta.apache.org
Subject: SingleSignOn and Form Authentication
Re: SingleSignOn and Form Authentication
On 4/20/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi, are you able to redirect after login?

I'm not sure I understand the question ... The default FORM authentication redirects after the login to the page initially requested. I think I would more need to redirect BEFORE login to get to the right login page ... Sorry if I understood your question completely wrong ... it's not on purpose!

Guillaume
Re: Can't do logout in basic authentication
You can try google: http://www.modpython.org/pipermail/mod_python/2001-August/012120.html

Otgonbayar wrote:
I am using basic authentication in my application and I need to create a logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me! Thanks Otgo

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
RE: Can't do logout in basic authentication
If you read the docs on BASIC authentication, you will find that the browser caches the login information and will provide it every time you return to that site. The way to log out is to close the browser. Apparently this has been a problem for web developers for some time. Browser developers have not seen this as a problem. Instead they seem to feel that the caching is a benefit to the user by not requiring them to re-enter the same information.

Robert S. Harper
801.265.8800 ext. 255
[EMAIL PROTECTED]

-Original Message-
From: Robert r. Sanders [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 10:07 AM
To: Tomcat Users List
Subject: Re: Can't do logout in basic authentication
Re: Can't do logout in basic authentication
In most applications this is one of those *perceived* problems that corporate users get uptight about. The best way to prevent abuse of an idle authenticated browser window is a screensaver with password lock -- as it protects the rest of the computer, the documents thereon, etc.

The only really good case for a logout is where you have a shared computer with many different users coming and going -- and all using a single guest account on the client itself rather than separate logins. In this case a logoff button that closed down the browser would not be a half bad idea :-)

--
Jess Holle

P.S. Yes, I know transferring the name/password only on initial authentication and using a session key of some sort from thereon out is fractionally more secure -- but you still need HTTPS to really be secure in either case.

Robert Harper wrote:
> If you read the docs on BASIC authentication, you will find that the browser caches the login information and will provide it every time you return to that site. The way to log out is to close the browser.
>
> Apparently this has been a problem for web developers for some time. Browser developers have not seen this as a problem. Instead they seem to feel that the caching is a benefit to the user by not requiring them to re-enter the same information.
>
> Robert S. Harper, 801.265.8800 ext. 255
Re: Can't do logout in basic authentication
You cannot do that in basic .. you need to do a form based one ...

----- Original Message -----
From: Otgonbayar
To: 'Tomcat Users List' tomcat-user@jakarta.apache.org
Sent: Wednesday, April 20, 2005 4:28 AM
Subject: Can't do logout in basic authentication

> I am using basic authentication in my application and I need to create a logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!
>
> Thanks, Otgo
Re: Can't do logout in basic authentication
P.S. Freeing one's *session* on leaving works with any type of authentication and makes sense in many cases -- it's just harder to communicate this concept to the user...

Jess Holle wrote:
> In most applications this is one of those *perceived* problems that corporate users get uptight about. The best way to prevent abuse of an idle authenticated browser window is a screensaver with password lock -- as it protects the rest of the computer, the documents thereon, etc.
>
> The only really good case for a logout is where you have a shared computer with many different users coming and going -- and all using a single guest account on the client itself rather than separate logins. In this case a logoff button that closed down the browser would not be a half bad idea :-)
>
> --
> Jess Holle
>
> P.S. Yes, I know transferring the name/password only on initial authentication and using a session key of some sort from thereon out is fractionally more secure -- but you still need HTTPS to really be secure in either case.
Re: SingleSignOn and Form Authentication
After the authentication and login I want to redirect to a Menu Page, not to any page requested earlier. Using default form authentication Tomcat redirects to the page requested, not to the page I want (e.g. Menu Page).

Shalu Rajkumar Gupta, Tata Consultancy Services Limited, Ph: 020 4042631, Website: http://www.tcs.com

Guillaume Lederrey wrote on 04/20/2005 05:26 PM (Subject: Re: SingleSignOn and Form Authentication):
> On 4/20/05, [EMAIL PROTECTED] wrote:
>> Hi, are you able to redirect after login?
>
> I'm not sure I understand the question ... The default FORM authentication redirects after the login to the page initially requested. I think I would more need to redirect BEFORE login to get to the right login page ...
>
> Sorry if I understood your question completely wrong ... it's not on purpose!
>
> Guillaume
Can't do logout in basic authentication
I am using basic authentication in my application and I need to create a logout link in my JSP that does LOGOUT. It seems session.invalidate() doesn't work. How can I do this? Please help me!

Thanks, Otgo
Apache2 Authentication with Coyote Connector
Hi list,

We have a site where Apache is authenticating the users, thus setting the REMOTE_USER variable and then forwarding the request to Tomcat 5.0.30 via mod_jk 1.2.6. The application deployed on Tomcat is configured (in web.xml) to require BASIC authentication for users who connect directly to Tomcat via the HTTP connector. We have set the attribute tomcatAuthentication=false, but this seems to have no effect on the Coyote Connector. As a result, the users are prompted twice for their credentials when they go via the Apache/AJP route.

Previously, using Tomcat 4 and Ajp13Connector, this worked and Tomcat accepted Apache's authentication. Now the Ajp13Connector seems to no longer be supported and the CoyoteConnector, with seemingly identical settings, behaves differently. Because of the system architecture, we need to allow both authentication via Apache and also internally through Tomcat.

Best,
Seth
Changing from BASIC authentication to FORM-based
I have Tomcat 5.5.4 running on Windows XP with BASIC authentication working via the Memory Realm and it works fine. I want to change to FORM-based authentication. I've changed 'BASIC' to 'FORM' in web.xml and have a logon.html page with a <form action="j_security_check">, but it gives an HTTP 408 timeout error immediately... any ideas? Are there any online tutorials to help configure this?

Thanks
Re: Changing from BASIC authentication to FORM-based
Did you restart Tomcat after making the web.xml change? It's been my experience that authentication method changes like this actually get handled from deeper within Tomcat's internal code, not just the application, and the only way to register the change is by a full restart.

Brent Sims, Systems Analyst 2, KC Human Services

"Road rage, air rage. Why should I be forced to divide my rage into separate categories? To me, it's just one big, all-round, everyday rage. I don't have time for fine distinctions. I'm too busy screaming at people." - George Carlin

[EMAIL PROTECTED] wrote on 04/09/05 11:00 AM:
> I have Tomcat 5.5.4 running on Windows XP with BASIC authentication working via the Memory Realm and it works fine. I want to change to FORM-based authentication. I've changed 'BASIC' to 'FORM' in web.xml and have a logon.html page with a <form action="j_security_check">, but it gives an HTTP 408 timeout error immediately... any ideas? Are there any online tutorials to help configure this?
>
> Thanks
RE: Authentication problems with tomcat clustering.
That was exactly it! Thank you. I had changed the configs, but had not commented in that section. All is well now. Thank you very much!

|)ave

-----Original Message-----
From: David Rees
Sent: Tuesday, April 05, 2005 6:51 PM
To: Tomcat Users List
Subject: Re: Authentication problems with tomcat clustering.

> On Apr 5, 2005 3:13 PM, David Owens wrote:
>> After further debug, I see this is happening because mod_jk is ignoring the sticky sessions, and continuing to lb back and forth. After looking at the mod_jk code, I see it is looking for something after the '.' character in the JSESSIONID to tell it where the session should stick. How do I setup tomcat (or is it httpd) to provide this piece of information?
>
> The name of your worker in the mod_jk config must match the value in each Tomcat instance's server.xml. For example (abbreviated configs) in tomcat-workers.properties:
>
>     worker.list=tomcat1,tomcat2
>
> And in tomcat1's server.xml:
>
>     <Engine jvmRoute="tomcat1"/>
>
> And in tomcat2's server.xml:
>
>     <Engine jvmRoute="tomcat2"/>
>
> Hope this helps...
>
> -Dave
New Session on Authentication?
Is there a configuration setting to force Tomcat to expire the old session and put the user in a new one when they log in using any of the Realms? For example, this is a problem:

- User tries to access a restricted page - no session set up
- Tomcat redirects to the login page, appends ;jsessionid=<id> to the URL
- User successfully authenticates

Now, a URL with a valid session ID is in the user's history, might be logged, and an unknowing user could copy/paste that URL to somebody, say in a newsgroup or something. I'm using mod_rewrite on an Apache server in front of Tomcat to fix the jsessionid going in the URL, but is there any way to force Tomcat to make a new session upon authentication? I know that this is not always desirable - a user may have preferences in their session before they authenticate, so I think it should be optional.

Thanks for any help.

Will Stranathn
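One way to get the renewed-session behaviour asked for above, as an added example that is not Tomcat's own code: a servlet filter that, on the first request that arrives authenticated, invalidates the pre-login session and creates a fresh one, optionally carrying the pre-login attributes (the user's preferences) across. It assumes BASIC authentication, because with Tomcat 5.x FORM authentication the Principal is cached on the session and invalidating it would simply force a new login; the attribute name example.sessionRenewedFor and the init parameter migrateAttributes are made up for this example.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example (not part of Tomcat): replaces the HttpSession the first time
 * a request arrives authenticated, so the session id that was visible in the
 * pre-login URL (";jsessionid=...") never identifies an authenticated session.
 *
 * Only acts when the container authenticated the request with BASIC. With
 * Tomcat 5.x FORM authentication the Principal is stored on the session itself,
 * so invalidating it would send the user straight back to the login page.
 */
public class SessionRenewalFilter implements Filter {

    /** Hypothetical attribute name: which user the current session was renewed for. */
    static final String RENEWED_FOR = "example.sessionRenewedFor";

    /** Hypothetical init parameter: copy pre-login attributes into the new session. */
    private boolean migrateAttributes = true;

    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("migrateAttributes");
        if (p != null) {
            migrateAttributes = Boolean.valueOf(p).booleanValue();
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            renewIfJustAuthenticated((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true when the session was replaced. That happens when the request
     * is BASIC-authenticated and the current session was not already issued for
     * this user (no marker, or a marker left by a different user).
     */
    boolean renewIfJustAuthenticated(HttpServletRequest req) {
        if (req.getUserPrincipal() == null || !"BASIC".equals(req.getAuthType())) {
            return false;                  // anonymous, or FORM/CLIENT-CERT: leave alone
        }
        String user = req.getUserPrincipal().getName();
        HttpSession old = req.getSession(false);
        if (old != null && user.equals(old.getAttribute(RENEWED_FOR))) {
            return false;                  // already renewed for this user
        }

        Map saved = new HashMap();
        if (old != null) {
            if (migrateAttributes) {
                for (Enumeration e = old.getAttributeNames(); e.hasMoreElements();) {
                    String name = (String) e.nextElement();
                    saved.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();              // the id seen in the URL history dies here
        }

        HttpSession fresh = req.getSession(true);   // Tomcat issues a new JSESSIONID
        for (Iterator i = saved.entrySet().iterator(); i.hasNext();) {
            Map.Entry entry = (Map.Entry) i.next();
            fresh.setAttribute((String) entry.getKey(), entry.getValue());
        }
        fresh.setAttribute(RENEWED_FOR, user);
        return true;
    }
}
```

Map the filter to /* in web.xml ahead of the application's other filters so it runs before anything stores state in the session.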
RE: Authentication problems with tomcat clustering.
You can find Jakarta Tomcat Connector 1.2.10 on the Apache website: http://jakarta.apache.org/tomcat/connectors-doc/

Have fun. I'm still struggling with mod_jk :) Need to change, restart and la la la

Vaneet

-----Original Message-----
From: David Owens
Sent: Monday, April 04, 2005 7:25 PM
To: Tomcat Users List
Subject: RE: Authentication problems with tomcat clustering.

> Are your servlets in the /servlet/ directory? Or some other name? You have only redirected /servlet/*, /*.vm and /therestaurant/servlet/ControllerServlet/*. You may want to try just /therestaurant/*. And you may want to do this:
>
>     JkMount /therestaurant/* loadbalancer
>
> On my problem: So I did some more investigation, and have found that I am authenticating against one tomcat, and then being balanced over to the other tomcat. This is presumably happening before the session is replicated... still looking for a solution... perhaps synchronous replication... I am also trying to find the 1.2.10 mod_jk for my system (Linux).
>
> -----Original Message-----
> From: Vaneet Sharma
> Sent: Monday, April 04, 2005 10:09 AM
> To: Tomcat Users List
> Subject: RE: Authentication problems with tomcat clustering.
>
>> Your Apache and Tomcat configuration is exactly like mine.. However today I installed connector mod_jk.. Connector 1.2.10... And ... Though apache and tomcat are talking .. I cannot run my servlet page. Please have a look below to see the configuration. Thankx
>>
>> The connector is not loading my servlets? I am writing down my httpd.conf and workers.properties [...]
>>
>> -----Original Message-----
>> From: David Owens
>> Sent: Monday, April 04, 2005 6:04 PM
>> To: tomcat-user@jakarta.apache.org
>> Subject: Authentication problems with tomcat clustering.
>>
>>> I have setup load balancing and clustering between two Tomcat 5.5.7 instances and Apache 2.0.50 with mod_jk. Almost everything works great. I can fail back and forth between the 2 tomcat instances with no trouble. However, I am having problems with the form based authentication. [...]

--
Vaneet Sharma, executive manager, iDeasTank Limited, an iwg business, valletta, malta
RE: Authentication problems with tomcat clustering.
I have done some further testing and have found what I think the problem is, but I still do not know the solution. What is happening is that the first time I access the webapp through httpd, I am getting the first tomcat server. I then type in my username and password and hit submit. I see in the logs of the first tomcat server the authentication happening successfully; however, I am then redirected to the second tomcat server where my session is not available. I am using an 'lb' type load balancer, and by default it has sticky sessions, so I wonder why I am being balanced over to the other tomcat.

Is this, perhaps, a question for the mod_jk team? Is there such a mailing list?

|)ave

-----Original Message-----
From: David Owens
Sent: Monday, April 04, 2005 10:04 AM
To: 'tomcat-user@jakarta.apache.org'
Subject: Authentication problems with tomcat clustering.

> I have setup load balancing and clustering between two Tomcat 5.5.7 instances and Apache 2.0.50 with mod_jk. Almost everything works great. I can fail back and forth between the 2 tomcat instances with no trouble. However, I am having problems with the form based authentication. [...]
RE: Authentication problems with tomcat clustering.
Okay, not quite right... I first hit tomcat1 through httpd. When I submit I see successful authentication in the log for tomcat2. I then get the "Invalid direct reference..." message. I am now using mod_jk 1.2.10. Still no idea why this is happening...

|)ave

-----Original Message-----
From: David Owens
Sent: Tuesday, April 05, 2005 7:11 AM
To: tomcat-user@jakarta.apache.org
Subject: RE: Authentication problems with tomcat clustering.

> I have done some further testing and have found what I think the problem is, but I still do not know the solution. What is happening is that the first time I access the webapp through httpd, I am getting the first tomcat server. I then type in my username and password and hit submit. I see in the logs of the first tomcat server the authentication happening successfully; however, I am then redirected to the second tomcat server where my session is not available. [...]
>
> -----Original Message-----
> From: David Owens
> Sent: Monday, April 04, 2005 10:04 AM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: Authentication problems with tomcat clustering.
>
>> I have setup load balancing and clustering between two Tomcat 5.5.7 instances and Apache 2.0.50 with mod_jk. Almost everything works great. I can fail back and forth between the 2 tomcat instances with no trouble. However, I am having problems with the form based authentication. [...]
RE: Authentication problems with tomcat clustering.
I suggest you do it step by step again. You will find the bug. Start from basic. First run one ... and then try the load balancer.

Later on,
Vaneet

-----Original Message-----
From: David Owens
Sent: Tuesday, April 05, 2005 3:11 PM
To: tomcat-user@jakarta.apache.org
Subject: RE: Authentication problems with tomcat clustering.

> I have done some further testing and have found what I think the problem is, but I still do not know the solution. What is happening is that the first time I access the webapp through httpd, I am getting the first tomcat server. I then type in my username and password and hit submit. I see in the logs of the first tomcat server the authentication happening successfully; however, I am then redirected to the second tomcat server where my session is not available. [...]
>
> -----Original Message-----
> From: David Owens
> Sent: Monday, April 04, 2005 10:04 AM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: Authentication problems with tomcat clustering.
>
>> I have setup load balancing and clustering between two Tomcat 5.5.7 instances and Apache 2.0.50 with mod_jk. Almost everything works great. I can fail back and forth between the 2 tomcat instances with no trouble. However, I am having problems with the form based authentication. [...]

--
Vaneet Sharma, executive manager, iDeasTank Limited, an iwg business, valletta, malta
RE: Authentication problems with tomcat clustering.
After further debug, I see this is happening because mod_jk is ignoring the sticky sessions, and continuing to lb back and forth. After looking at the mod_jk code, I see it is looking for something after the '.' character in the JSESSIONID to tell it where the session should stick. How do I setup tomcat (or is it httpd) to provide this piece of information?

Thanks!

|)ave

-----Original Message-----
From: David Owens
Sent: Tuesday, April 05, 2005 7:11 AM
To: tomcat-user@jakarta.apache.org
Subject: RE: Authentication problems with tomcat clustering.

> I have done some further testing and have found what I think the problem is, but I still do not know the solution. What is happening is that the first time I access the webapp through httpd, I am getting the first tomcat server. I then type in my username and password and hit submit. I see in the logs of the first tomcat server the authentication happening successfully; however, I am then redirected to the second tomcat server where my session is not available. [...]
>
> -----Original Message-----
> From: David Owens
> Sent: Monday, April 04, 2005 10:04 AM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: Authentication problems with tomcat clustering.
>
>> I have setup load balancing and clustering between two Tomcat 5.5.7 instances and Apache 2.0.50 with mod_jk. Almost everything works great. I can fail back and forth between the 2 tomcat instances with no trouble. However, I am having problems with the form based authentication. [...]
Re: Authentication problems with tomcat clustering.
On Apr 5, 2005 3:13 PM, David Owens wrote:
> After further debug, I see this is happening because mod_jk is ignoring the sticky sessions, and continuing to lb back and forth. After looking at the mod_jk code, I see it is looking for something after the '.' character in the JSESSIONID to tell it where the session should stick. How do I setup tomcat (or is it httpd) to provide this piece of information?

The name of your worker in the mod_jk config must match the value in each Tomcat instance's server.xml. For example (abbreviated configs) in tomcat-workers.properties:

    worker.list=tomcat1,tomcat2

And in tomcat1's server.xml:

    <Engine jvmRoute="tomcat1"/>

And in tomcat2's server.xml:

    <Engine jvmRoute="tomcat2"/>

Hope this helps...

-Dave
Re: JAAS authentication and global realms
Once more, could you send those mails to the tomcat mailing-list and not directly to me? It helps me to sort my mails and it can benefit more people ...

On Friday 01 April 2005 18.26, you wrote:
> My problem is I am not able to understand how to assign roles to a particular user. For example .. After the user is authenticated in the commit() I try to add principal to the subject with the set for roles as..
>
>     subject.getPrincipals().add((principal));

That should be correct.

> Though the role shows up under principals for the subject, he fails to be authenticated. Can you please help me. It's a bit urgent. Hope the problem was clear enough :)
>
> Oops, I am trying to use JAAS in Borland Enterprise Server.

How do you check that the roles show up in the principal? Do you have an authentication or an authorization problem? What implementation of Principal are you using? Could you send the relevant Java code?

Sorry that I'm not able to help you more right now ...

Guillaume

--
Guillaume Lederrey, Rte des Arsenaux 15, 1700 Fribourg, +41 76 / 573 32 40
Authentication problems with tomcat clustering.
I have setup load balancing and clustering between two Tomcat 5.5.7 instances and Apache 2.0.50 with mod_jk. Almost everything works great. I can fail back and forth between the 2 tomcat instances with no trouble. However, I am having problems with the form based authentication.

I have an index.html file which redirects the user to a secured resource. When the user hits this file through Apache, it works like normal, directing them to the login page. However, when I attempt to login I get "Invalid direct reference to form login page". When I look in the logs, I see the user is being authenticated, and the correct roles are being found. If I continually try logging in, and hitting the secure page, eventually I get in. Then, if I bounce apache, the problem starts again.

If I login in the exact same manner directly against one of the tomcat instances, everything works, and I continue to the secure resource. In addition, I have found that if I stop one tomcat instance, I can login on the first try even when going through apache. It's worth noting, once I get successfully logged in once through apache (after many tries), I can logout/in repeatedly with no problem. Once I bounce apache, the problem starts again.

I think something strange is happening with the login stuff when tomcat is clustered... Maybe I'm logging into 1 tomcat successfully, but being load balanced over to the other one, and the session has not been completely replicated yet?

Any one else out there have this issue, or have any ideas?

Thanks in advance!

|)ave
RE: Authentication problems with tomcat clustering.
Your Apache and Tomcat configuration is exactly like mine. However, today I installed connector mod_jk 1.2.10, and though Apache and Tomcat are talking, I cannot run my servlet page. Please have a look below to see the configuration. Thanks.

The connector is not loading my servlets? I am writing down my httpd.conf and workers.properties.

httpd.conf:

LoadModule jk_module modules/mod_jk.so
<IfModule mod_jk.c>
  JkWorkersFile /usr/local/jakarta-tomcat-5.5.4/conf/workers.properties
  JkLogFile /etc/httpd/logs/mod_jk.log
  JkLogLevel info
  JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
  JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
  JkAutoAlias /usr/local/jakarta-tomcat-5.5.4/webapps
  JkShmFile /etc/httpd/logs/mod_jk.shm
  JkMount /servlet/* ajp13Worker
  JkMount /*.vm ajp13Worker
  JkMount /therestaurant/servlet/ControllerServlet/* ajp13Worker
</IfModule>
NameVirtualHost xxx.xxx.xxx.xxx:80
<VirtualHost xxx.xxx.xxx.xxx:80>
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /usr/local/jakarta-tomcat-x.x.x/webapps/therestaurant
  ServerName www.therestaurant.name
</VirtualHost>

And below is the workers.properties file:

worker.ajp13Worker.port=8009
worker.ajp13Worker.host=xxx.xxx.xxx.xxx
worker.ajp13Worker.type=ajp13
worker.ajp13Worker.lbfactor=50
worker.ajp13Worker.cachesize=10
worker.ajp13Worker.cache_timeout=600

-----Original Message-----
From: David Owens [mailto:[EMAIL PROTECTED]
Sent: Monday, April 04, 2005 6:04 PM
To: tomcat-user@jakarta.apache.org
Subject: Authentication problems with tomcat clustering.
RE: Authentication problems with tomcat clustering.
Are your servlets in the /servlet/ directory, or some other name? You have only redirected /servlet/*, /*.vm and /therestaurant/servlet/ControllerServlet/*. You may want to try just /therestaurant/*, and you may want to do this:

JkMount /therestaurant/* loadbalancer

On my problem: so I did some more investigation, and have found that I am authenticating against one Tomcat, and then being balanced over to the other Tomcat. This is presumably happening before the session is replicated... still looking for a solution... perhaps synchronous replication... I am also trying to find the 1.2.10 mod_jk for my system (Linux).

-----Original Message-----
From: Vaneet Sharma [mailto:[EMAIL PROTECTED]
Sent: Monday, April 04, 2005 10:09 AM
To: Tomcat Users List
Subject: RE: Authentication problems with tomcat clustering.
Re: BASIC Authentication for Custom Realm
Based on my own experience, the quickest way to work out what is happening will be to debug your way through it. See the FAQ for how to set this up: http://jakarta.apache.org/tomcat/faq/development.html

Mark

Mudumbai, Kalyan wrote:
BASIC Authentication for Custom Realm
Hi All,

I am trying to write a custom realm for my web application. I have added the realm in the server.xml file as below:

<Realm className="com.web.tomcat.security.CustomRealm" debug="0"/>

and I had the following entries in my web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>webfiles</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>everyone</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>CustomRealm</realm-name>
</login-config>
<security-role>
  <role-name>everyone</role-name>
</security-role>

When I access a page in my app, I'm expecting to get a login dialog box that's provided by the web browser. But it doesn't happen when I try to access a web page. If I remove my custom realm entry in the server.xml, the login dialog appears. Has the appearance of the login dialog got anything to do with the Realm? Can someone please let me know what's going wrong here?

Thanks,
Kalyan.
Re: DIGEST authentication; Does it work??
So at 3:00 AM I decided to read the Basic and Digest Access Authentication spec (RFC 2617), and it says that MD5 is the default hash algorithm. I had previously seen that Tomcat wasn't sending any response headers explicitly specifying the hash algorithm, even though I had specified SHA in the <Realm/> element in server.xml. So I changed my digest algorithm for the realm to MD5, and DIGEST authentication is now working.

I'd like to make it work with SHA-1. I've looked all through the Tomcat documentation, and I can't find a configuration parameter to set the www-authenticate response header to indicate the SHA-1 algorithm for the digest. I see the API that supports this in org.apache.catalina.authenticator.DigestAuthenticator (setAuthenticateHeader()), but I can't find a configuration parameter that will determine the value for algorithm passed to this method. Does anyone know how I can set this?

-Mark

Mark Leone wrote:

> I found a silly classpath error that fixed the problem using RealmBase. I didn't realize that my system still had the environment variable %catalina_home% pointing to an old Tomcat 4.1.24 directory. So when I opened a command window to generate digest values I was executing RealmBase in Tomcat 4.1.24. But guess what: when I digest the same info with the same algorithm specifier (SHA) in Tomcat 4.1.24 and Tomcat 5.5.8 I get different digest values. And DIGEST authentication still doesn't work, in either case. Something very strange is going on here. :(
>
> -Mark
>
> Mark Leone wrote:
>
>> Okay, I was using 5.5.7. So I just downloaded the source and built 5.5.8, and things got worse. Digest authentication is not working for me. I believe I've set everything up correctly. Using an HTTP monitor I see a 401 response coming back from Tomcat with a www-authenticate header whose parameters specify digest authentication and identify the realm as JDBCRealm. And I have a digested password that I created by digesting {username}:JDBCRealm:{password} (including the colons; is that correct?), as directed in the how-to documentation. But when I enter that username and password, the authentication fails.
>>
>> Now I used SHA-1 to digest the password, and my <Realm/> element in server.xml identifies SHA as the digest algorithm for digesting passwords. Does this mean that the DIGEST authentication will also be done using SHA-1? Or do I need to specify that somewhere? Am I missing something else?
>>
>> I said it got worse with 5.5.8 because now I can't even get RealmBase to generate a digested password. I enter
>>
>> java -cp %catalina_home%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a SHA {username}:JDBCRealm:{password}
>>
>> and I get:
>>
>> Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
>>         at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)
>>
>> So it's finding RealmBase, but while executing that code it fails to find LogFactory. I don't see an org\apache\commons path in any of the class directories generated during the build. Do I have a defective build? Was I supposed to download something else?
>>
>> -Mark
>>
>> Mark Thomas wrote:
>>
>>> Yes it does. I tested this extensively with both IE and Firefox. Any combination of the following is OK:
>>>
>>> Auth: BASIC, FORM, DIGEST
>>> Realm: Memory, UserDatabase, JDBC, DataSource
>>> Passwords: Cleartext, digested
>>>
>>> There is a complication when using digested passwords with the digest realm. You need to be using 4.1.x from CVS HEAD or 5.5.8+. For more info see: http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
>>>
>>> Mark
>>>
>>> Mark Leone wrote:
>>>
>>>> I'm trying to use DIGEST authentication with Tomcat, and it doesn't seem to work. I found some articles with Google about IE implementing DIGEST authentication in a way that only worked with MS servers, and I assume that hasn't been corrected. But I'm also using Firefox with the same results as IE. I saw an article about a workaround in Apache server to make DIGEST authentication work with IE, but I didn't see anything about Tomcat. Anyone know of any way to get DIGEST authentication in Tomcat to work with ANY browser?
>>>>
>>>> I should mention that I'm also using digested passwords in a JDBC Realm (implemented with MySQL), and I followed the how-to instructions for creating digested passwords to work with DIGEST authentication. And authentication with JDBCRealm works fine when I use BASIC authentication.
>>>>
>>>> For the record, I put the following in the Host element in server.xml:
>>>>
>>>> <Context path="/MyApp" docBase="MyApp">
>>>>   <Valve className="org.apache.catalina.authenticator.DigestAuthenticator" disableProxyCaching="false" />
>>>> </Context>
>>>>
>>>> I put the following in server.xml's Engine element:
>>>>
>>>> <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
>>>>        driverName="com.mysql.jdbc.Driver"
>>>>        connectionURL="jdbc:mysql:///Tomcat_Realm"
>>>>        userTable="users" userNameCol="user_name" userCredCol="user_pass"
>>>>        userRoleTable="user_roles" roleNameCol="role_name"
>>>>        digest="SHA"/>
>>>>
>>>> And I put
RE: DIGEST authentication; Does it work??
The docs say this:

"When a standard realm authenticates by retrieving the stored password and comparing it with the value presented by the user, you can select digested passwords by specifying the *digest* attribute on your Realm element. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5). When you select this option, the contents of the password that is stored in the Realm must be the cleartext version of the password, as digested by the specified algorithm."

I have starred the word digest. If you look at the source for the page you will notice the word digest is in code tags, and I think they are trying to indicate this is a key word you can use in the realm tag. Let us know if this works for you.

|)ave

-----Original Message-----
From: Mark Leone [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 23, 2005 1:53 AM
To: Tomcat Users List
Subject: Re: DIGEST authentication; Does it work??
Re: DIGEST authentication; Does it work??
Dave, thanks very much for your help. Unfortunately, the passage you quoted is referring to how the password is digested when it is stored in the realm. This is working fine for me, and I've been able to configure it to use the SHA-1 or MD5 algorithms by setting the digest attribute in the <Realm/> element to either SHA or MD5, which are the appropriate keywords to identify those algorithms. What I described above works fine when I select BASIC authentication by putting the following in my web.xml:

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JDBCRealm</realm-name>
</login-config>

However, I change BASIC above to DIGEST to induce the server to tell the client that DIGEST authentication is required, meaning that instead of sending the username and password as a Base64 encoded text string, which anyone can decode and thereby compromise the user's credentials, it will send a hash of the username and password, with a random value and a sequence counter generated by the server also included as an input to the hash function. This of course is a much more secure way to send login credentials.

According to the spec that governs DIGEST access authentication (RFC 2617), if the server does not explicitly specify a hash algorithm in the www-authenticate header of the HTTP response message (status 401, Unauthorized), it defaults to MD5. So after much thrashing around, I discovered that I could only get DIGEST authentication to work by specifying MD5 in the <Realm/> digest attribute, and then letting the client default to using MD5 for the DIGEST authentication algorithm, since Tomcat is not specifying the algorithm in the HTTP header (which I verified with an HTTP monitor tool).

What I would LIKE to do is use SHA-1, since it's a more secure algorithm (and because I have engineer's disease, and I have to figure out how to do something even if there's an almost-as-good alternative). I know I can set the <Realm/> digest attribute to SHA-1, but I don't know how I can tell Tomcat to require the SHA-1 algorithm in the www-authenticate response header. I found a method that does this, org.apache.catalina.authenticator.DigestAuthenticator.setAuthenticateHeader(), but I'd like to do it with a configuration parameter. I've looked through all the Tomcat docs, and I see nothing that appears to do this. I opened the Servlet spec and looked at the XSD for the web.xml document, and there appears to be nothing there that can set the DIGEST algorithm. Perhaps it can be set in the server.xml file. I'm going to look for that XSD next, but if anyone knows off-hand what the parameter is, please enlighten me.

If there's not a configuration parameter, could someone tell me how to do this programmatically? I'm fairly new to Tomcat, and I think I can figure out how to get access to the aforementioned setAuthenticateHeader() method in the servlet context, but I don't know how to make the container do that for the duration of a browser session, as opposed to setting the www-authenticate header every time my JSP or servlet is called.

-Mark

David Owens wrote:
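The hashing Mark describes in this message and his earlier one, as an added example in Python (not Tomcat's code): HA1 computed with the Realm's configured algorithm, the MD5 response a browser sends when the WWW-Authenticate header names no algorithm, and the server-side check against the stored HA1. The user, password, nonce and function names are constructed for the example.

```python
import hashlib
import re
import secrets

# Added example, not Tomcat's code: the RFC 2617 arithmetic behind this thread.
# Tomcat's Realm "digest" attribute names a java.security.MessageDigest algorithm;
# in that naming "SHA" is SHA-1 and "MD5" is MD5.
_JAVA_TO_HASHLIB = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1"}


def realm_digest(username, realm, password, algorithm="MD5"):
    """What the realm stores for DIGEST auth: the hex digest of
    'username:realm:password' (RFC 2617 calls it HA1), computed with the
    algorithm configured on the Realm element."""
    h = hashlib.new(_JAVA_TO_HASHLIB[algorithm.upper()])
    h.update(f"{username}:{realm}:{password}".encode("utf-8"))
    return h.hexdigest()


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(ha1, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """RFC 2617 'response' value. When WWW-Authenticate carries no 'algorithm'
    parameter the client uses MD5 here and expects HA1 to be MD5 as well."""
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility form (no qop)


def build_authorization(username, realm, password, method, uri, nonce,
                        cnonce=None, nc="00000001"):
    """Client side: the Authorization header a browser sends after a 401 with
    'WWW-Authenticate: Digest realm="...", nonce="...", qop="auth"'."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = realm_digest(username, realm, password, "MD5")  # no algorithm= -> MD5
    response = digest_response(ha1, method, uri, nonce, nc, cnonce, "auth")
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (username, realm, nonce, uri, nc, cnonce, response))


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header):
    """Split 'Digest k1="v1", k2=v2, ...' into a dict (values quoted or bare)."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {k: (quoted if quoted else bare)
            for k, quoted, bare in _PARAM_RE.findall(params)}


def verify_authorization(header, method, stored_ha1, expected_realm, issued_nonces):
    """Server side: recompute the response from the stored HA1 and compare.
    Returns (ok, username). Nonces this server did not issue are rejected,
    and the final comparison is constant-time."""
    p = parse_authorization(header)
    if not {"username", "realm", "nonce", "uri", "response"} <= set(p):
        return False, p.get("username")
    if p["realm"] != expected_realm or p["nonce"] not in issued_nonces:
        return False, p["username"]
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                               p.get("nc"), p.get("cnonce"), p.get("qop"))
    return secrets.compare_digest(expected, p["response"]), p["username"]


def demo():
    """Reproduce the mismatch in the thread: the browser hashes an MD5 HA1, so a
    realm holding SHA-1 digests (digest="SHA") can never verify the response.
    User, password and nonce are constructed sample values."""
    realm, nonce = "JDBCRealm", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    header = build_authorization("mark", realm, "s3cret", "GET",
                                 "/MyApp/index.jsp", nonce, cnonce="0a4f113b")
    md5_ha1 = realm_digest("mark", realm, "s3cret", "MD5")  # Realm digest="MD5"
    sha_ha1 = realm_digest("mark", realm, "s3cret", "SHA")  # Realm digest="SHA"
    ok_md5, _ = verify_authorization(header, "GET", md5_ha1, realm, {nonce})
    ok_sha, _ = verify_authorization(header, "GET", sha_ha1, realm, {nonce})
    return ok_md5, ok_sha  # (True, False)


if __name__ == "__main__":
    print(demo())
```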
Re: DIGEST authentication; Does it work??
When all else fails, look at the source code (Dave, thanks for the suggestion). There is no support for SHA-1 in Tomcat's implementation of DigestAuthenticator. It should be easy enough to implement, provided the core JDK supports the creation of an instance of java.security.MessageDigest that is implemented with SHA-1. I'll give this a try tomorrow - no midnight java tonight.

-Mark

Mark Leone wrote:
> Dave, thanks very much for your help. Unfortunately, the passage you quoted is referring to how the password is digested when it is stored in the realm. This is working fine for me, and I've been able to configure it to use SHA-1 or MD-5 algorithms by setting the digest attribute in the <Realm/> element to either SHA or MD5, which are the appropriate keywords to identify those algorithms.
>
> What I described above works fine when I select BASIC authentication by putting the following in my web.xml
>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>JDBCRealm</realm-name>
>     </login-config>
>
> However, I change BASIC above to DIGEST to induce the server to tell the client that DIGEST authentication is required, meaning that instead of sending the username and password as a Base64 encoded text string, which anyone can decode and thereby compromise the user's credentials, it will send a hash of the username and password, with a random value and a sequence counter generated by the server also included as an input to the hash function. This of course is a much more secure way to send login credentials.
>
> According to the spec that governs DIGEST access authentication (rfc2617), if the server does not explicitly specify a hash algorithm in the www-authenticate header of the HTTP response message (status 401 - unauthorized), it defaults to MD5. So after much thrashing around, I discovered that I could only get DIGEST authentication to work by specifying MD-5 in the <Realm/> digest attribute, and then letting the client default to using MD5 for the DIGEST authentication algorithm, since Tomcat is not specifying the algorithm in the HTTP header (which I verified with an HTTP monitor tool).
>
> What I would LIKE to do is use SHA-1, since it's a more secure algorithm (and because I have engineer's disease, and I have to figure out how to do something even if there's an almost-as-good alternative). I know I can set the <Realm/> digest attribute to SHA-1, but I don't know how I can tell Tomcat to require SHA-1 algorithm in the www-authenticate response header. I found a method that does this:
>
>     org.apache.catalina.authenticator.DigestAuthenticator.setAuthenticateHeader()
>
> But I'd like to do it with a configuration parameter. I've looked through all the Tomcat docs, and I see nothing that appears to do this. I opened the Servlet spec and looked at the XSD for the web.xml document, and there appears to be nothing there that can set the DIGEST algorithm. Perhaps it can be set in the server.xml file. I'm going to look for that XSD next, but if anyone knows off-hand what the parameter is, please enlighten me.
>
> If there's not a configuration parameter, could someone tell me how to do this programmatically? I'm fairly new to Tomcat, and I think I can figure out how to get access to the aforementioned setAuthenticateHeader() method in the servlet context, but I don't know how to make the container do that for the duration of a browser session, as opposed to setting the www-authenticate header every time my JSP or servlet is called.
>
> -Mark
>
> David Owens wrote:
>> The docs say this:
>>
>> When a standard realm authenticates by retrieving the stored password and comparing it with the value presented by the user, you can select digested passwords by specifying the *digest* attribute on your Realm element. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5). When you select this option, the contents of the password that is stored in the Realm must be the cleartext version of the password, as digested by the specified algorithm.
>>
>> I have starred the word digest. If you look at the source for the page you will notice the word digest is in code tags, and I think they are trying to indicate this is a key word you can use in the realm tag. Let us know if this works for you.
>>
>> |)ave
>>
>> -----Original Message-----
>> From: Mark Leone [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, March 23, 2005 1:53 AM
>> To: Tomcat Users List
>> Subject: Re: DIGEST authentication; Does it work??
>>
>> So at 3:00 AM I decided to read the Basic and Digest Access Authentication spec (RFC 2617), and it says that MD5 is the default hash algorithm. I had previously seen that Tomcat wasn't sending any response headers explicitly specifying the hash algorithm, even though I had specified SHA in the <Realm/> element in Server.xml. So I changed my digest algorithm for the realm to MD5, and DIGEST authentication is now working.
>>
>> I'd like to make it work with SHA-1. I've looked all through
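Two questions run through this thread: what exactly the realm stores when you digest username:realm:password (colons included), and why a realm digested with SHA cannot satisfy a browser that falls back to MD5 because the challenge names no algorithm. Both are visible when you compute each side of an RFC 2617 exchange. The Python below is an added example written for this page; it is not Tomcat's DigestAuthenticator and not code from anyone in the thread. The challenge header, nonce, user name and password in demo() are constructed; the only real values are the Mufasa test vector from RFC 2617 section 3.5, used here to check the arithmetic. It only handles qop=auth, and it treats "SHA" as what it is on the wire: not a value RFC 2617 defines (SHA-256 arrived later with RFC 7616).

```python
"""RFC 2617 Digest authentication computed on both sides (added example)."""
import hashlib
import hmac
import re
import secrets

# RFC 2617 defines only MD5 (and MD5-sess) for the "algorithm" parameter and
# makes MD5 the default when the server omits it, which is what Tomcat does here.
# SHA-256 was added later by RFC 7616; a bare "SHA" is not a valid wire value.
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm, text):
    """Hex digest of text with the named algorithm (MD5 when unknown or absent)."""
    return _HASHES.get(algorithm, hashlib.md5)(text.encode()).hexdigest()


def parse_digest_header(header):
    """Split 'Digest k="v", k2=v2' into a dict. Assumes no commas inside values."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return dict(re.findall(r'(\w+)="?([^",]*)"?', params))


def ha1(username, realm, password, algorithm="MD5"):
    """The credential the realm-howto says to store: digest(username:realm:password).
    The colons are part of the digested string."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop, algorithm="MD5"):
    """KD(HA1, nonce:nc:cnonce:qop:HA2), the qop=auth form from RFC 2617 3.2.2.1."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(challenge, username, password, method, uri,
                         cnonce=None, nc="00000001"):
    """What a browser does with the 401's WWW-Authenticate header."""
    p = parse_digest_header(challenge)
    algorithm = p.get("algorithm", "MD5")        # absent => MD5, per RFC 2617
    qop = p.get("qop", "auth")                   # simplification: only qop=auth handled
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(ha1(username, p["realm"], password, algorithm),
                               method, uri, p["nonce"], nc, cnonce, qop, algorithm)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}", algorithm={algorithm}')


def server_verify(authorization, stored_ha1, method, issued_nonce, algorithm="MD5"):
    """Server side: the realm never sees the password, only the stored HA1.
    It recomputes the response from that HA1 and compares in constant time."""
    p = parse_digest_header(authorization)
    if p.get("nonce") != issued_nonce:          # stale or replayed nonce
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"], p["nc"],
                               p["cnonce"], p.get("qop", "auth"), algorithm)
    return hmac.compare_digest(expected, p["response"])


def demo():
    """Constructed exchange against a Tomcat-style challenge that omits 'algorithm'."""
    nonce = "c0ffee1234567890"                 # constructed; a real server randomises it
    challenge = f'Digest realm="JDBCRealm", qop="auth", nonce="{nonce}"'
    user, password, uri = "mark", "correct horse", "/MyApp/index.jsp"
    authz = client_authorization(challenge, user, password, "GET", uri)
    md5_ha1 = ha1(user, "JDBCRealm", password)
    # What a realm configured with digest="SHA" would hold for the same user.
    sha_ha1 = hashlib.sha1(f"{user}:JDBCRealm:{password}".encode()).hexdigest()
    return {
        # Realm stores MD5(user:JDBCRealm:password): the browser's MD5 response verifies.
        "md5_realm": server_verify(authz, md5_ha1, "GET", nonce),
        # Realm stores SHA-1 of the same string: a different hash, so the MD5
        # response the browser computed can never match. This is the thread's failure.
        "sha_realm": server_verify(authz, sha_ha1, "GET", nonce),
        "wrong_password": server_verify(authz, ha1(user, "JDBCRealm", "nope"), "GET", nonce),
        "replayed_nonce": server_verify(authz, md5_ha1, "GET", "some-other-nonce"),
    }
```

The useful property shown here is that the stored HA1 is all the server needs and all an attacker who steals the realm table gets: it is already bound to that realm name, but it is enough to answer this realm's challenges, so the credential table deserves the same protection as a password table. The algorithm the realm uses to store HA1 and the algorithm the browser uses must be the same one, and with a challenge that carries no algorithm parameter that is MD5.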
Re: How to trap errors while authenticating user : Custom Authentication mechanism ?
Besides, giving to the USER a different authentication failure message is a bad idea - hackers use that information to know which accounts to try to hack. On the other hand, though, custom handling of the error would be nice - the LDAP servers I use disconnect silently without traffic for some amount of time, but there's no way for me to trap that error - it just appears as an authentication failure to the user, and they have to try to authenticate again so Tomcat can establish a new connection.

w

On Mon, 21 Mar 2005 13:27:50 -0900, Erik Fiegel [EMAIL PROTECTED] wrote:
> That seems like overkill. Did you try turning up the debug level of your Realm?
>
>     <Realm className="org.apache.catalina.realm.JNDIRealm" debug="9"
>            connectionURL="ldap://localhost:389"
>            userBase="ou=people,dc=mycompany,dc=com"
>            userSearch="(mail={0})"
>            userRoleName="memberOf"
>            roleBase="ou=groups,dc=mycompany,dc=com"
>            roleName="cn"
>            roleSearch="(uniqueMember={0})" />
>
> - Erik
>
> [EMAIL PROTECTED] wrote:
>> Hello,
>> I'm trying to use a Novell LDAP server, and let it manage the Passwords instead of my webapp. Unfortunately I've found that the JNDIRealm doesn't tell me the reason of the failure when authenticating a user.

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Ref.: Re: How to trap errors while authenticating user : Custom Authentication mechanism ?
Hi,

I don't want to give to the user the error why his login fails, but I want to open a popup calling the good service from my Novell server. Beside of that, I'm developing an Intranet application, so hacking is not our primary concern. What can I do instead of unpacking catalina.jar and compiling it from scratch... - including the mbean descriptor file ?

Regards
Cyril ZEKSER

William Stranathan [EMAIL PROTECTED]
22/03/2005 13:10
Please reply to: Tomcat Users List
To: Tomcat Users List tomcat-user@jakarta.apache.org
cc: com
Subject: Re: How to trap errors while authenticating user : Custom Authentication mechanism ?

> Besides, giving to the USER a different authentication failure message is a bad idea - hackers use that information to know which accounts to try to hack. On the other hand, though, custom handling of the error would be nice - the LDAP servers I use disconnect silently without traffic for some amount of time, but there's no way for me to trap that error - it just appears as an authentication failure to the user, and they have to try to authenticate again so Tomcat can establish a new connection.
>
> w
>
> On Mon, 21 Mar 2005 13:27:50 -0900, Erik Fiegel [EMAIL PROTECTED] wrote:
>> [Erik's reply and the original question it quotes are reproduced here in full; both appear as separate messages on this page.]
Re: How to trap errors while authenticating user : Custom Authentication mechanism ?
This is probably by design. This sort of information can be useful to an attacker.

If you want to implement this yourself possible starting points would be overriding the relevant methods of org.apache.catalina.realm.JNDIRealm or extending org.apache.catalina.realm.RealmBase

HTH

Mark

[EMAIL PROTECTED] wrote:
> [Cyril's original question "How to trap errors while authenticating user" is quoted here in full; it appears as a separate message later on this page.]
Re: DIGEST authentication; Does it work??
Yes it does. I tested this extensively with both IE and Firefox. Any combination of the following is OK:

Auth: BASIC, FORM, DIGEST
Realm: Memory, UserDatabase, JDBC, DataSource
Passwords: Cleartext, digested

There is a complication when using digested passwords with the digest realm. You need to be using 4.1.x from CVS HEAD or 5.5.8+

For more info see:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html

Mark

Mark Leone wrote:
> [The original post "DIGEST authentication; Does it work??", with its Server.xml and web.xml fragments, is quoted here in full; it appears as a separate message later on this page.]
Re: DIGEST authentication; Does it work??
Okay, I was using 5.5.7. So I just downloaded the source and built 5.5.8, and things got worse. Digest authentication is not working for me. I believe I've set everything up correctly. Using an HTTP monitor I see a 401 response coming back from Tomcat with a www-authenticate header whose parameters specify digest authentication and identify the realm as JDBCRealm. And I have a digested password that I created by digesting {username}:JDBCRealm:{password} (including the colons - is that correct?), as directed in the how-to documentation. But when I enter that username and password, the authentication fails.

Now I used SHA-1 to digest the password, and my <Realm/> element in Server.xml identifies SHA as the digest algorithm for digesting passwords. Does this mean that the DIGEST authentication will also be done using SHA-1? Or do I need to specify that somewhere? Am I missing something else?

I said it got worse with 5.5.8 because now I can't even get RealmBase to generate a digested password. I enter

    java -cp %catalina_home%\server\lib\catalina.jar org.apache.catalina.realm.RealmBase -a SHA {username}:JDBCRealm:{password}

and I get:

    Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
            at org.apache.catalina.realm.RealmBase.<clinit>(RealmBase.java:69)

So it's finding RealmBase, but while executing that code it fails to find LogFactory. I don't see an org\apache\commons path in any of the class directories generated during the build. Do I have a defective build? Was I supposed to download something else?

-Mark

Mark Thomas wrote:
> [Mark Thomas's reply "Yes it does. I tested this extensively with both IE and Firefox..." is quoted here in full, together with the original post it quotes; both appear as separate messages on this page.]
Re: DIGEST authentication; Does it work??
I found a silly classpath error that fixed the problem using RealmBase. I didn't realize that my system still had environment variable %catalina_home% pointing to an old tomcat 4.1.24 directory. So when I opened a command window to generate digest values I was executing RealmBase in tomcat 4.1.24.

But guess what. When I digest the same info with the same algorithm specifier (SHA) in Tomcat 4.1.24 and Tomcat 5.5.8 I get different digest values. And DIGEST authentication still doesn't work, in either case. Something very strange is going on here. :(

-Mark

Mark Leone wrote:
> [Mark's previous reply "Okay, I was using 5.5.7..." is quoted here in full, together with the messages it quotes; all of them appear as separate messages on this page.]
How to trap errors while authenticating user : Custom Authentication mechanism ?
Hello,

I'm trying to use a Novell LDAP server, and let it manage the Passwords instead of my webapp. Unfortunately I've found that the JNDIRealm doesn't tell me the reason of the failure when authenticating a user. In this case I cannot know where to redirect in the Novell portal (Forgot Password or Password Expired functions - depending on the LDAP exception captured).

Since I'm new to authentication in Tomcat, can you tell me what is/are the best way to start implementing a Custom Realm that return to the application the trapped exception, in order to redirect to the correct Novell Function.

Thanks in advance..
Cyril ZEKSER
Re: How to trap errors while authenticating user : Custom Authentication mechanism ?
That seems like overkill. Did you try turning up the debug level of your Realm?

    <Realm className="org.apache.catalina.realm.JNDIRealm" debug="9"
           connectionURL="ldap://localhost:389"
           userBase="ou=people,dc=mycompany,dc=com"
           userSearch="(mail={0})"
           userRoleName="memberOf"
           roleBase="ou=groups,dc=mycompany,dc=com"
           roleName="cn"
           roleSearch="(uniqueMember={0})" />

- Erik

[EMAIL PROTECTED] wrote:
> [Cyril's original question "How to trap errors while authenticating user" is quoted here in full; it appears as a separate message just above.]
DIGEST authentication; Does it work??
I'm trying to use DIGEST authentication with Tomcat, and it doesn't seem to work. I found some articles with Google about IE implementing DIGEST authentication in a way that only worked with MS servers, and I assume that hasn't been corrected. But I'm also using Firefox with the same results as IE. I saw an article about a workaround in Apache server to make DIGEST authentication work with IE, but I didn't see anything about Tomcat. Anyone know of any way to get DIGEST authentication in Tomcat to work with ANY browser?

I should mention that I'm also using digested passwords in a JDBC Realm (implemented with mySQL), and I followed the how-to instructions for creating digested passwords to work with DIGEST authentication. And authentication with JDBCRealm works fine when I use BASIC authentication.

For the record, I put the following in the Host element in Server.xml

    <Context path="/MyApp" docBase="MyApp">
      <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
             disableProxyCaching="false" />
    </Context>

I put the following in Server.xml's Engine element

    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql:///Tomcat_Realm"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name"
           digest="SHA"/>

And I put the following in my app's web.xml

    <security-constraint>...</security-constraint>   (elided)
    <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>JDBCRealm</realm-name>
    </login-config>
    <security-role>...</security-role>   (elided)

And when I created the digested password to store in my JDBCRealm database, I digested: (username) : JDBCRealm : (password).

As you can see, I specified SHA as the digest algorithm in Server.xml's realm element, and I used SHA to create the digested password that I stored in the database. I assume that the server will prompt the browser to use SHA also when it sends the challenge header requesting DIGEST authentication?
pbm reg:Client-cert authentication
Hi,

I installed a trial client cert, but I am facing an error while accessing my secured .jsp. Appreciate if any one can help us in resolving this issue. Here are the steps which I followed after installing the trial client-cert:

Webserver: Tomcat

1) included an option called -auth in my httpd.config file
2) accessed the secure webserver's home page (https://host-name:port) and got the value of the variable HTTPS_CLIENT_SUBJECT and provided the same under username in tomcat-users.xml file
2) included auth-name, realm-name in web.xml file
3) accessed the jsp under secure directory
4) the below error has been reported:

===
HTTP Status 400 - No client certificate chain in this request
Type: Status report
Message: No Client certificate chain in this request
Description: The request sent by the client was syntactically incorrect (No client certificate chain in this request)
NonStop Servlets For JavaServer Pages
==

Please help me by giving any information which i might have missed out.

Thanks in advance,
Shyama
Re: Authentication for streaming file (OT)
Have you tried other browsers than MSIE? If it works for FireFox, then you've probably hit http://issues.apache.org/bugzilla/show_bug.cgi?id=28750.

"Mark Leone" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> [The original post "Authentication for streaming file (OT)", including the FileSender servlet and its web.xml, is quoted here in full; it appears as a separate message later on this page.]
Re: Authentication for streaming file (OT)
Yes, that's exactly my problem. It only fails with HTTPS connections on IE. It works with Firefox (using the built-in download manager or Flashgot) as well as Safari on a Mac. Nice to see, according to a posting in the BZ link you provided, that M$ has decided to label it a feature rather than a bug.

I applied the workaround you described in BZ #27122, and it now works properly with all resources of the web app protected by a <security-constraint/>.

Thanks for pointing me to the solution.

-Mark

Bill Barker wrote:
> Have you tried other browsers than MSIE? If it works for FireFox, then you've probably hit http://issues.apache.org/bugzilla/show_bug.cgi?id=28750.
Interframework Authentication.
Howdy all,

I am writing a web application for a client in which customers can browse an order database. This application would be linked to from a .net application in which the said user has already been authenticated. Can anyone suggest or know of an authentication scheme which could be shared by both so the customers don't have to log in twice?

Cheers,
Elam Daly
Re: Interframework Authentication.
You might look into:
http://tp.its.yale.edu/tiki/tiki-index.php?page=CentralAuthenticationService

Elam Daly wrote:
> Howdy all,
>
> I am writing a web application for a client in which customers can browse an order database. This application would be linked to from a .net application in which the said user has already been authenticated. Can anyone suggest or know of an authentication scheme which could be shared by both so the customers don't have to log in twice?
>
> Cheers,
> Elam Daly

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
Authentication for streaming file (OT)
Slightly off-topic -- Tomcat related I have a servlet that is invoked by clicking a hyperlink that is rendered by a JSP running in Tomcat. The servlet receives a file path parameter in the HTTP request, and then streams that file to the requesting client. I have a security-constraint/ defined in Tomcat for the JSP, requiring basic password authentication. However, if I define the security-constraint/ so that it applies to the servlet also, then the following error occurs when the servlet attempts to stream the file to the client. The browser presents the file info and prompts to save or open the file, but then when the actual streaming is attempted, the browser reports that the site is unreachable. This is apparently caused by the lack of any authentication during the file streaming operation, because when I define the security-constraint/ so that it applies to the JSP but not the servlet, the problem does not occur. I don't really understand why it behaves this way, since the servlet was invoked with proper authorization, and the problem occurs only when the servlet starts streaming a file to the client. But it does seem to be an authorization problem, since it goes away when I don't constrain the servlet for authentication. I can operate this way, but then my JSP is protected and the servlet is not. Is there a way to specify authentication parameters during the file streaming operation? Does anyone have an explanation for what I'm experiencing? 
Here's my servlet code:

package FileSnatcher;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import javax.activation.MimetypesFileTypeMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FileSender extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The path to stream comes straight from the "file" request parameter.
        String filename = request.getParameter("file");
        File file = new File(filename);

        // Content type is looked up from the JDK's mime.types table.
        MimetypesFileTypeMap mimeTypes = new MimetypesFileTypeMap(
                "C:\\Program Files\\Java\\jdk1.5.0_01\\lib\\mime.types");
        String mime = mimeTypes.getContentType(file);
        response.setContentType(mime);
        response.setHeader("Content-Disposition", "attachment; " + "filename=" + file.getName());

        // Copy the file to the response in 1 KB chunks.
        FileInputStream in = new FileInputStream(file);
        OutputStream out = response.getOutputStream();
        byte[] buf = new byte[1024];
        int i = 0;
        while ((i = in.read(buf)) != -1) {
            out.write(buf, 0, i);
        }
        in.close();
        out.close();
    }
}

And here's my web.xml. With this configuration, the file download fails as described above. To make it work, I remove the second <url-pattern> element as indicated.

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <display-name>File Port</display-name>
  <description>Makes files available through the web container</description>

  <servlet>
    <servlet-name>FilePort</servlet-name>
    <description>Retrieves specified file and sends it to requester</description>
    <servlet-class>FileSnatcher.FileSender</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>FilePort</servlet-name>
    <url-pattern>/FilePort</url-pattern>
  </servlet-mapping>

  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FileSnatcher</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/FilePort</url-pattern> <!-- remove this to make it work -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JDBCRealm</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>The role that is required to log in to the Manager Application</description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
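The servlet above builds a File directly from the "file" request parameter, so whoever can reach /FilePort can ask for any path the Tomcat process can read; the poster's instinct to keep the servlet inside the security constraint is the right one, and the download handler should also refuse paths outside a fixed folder regardless of how the container check turns out. The following is an added example, not the poster's code and not part of the original thread: a variant of the servlet that only serves regular files below a base directory. The class name SafeFileSender, the init-param name baseDir and the 8 KB buffer size are assumptions made for this example.

```java
// Added example (not the poster's code): a file-download servlet that only
// serves files below a fixed base directory, so the "file" parameter cannot
// name an arbitrary path on the server. The init-param name "baseDir" and the
// class name are assumptions for this example.
package FileSnatcher;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.activation.MimetypesFileTypeMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeFileSender extends HttpServlet {

    private File baseDir;
    private final MimetypesFileTypeMap mimeTypes = new MimetypesFileTypeMap();

    public void init() throws ServletException {
        // Assumption: web.xml supplies <init-param> "baseDir" naming the export folder.
        String configured = getInitParameter("baseDir");
        if (configured == null) {
            throw new ServletException("init-param baseDir is required");
        }
        try {
            baseDir = new File(configured).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException("cannot resolve baseDir", e);
        }
        if (!baseDir.isDirectory()) {
            throw new ServletException("baseDir is not a directory: " + baseDir);
        }
    }

    /**
     * Resolves a relative name against the base directory and returns the
     * canonical file only if it stays inside that directory and is a regular
     * file; returns null otherwise. Package-private so it can be unit-tested.
     */
    static File resolveInside(File base, String relative) throws IOException {
        if (relative == null || relative.length() == 0) {
            return null;
        }
        File candidate = new File(base, relative).getCanonicalFile();
        // Canonicalisation collapses ".." segments and symlinks; the prefix
        // check then rejects anything that escaped the base folder.
        String prefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            return null;
        }
        return candidate.isFile() ? candidate : null;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        File file = resolveInside(baseDir, request.getParameter("file"));
        if (file == null) {
            // One answer for "outside base", "missing" and "not a regular file":
            // the caller learns nothing about the directory layout.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType(mimeTypes.getContentType(file));
        // Only the leaf name is echoed, with quotes removed so the value
        // cannot break out of the quoted header parameter.
        String leaf = file.getName().replace("\"", "");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + leaf + "\"");
        if (file.length() <= Integer.MAX_VALUE) {
            response.setContentLength((int) file.length());
        }

        InputStream in = new FileInputStream(file);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```

The path check and the container's security constraint are complementary: the constraint decides who may call /FilePort at all, and resolveInside decides which files a caller who got through may receive. Keeping the check in a small static method lets a unit test feed it names such as "../conf/server.xml" and assert that it returns null.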
Re: Problem with BASIC authentication
Hi,

Compared to Manager's web.xml, it seems you don't have the section <resource-env-ref> with the link to your user database.
Perhaps, try to put the role names without a - (rather a _ or nothing)

Cheers.

On Thu, 17 Mar 2005 10:49:29 +0530 "Karanjkar, Sanjay V (IT)" [EMAIL PROTECTED] wrote:

Hi,

Anyone had a chance to look at this one yet?

Thanks
Sanjay

-----Original Message-----
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication

Hi,

I have the following setup:

1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)

2. My application WAR file referenced by the following Context in server.xml:

<Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war"
         reloadable="true" debug="99" privileged="true">
  <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
</Context>

3. My app's web.xml has the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ieg-sc-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Application</realm-name>
</login-config>

<security-role>
  <role-name>ieg-sc-user</role-name>
</security-role>

4. I have defined the user/role in conf/tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="ieg-sc-user"/>
  <user username="userid" password="passwd" roles="ieg-sc-user"/>
</tomcat-users>

When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad... Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..?

Appreciate if you could help me..

Thanks and regards
Sanjay Karanjkar

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
RE: Problem with BASIC authentication
Hi Lionel,

Thanks for your response. I tried both suggestions but no luck.. Maybe it's something to do with the fact that I've not *installed* tomcat but only copied the binaries from an installed location (then how come the manager app works? :-(

Anyways, I also have a problem when shutting down tomcat. When I run shutdown.sh, I get the following error and there are process threads that I have to kill manually. I have not altered the default server.xml (Ajp13 connector is not commented out) so can someone help me?

Catalina.stop: java.net.ConnectException: Connection refused
java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
    at java.net.Socket.<init>(Socket.java:268)
    at java.net.Socket.<init>(Socket.java:95)
    at org.apache.catalina.startup.Catalina.stop(Catalina.java:581)
    at org.apache.catalina.startup.Catalina.execute(Catalina.java:402)
    at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
    at java.lang.reflect.Method.invoke(Native Method)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
gmake: *** [stop_tomcat] Error 1

Thanks in advance
Sanjay Karanjkar
fc3sdi team

-----Original Message-----
From: Lionel Farbos [mailto:[EMAIL PROTECTED]]
Sent: 17 March 2005 09:58
To: Tomcat Users List
Cc: Karanjkar, Sanjay V (IT)
Subject: Re: Problem with BASIC authentication

Hi,

Compared to Manager's web.xml, it seems you don't have the section <resource-env-ref> with the link to your user database.
Perhaps, try to put the role names without a - (rather a _ or nothing)

Cheers.

On Thu, 17 Mar 2005 10:49:29 +0530 "Karanjkar, Sanjay V (IT)" [EMAIL PROTECTED] wrote:

Hi,

Anyone had a chance to look at this one yet?
Thanks
Sanjay

-----Original Message-----
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication
Re: Problem with BASIC authentication
I don't run 4 so these are only suggestions.

1. Remove the <user-data-constraint>
2. Change your tomcat-users.xml to look like this

<tomcat-users>
  <user name="userid" password="passwd" roles="ieg-sc-user" />
</tomcat-users>

----- Original Message -----
From: "Karanjkar, Sanjay V (IT)" [EMAIL PROTECTED]
To: "Tomcat Users List" tomcat-user@jakarta.apache.org
Sent: Thursday, March 17, 2005 12:19 AM
Subject: RE: Problem with BASIC authentication

Hi,

Anyone had a chance to look at this one yet?

Thanks
Sanjay

-----Original Message-----
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication
Re: Problem with BASIC authentication
On Thu, 17 Mar 2005 16:35:43 +0530 "Karanjkar, Sanjay V (IT)" [EMAIL PROTECTED] wrote:

> Hi Lionel,
>
> Thanks for your response. I tried both suggestions but no luck.. Maybe it's something to do with the fact that I've not *installed* tomcat but only copied the binaries from an installed location (then how come the manager app works? :-(

The Manager, by default, is installed but not activated.
In your installation, you have
- $CATALINA_HOME/server/lib/servlets-manager.jar
- $CATALINA_HOME/webapps/manager.xml

You have to add:

<role rolename="manager"/>
<user username="userid" password="password" roles="manager"/>

And you can access the HTML manager (in the default installation) with: http://localhost:8080/manager/html/

> Anyways, I also have a problem when shutting down tomcat. When I run shutdown.sh, I get the following error and there are process threads that I have to kill manually. I have not altered the default server.xml (Ajp13 connector is not commented out) so can someone help me?
>
> Catalina.stop: java.net.ConnectException: Connection refused
> java.net.ConnectException: Connection refused
>     at java.net.PlainSocketImpl.socketConnect(Native Method)
>     at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:350)
>     at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:137)
>     at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:124)
>     at java.net.Socket.<init>(Socket.java:268)
>     at java.net.Socket.<init>(Socket.java:95)
>     at org.apache.catalina.startup.Catalina.stop(Catalina.java:581)
>     at org.apache.catalina.startup.Catalina.execute(Catalina.java:402)
>     at org.apache.catalina.startup.Catalina.process(Catalina.java:180)
>     at java.lang.reflect.Method.invoke(Native Method)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203)
> gmake: *** [stop_tomcat] Error 1

I think you have to re-install your Tomcat properly... (and verify your port 8080 is free, otherwise change it).
> Thanks in advance
> Sanjay Karanjkar
> fc3sdi team
>
> -----Original Message-----
> From: Lionel Farbos [mailto:[EMAIL PROTECTED]]
> Sent: 17 March 2005 09:58
> To: Tomcat Users List
> Cc: Karanjkar, Sanjay V (IT)
> Subject: Re: Problem with BASIC authentication
RE: Problem with BASIC authentication
Hi,

Anyone had a chance to look at this one yet?

Thanks
Sanjay

-----Original Message-----
From: Karanjkar, Sanjay V (IT)
Sent: 15 March 2005 11:19
To: tomcat-user@jakarta.apache.org
Subject: Problem with BASIC authentication
Problem with BASIC authentication
Hi,

I have the following setup:

1. A copied version of Tomcat 4.1.24 on Unix (i.e. I have merely *copied* the entire tomcat folder from another installed location instead of installing it)

2. My application WAR file referenced by the following Context in server.xml:

<Context path="/ieg-sc" docBase="/var/tmp/DEV/install/common/lib/tc.ieg.war"
         reloadable="true" debug="99" privileged="true">
  <ResourceLink name="users" type="org.apache.catalina.UserDatabase" global="UserDatabase"/>
</Context>

3. My app's web.xml has the following:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ieg-sc-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Application</realm-name>
</login-config>

<security-role>
  <role-name>ieg-sc-user</role-name>
</security-role>

4. I have defined the user/role in conf/tomcat-users.xml:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="ieg-sc-user"/>
  <user username="userid" password="passwd" roles="ieg-sc-user"/>
</tomcat-users>

When I start tomcat, everything seems to run fine except that I do not get a login window! I have gone over the setup so many times now, I'm going mad... Have I missed something? Is it because I've copied the tomcat binaries instead of installing it? If so, why does authentication work correctly for the inbuilt Manager application..?

Appreciate if you could help me..

Thanks and regards
Sanjay Karanjkar
JAAS authentication and global realms
Hello !

I'm trying to use a host-wide JAAS Realm. I've written the LoginModule and tested it by declaring the Realm in the <Context> of one of my apps. This app is not declared in server.xml, but in its own context.xml in /webapps. Everything is working just fine. My LoginModule logs using just System.out.println(), so I find its logs in logs/catalina.out.

When I move the Realm declaration from the context.xml to server.xml (either in the <Host> node or the <Engine> node) it stops working ... I don't see any logs of any kind ...

What am I doing wrong? The doc made me think I could just move this Realm around to change its visibility, and that there would be no need to do anything more ...

Thanks for the help.

Guillaume

--
Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
Re: Authentication and logging problem
I found the problem: I was using a UserPrincipal and a RolePrincipal that had a case-insensitive equals() method. I was first adding the UserPrincipal with name "admin", and then adding a RolePrincipal with name "Admin". The case-insensitive equals() implies that the Role was not added, as it was equal to the User ...

Pretty easy problem, but I still took 1 full day to track it down!

Guillaume

On Friday 04 March 2005 15.23, Guillaume Lederrey wrote:

I'm having a problem with a JAAS authentication realm. I created a LoginModule, configured it as explained in http://forum.java.sun.com/thread.jspa?threadID=233317&tstart=0, defined the permissions in my WEB-INF/web.xml ... The log statements (System.out.println()) I have in my login module show that the user is authenticated and that the correct roles are added to the subject. BUT: I still get a 403 when trying to access my servlets.

I installed a log4j logger for Tomcat as explained in http://jakarta.apache.org/tomcat/tomcat-5.5-doc/logging.html to get some more information. The relevant lines are included below. It seems the roles didn't get added, which is not consistent with what I read in my LoginModule doc ...

My context definition (in conf/server.xml) is:

<Context path="/siems-ds" docBase="/home/gehel/tecost/siems/siems/ds/target/siems-ds-0.1-SNAPSHOT.war"
         privileged="true" reloadable="true">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="SIEMS-ds"
         userClassNames="ch.tecost.siems.jaas.UserPrincipal"
         roleClassNames="ch.tecost.siems.jaas.RolePrincipal" debug="99"/>
</Context>

The following code is used to add roles in the commit() method of the LoginModule; subject is the subject received in initialize():

// Look up the roles of the authenticated user and add each one to the Subject.
log("adding roles ...");
Collection roleList = RolePrincipal.findByUser(DBAccess.currentConnection(), userPrincipal);
for (Iterator it = roleList.iterator(); it.hasNext();) {
    RolePrincipal role = (RolePrincipal) it.next();
    log("Adding role : " + role.getName());
    subject.getPrincipals().add(role);
}

Does anybody have any idea where I should be looking to find the solution?

Thanks

Guillaume Lederrey

DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[SIEMS - Data Service protected area]' against GET /UserList --> true
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAASRealm login requested for username "admin" using LoginContext for application "SIEMS-ds"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Login context created admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAAS LoginContext created for username "admin"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking Principal admin [ch.tecost.siems.jaas.UserPrincipal]
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Principal admin is a valid user class. We will use this as the user Principal.
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No valid role Principals found.
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Username admin successfully authenticated as Principal {1} -- Subject was created too
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - Checking roles admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if user Principal admin possesses role Root
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles Principals found. User Principal or Subject is null, or user Principal not in cache
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role found: Root
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if user Principal admin possesses role Admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles Principals found. User Principal or Subject is null, or user Principal not in cache
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role found: Admin
DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]] org.apache.catalina.session.ManagerBase - Start expire sessions StandardManager at 1109945560722 sessioncount 0
DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]] org.apache.catalina.session.ManagerBase - Start expire sessions StandardManager at 1109945560722 sessioncount 0

--
Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
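The root cause Guillaume reports, here and in the original "Authentication and logging problem" post below, is easy to reproduce in isolation: Subject.getPrincipals() is a Set, and Set.add() silently returns false when an element that compares equal is already present. If UserPrincipal and RolePrincipal share an equals() that ignores case and ignores the concrete class, adding RolePrincipal "Admin" after UserPrincipal "admin" is a no-op, which is exactly what the "No valid role Principals found" line in the log shows. The following is an added example, not the poster's code: it puts the loose equality next to a strict one (same concrete class, case-sensitive name, matching hashCode) and counts how many role principals survive in the Subject. The class and method names are constructed for the demonstration and are not the ch.tecost.siems.jaas classes from the thread.

```java
// Added example (not the poster's code): shows why a case-insensitive,
// class-agnostic equals() on principal classes makes
// subject.getPrincipals().add(role) a silent no-op, and the fix.
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class PrincipalEqualityDemo {

    /** The buggy shape: equality ignores case and ignores the principal's class. */
    static abstract class LoosePrincipal implements Principal {
        private final String name;
        LoosePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof Principal
                && name.equalsIgnoreCase(((Principal) o).getName());
        }
        @Override public int hashCode() { return name.toLowerCase().hashCode(); }
    }
    static final class LooseUserPrincipal extends LoosePrincipal {
        LooseUserPrincipal(String n) { super(n); }
    }
    static final class LooseRolePrincipal extends LoosePrincipal {
        LooseRolePrincipal(String n) { super(n); }
    }

    /** The fixed shape: same concrete class and exact, case-sensitive name. */
    static abstract class StrictPrincipal implements Principal {
        private final String name;
        StrictPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass()
                && name.equals(((StrictPrincipal) o).name);
        }
        @Override public int hashCode() {
            return getClass().hashCode() * 31 + name.hashCode();
        }
    }
    static final class UserPrincipal extends StrictPrincipal {
        UserPrincipal(String n) { super(n); }
    }
    static final class RolePrincipal extends StrictPrincipal {
        RolePrincipal(String n) { super(n); }
    }

    /**
     * Mimics a LoginModule.commit(): add the user principal first, then the
     * roles, and report how many role principals the Subject actually holds.
     */
    static int rolesRetained(Principal user, Principal... roles) {
        Subject subject = new Subject();
        Set<Principal> principals = subject.getPrincipals();
        principals.add(user);
        for (Principal r : roles) {
            // Subject's principal set refuses an element equal to one it has.
            boolean added = principals.add(r);
            System.out.println((added ? "added   " : "DROPPED ")
                + r.getClass().getSimpleName() + " " + r.getName());
        }
        int count = 0;
        for (Principal p : principals) {
            if (p instanceof LooseRolePrincipal || p instanceof RolePrincipal) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        // Loose equality: role "Admin" equals user "admin", so it is dropped
        // and only "Root" is kept.
        int loose = rolesRetained(new LooseUserPrincipal("admin"),
            new LooseRolePrincipal("Admin"), new LooseRolePrincipal("Root"));
        // Strict equality: both roles are kept, so JAASRealm can match them
        // against roleClassNames.
        int strict = rolesRetained(new UserPrincipal("admin"),
            new RolePrincipal("Admin"), new RolePrincipal("Root"));
        System.out.println("loose kept " + loose + " role(s), strict kept " + strict);
    }
}
```

Whenever equals() is overridden, hashCode() must agree with it; the strict version folds the class into the hash so a user and a role with the same name never collide, and the equality test uses getClass() rather than instanceof so a subclass cannot widen it later.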
How to logout using JAASRealm for authentication?
Hi,

I am using tomcat 5.5.7 with JAAS authentication via the JAASRealm realm implementation. I have written my own custom LoginModule. How do I get my implementation of logout() to be called? I tried just invalidating the session from a JSP page but this didn't work. Is there some hook that I'm missing, or does the current JAASRealm implementation not support logging out?

Thanks in advance,
David Donn
Authentication and logging problem
Hello !

I'm having a problem with a JAAS authentication realm. I created a LoginModule, configured it as explained in http://forum.java.sun.com/thread.jspa?threadID=233317&tstart=0, defined the permissions in my WEB-INF/web.xml ... The log statements (System.out.println()) I have in my login module show that the user is authenticated and that the correct roles are added to the subject. BUT: I still get a 403 when trying to access my servlets.

I installed a log4j logger for Tomcat as explained in http://jakarta.apache.org/tomcat/tomcat-5.5-doc/logging.html to get some more information. The relevant lines are included below. It seems the roles didn't get added, which is not consistent with what I read in my LoginModule doc ...

My context definition (in conf/server.xml) is:

<Context path="/siems-ds" docBase="/home/gehel/tecost/siems/siems/ds/target/siems-ds-0.1-SNAPSHOT.war"
         privileged="true" reloadable="true">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="SIEMS-ds"
         userClassNames="ch.tecost.siems.jaas.UserPrincipal"
         roleClassNames="ch.tecost.siems.jaas.RolePrincipal" debug="99"/>
</Context>

The following code is used to add roles in the commit() method of the LoginModule; subject is the subject received in initialize():

// Look up the roles of the authenticated user and add each one to the Subject.
log("adding roles ...");
Collection roleList = RolePrincipal.findByUser(DBAccess.currentConnection(), userPrincipal);
for (Iterator it = roleList.iterator(); it.hasNext();) {
    RolePrincipal role = (RolePrincipal) it.next();
    log("Adding role : " + role.getName());
    subject.getPrincipals().add(role);
}

Does anybody have any idea where I should be looking to find the solution?

Thanks

Guillaume Lederrey

DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - Checking constraint 'SecurityConstraint[SIEMS - Data Service protected area]' against GET /UserList --> true
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAASRealm login requested for username "admin" using LoginContext for application "SIEMS-ds"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Login context created admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - JAAS LoginContext created for username "admin"
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking Principal admin [ch.tecost.siems.jaas.UserPrincipal]
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Principal admin is a valid user class. We will use this as the user Principal.
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No valid role Principals found.
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Username admin successfully authenticated as Principal {1} -- Subject was created too
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - Checking roles admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if user Principal admin possesses role Root
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles Principals found. User Principal or Subject is null, or user Principal not in cache
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role found: Root
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - Checking if user Principal admin possesses role Admin
DEBUG http-8080-Processor25 org.apache.catalina.realm.JAASRealm - No roles Principals found. User Principal or Subject is null, or user Principal not in cache
DEBUG http-8080-Processor25 org.apache.catalina.realm.RealmBase - No role found: Admin
DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]] org.apache.catalina.session.ManagerBase - Start expire sessions StandardManager at 1109945560722 sessioncount 0
DEBUG ContainerBackgroundProcessor[StandardEngine[Catalina]] org.apache.catalina.session.ManagerBase - Start expire sessions StandardManager at 1109945560722 sessioncount 0

--
Guillaume Lederrey
Informaticien Développement
Tecost - Technology Consulting Studies
Fribourg (Switzerland)
http://www.tecost.ch/
authentication does not work if web-app provides a JAX-RPC service AND JSP
Hi,

If I enable the snippet below I can access my Web Services, but if I call a JSP I'm facing a weird error. Using the BASIC auth-method I can sign in and I'm being forwarded to the appropriate page, but the JSP expressions within this page are not evaluated (Hello ${user.name}). With the FORM auth-method I will be forwarded to a page called <url>/$%7Burl%7D. So the problem seems to be the same.

I have a simple web application which manages some data and allows anybody to get this data via Web Services (JAX-RPC). Only admins should modify data with JSPs, so I would like to use the built-in security-constraint of tomcat.

Thanks for your help in advance.

--
Tobias

<web-app>
  [...]
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/pages/*</url-pattern>
      <url-pattern>/faces/*</url-pattern>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/pages/logon.jsp</form-login-page>
      <form-error-page>/pages/logonerr.jsp</form-error-page>
    </form-login-config>
  </login-config>
  [...]
</web-app>
What is the best way to create a secure manual-submission authentication form?
I'm using form-based authentication in Tomcat 5.5 and would like to have a user-initiated login action, in addition to container-initiated logins triggered by security-constraints. My site implements both personalization for all pages and security for sensitive pages. I'd like to have a single sign-on for both personalization and security, with personalization persisting indefinitely while security access has a session timeout. I'm planning to use a separate cookie for the personalization, created after any authentication. The authentication and sensitive pages should all be limited to https access, while the non-sensitive pages are accessed via http.

Non-sensitive pages do not have security-constraints as users are not required to login. If not logged in, the user sees a default unpersonalized view. A user may wish to manually specify a login to acquire his or her personalized view of a non-sensitive page. Is there any way to achieve this?

I can think of indirect partial solutions. E.g., link to a protected jsp page that takes as a parameter the desired non-sensitive page (e.g., the home page) and forwards to this page. This could work assuming I want just a button or link for the user-initiated login action (causing the attempt to access the security-constrained forwarding page to post the login page). However, what if I would like to have a login form directly on the page from which the user can initiate the authentication? Is this possible? I tried placing a copy of the form on the form-login-page onto the home page, and then submitted this form from the home page after a session timeout from a prior session (that had been authenticated by a container-initiated posting of the form-login-page). The home-page form submission achieved the new authentication, but forwarded the request to the sensitive page that had been accessed in the earlier session's container-initiated authentication! That seems to be a bug.
I would appreciate any advice on how to best achieve this. A corollary issue is that I'd like the submission of any login form to be made over https to protect the password, even if the page containing the login form was accessed via http. Can the solution to the above achieve this as well?

Thanks for any advice,
Chuck
SSL Client authentication against MemoryRealm
Hi,

The SSL client authentication doesn't work against MemoryRealm, because the authentication mechanism passes the DN of the client certificate to the realm after validation for role assignment, but the memory realm doesn't allow usernames that contain "," or "=" characters. Because the DN contains these characters, the user can't get authenticated. I haven't tested this with other Realms, but it's important to fix it on MemoryRealm, used primarily for testing purposes. The Tomcat version I'm using is 5.0.16.

Greetings
--
Jesus De Oliveira
IT Consultant
Baysystem Consultores C.A.
Tel: (0212) 339.06.96 (0414) 300.06.46
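The user name a realm receives from a client certificate is the certificate's subject DN, and in that string commas and equals signs are structure, while the same characters may also appear, escaped or quoted, inside a value. The Python below is an added example, not code from this thread or from Tomcat: a small RFC 2253 parser that shows how such a name has to be split, a formatter that re-escapes values on the way back, and the naive comma split that a realm tokenizing on "," and "=" effectively performs. The DNs used to exercise it are constructed.

```python
# Characters that RFC 2253 treats as structure inside a DN string and that
# therefore have to be escaped when they occur in an attribute value.
SPECIAL = ',+"\\<>;'
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn):
    """Split a distinguished name string into an ordered list of
    (attribute, value) pairs.

    Handles both spellings Java produces for a certificate subject:
    RFC 2253 backslash escapes (O=Foo\\, Inc.) and the older quoted
    form (O="Foo, Inc."). Multi-valued RDNs joined with '+' are kept as
    one value, which is enough for ordinary certificate subjects.
    """
    pairs, buf, attr, in_quotes = [], [], None, False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # backslash escape
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in HEX for c in nxt):
                buf.append(chr(int(nxt, 16)))    # \2C style hex escape
                i += 3
            else:
                buf.append(dn[i + 1])            # \, \= \" ... taken literally
                i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes            # quotes delimit, they are not data
        elif ch == "=" and attr is None and not in_quotes:
            attr, buf = "".join(buf).strip(), []
        elif ch == "," and not in_quotes:
            if attr is None:
                raise ValueError("RDN without '=' in %r" % dn)
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None or in_quotes:
        raise ValueError("malformed DN: %r" % dn)
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def format_dn(pairs):
    """Render pairs back as an RFC 2253 string, escaping anything that
    would otherwise be read as structure."""
    out = []
    for attr, value in pairs:
        esc = "".join("\\" + c if c in SPECIAL else c for c in value)
        if esc[:1] in (" ", "#"):
            esc = "\\" + esc
        if esc.endswith(" "):
            esc = esc[:-1] + "\\ "
        out.append("%s=%s" % (attr, esc))
    return ",".join(out)


def naive_split(dn):
    """The shortcut that breaks on real-world subjects: treat every comma
    as an RDN boundary and every '=' as the attribute separator."""
    return [part.strip() for part in dn.split(",")]


if __name__ == "__main__":
    # Constructed subject with an escaped comma inside the organisation name.
    subject = "CN=Jane Doe,OU=Testing,O=Example\\, Inc.,C=VE"
    print(parse_dn(subject))
    print(naive_split(subject))  # one element too many
```

The practical consequence for a realm is that a DN-shaped user name must be matched as a whole string or through a parser like this one; any lookup that pre-splits on commas or equals signs will either reject the name outright or match the wrong fragment.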
Configure Valve which is called after authentication process???
Hi,

Is it possible to configure a valve which is called after the authentication process? I've configured the Valve after the Realm but the Valve is called first.

Thanks for your support.
Oliver
Tomcat NTLM Authentication - 403 Error
Hi All,

We use Integrated Windows Authentication with the Kerberos authentication protocol to log on to our website (running on Tomcat). This works great in dev/test/prod, but when I try it on my localhost I get the following error:

message: This server does not allow NTLM, but the client attempted NTLM anyway
description: Access to the specified resource (This server does not allow NTLM, but the client attempted NTLM anyway) has been forbidden.

I was wondering if there was some Tomcat configuration that would allow my localhost to allow NTLM. At the moment, I do not have access to any of the environments but my localhost. I would have compared the server.xml etc. otherwise.

Thanks,
Kal
Client-Servlet LDAP authentication
I'm writing a client-servlet program. If I use a client (not a web browser), is it then possible to use a Tomcat Realm (JNDI) to authenticate to LDAP using the SOAP (Axis) protocol? Or do I have to do the authentication myself in my Java servlet using JNDI (is this safe, by the way)?

Client---SOAP--- Tomcat(Realm) -- Servlet

//Johan
Re: Java.mail smtp authentication
Try setting the mail.smtp.auth property to true.
Java.mail smtp authentication
Hi,

I am using the following config with TC/JNDI JavaMail to connect to an SMTP server which needs authentication. If I put the username/password/port into Outlook Express and check "needs authentication" it works OK. With TC and my settings I get an auth failure. Am I using the correct properties? The password prop doesn't seem to appear anywhere in the docs. Many thanks if anyone knows this - I've not found any answers on Google (only questions).

<Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
<ResourceParams name="mail/Session">
  <parameter>
    <name>mail.smtp.host</name>
    <value>smtp.myispname.com</value>
  </parameter>
  <parameter>
    <name>mail.smtp.port</name>
    <value>225</value>
  </parameter>
  <parameter>
    <name>mail.smtp.auth</name>
    <value>true</value>
  </parameter>
  <parameter>
    <name>mail.smtp.user</name>
    <value>myusername</value>
  </parameter>
  <parameter>
    <name>mail.smtp.password</name>
    <value>mypassword</value>
  </parameter>
</ResourceParams>
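What the mail.smtp.auth property recommended in the reply above changes is the SMTP conversation itself: after EHLO the client has to complete an AUTH exchange before an auth-required relay will accept MAIL FROM, and a missing or wrong credential shows up as a 530 or 535 reply. The script below is an added example, not part of this thread or of JavaMail: it starts a constructed SMTP server on a loopback port that behaves like such a relay and drives three client sessions against it with the standard library smtplib, one with no AUTH, one with a wrong password and one with valid credentials. The user name and password are placeholders.

```python
import base64
import hmac
import smtplib
import socket
import threading

# Constructed credentials for the demo server; nothing here is a real account.
USERS = {"myusername": "mypassword"}


def check_plain(payload):
    """Verify an AUTH PLAIN initial response, base64('\\0user\\0password'),
    and return the user name on success, else None."""
    try:
        _authzid, user, password = base64.b64decode(payload, validate=True).split(b"\x00")
    except (ValueError, TypeError):          # bad base64 or wrong field count
        return None
    user = user.decode("utf-8", "replace")
    password = password.decode("utf-8", "replace")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected, password):
        return user
    return None


class FakeSmtpServer(threading.Thread):
    """Minimal submission server: advertises AUTH PLAIN and refuses MAIL FROM
    until the session has authenticated, like a relay that requires auth."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))     # loopback only, ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        f = conn.makefile("rwb")

        def reply(text):
            f.write(text.encode("ascii") + b"\r\n")
            f.flush()

        reply("220 fake.example ESMTP constructed test server")
        user, in_body = None, False
        for raw in f:
            line = raw.decode("latin-1").rstrip("\r\n")
            if in_body:                      # message text until a lone "."
                if line == ".":
                    in_body = False
                    reply("250 OK queued")
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                reply("250-fake.example")
                reply("250 AUTH PLAIN")      # the only SASL mechanism offered
            elif verb == "AUTH":
                mech, _, payload = arg.partition(" ")
                user = check_plain(payload) if mech.upper() == "PLAIN" else None
                reply("235 2.7.0 Authentication successful" if user
                      else "535 5.7.8 Authentication credentials invalid")
            elif verb == "MAIL":
                reply("250 OK" if user else "530 5.7.0 Authentication required")
            elif verb == "RCPT":
                reply("250 OK")
            elif verb == "DATA":
                in_body = True
                reply("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:                            # RSET, NOOP, HELO, ...
                reply("250 OK")
        conn.close()


def submit(port, credentials):
    """EHLO, optionally AUTH (what mail.smtp.auth=true makes JavaMail do), then
    try to hand over one message. Returns 'accepted' or raises an smtplib error."""
    with smtplib.SMTP("127.0.0.1", port, local_hostname="localhost", timeout=5) as s:
        s.ehlo()
        if credentials is not None:
            s.login(*credentials)
        s.sendmail("sender@example.test", ["rcpt@example.test"],
                   "Subject: auth demo\r\n\r\nconstructed body\r\n")
    return "accepted"


def run_demo():
    """Three connections against one fake server; returns each outcome."""
    server = FakeSmtpServer()
    server.start()
    outcomes = {}
    for label, creds in (("no_auth", None),
                         ("wrong_password", ("myusername", "wrong")),
                         ("good_auth", ("myusername", "mypassword"))):
        try:
            outcomes[label] = submit(server.port, creds)
        except smtplib.SMTPAuthenticationError as e:
            outcomes[label] = "auth failed %d" % e.smtp_code
        except smtplib.SMTPSenderRefused as e:
            outcomes[label] = "relay refused %d" % e.smtp_code
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```

The three outcomes are the ones to tell apart when a mail session "gets an auth failure": a 530 on MAIL FROM means the client never attempted AUTH (the property is off or not reaching the session), a 535 means it did and the credentials were rejected, and only the third session is relayed. Capturing the exchange on the wire, as the script's server does, separates the two cases faster than reading the client-side exception.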
authentication sporadically fails?
I have Tomcat 5.5.4 configured with basic authentication through a JNDI-named JDBC connection pool. The Resource and Realm are specified in META-INF/context.xml. The resource-ref and security-constraint are specified in WEB-INF/web.xml (relevant parts included at the end of this message). There are 3 users assigned roles in the db (MySQL 4.1.8).

Sometimes I am seeing one or more of these users fail to authenticate, even though moments before they were able to authenticate. Usually, 1 of the users can still authenticate but the other 2 cannot (though I have seen all 3 fail). Restarting Tomcat usually fixes the problem (though sometimes several restarts are required). I am using IE, Firefox, Java code making HttpUrlConnections, and Apache Axis code making SOAP requests, so I'm pretty sure the issue is with Tomcat and not with the component making the request. To the best of my knowledge, when authentication fails, it is failing on the same Authorization header that was succeeding moments before (from watching the access logs and packet sniffing).

The problem is inconsistent but frustrating and important for us to figure out. Has anyone seen this kind of behavior? Does anyone have any suggestions for how I can isolate the problem further?
thx

--- context.xml ---

<Resource name="jdbc/mydb" auth="Container" type="javax.sql.DataSource"
          maxActive="64" maxIdle="16" maxWait="1"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost/MYDB"
          username="user" password="pass" />

<Realm className="org.apache.catalina.realm.DataSourceRealm"
       localDataSource="true" dataSourceName="jdbc/mydb"
       userTable="user" userNameCol="name" userCredCol="password"
       userRoleTable="role" roleNameCol="rolename"
       digest="SHA" />

--- web.xml ---

<resource-ref>
  <description>my database</description>
  <res-ref-name>jdbc/mydb</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authentication</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myRole</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Realm</realm-name>
</login-config>

<security-role>
  <role-name>myRole</role-name>
</security-role>
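To see what the Realm above actually does on each login, here is an added example (not Tomcat code) that rebuilds the two tables named in that config in an in-memory SQLite database and replays DataSourceRealm's two statements and its digest comparison. The rows are constructed; one of them stores a clear-text password to show that with digest="SHA" the credential column must hold exactly the lowercase hex SHA-1 of the password, otherwise that user can never log in. Two things worth checking while chasing intermittent failures: the stored values against this function's output, and the Catalina log for SQLExceptions from the realm, because a realm that cannot obtain a pooled connection logs the error and simply fails the login, and maxWait="1" tells commons-dbcp to give up after one millisecond when the pool is busy.

```python
import hashlib
import hmac
import sqlite3

# JCE algorithm names accepted by digest="..." mapped to hashlib names.
JAVA_TO_HASHLIB = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1",
                   "SHA-256": "sha256", "SHA-512": "sha512"}


def tomcat_digest(password, algorithm="SHA"):
    """Digest a clear-text password the way RealmBase does for digest="SHA":
    one unsalted hash of the password bytes, rendered as lowercase hex."""
    h = hashlib.new(JAVA_TO_HASHLIB[algorithm])
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def build_realm_db():
    """Constructed in-memory copy of the tables the post's Realm points at
    (userTable=user, userNameCol=name, userCredCol=password,
    userRoleTable=role, roleNameCol=rolename)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (name TEXT PRIMARY KEY, password TEXT NOT NULL);
        CREATE TABLE role (name TEXT NOT NULL, rolename TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO user VALUES (?, ?)", [
        ("alice", tomcat_digest("s3cret")),   # stored as the realm expects
        ("bob", tomcat_digest("hunter2")),
        ("carol", "s3cret"),                  # clear text: can never match a digest
    ])
    conn.executemany("INSERT INTO role VALUES (?, ?)", [
        ("alice", "myRole"), ("bob", "viewer"), ("carol", "myRole"),
    ])
    return conn


def authenticate(conn, username, password, algorithm="SHA"):
    """Replay the two statements DataSourceRealm builds from that config:
         SELECT password FROM user WHERE name = ?
         SELECT rolename FROM role WHERE name = ?
    Returns a principal dict on success, None on failure."""
    row = conn.execute("SELECT password FROM user WHERE name = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    # Tomcat compares with String.equals; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(tomcat_digest(password, algorithm), row[0]):
        return None
    roles = [r[0] for r in conn.execute(
        "SELECT rolename FROM role WHERE name = ?", (username,))]
    return {"name": username, "roles": roles}


def is_authorized(principal, required_role="myRole"):
    """The auth-constraint check for the post's web.xml (role-name myRole)."""
    return principal is not None and required_role in principal["roles"]


if __name__ == "__main__":
    db = build_realm_db()
    for user, pw in (("alice", "s3cret"), ("carol", "s3cret"), ("bob", "hunter2")):
        p = authenticate(db, user, pw)
        print(user, "->", "no principal" if p is None else p, "| authorized:", is_authorized(p))
```

Because the digest is a single unsalted SHA-1, two users with the same password store the same column value, and the value can be looked up in precomputed tables; the mapping table above also accepts "SHA-256", which is the least you would want on a credential store that outlives a test setup.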
RE: Realm authentication + Apache Web Server Authentication
That's my configuration: Apache serves static pages and Tomcat dynamic ones. My problem is authenticating the user with the servlet FORM mechanism and, at the same time, being authenticated in Apache, like a single sign-on. Is that possible? Is there a mechanism to do that with the JK2 connector?

José Antonio Tarifa Lorenzo
SAGE-OMEL
Tel. +34 91 659 89 79

-----Original Message-----
From: Jorge Davila [mailto:[EMAIL PROTECTED]]
Sent: Monday, 31 January 2005 21:43
To: Tomcat Users List
Subject: Re: Realm authentication + Apache Web Server Authentication

try to configure ajp13 connector to put apache in front of tomcat.

SAG

Jose Antonio Tarifa wrote:
Hi. I have a question. How can I mix authentication on both servers, Tomcat and Apache? I want to use Form authentication with Tomcat, and I also need Apache Web Server to be authenticated. Is it possible to authenticate a user in Tomcat and get authenticated in Apache at the same time? Thanks.
José Antonio Tarifa Lorenzo
SAGE-OMEL
Tel. +34 91 659 89 79
Tomcat 5 Apache Authentication
Hi,

I'm having problems getting Tomcat 5 to use Apache authentication. I'm using apache 2.0.49 + tomcat 5.0.19 + mod_jk2 2.0.4. I have added tomcatAuthentication=false to server.xml and request.tomcatAuthentication=false to jk2.properties. I'm using the Directory directive and .htaccess files, but it doesn't work.

<Directory /app/>
  AllowOverride AuthConfig
  Order allow,deny
  Satisfy Any
</Directory>

Could you help me please? Thanks in advance.
Arantza
Realm authentication + Apache Web Server Authentication
Hi. I have a question. How can I mix authentication on both servers, Tomcat and Apache? I want to use Form authentication with Tomcat, and I also need Apache Web Server to be authenticated. Is it possible to authenticate a user in Tomcat and get authenticated in Apache at the same time? Thanks.

José Antonio Tarifa Lorenzo
SAGE-OMEL
Tel. +34 91 659 89 79
Re: Realm authentication + Apache Web Server Authentication
try to configure ajp13 connector to put apache in front of tomcat.

SAG

Jose Antonio Tarifa wrote:
Hi. I have a question. How can I mix authentication on both servers, Tomcat and Apache? I want to use Form authentication with Tomcat, and I also need Apache Web Server to be authenticated. Is it possible to authenticate a user in Tomcat and get authenticated in Apache at the same time? Thanks.
José Antonio Tarifa Lorenzo
SAGE-OMEL
Tel. +34 91 659 89 79
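For the two Apache-in-front-of-Tomcat questions in this thread, the httpd.conf fragment below is an added example and not either poster's configuration: Apache authenticates the mounted path with its own mechanism and forwards the request, with the authenticated user, over AJP, while on the Tomcat side the AJP connector carries tomcatAuthentication="false" (the setting already mentioned above) so that Tomcat adopts that user instead of running its own login. The path, realm name, password file and worker name are placeholders; JkMount is mod_jk syntax, and with mod_jk2 the same mapping lives in workers2.properties.

```apache
# Apache owns authentication for everything under /app. Whatever it maps
# to Tomcat over AJP arrives there with REMOTE_USER already set.
<Location /app>
    AuthType Basic
    AuthName "Example application"            # placeholder realm name
    AuthUserFile /etc/httpd/conf/app.htpasswd # placeholder credential file
    Require valid-user
</Location>

# mod_jk mapping to the AJP worker defined in workers.properties (placeholder name).
JkMount /app/* ajp13

# Tomcat side, for reference (server.xml, AJP connector):
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
```

The point to plan around is trust: with tomcatAuthentication off, Tomcat believes whatever user name arrives on port 8009, so that port must be reachable only by Apache. Binding the connector to 127.0.0.1 as above, or firewalling it to the web server's address, is what keeps the front-end authentication from being bypassed by a direct AJP connection.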