Re: Automatic authentication when accessing a servlet ?
It's for administration stuff. Then there is not a lot of possible users.

I am using the form authentication, but I think I was not clear when I said that Tomcat pops up a page... in fact, Tomcat redirects to my login page. No popup is displayed... here is only the login-config (from web.xml); the security-constraint part is set:

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/pages/login.jsp</form-login-page>
        <form-error-page>/pages/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

I am using the j_security_check functionality provided by Tomcat.

If my component sends a request, Tomcat will try to pop up this page... if I add the j_username and j_password to the same request, will Tomcat retrieve these authentication parameters and perform an automatic authentication... do I have to configure something else to make it work?

Is it clearer now :)

Thanks all
Eric

From: "Parsons Technical Services" <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Subject: Re: Automatic authentication when accessing a servlet ?
Date: Thu, 18 Mar 2004 18:12:09 -0500

Is this for a few users or a bunch? If it is a few users then HTTPS Client authentication may work. But more likely what will fit your plan is to use form authentication. If you are getting a prompt for name and password then you are using basic authentication. See SRV.12.5 in the Servlet 2.4 spec. For example, the TC manager uses basic where the admin uses form.

Doug
www.parsonstechnical.com

----- Original Message -----
From: "Halcyon62 ." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 4:32 PM
Subject: Automatic authentication when accessing a servlet ?

> Hi
>
> Is it possible to incorporate the j_username & j_password (used by the
> servlet "j_security_check") in the request to authenticate the caller and
> then, grant access to the servlet that I am trying to access?
>
> I explain the context:
>
> I have a servlet that allows the caller to download log files. I can
> download these logs using my browser, enter the address and then select the
> log I want.
>
> Now, I want to get these logs automatically. I built an external component to
> perform that (it's a requirement I have). The external component builds the
> HTTP request and sends it to Tomcat. If the security constraint is commented
> out, it works perfectly. But if the security constraint is on, it does not
> work because Tomcat is trying to pop up a login page, waiting for username &
> password.
>
> Then, is it possible to incorporate the j_username & j_password (used by the
> servlet "j_security_check") in the request to authenticate the caller and
> then, grant access to the servlet that I am trying to access?
Re: Automatic authentication when accessing a servlet ?
Is this for a few users or a bunch? If it is a few users then HTTPS Client authentication may work. But more likely what will fit your plan is to use form authentication. If you are getting a prompt for name and password then you are using basic authentication. See SRV.12.5 in the Servlet 2.4 spec. For example, the TC manager uses basic where the admin uses form.

Doug
www.parsonstechnical.com

----- Original Message -----
From: "Halcyon62 ." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 4:32 PM
Subject: Automatic authentication when accessing a servlet ?

> Hi
>
> Is it possible to incorporate the j_username & j_password (used by the
> servlet "j_security_check") in the request to authenticate the caller and
> then, grant access to the servlet that I am trying to access?
>
> I explain the context:
>
> I have a servlet that allows the caller to download log files. I can
> download these logs using my browser, enter the address and then select the
> log I want.
>
> Now, I want to get these logs automatically. I built an external component to
> perform that (it's a requirement I have). The external component builds the
> HTTP request and sends it to Tomcat. If the security constraint is commented
> out, it works perfectly. But if the security constraint is on, it does not
> work because Tomcat is trying to pop up a login page, waiting for username &
> password.
>
> Then, is it possible to incorporate the j_username & j_password (used by the
> servlet "j_security_check") in the request to authenticate the caller and
> then, grant access to the servlet that I am trying to access?
Automatic authentication when accessing a servlet ?
Hi

Is it possible to incorporate the j_username & j_password (used by the servlet "j_security_check") in the request to authenticate the caller and then, grant access to the servlet that I am trying to access?

I explain the context:

I have a servlet that allows the caller to download log files. I can download these logs using my browser, enter the address and then select the log I want.

Now, I want to get these logs automatically. I built an external component to perform that (it's a requirement I have). The external component builds the HTTP request and sends it to Tomcat. If the security constraint is commented out, it works perfectly. But if the security constraint is on, it does not work because Tomcat is trying to pop up a login page, waiting for username & password.

Then, is it possible to incorporate the j_username & j_password (used by the servlet "j_security_check") in the request to authenticate the caller and then, grant access to the servlet that I am trying to access?
RE: HTTPS support for tomcat using openSSL with Client Authentication
Hi

I got the answer and its working too.

saravanan

-----Original Message-----
From: Anbu [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 7:17 PM
To: Tomcat Users List
Subject: RE: HTTPS support for tomcat using openSSL with Client Authentication

First of all did u try without tomcat?

[EMAIL PROTECTED] wrote:

Still I am looking in to it. If you have any idea please let me know.

Regards
saravanan

-----Original Message-----
From: Anbu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 7:38 PM
To: Tomcat Users List
Subject: Re: HTTPS support for tomcat using openSSL with Client Authentication

Hello Saravanan,

Have you got the answer you wanted ?

Anbu

[EMAIL PROTECTED] wrote:

Hi All,

I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work, however I was able to get the https working with "clientAuth=false" in tomcat's configuration file "server.xml file".

http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system.

Please let me know If I am doing something wrong?

Thanks & Regards
csaravanan
RE: HTTPS support for tomcat using openSSL with Client Authentication
First of all did u try without tomcat?

[EMAIL PROTECTED] wrote:

Still I am looking in to it. If you have any idea please let me know.

Regards
saravanan

-----Original Message-----
From: Anbu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 7:38 PM
To: Tomcat Users List
Subject: Re: HTTPS support for tomcat using openSSL with Client Authentication

Hello Saravanan,

Have you got the answer you wanted ?

Anbu

[EMAIL PROTECTED] wrote:

Hi All,

I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work, however I was able to get the https working with "clientAuth=false" in tomcat's configuration file "server.xml file".

http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system.

Please let me know If I am doing something wrong?

Thanks & Regards
csaravanan
RE: Client authentication and customized error pages
(Hi everyone! Here I am again, asking for some help about https authentication and custom error pages.)

Dear Mr. Bill Barker,

We've used "clientAuth=want" as you suggested; and now we've managed to "know" that a client tried to access the application without a valid certificate. That's OK, and we thank you very much.

But when we try to launch a customized error page, a new error happens. It seems that the connection with the remote browser is broken. Who closed it? When? How? The point is that we can't return our error page...

I've seen that Mr. Alain Baucant has been working with the same problem. Maybe he could help us.

Thanks in advance,

Carlos Guardiola

PS- We've got the stacktrace in our catalina.out; it's quite large, I think I'm gonna send you a shorter one ;-)

ADVERTENCIA: Exception getting SSL Cert
java.net.SocketException: Socket Closed
    at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
    at java.net.Socket.setSoTimeout(Socket.java:924)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:137)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1082)
    ()
(Sysdate) org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at java.io.InputStream.read(InputStream.java:89)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
    ()
(Sysdate) org.apache.coyote.http11.Http11Processor action
ADVERTENCIA: Exception getting SSL Cert
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at java.io.InputStream.read(InputStream.java:89)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
    ()

Here is the access log; it seems that it's trying to get the "Error 400" page...

(client IP) - - [(Sysdate)] "GET /(app. directory)/ HTTP/1.1" 400 45

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED] On behalf of Bill Barker
Sent: Friday, March 05, 2004 3:20
To: [EMAIL PROTECTED]
Subject: Re: Client authentication and customized error pages

Using clientAuth="true", the error happens too early to be able to invoke an error-page. You might try using clientAuth="want" instead. In this case, the user still gets prompted for a cert, but the request continues if she hits "cancel". It is then the responsibility of your webapp to handle the case where there is no cert sent.

"Carlos Guardiola" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Hi everyone!
> I'm using SSL client authentication in a tomcat 5.0.19. Everything goes
> fine, but I need some help customizing error pages.
>
> When a client wants to use my application, the browser asks him to choose
> a valid certificate, but perhaps he hasn't a valid one. If he doesn't
> have a certificate, the client authentication can't be done, so my
> application is never invoked. O.K.
>
> So, the browser shows a "page not found error", which isn't one of my
> application's customized error pages (as my application has never been
> invoked). How can I customize that error page, in order to show
> something like "you need a valid certificate"?
>
> I've created my own ErrorReportValve, used in the
> "errorReportValveClass" directive of the Host in my tomcat's server.xml.
> But it also seems not being invoked...
>
> Any help will be useful, thanks in advance,
>
> Carlos
RE: HTTPS support for tomcat using openSSL with Client Authentication
Still I am looking in to it. If you have any idea please let me know.

Regards
saravanan

-----Original Message-----
From: Anbu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 7:38 PM
To: Tomcat Users List
Subject: Re: HTTPS support for tomcat using openSSL with Client Authentication

Hello Saravanan,

Have you got the answer you wanted ?

Anbu

[EMAIL PROTECTED] wrote:

Hi All,

I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work, however I was able to get the https working with "clientAuth=false" in tomcat's configuration file "server.xml file".

http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system.

Please let me know If I am doing something wrong?

Thanks & Regards
csaravanan
Re: HTTPS support for tomcat using openSSL with Client Authentication
Hello Saravanan,

Have you got the answer you wanted ?

Anbu

[EMAIL PROTECTED] wrote:

Hi All,

I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work, however I was able to get the https working with "clientAuth=false" in tomcat's configuration file "server.xml file".

http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system.

Please let me know If I am doing something wrong?

Thanks & Regards
csaravanan
Timeout or log out for Realm authentication
Hello,

Is it possible to set a timeout or manually logout a user that is authenticated with a realm? Because the user is always 'logged' until the navigator is closed.

Cheers,

--
Joan Jesús Pujol Espinar
Tècnic de Sistemes
Universitat de Girona
Dpt. Informàtica i Matemàtica Aplicada
Campus Montilivi
17003 - Girona (Spain)
e-mail: [EMAIL PROTECTED]
+34 972 418418
Fax: +34 972 418792
HTTPS support for tomcat using openSSL with Client Authentication
Hi All,

I wanted to support SSL with Client Authentication over Tomcat 4.18. I followed the steps mentioned in the link below, but I couldn't succeed in getting the client authentication to work, however I was able to get the https working with "clientAuth=false" in tomcat's configuration file "server.xml file".

http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

I have attached the screenshot of the security message I see on the client which doesn't list any certificate to choose from, though I have imported the client certificate.pkcs12 (step 16) and the CA certificate on the client system.

Please let me know If I am doing something wrong?

Thanks & Regards
csaravanan
Re: Tomcat Realm Authentication + Storing Objects In The Session
On 03/11/2004 08:56 AM Ronald Wildenberg wrote:

>> My biggest unknown right now is, because the server handles the creation
>> of the session, what would it take to make the server grab a user object
>> from the database and store it in the session after the user logs in?
>
> Can't you use an HttpSessionListener for this? It is called right after a
> session is created (and when it's destroyed again). I'm not sure though
> whether there's enough information in the HttpSession object for you to be
> able to grab something from the database at the time
> HttpSessionListener.sessionCreated() is called.

I do it with a filter. Easy to check request.getRemoteUser(), fetch the session and check for the user bean.

Adam

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
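The filter approach Adam describes, written out as an added example (not code from the thread): once the container has authenticated the caller, the filter looks up the user named by getRemoteUser() and caches a bean in the session. The JNDI name jdbc/AppDB, the users table and its columns, and the "userBean" session attribute are assumptions; the javax.servlet packages match the Tomcat versions discussed here (newer containers use jakarta.servlet).

```java
import java.io.IOException;
import java.io.Serializable;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/** Added example: hypothetical filter that attaches a user bean after realm login. */
public class UserBeanFilter implements Filter {

    /** Minimal profile object kept in the session (fields are assumptions). */
    public static final class UserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String userName;
        public final String fullName;
        public final String email;

        UserBean(String userName, String fullName, String email) {
            this.userName = userName;
            this.fullName = fullName;
            this.email = email;
        }
    }

    static final String USER_ATTR = "userBean";   // assumed attribute name

    private DataSource dataSource;

    public void init(FilterConfig config) throws ServletException {
        try {
            // Assumed resource name; declare it in web.xml / the context config.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/AppDB is not configured", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String remoteUser = request.getRemoteUser();   // set by the container, not by the client

        if (remoteUser != null) {
            HttpSession session = request.getSession();
            UserBean cached = (UserBean) session.getAttribute(USER_ATTR);
            // Reload when missing, or when the session now belongs to a different
            // principal, so one user's bean is never served to another.
            if (cached == null || !remoteUser.equals(cached.userName)) {
                try {
                    session.setAttribute(USER_ATTR, loadUser(remoteUser));
                } catch (SQLException e) {
                    throw new ServletException("User lookup failed", e);
                }
            }
        } else {
            // Not authenticated: make sure no stale bean survives in the session.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(USER_ATTR);
            }
        }
        chain.doFilter(req, res);
    }

    /** Parameterized lookup; the user name is never concatenated into the SQL. */
    private UserBean loadUser(String userName) throws SQLException, ServletException {
        String sql = "SELECT full_name, email FROM users WHERE user_name = ?";
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new ServletException("Authenticated user has no profile row");
                }
                return new UserBean(userName, rs.getString(1), rs.getString(2));
            }
        }
    }

    public void destroy() { }
}
```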
RE: Tomcat Realm Authentication + Storing Objects In The Session
> My biggest unknown right now is, because the server handles the creation
> of the session, what would it take to make the server grab a user object
> from the database and store it in the session after the user logs in?

Can't you use an HttpSessionListener for this? It is called right after a session is created (and when it's destroyed again). I'm not sure though whether there's enough information in the HttpSession object for you to be able to grab something from the database at the time HttpSessionListener.sessionCreated() is called.

Regards,
Ronald.
Re: AD authentication if exact jndi context not known
Hi,

I'm trying to use referrals="follow" in the JNDIRealm in order to make it work against Active Directory, but it's not working, I'm receiving the exception below (I'm supposing the AD process is broken).

Also I've found that the JNDI tutorial says that referrals="follow" doesn't work for AD:

http://java.sun.com/products/jndi/tutorial/ldap/referral/jndi.html

Somebody knows if referrals="follow" is working with Active Directory? If somebody has it working, please send me the version of AD you're using.

Thanks in advance

P.S. Sorry if this message arrives duplicated, I sent it yesterday but I don't see it on the mailing list.

2004-03-03 09:01:31 JNDIRealm[Standalone]: Exception performing authentication
javax.naming.PartialResultException. Root exception is javax.naming.CommunicationException: neptuno:389. Root exception is java.net.ConnectException: Connection timed out: connect
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
    at java.net.Socket.connect(Socket.java:426)
    at java.net.Socket.connect(Socket.java:376)
    at java.net.Socket.<init>(Socket.java:291)
    at java.net.Socket.<init>(Socket.java:119)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:346)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:181)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:119)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1668)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2528)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:275)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:173)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:134)
    at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:35)
    at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:579)
    at javax.naming.spi.NamingManager.processURL(NamingManager.java:361)
    at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:341)
    at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:313)
    at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:93)
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:132)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:334)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:207)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:170)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1036)
RE: Tomcat Realm Authentication + Storing Objects In The Session
Hi,

> I've run into this in JBoss and ended up making some custom mechanisms -
> I'm hoping I don't have to do the same here!

You would have to write custom code.

Yoav Shapira
Tomcat Realm Authentication + Storing Objects In The Session
Hey Everyone - I have been trying to figure out if Realm authentication is appropriate for my project or if I need to implement my own. My biggest unknown right now is, because the server handles the creation of the session, what would it take to make the server grab a user object from the database and store it in the session after the user logs in? I've run into this in JBoss and ended up making some custom mechanisms - I'm hoping I don't have to do the same here! Thanks, Alan
Using Tomcat to implement a Weblogic like SSO authentication
Hi,

I am trying to evaluate migrating our application from Weblogic to a Tomcat/JBoss environment. One of the main roadblocks at the moment is our reliance on the way SSO is done in weblogic.

In weblogic, even within the same virtual host, you can specify different SSO domains by defining different names for the sessionID parameter. All webapps sharing the same sessionID name will share the same user authentication information. This is independent of whether the sessionID is passed as a cookie or as a parameter of the request.

So given the following URLs:

/app1/main.html;dom1Id=sdjhfaksjdhfa
/app2/other.html;dom1Id=sdjhfaksjdhfa
/app3/another.html;dom2Id=sdjhfaksjdhfa

In this case going from /app1 to /app2 will not require authentication because they use the same SSO information. But going to /app3 will cause a login since the domain is different.

Moreover, this needs to work without cookies. We have to switch off the use of cookies due to problems in the session cookie handling by some browsers.

Is such a configuration possible in Tomcat? Or, if not, does the Tomcat API provide what is needed so one can EASILY build such an authentication module? Any additional suggestions?

I have looked and looked around for answers on this regard but found nothing.

Thanks in advance,
Jose
Re: Client authentication and customized error pages
Using clientAuth="true", the error happens too early to be able to invoke an error-page. You might try using clientAuth="want" instead. In this case, the user still gets prompted for a cert, but the request continues if she hits "cancel". It is then the responsibility of your webapp to handle the case where there is no cert sent.

"Carlos Guardiola" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Hi everyone!
> I'm using SSL client authentication in a tomcat 5.0.19. Everything goes
> fine, but I need some help customizing error pages.
>
> When a client wants to use my application, the browser asks him to choose
> a valid certificate, but perhaps he hasn't a valid one. If he doesn't
> have a certificate, the client authentication can't be done, so my
> application is never invoked. O.K.
>
> So, the browser shows a "page not found error", which isn't one of my
> application's customized error pages (as my application has never been
> invoked). How can I customize that error page, in order to show
> something like "you need a valid certificate"?
>
> I've created my own ErrorReportValve, used in the
> "errorReportValveClass" directive of the Host in my tomcat's server.xml.
> But it also seems not being invoked...
>
> Any help will be useful, thanks in advance,
>
> Carlos
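One way the webapp can take on that responsibility when the connector runs with clientAuth="want", as an added example that is not part of the original thread: a servlet filter that fails closed when the request carries no client certificate and renders the application's own page. The class name, the errorPage init parameter, /no-cert.jsp and the clientSubjectDN attribute are assumptions; the certificate attribute name is the one defined by the Servlet specification.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not from the thread).
 * With clientAuth="want" the connector no longer rejects certificate-less
 * clients, so every protected URL has to pass through a check like this one.
 *
 * web.xml mapping (names are assumptions):
 *   <filter>
 *     <filter-name>requireClientCert</filter-name>
 *     <filter-class>RequireClientCertFilter</filter-class>
 *     <init-param>
 *       <param-name>errorPage</param-name>
 *       <param-value>/no-cert.jsp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>requireClientCert</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RequireClientCertFilter implements Filter {

    /** Request attribute under which the container exposes the peer certificate chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private String errorPage = "/no-cert.jsp";   // assumed default

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("errorPage");
        // Only accept a context-relative path for the forward target.
        if (configured != null && configured.startsWith("/")) {
            errorPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A certificate can only have been presented over TLS; refuse anything else.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // The user cancelled the browser prompt or has no certificate:
            // answer 403 with the application's own page instead of the target.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setHeader("Cache-Control", "no-store");
            // Filters run on the original request dispatch by default, so this
            // forward does not re-enter the filter.
            request.getRequestDispatcher(errorPage).forward(request, response);
            return;
        }

        // certs[0] is the client's own certificate; expose its subject for
        // later authorization decisions (attribute name is an assumption).
        request.setAttribute("clientSubjectDN", certs[0].getSubjectDN().getName());
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```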
Client authentication and customized error pages
Hi everyone!

I'm using SSL client authentication in a tomcat 5.0.19. Everything goes fine, but I need some help customizing error pages.

When a client wants to use my application, the browser asks him to choose a valid certificate, but perhaps he hasn't a valid one. If he doesn't have a certificate, the client authentication can't be done, so my application is never invoked. O.K.

So, the browser shows a "page not found error", which isn't one of my application's customized error pages (as my application has never been invoked). How can I customize that error page, in order to show something like "you need a valid certificate"?

I've created my own ErrorReportValve, used in the "errorReportValveClass" directive of the Host in my tomcat's server.xml. But it also seems not being invoked...

Any help will be useful, thanks in advance,

Carlos
Form based authentication
Hi

I have successfully set up tomcat to protect various parts of my application using JDBCRealm and form-based authentication, and it all works fine.

Now I have written a system whereby new users can register and it creates them their chosen username and puts them in the right roles in the database.

Now what I want to be able to do is have my servlet automatically log them in as they register without the need for them to be redirected to the login form and re-enter their username and password.

I am presuming this is possible as I log my users out by invoking request.getSession().invalidate(); in my logoff servlet, so my question is how do I create their session without using the default login form?

Thanks
Edd
Re: Alternatives to J2EE Authentication
Hello.

The idea of a servlet filter to manage part of the user login process that I read here rang a bell in my head. Diggin' in books & articles I finally found where I have first heard such a thing :^)

In "Professional Struts Applications" (Carnel, Linwood, Zawadzki - Apress, 2003) the authors state that it is possible to define "[...] a filter [...] that checks if the user is logged on into the application. If the user has not logged in yet, they will automatically be logged in as an anonymous user", furthermore, "[...] this filter is called every time the Struts ActionServlet is invoked" (achieved by mapping the filter and action servlet to the same url pattern, of course)

This whole filter thing seems like a pretty good trick to me, and becomes even more interesting if, for instance, you think of adding Tiles into the mix to take care of different (and automatically loaded) application Look & Feel depending on the type of user...

Anyway, just some thoughts I thought I'd share on the list...

Best regards,
Carlos

"You start coding. I'll go find out what they want."
Computer analyst to programmer

----- Original Message -----
From: "David Evans" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 26, 2004 10:31 PM
Subject: Re: Alternatives to J2EE Authentication

> Having just researched this, here's what i found.
> Using a javax.servlet.Filter works very well.
> As you say, You check the session for an attribute value that indicates
> authentication. in its absence you use a RequestDispatcher to
> forward to a login servlet which checks for four cases:
> 1. no request parameters, display logon form
> 2. invalid request parameters, display errors
> 3. unable to authenticate with valid parameters, display error
> 4. parameters authenticate, forward to home page
> Thanks to Rick Bay on the struts-users list for this idea.
> along with option 3 on this email.
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg24504.html
>
> This is a fully featured, xml file configurable filter
> that i will eventually use as my solution:
> http://securityfilter.sourceforge.net/
>
> but for fun and understanding i wrote (cut and pasted bits from the web
> really) this one, as a test:
>
> public final class AuthFilter implements Filter {
>
>     public void doFilter(ServletRequest request, ServletResponse response,
>                          FilterChain chain)
>         throws IOException, ServletException {
>
>         boolean auth = false;
>
>         if (request instanceof HttpServletRequest) {
>             HttpSession session =
>                 ((HttpServletRequest)request).getSession();
>             String path = ((HttpServletRequest) request).getPathInfo();
>             Boolean authAttr =
>                 (Boolean) session.getAttribute("authenticated");
>             if (authAttr != null) auth = authAttr.booleanValue();
>         }
>         if (auth) {
>             chain.doFilter(request, response);
>             return;
>         }
>         else {
>             RequestDispatcher dispatcher =
>                 request.getRequestDispatcher("/login.do");
>             dispatcher.forward (request, response);
>             return;
>         }
>     }
>
> }
>
> Hope that helps.
>
> dave
>
> On Thu, 2004-02-26 at 18:19, Steven J. Owens wrote:
> > Hi folks,
> >
> > The most common (and frustrating) bookmarked login page gotcha
> > with J2EE authentication has been oft-discussed (broken as designed)
> > on this list.
> >
> > What are people's favorite alternatives to J2EE authentication?
> > And why?
> >
> > Something I'm particularly interested is alternatives that don't
> > require me to rebuild the application from scratch. I'm looking at
> > tearing out the old login process and putting in a new one and I don't
> > really want to start the whole thing over.
> >
> > If I had to build it from scratch myself, I'd do it as a simple
> > Servlet filter that checks for a Principal object stored in the user's
> > HttpSession.
Alternatives to J2EE Authentication
Hi folks,

The most common (and frustrating) bookmarked login page gotcha with J2EE authentication has been oft-discussed (broken as designed) on this list.

What are people's favorite alternatives to J2EE authentication? And why?

Something I'm particularly interested is alternatives that don't require me to rebuild the application from scratch. I'm looking at tearing out the old login process and putting in a new one and I don't really want to start the whole thing over.

If I had to build it from scratch myself, I'd do it as a simple Servlet filter that checks for a Principal object stored in the user's HttpSession.

--
Steven J. Owens
[EMAIL PROTECTED]

"I'm going to make broad, sweeping generalizations and strong, declarative statements, because otherwise I'll be here all night and this document will be four times longer and much less fun to read. Take it all with a grain of salt." - Me at http://darksleep.com
Re: Alternatives to J2EE Authentication
http://securityfilter.sourceforge.net/

This is perfect! Not container specific!

On Feb 26, 2004, at 4:19 PM, Steven J. Owens wrote:

> Hi folks,
>
> The most common (and frustrating) bookmarked login page gotcha with J2EE
> authentication has been oft-discussed (broken as designed) on this list.
>
> What are people's favorite alternatives to J2EE authentication? And why?
>
> Something I'm particularly interested is alternatives that don't require
> me to rebuild the application from scratch. I'm looking at tearing out
> the old login process and putting in a new one and I don't really want
> to start the whole thing over.
>
> If I had to build it from scratch myself, I'd do it as a simple Servlet
> filter that checks for a Principal object stored in the user's
> HttpSession.
>
> --
> Steven J. Owens
> [EMAIL PROTECTED]
>
> "I'm going to make broad, sweeping generalizations and strong,
> declarative statements, because otherwise I'll be here all night and
> this document will be four times longer and much less fun to read. Take
> it all with a grain of salt." - Me at http://darksleep.com
Re: Alternatives to J2EE Authentication
Having just researched this, here's what i found.
Using a javax.servlet.Filter works very well.
As you say, You check the session for an attribute value that indicates authentication. in its absence you use a RequestDispatcher to forward to a login servlet which checks for four cases:
1. no request parameters, display logon form
2. invalid request parameters, display errors
3. unable to authenticate with valid parameters, display error
4. parameters authenticate, forward to home page
Thanks to Rick Bay on the struts-users list for this idea. along with option 3 on this email.
http://www.mail-archive.com/[EMAIL PROTECTED]/msg24504.html

This is a fully featured, xml file configurable filter that i will eventually use as my solution:
http://securityfilter.sourceforge.net/

but for fun and understanding i wrote (cut and pasted bits from the web really) this one, as a test:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class AuthFilter implements Filter {

    // init() and destroy() are required by the Filter interface
    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
        throws IOException, ServletException {

        boolean auth = false;

        if (request instanceof HttpServletRequest) {
            // getSession() creates a session if there is none yet
            HttpSession session =
                ((HttpServletRequest) request).getSession();
            String path = ((HttpServletRequest) request).getPathInfo(); // unused
            // session attribute that indicates authentication
            Boolean authAttr =
                (Boolean) session.getAttribute("authenticated");
            if (authAttr != null) auth = authAttr.booleanValue();
        }
        if (auth) {
            chain.doFilter(request, response);
            return;
        }
        else {
            // not authenticated: forward to the login servlet
            RequestDispatcher dispatcher =
                request.getRequestDispatcher("/login.do");
            dispatcher.forward(request, response);
            return;
        }
    }

    public void destroy() { }
}

Hope that helps.

dave

On Thu, 2004-02-26 at 18:19, Steven J. Owens wrote:
> Hi folks,
>
> The most common (and frustrating) bookmarked login page gotcha
> with J2EE authentication has been oft-discussed (broken as designed)
> on this list.
>
> What are people's favorite alternatives to J2EE authentication?
> And why?
>
> Something I'm particularly interested is alternatives that don't
> require me to rebuild the application from scratch. I'm looking at
> tearing out the old login process and putting in a new one and I don't
> really want to start the whole thing over.
>
> If I had to build it from scratch myself, I'd do it as a simple
> Servlet filter that checks for a Principal object stored in the user's
> HttpSession.
Possible to implement Pubcookie authentication using Tomcat Realm?
I recently found out about a way to create a single sign-on setup for authentication for Web applications called Pubcookie. The following link has a diagram that shows how it works. If a user hasn't yet authenticated, they are redirected to a separate server that displays a login page. Then, once the user has authenticated correctly, they are redirected back to the original Web application.

http://www.pubcookie.org/docs/how-pubcookie-works.html

I'm wondering if anyone knows if it would be possible to implement this in Tomcat as a Realm? Or, would it be more complicated than that since it does a redirect?

Jon
Reg Form Authentication
Hi All,

I am using FORM authentication for my web pages. I have no problems in authenticating a user during login where the flow would be like

Secured page ----> Login Screen ----> Authentication via form ---> Secured Page on success.

Now i have another page where a user can sign in. In this case, when i do a form submit of the user creation page, my secured page should be brought up, without going to the login screen. i.e, the user should be considered as authenticated. How can i do this.

Thanks
Shanmugam PL
NTLM Authentication & "POST" Method
Hello,

I am using post method of sending data to servlet from a JSP page. I am unable to get the data by request.getParameter().
If I am using get method I am able to retrieve data from JSP page

I was just searching on Google. Actually I am using NTLM Authentication in my Login Servlet. I think there is some conflict between NTLM Authentication and POST method.

Any body has an idea what to do or set to get the things done ?

http://support.microsoft.com/default.aspx?scid=kb;DE;308074

I am using code from below link:
http://www.jguru.com/faq/view.jsp?EID=1045412

Best Regards
Abhay Kumar
Re: Form Based Authentication - Registration
On 02/14/2004 10:31 AM Alexander F. Hartner wrote:

> Now we want to add registration and have the following happen
> 1.) Customer requests access to a realm
> 2.) Redirect to login page
> 3.) Customer doesn't have an account yet and accesses registration page
> 4.) Customer registers
> 5.) On successful registration the customer is redirected to the
> original request
>
> Now to get this working we need the following, both of which we are not
> sure are currently provided by the authentication framework.
> -Ability to access the original (SavedRequest) from a JSP / Servlet
> -Ability to "auto/fake" login from within the webapplication

You cannot access the original request if the url is protected by a security-constraint and the user has not logged in. Tomcat will always jump in first with the CMS login.

To fake it and keep CMS, reduce your real realm to a security constraint on one URL and set up a filter to check for the user's status. If not logged in, save the parts of the request you need in the session, and redirect the user to the protected page to trigger the container login. Then after the login succeeds and the user gets through to that protected URL, check the session for the info and redirect them to their original destination.

You can put a link on the login page to the registration URL - I'm not sure about the redirection logic but it should be possible to redirect them after registration back to the login page to login, and then on to their original destination.

HTH
Adam

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
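The flow Adam describes above, written out as an added example that is not part of the original thread: a filter that remembers where the user was going and sends them to the single container-protected URL, and the servlet behind that URL that sends them back after login. All class names, paths and session attribute names are hypothetical, and the filter is assumed not to be mapped to the login or registration pages.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example; every name and path below is hypothetical. */
public final class LoginGate {

    static final String GATE_PATH = "/secure/gate";        // only URL under <security-constraint>
    static final String HOME_PATH = "/index.jsp";          // fallback destination
    static final String TARGET_ATTR = "loginGate.target";  // saved original destination
    static final String USER_ATTR = "loginGate.user";      // set only after container login

    private LoginGate() {
    }

    /** Accept only a path inside this webapp: one leading slash, no control characters. */
    static boolean isLocalPath(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return false; // blocks header splitting and browser-normalized "/\host"
            }
        }
        return true;
    }

    /** Checks the user's status and saves the parts of the request needed later. */
    public static final class SaveTargetFilter implements Filter {
        public void init(FilterConfig config) {
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                             FilterChain chain) throws IOException, ServletException {
            if (!(request instanceof HttpServletRequest)) {
                throw new ServletException("HTTP requests only");
            }
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            HttpSession session = req.getSession(true);

            // Already logged in, or the container has just let the user
            // through to the protected URL: nothing to do.
            if (session.getAttribute(USER_ATTR) != null
                    || GATE_PATH.equals(req.getServletPath())) {
                chain.doFilter(request, response);
                return;
            }
            // Only a GET can be replayed by a redirect; the target is built
            // from this request's own path, never from a request parameter.
            if ("GET".equals(req.getMethod())) {
                String target = req.getServletPath();
                if (req.getPathInfo() != null) {
                    target += req.getPathInfo();
                }
                if (req.getQueryString() != null) {
                    target += "?" + req.getQueryString();
                }
                session.setAttribute(TARGET_ATTR, target);
            }
            // Requesting the protected URL triggers the container's login form.
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + GATE_PATH));
        }

        public void destroy() {
        }
    }

    /** Mapped to GATE_PATH; reached only after the container login succeeded. */
    public static final class GateServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse res)
                throws IOException {
            String user = req.getRemoteUser();
            if (user == null) {
                // The security-constraint is missing or wrong: fail closed.
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            HttpSession session = req.getSession(true);
            session.setAttribute(USER_ATTR, user);
            String target = (String) session.getAttribute(TARGET_ATTR);
            session.removeAttribute(TARGET_ATTR);
            if (!isLocalPath(target)) {
                target = HOME_PATH;
            }
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + target));
        }
    }
}
```

In web.xml the nested classes are referenced as `LoginGate$SaveTargetFilter` and `LoginGate$GateServlet`. The logoff servlet has to invalidate the session (or remove `loginGate.user`), otherwise the filter keeps treating the user as logged in.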
Form Based Authentication - Registration
We have form based authentication working as follows :

1.) Customer requests access to a realm
2.) Redirect to login page
3.) Customer authenticates
4.) Customer redirected to realm as original request

Now we want to add registration and have the following happen

1.) Customer requests access to a realm
2.) Redirect to login page
3.) Customer doesn't have an account yet and accesses registration page
4.) Customer registers
5.) On successful registration the customer is redirected to the original request

Now to get this working we need the following, both of which we are not sure are currently provided by the authentication framework.

-Ability to access the original (SavedRequest) from a JSP / Servlet
-Ability to "auto/fake" login from within the webapplication

Is this currently possible ?

Thanks
Alex

Alexander F. Hartner
eMail : [EMAIL PROTECTED]
Work : +27-11-646-6459
Fax : +27-11-646-5868

The programmers of old were mysterious and profound. We cannot fathom their thoughts, so all we do is describe their appearance.
Aware, like a fox crossing the water. Alert, like a general on the battlefield. Kind, like a hostess greeting her guests.
Simple, like uncarved blocks of wood. Opaque, like black pools in darkened caves.
Who can tell the secrets of their hearts and minds?
The answer exists only in the Tao.
-- Geoffrey James, "The Tao of Programming"
RE: NTLM Authentication & POST Method
Hi,

Can anybody give a solution to the problem mentioned in the below Email
I am still struggling ..

Best Regards
Abhay Kumar

-----Original Message-----
From: Yansheng Lin [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 12, 2004 2:27 PM
To: 'Tomcat Users List'
Subject: RE: NTLM Authentication & POST Method

From the servlet API:
If the parameter data was sent in the request body, such as occurs with an HTTP POST request, then reading the body directly via getInputStream() or getReader() can interfere with the execution of this method.

Just wondering if any of the method mentioned above being called in your doPost()? Hope this helps.

-----Original Message-----
From: Kumar Abhay-CAK203C [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 12:08 PM
To: 'Tomcat Users List'
Subject: NTLM Authentication & POST Method
Importance: High

Hello,

I am using post method of sending data to servlet from a JSP page. I am unable to get the data by request.getParameter().
If I am using get method I am able to retrieve data from JSP page

I was just searching on Google. Actually I am using NTLM Authentication in my Login Servlet. I think there is some conflict between NTLM Authentication and POST method.

Any body has an idea what to do or set to get the things done ?

http://support.microsoft.com/default.aspx?scid=kb;DE;308074

I am using code from below link:
http://www.jguru.com/faq/view.jsp?EID=1045412

Best Regards
Abhay Kumar
RE: NTLM Authentication & POST Method
From the servlet API:
If the parameter data was sent in the request body, such as occurs with an HTTP POST request, then reading the body directly via getInputStream() or getReader() can interfere with the execution of this method.

Just wondering if any of the method mentioned above being called in your doPost()? Hope this helps.

-----Original Message-----
From: Kumar Abhay-CAK203C [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 12:08 PM
To: 'Tomcat Users List'
Subject: NTLM Authentication & POST Method
Importance: High

Hello,

I am using post method of sending data to servlet from a JSP page. I am unable to get the data by request.getParameter().
If I am using get method I am able to retrieve data from JSP page

I was just searching on Google. Actually I am using NTLM Authentication in my Login Servlet. I think there is some conflict between NTLM Authentication and POST method.

Any body has an idea what to do or set to get the things done ?

http://support.microsoft.com/default.aspx?scid=kb;DE;308074

I am using code from below link:
http://www.jguru.com/faq/view.jsp?EID=1045412

Best Regards
Abhay Kumar
NTLM Authentication & POST Method
Hello,

I am using post method of sending data to servlet from a JSP page. I am unable to get the data by request.getParameter().
If I am using get method I am able to retrieve data from JSP page

I was just searching on Google. Actually I am using NTLM Authentication in my Login Servlet. I think there is some conflict between NTLM Authentication and POST method.

Any body has an idea what to do or set to get the things done ?

http://support.microsoft.com/default.aspx?scid=kb;DE;308074

I am using code from below link:
http://www.jguru.com/faq/view.jsp?EID=1045412

Best Regards
Abhay Kumar
RE: Tomcat Manager/Admin authentication
Howdy,

>I think you can turn it off by deleting the
>definitions in
>the file /WEB-INF/web.xml of both apps.

Doh! ;) Well, at least I provided some humor today. Thanks Juan ;)

Yoav Shapira

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
RE: Tomcat Manager/Admin authentication
Yes, this works. I just tested it with each on the current 5.0 from CVS

-----Original Message-----
From: Juan de Bravo [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 12:11 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat Manager/Admin authentication

I think you can turn it off by deleting the definitions in the file /WEB-INF/web.xml of both apps.

Juan.

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 18:04
To: Tomcat Users List
Subject: RE: Tomcat Manager/Admin authentication

Howdy,

>Does any1 know how to turn off the Tomcat prompting for u/p when trying
>to access manager / admin applications ?

It's not possible without modifying the source code for those apps.

Yoav Shapira
RE: Tomcat Manager/Admin authentication
I think you can turn it off by deleting the definitions in the file /WEB-INF/web.xml of both apps.

Juan.

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 18:04
To: Tomcat Users List
Subject: RE: Tomcat Manager/Admin authentication

Howdy,

>Does any1 know how to turn off the Tomcat prompting for u/p when trying
>to access manager / admin applications ?

It's not possible without modifying the source code for those apps.

Yoav Shapira
RE: Tomcat Manager/Admin authentication
Howdy,

>Does any1 know how to turn off the Tomcat prompting for u/p when trying
>to access manager / admin applications ?

It's not possible without modifying the source code for those apps.

Yoav Shapira
Tomcat Manager/Admin authentication
Does any1 know how to turn off the Tomcat prompting for u/p when trying to access manager / admin applications ?

Thanks,
Pete.

***
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses.
***
For any information on the Quinn Group of Companies please visit :- http://www.quinn-group.com
RE: How to restrict all webapps with http authentication in Tomcat?
Try again this (it works from my computer):
http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si
nglesignon.html

I'm sorry if the url is divided into two lines in your incoming mail. Simply concatenate them.

Radek

> -----Original Message-----
> From: Salvador Santander Gutierrez
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 06, 2004 12:07 PM
> To: Tomcat Users List
> Subject: Re: How to restrict all webapps with http authentication in
> Tomcat?
>
> Thanks for your help but the url passed doesn't work.
>
>
> ----- Original Message -----
> From: "rlipi" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Friday, February 06, 2004 10:21 AM
> Subject: RE: How to restrict all webapps with http authentication in
> Tomcat?
>
>
> > Will help this:
> > http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si
> > nglesignon.html#Security ?
> >
> > Radek
> >
> >
> > > -----Original Message-----
> > > From: Salvador Santander Gutierrez
> > > [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, February 06, 2004 10:16 AM
> > > To: Tomcat List
> > > Subject: How to restrict all webapps with http authentication in
> > Tomcat?
> > >
> > > I need to restrict all web applications in Tomcat with the same users?
> > I
> > > know how to restrict a specific web application with its web.xml
> > but...
> > > how
> > > to restrict /* in tomcat, included html pages?
> > > Thanks.
Re: How to restrict all webapps with http authentication in Tomcat?
Thanks for your help but the url passed doesn't work.

----- Original Message -----
From: "rlipi" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Friday, February 06, 2004 10:21 AM
Subject: RE: How to restrict all webapps with http authentication in Tomcat?

> Will help this:
> http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si
> nglesignon.html#Security ?
>
> Radek
>
>
> > -----Original Message-----
> > From: Salvador Santander Gutierrez
> > [mailto:[EMAIL PROTECTED]
> > Sent: Friday, February 06, 2004 10:16 AM
> > To: Tomcat List
> > Subject: How to restrict all webapps with http authentication in
> Tomcat?
> >
> > I need to restrict all web applications in Tomcat with the same users?
> I
> > know how to restrict a specific web application with its web.xml
> but...
> > how
> > to restrict /* in tomcat, included html pages?
> > Thanks.
RE: How to restrict all webapps with http authentication in Tomcat?
Will help this:
http://www.ingrid.org/jajakarta/tomcat/tomcat-4.0b5/src/catalina/docs/si
nglesignon.html#Security ?

Radek

> -----Original Message-----
> From: Salvador Santander Gutierrez
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 06, 2004 10:16 AM
> To: Tomcat List
> Subject: How to restrict all webapps with http authentication in Tomcat?
>
> I need to restrict all web applications in Tomcat with the same users? I
> know how to restrict a specific web application with its web.xml but...
> how
> to restrict /* in tomcat, included html pages?
> Thanks.
How to restrict all webapps with http authentication in Tomcat?
I need to restrict all web applications in Tomcat with the same users? I know how to restrict a specific web application with its web.xml but... how to restrict /* in tomcat, included html pages?

Thanks.
Help with Active directory authentication in tomcat 5
I am trying to authenticate web users against an active directory instance, but for some reason the configuration that worked in tomcat 4.1 is not working in tomcat 5.0.18.

Here is the message that I get from the realm authentication with debugging turned on:

2004-02-04 16:10:20 JNDIRealm[/lts/corp]: Searching for corp
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: base: CN=Users,DC=development,DC=com filter: ([EMAIL PROTECTED])
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: entry found for corp with dn CN=corp,CN=Users,DC=development,DC=com
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: retrieving values for attribute member
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: validating credentials by binding as the user
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: binding as CN=corp,CN=Users,DC=development,DC=com
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: Username corp successfully authenticated
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: getRoles(CN=corp,CN=Users,DC=development,DC=com)
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: Searching role base 'CN=Users,DC=development,DC=com' for attribute 'cn'
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: With filter expression '\28member=CN=corp,CN=Users,DC=development,DC=com\29'
2004-02-04 16:10:20 JNDIRealm[/lts/corp]: Returning 0 roles

It appears to successfully authenticate the user, but does not find the roles. In tomcat 4.1 I get very similar information, but it returns 1 role which is the correct behavior. I also noticed that instead of "(" and ")" the log is showing "\28" and "\29". Is this part of the problem?

Here is the server.xml excerpt that I am using:

ldap://dev:389";
userBase="cn=users,dc=development,dc=com"
userSearch="([EMAIL PROTECTED])"
userRoleName="member"
roleBase="cn=users,DC=development,DC=com"
roleName="cn"
roleSearch="(member={0})"
connectionName="CN=user,CN=users,DC=development,DC=com"
connectionPassword="pass"
roleSubtree="true"
userSubtree="true" />

The same realm configuration seems to work fine for tomcat 4.1 but can't find the roles in 5.0.18. Can anyone help me? Thanks!!
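The "\28" and "\29" in the log above are the RFC 2254 hex escapes for "(" and ")". The following is an added example, not code from the post or from Tomcat: the class and method names are hypothetical, and plain string replacement stands in for whatever pattern substitution the realm performs. It contrasts escaping only the value substituted for {0} with escaping the finished filter, which yields exactly the string shown in the log.

```java
public class LdapFilterEscape {

    // Escape one assertion value as RFC 2254 requires: the characters
    // \ * ( ) and NUL are replaced by a backslash and two hex digits.
    static String escapeValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Correct order: escape the untrusted value, then place it in the pattern.
    // The pattern's own parentheses stay structural.
    static String buildFilter(String pattern, String value) {
        return pattern.replace("{0}", escapeValue(value));
    }

    // Wrong order: substitute first, then escape the whole string. The
    // structural parentheses become literal characters.
    static String escapeWholeFilter(String pattern, String value) {
        return escapeValue(pattern.replace("{0}", value));
    }

    // Structural check only: the string must be a single parenthesised filter
    // whose unescaped parentheses balance. Escapes (\xx) are skipped.
    static boolean isWellFormed(String f) {
        if (f.isEmpty() || f.charAt(0) != '(') return false;
        int depth = 0;
        for (int i = 0; i < f.length(); i++) {
            char c = f.charAt(i);
            if (c == '\\') { i += 2; continue; }
            if (c == '(') depth++;
            if (c == ')' && --depth == 0 && i != f.length() - 1) return false;
        }
        return depth == 0;
    }

    public static void main(String[] args) {
        String roleSearch = "(member={0})";                       // from the post
        String dn = "CN=corp,CN=Users,DC=development,DC=com";     // from the log
        String oddDn = "CN=Ops (night)*,CN=Users,DC=development,DC=com"; // constructed

        String good = buildFilter(roleSearch, dn);
        String bad = escapeWholeFilter(roleSearch, dn);
        String odd = buildFilter(roleSearch, oddDn);

        // (member=CN=corp,CN=Users,DC=development,DC=com)  well-formed: true
        System.out.println(good + "  well-formed: " + isWellFormed(good));
        // \28member=CN=corp,CN=Users,DC=development,DC=com\29  well-formed: false
        System.out.println(bad + "  well-formed: " + isWellFormed(bad));
        // (member=CN=Ops \28night\29\2a,CN=Users,...)  well-formed: true
        System.out.println(odd + "  well-formed: " + isWellFormed(odd));
    }
}
```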
RE: Customized authentication - overriding "getUserPrincipal()"
All my custom authentication schemes are now operational! On both 4.1.29 and 5.0.18. I have had a real tough time, though. Apparently, the subject is complex, since no one here had any comment.

- Together with custom authentication, I can also do HTTP content compression, override all input in the request like headers and the data to be read from the input-stream on the way down filter-chains and on the way back up the chains, I can read headers set upon the response, modify the content of the output-stream and do all sorts of tricks necessary for internal snooping, modification and filtering. The custom authentication scheme can also co-exist with one of the usual schemes part of static servlet-configuration (though not desirable for anything but purposes of test).

To do these things, I have implemented two generic adapters - one for the request and one for the response. They both accept a number of plug-ins - a "HeaderResource" and a "ParameterResource", for instance - same concept like the "IdentityResource"-interface shown.

And yes, it does make a difference whether "request.getUserPrincipal()" or "super.getUserPrincipal()" is called - same for headers and so on for all public methods of "HttpServletRequest" and "HttpServletResponse". Using "super" instead of "request" does do the trick!!! The default wrappers have side-effects, which are necessary to invoke. I do not know which, because I have not looked yet.

I originally - and after a lot of thought - chose "request" instead, because this will per-construction avoid cyclic calls, should one of the methods from the interface "HttpServletRequest" be implemented in "HttpServletRequestWrapper" by invoking *another* of the interface-methods. It was intended to safe-guard me from "faulty" wrapper-implementations. I sure hope, that the guys who implemented "javax.servlet.http.HttpServletRequestWrapper" and "HttpServletResponseWrapper" did a real good job. For each servlet-engine in existence. If no interface-methods are implemented through other interface-methods, then everything will continue to work. If not, then trouble is ahead somewhere. Within TC 4.1.29 and 5.0.18, the side-effects are necessary and the default-wrappers appear to be solid.

To those trying to implement generic wrappers with "plug-in" adapters, I can tell, that the Servlet-API is not just ideal - that would be so very sad to say -, since for instance headers can be accessed and modified in multiple ways, the input- and output-streams can both be accessed in two ways ("getInputStream()", "getReader()" and "getOutputStream()", "getWriter()") - and so on. So very clumsy - nothing becomes simple. "HttpServletRequest" and "HttpServletResponse" are reasonable for direct access, but not for adaption - they should have been designed in at least two levels - one set for handling the protocol and one set for direct access - just like it is possible to control streams by implementing "InputStream" and "OutputStream", but have easy access by adapting them with "DataInputStream" and "DataOutputStream". Most certainly impossible to repair at this point in time. Common API's are far from perfect.

- Next time, please give me a hint.

Regards,
Morten Sabroe Mortensen

-Original Message-
From: Morten S. Mortensen
Sent: 3 February 2004 20:09
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Customized authentication - overriding "getUserPrincipal()"

Hi all, I am in the process of testing some custom authentication schemes of my own. One thing, I would like, is to have "request.getUserPrincipal()" and "request.getAuthType()" return what I tell the request to return. The "usual" way to grab and manipulate things is to write a filter (or servlet), which wraps the incoming request and/or response and sends the wrapped versions down the filter-chain. One should suspect, that e.g. a wrapping of the request ends up in the request-objects accessible within JSP (possible wrapped again multiple times, depending upon the implementation of the engine) - so if I override "getUserPrincipal()" and "getAuthType()" and add a couple of setters "setUserPrincipal()" and "setAuthType()", I can control the result of "request.getUserPrincipal().getName()" and "request.getAuthType()". This I have done. Actually I created a kind of "plug-in"-object in the form of the interface shown below; it is supposed to include "isUserInRole()", too. The specializations of this interface have equivalent methods for setting the content to be returned. This &q
Customized authentication - overriding "getUserPrincipal()"
Hi all, I am in the process of testing some custom authentication schemes of my own. One thing, I would like, is to have "request.getUserPrincipal()" and "request.getAuthType()" return what I tell the request to return.

The "usual" way to grab and manipulate things is to write a filter (or servlet), which wraps the incoming request and/or response and sends the wrapped versions down the filter-chain. One should suspect, that e.g. a wrapping of the request ends up in the request-objects accessible within JSP (possible wrapped again multiple times, depending upon the implementation of the engine) - so if I override "getUserPrincipal()" and "getAuthType()" and add a couple of setters "setUserPrincipal()" and "setAuthType()", I can control the result of "request.getUserPrincipal().getName()" and "request.getAuthType()". This I have done.

Actually I created a kind of "plug-in"-object in the form of the interface shown below; it is supposed to include "isUserInRole()", too. The specializations of this interface have equivalent methods for setting the content to be returned. This "IdentityResource" plugs into the type of request-wrapper, which I create in a filter and use to invoke the filter-chain (of course a specialization of "javax.servlet.http.HttpServletRequestWrapper").

*Apparently*, somewhere between my filter-chain - which implements the custom authentication scheme and wraps the request before invoking the filter-chain - and the actual JSP-pages, which I use as a test, the result of "getAuthType()" and "getUserPrincipal()" is lost; the two methods return 'null'. This is somewhat of a disappointment.

Since I suspect, that Tomcat does something with the request in between the filter-chain and the JSP-page, I have looked a bit at the types. On the "main JSP page", which I invoke, the request is of type - "org.apache.coyote.tomcat4.CoyoteRequestFacade" - and on a sub-page included from the main page with , the request is of type - "org.apache.catalina.core.ApplicationHttpRequest". This has made me take a look at some of the source-code for this, but I can not find anything suspect, except that the top appears to not wrap the original request, but ends up in kind of a value-object...

Does something mess with the request before I hit the JSP-page-servlet-thingy? This realm-plugin-facility, which Tomcat has built in - it does not touch the request-object passed between filters and JSP-page-servlets?

Somehow it does not work. Maybe I have screwed something up in my code, but after a lot of investigation, I do not think this is the case. Anyone care to comment? Who knows some details? Anyone have tried something similar? (yes, I know that the subject of "custom authentication schemes" within Servlets has been discussed, but postponed - but the construction, I try, should nevertheless be possible, if wrapping is done consistently) ? ? ?

Regards,
Morten Sabroe Mortensen

-

/*** FILE "IdentityResource.java" */
/** 2003-10-28 Morten Sabroe Mortensen. **/
/*
 * $Log$
 */
package dk.tefs.J2EE.servlet.resource.http.identity;

import java.security.*;
import java.util.*;

/*** IdentityResource: ***/
/**
 * Identification of an authenticated user.
 *
 * @author Morten Sabroe Mortensen
 * @version 1.0
 */
public interface IdentityResource
{
  /**
   * Gets the name of the authentication scheme used to protect
   * the requested resource.
   * @see javax.servlet.http.HttpServletRequest#getAuthType
   * @return Name of authentication scheme.
   */
  String getAuthType();

  /**
   * Indicates, whether the authenticated user is included in
   * a specified logical "role".
   * @see javax.servlet.http.HttpServletRequest#isUserInRole
   * @param role Logical role to get indication for.
   * @return Indicates, if the role indicates the authenticated user.
   */
  boolean isUserInRole(String role);

  /**
   * Gets a representation of the authenticated user, if any.
   * If the user has not been authenticated,
   * this returns null.
   * @see javax.servlet.http.HttpServletRequest#getUserPrincipal
   * @return Representation of the authenticated user.
   */
  Principal getUserPrincipal();
}
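The wrapper arrangement discussed in this thread, as an added example that is not the poster's code: `IdentityRequestWrapper` and `WrapperDemo` are hypothetical names, `IdentityResource` repeats the three methods of the posted interface, the stub request is constructed, and the `javax.servlet` API is assumed to be on the classpath. Each identity method answers from the plug-in when it holds a principal and otherwise defers to `super`, and `getRemoteUser()` is overridden too so that it cannot disagree with `getUserPrincipal()`.

```java
import java.lang.reflect.Proxy;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Same three methods as the IdentityResource interface in the post.
interface IdentityResource {
    String getAuthType();
    boolean isUserInRole(String role);
    Principal getUserPrincipal();
}

// Hypothetical wrapper: one decision point (overridden()) governs all four
// identity methods, so a caller never sees a custom principal combined with
// the container's auth type or roles.
class IdentityRequestWrapper extends HttpServletRequestWrapper {
    private final IdentityResource identity;

    IdentityRequestWrapper(HttpServletRequest request, IdentityResource identity) {
        super(request);
        this.identity = identity;
    }

    private boolean overridden() {
        return identity != null && identity.getUserPrincipal() != null;
    }

    @Override public Principal getUserPrincipal() {
        return overridden() ? identity.getUserPrincipal() : super.getUserPrincipal();
    }

    // Not part of the plug-in interface, but code often calls it in place of
    // getUserPrincipal().getName(); it must report the same user.
    @Override public String getRemoteUser() {
        return overridden() ? identity.getUserPrincipal().getName() : super.getRemoteUser();
    }

    @Override public String getAuthType() {
        return overridden() ? identity.getAuthType() : super.getAuthType();
    }

    @Override public boolean isUserInRole(String role) {
        return overridden() ? identity.isUserInRole(role) : super.isUserInRole(role);
    }
}

public class WrapperDemo {
    public static void main(String[] args) {
        // Constructed stand-in for the container's request: no user, no roles.
        HttpServletRequest container = (HttpServletRequest) Proxy.newProxyInstance(
            WrapperDemo.class.getClassLoader(),
            new Class<?>[] { HttpServletRequest.class },
            (proxy, method, margs) ->
                method.getReturnType() == boolean.class ? Boolean.FALSE : null);

        final Principal user = new Principal() {
            @Override public String getName() { return "alice"; }   // constructed user
        };
        IdentityResource custom = new IdentityResource() {
            public String getAuthType() { return "CUSTOM"; }
            public boolean isUserInRole(String role) { return "admin".equals(role); }
            public Principal getUserPrincipal() { return user; }
        };

        HttpServletRequest wrapped = new IdentityRequestWrapper(container, custom);
        // A second, plain wrapper on top, as an engine might add: the override
        // survives because the default wrapper delegates to what it wraps.
        HttpServletRequest rewrapped = new HttpServletRequestWrapper(wrapped);
        System.out.println(rewrapped.getUserPrincipal().getName()); // alice
        System.out.println(rewrapped.getRemoteUser());              // alice
        System.out.println(rewrapped.getAuthType());                // CUSTOM
        System.out.println(rewrapped.isUserInRole("admin"));        // true
        System.out.println(rewrapped.isUserInRole("manager"));      // false

        // No plug-in identity: every method falls through to the container.
        HttpServletRequest plain = new IdentityRequestWrapper(container, null);
        System.out.println(plain.getUserPrincipal());               // null
        System.out.println(plain.isUserInRole("admin"));            // false
    }
}
```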
Re: Client Authentication
Michael, with SSL the browser and tomcat will handle the certs for you without having to parse them. You just have to make a cert for your tomcat and tell tomcat where it is, in the config for the connector. It's all well documented on the tomcat site. Otherwise the only thing you need to do is set up security-constraints in your web.xml for the appropriate pages. That is documented well in the servlet spec.

Adam

On 01/28/2004 11:24 PM Milazzo, Michael A HQISEC wrote:

Hi, I am trying to configure Tomcat to protect my pages using SSL client authentication. I changed the clientAuth option within the HTTPS connector, but I'm not sure what to do next. My code already tries to look for the certs and parse them, but I am not sure what else I need to configure. Thanks,

Michael A. Milazzo
USAISEC-Technology Integration Center
Communications Systems Evaluation Team
Comm: (520) 533-3765 DSN: 821-3765
Email: [EMAIL PROTECTED]

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
Client Authentication
Hi, I am trying to configure Tomcat to protect my pages using SSL client authentication. I changed the clientAuth option within the HTTPS connector, but I'm not sure what to do next. My code already tries to look for the certs and parse them, but I am not sure what else I need to configure. Thanks, Michael A. Milazzo USAISEC-Technology Integration Center Communications Systems Evaluation Team Comm: (520) 533-3765 DSN: 821-3765 Email: [EMAIL PROTECTED]
Problem using Tomcat Authentication
I am using the Jdbcrealm to authenticate the users. I want to use admin tool to create the users. But when I create the users using admin tool the user name and password are not being stored in the database rather they are being stored in /conf/Tomcat-users.xml. What should I do so that the user created through ADMIN Tool goes into the database? Thanks in advance

Amit Varshney
RE: [URGENT] Problems getting SSL 2-Way Authentication to work
I am not familiar with openssl but having reviewed your steps you might want to try the following:

- Import your CA cert into the trusted CAs for your browser.
- You shouldn't need your CA cert in your keystore file, providing that the CA cert is installed in cacerts. Try removing it from the keystore.

Good luck!

Mark
[URGENT] Problems getting SSL 2-Way Authentication to work
To whomever can help:

I'm trying to get a 2-way authentication mechanism working for Tomcat 4.1.29. I have browsed many archives and guides and have come up with some steps of commands to try and get the whole business up and running (see further down). I basically have a server and a client and I want the server to present a certificate to the client and vice versa, which the server then accepts and the user gains access to the protected resources. I am using an own CA (i.e. a self-signed one), which I employ to sign both the server and the client certificates.

My problem is that even though the server seems to present to me the correct certificate when I examine it (i.e. correctly signed by my own CA), I get an error saying the following (using Mozilla to access the site):

"Could not establish an encrypted connection, because certificate presented by is invalid or corrupted. Error Code: -8182"

I looked this up in the Mozilla error codes database and it had the annotation "Peer's certificate has an invalid signature". I am really confused as to why this doesn't work. The exact steps I have taken for the whole process are as follows:

== SETTING UP OWN CA ==

1. Create directory "certificates" and subdirectories
   - ca
   - server
   - client

2. Create private key and certificate request for our own CA: (from root dir)

   openssl req -new -newkey rsa:1024 -nodes -out certificates/ca/ca.csr -keyout certificates/ca/ca.key -config /homes/ts200m/certificates/openssl.cnf

   Country Name [C] = GB
   State/Province Name [ST] = London
   Locality Name [L] = London
   Organization Name [O] = Imperial College London
   Organizational Unit Name [OU] = London e-Science Centre
   Common Name [CN] = ca.lesc.ic.ac.uk
   EMail Address [Email] = [EMAIL PROTECTED]
   Challenge Password = changeit

3. Create our CA's self-signed certificate:

   openssl x509 -trustout -signkey certificates/ca/ca.key -days 365 -req -in certificates/ca/ca.csr -out certificates/ca/ca.pem
   cp certificates/ca/ca.pem certificates/ca/ca.crt
   vim certificates/ca/ca.crt

   edit "ca.crt" so that strings "TRUSTED CERTIFICATE" read "CERTIFICATE"

4. Copy JDK Certificate Authorities Keystore into Tomcat root dir:

   cp $JAVA_HOME/jre/lib/security/cacerts tomcat/
   chmod 0755 tomcat/cacerts

5. Import CA certificate into "cacerts":

   keytool -import -trustcacerts -keystore tomcat/cacerts -file certificates/ca/ca.pem -alias LeSC-CA

   Keystore Password = changeit
   Should get "Certificate was added to keystore" message

6. Create file to hold CA's serial numbers:

   echo "02" > certificates/ca/ca.srl

== SETTING UP WEB SERVER ==

1. Create keystore for server: (This creates a keystore, as well as a self-signed certificate with the details provided)

   keytool -genkey -alias server -dname "CN=epic-server.lesc.ic.ac.uk, O=Imperial College London, OU=London e-Science Centre, L=London, S=London, C=GB" -keysize 1024 -keystore certificates/server/server.ks -keypass changeit -storepass changeit -storetype JKS -validity 365

2. Create certificate request for web server:

   keytool -certreq -keystore certificates/server/server.ks -storepass changeit -alias server -file certificates/server/server.csr

3. Sign certificate request with own CA:

   openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key -CAserial certificates/ca/ca.srl -req -in certificates/server/server.csr -out certificates/server/server.crt -days 365

4. Import CA certificate into keystore as root certificate: (don't know if -trustcacerts is required...)

   keytool -import -alias root -keystore certificates/server/server.ks -storepass changeit -trustcacerts -keyalg RSA -file certificates/ca/ca.pem

   Should see message "Certificate was added to keystore" after import

5. Import signed server certificate into server keystore: (This should replace the self-signed certificate with alias "server" that was created when the keystore was created)

   keytool -import -alias server -keystore certificates/server/server.ks -storepass changeit -keyalg RSA -file certificates/server/server.crt

   Should see message "Certificate reply was installed in keystore" after import

6. Move keystore file to Tomcat's root dir:

   mv certificates/server/server.ks tomcat/
   chmod 0755 tomcat/server.ks

7. Set up SSL Connector for Tomcat (edit file tomcat/conf/server.xml):

== SET UP AN SSL CLIENT ==

1. Create a client certificate request

   openssl req -new -newkey rsa:512 -nodes -out certificates/client/client1.req -keyout certificates/client/client1.key -config /homes/ts200m/certificates/openssl.cnf

   Country Name = GB
   State/Province Name = London
   Locality Name = London
   Organization Name = Imperial College O
SV: Problem using Tomcat User Authentication
I guess you should look at session.invalidate();.

BR Soren

-Original Message-
From: amit varshney [mailto:[EMAIL PROTECTED]
Sent: 24 January 2004 12:47
To: [EMAIL PROTECTED]
Subject: Problem using Tomcat User Authentication

I am working in JSP/Servlets on Windows XP. I want to use the Tomcat user Authentication in my web application. So using tomcat's JDBC Realm I have stored the username and passwords in the Oracle 9I Database. I want to use authentication for accessing the different modules. So I have created the main page on which there are links to different modules. Using Security Constraint in the web.xml file I have made the access restricted. So when a user clicks on a link he is asked the user name and password. This works fine but the problem I am facing is that when I come back to the main page and click on some other link the login page is not displayed rather there is error message that "the access to the requested resource is denied". Is there any way to solve this problem? Thanks in advance

Amit Varshney
Problem using Tomcat User Authentication
I am working in JSP/Servlets on Windows XP. I want to use the Tomcat user Authentication in my web application. So using tomcat's JDBC Realm I have stored the username and passwords in the Oracle 9I Database. I want to use authentication for accessing the different modules. So I have created the main page on which there are links to different modules. Using Security Constraint in the web.xml file I have made the access restricted. So when a user clicks on a link he is asked the user name and password. This works fine but the problem I am facing is that when I come back to the main page and click on some other link the login page is not displayed rather there is error message that "the access to the requested resource is denied". Is there any way to solve this problem? Thanks in advance

Amit Varshney
Re: Changing FORM Authentication page
If you get the referrer - but often you don't, depending on the browser. Ricardo, is your form authentication page a JSP? If so, it can deal with any parameters you pass it. What exactly are you thinking of?

Adam

On 01/21/2004 02:28 PM Matt Raible wrote:

You could check the referer and change accordingly.

-Original Message-
From: Ricardo García [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 5:15 AM
To: Tomcat-user-list (E-mail)
Subject: Changing FORM Authentication page

Is there some way to personalise the form authentication page of a context by passing a parameter? I want to change an image of the login page depending on the origin (static) page of the user. Is this possible?

Thanks,
Ricardo.

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
RE: FORM based authentication referer
Ricardo García wrote:
> Here's some starting context for my question
>
> I have a war file that has been configured to use FORM based authentication. I have set the in the web.xml of the war file to point to a jsp file in my war file. When a user invokes any jsp without being logged in the login jsp is displayed. The user enters the userid/password submits the page to j_security_check, is validated and redirected to the requested page.
>
> My question is ...
>
> Has anyone ever tried discovering the page that the user is trying to access from within the jsp page referenced as the ? I have tried checking the HTTP headers and session, but have not discovered it being saved anywhere. Usually when a page invokes another page the HTTP header REFERER exists with the URL to the previous page. I have noticed that once the user posts the login form on my login.jsp to j_security_check and is authenticated they are redirected to the correct location .. correct location being back to the page they wanted to access originally. This would mean that it has to be somewhere, but where??

We do this manually instead of using the mechanism. In the header included at the top of every page for authentication, we capture

session.setAttribute("login.target", request.getRequestURI() );

before redirecting to the login page. If you wait until you get to the page that is processing your login request, you've already lost the original request.
FORM based authentication referer
Here's some starting context for my question

I have a war file that has been configured to use FORM based authentication. I have set the in the web.xml of the war file to point to a jsp file in my war file. When a user invokes any jsp without being logged in the login jsp is displayed. The user enters the userid/password submits the page to j_security_check, is validated and redirected to the requested page.

My question is ...

Has anyone ever tried discovering the page that the user is trying to access from within the jsp page referenced as the ? I have tried checking the HTTP headers and session, but have not discovered it being saved anywhere. Usually when a page invokes another page the HTTP header REFERER exists with the URL to the previous page. I have noticed that once the user posts the login form on my login.jsp to j_security_check and is authenticated they are redirected to the correct location .. correct location being back to the page they wanted to access originally. This would mean that it has to be somewhere, but where??
RE: Changing FORM Authentication page
You could check the referer and change accordingly.

> -Original Message-
> From: Ricardo García [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 5:15 AM
> To: Tomcat-user-list (E-mail)
> Subject: Changing FORM Authentication page
>
> Is there some way to personalise the form authentication page
> of a context by passing a parameter? I want to change an
> image of the login page depending on the origin (static) page
> of the user. Is this possible?
>
> Thanks,
> Ricardo.
Changing FORM Authentication page
Is there some way to personalise the form authentication page of a context by passing a parameter? I want to change an image of the login page depending on the origin (static) page of the user. Is this possible? Thanks, Ricardo.
Re: SSL Client authentication
It sounds like your client is trying to send a self-signed cert (which won't work). The client needs to send a cert that is signed by somebody in the TrustStore.

"tkassem" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi All,
>
> Using jboss-3.2.3-tomcat 4.1.29, I've got both server and client
> authentication fully working. Using the same keystore and with
> clientAuth set to false, everything works fine, but when I set
> clientAuth to 'true', the server fails to authenticate my client.
> My connector in .../jbossweb-tomcat.sar/META-INF/jboss-service.xml is...
>
> port="8443" minProcessors="5" maxProcessors="75" enableLookups="true"
> acceptCount="10" debug="5" scheme="https" secure="true">
>
> keystoreFile="/opt/local/.keystore" keystorePass="picalo"
> clientAuth="true" protocol="SSLv3"/>
>
> The log file error indicates the handshake failed - 'null cert chain'.
>
> any help.
SSL Client authentication
Hi All, Using jboss-3.2.3-tomcat 4.1.29, I've got both server and client authentication fully working. Using the same keystore and with clientAuth set to false, everything works fine, but when I set clientAuth to 'true', the server fails to authenticate my client. My connector in .../jbossweb-tomcat.sar/META-INF/jboss-service.xml is... The log file error indicates the handshake failed - 'null cert chain'. any help.
TOMCAT authentication
Hello

I'm pretty sure this is a known issue, even though I didn't find much about it; I'm having a problem with authenticating users in TomCat. I have an IIS server to serve static content and Tomcat to serve dynamic content. If a user knows a URL that goes directly to Tomcat then Tomcat won't even ask the user to enter his/her username and password, while if the user goes through the first page of IIS (where it redirects to tomcat) IIS asks the user for his/her username and password. How do I enable authentication at Tomcat so that even if a user knows the direct URL it would still ask him/her for his/her username and password?

Thank you in advance

h t t p : / / a l e x u s . o r g /
Re: TOMCAT authentication
It sounds like you may need to configure IIS to require authentication from the user no matter how they get there by requiring authentication to the directory(s) with the dynamic content. But, don't know enough about IIS to tell you how to do that.

>>> [EMAIL PROTECTED] 01/15/04 02:54PM >>>

Hello

I'm pretty sure this is a known issue, even though I didn't find much about it; I'm having a problem with authenticating users in TomCat. I have an IIS server to serve static content and Tomcat to serve dynamic content. If a user knows a URL that goes directly to Tomcat then Tomcat won't even ask the user to enter his/her username and password, while if the user goes through the first page of IIS (where it redirects to tomcat) IIS asks the user for his/her username and password. How do I enable authentication at Tomcat so that even if a user knows the direct URL it would still ask him/her for his/her username and password?

Thank you in advance
SV: TOMCAT authentication
Hi! If you make use of Tomcat's web.xml and set appropriate security constraint (see http://www.servlets.com/jservlet2/examples/ch08/web.xml) in combination with the use of Session-objects, you should be able to do what you want to do, e.g. ask the user for a correct username and password.

Kind regards
Jonas

Hello

I'm pretty sure this is a known issue, even though I didn't find much about it; I'm having a problem with authenticating users in TomCat. I have an IIS server to serve static content and Tomcat to serve dynamic content. If a user knows a URL that goes directly to Tomcat then Tomcat won't even ask the user to enter his/her username and password, while if the user goes through the first page of IIS (where it redirects to tomcat) IIS asks the user for his/her username and password. How do I enable authentication at Tomcat so that even if a user knows the direct URL it would still ask him/her for his/her username and password?

Thank you in advance
TOMCAT authentication
Hello

I'm pretty sure this is a known issue, even though I didn't find much about it; I'm having a problem with authenticating users in TomCat. I have an IIS server to serve static content and Tomcat to serve dynamic content. If a user knows a URL that goes directly to Tomcat then Tomcat won't even ask the user to enter his/her username and password, while if the user goes through the first page of IIS (where it redirects to tomcat) IIS asks the user for his/her username and password. How do I enable authentication at Tomcat so that even if a user knows the direct URL it would still ask him/her for his/her username and password?

Thank you in advance
tomcat client authentication bug.
This is in bugzilla. How can I resolve this problem??? Please help.

Here is an excerpt of the JSSE logs. We not only tried to authenticate via a browser but also via a Java client, so we possess client logs as well. It seems as if, at some point during the handshake procedure, the server is waiting for the client to send further data. However, the client seems to have sent all data and is waiting for the server to respond. That way, client and server remain in a wait-state until the client finally gets a timeout and closes the socket. Here are the log excerpts. Any ideas? We are pretty clueless...

CLIENT LOG

Thread-1, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data: { 89, 42, 241, 220, 59, 116, 135, 170, 54, 230, 112, 71 }
***
Thread-1, WRITE: TLSv1 Handshake, length = 32
waiting for close_notify or alert: state 1
Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
Thread-1, handling exception: java.net.SocketException: Software caused connection abort: recv failed
Thread-1, SEND TLSv1 ALERT: fatal, description = unexpected_message
Thread-1, WRITE: TLSv1 Alert, length = 18
Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
Thread-1, called closeSocket()

== Server log

2003-11-10 12:54:57,199 INFO [STDOUT] *** ServerHelloDone
2003-11-10 12:54:57,199 INFO [STDOUT] Thread-18, WRITE: SSLv3 Handshake, length = 3631
2003-11-10 12:54:57,246 INFO [STDOUT] Thread-18, received EOFException: error
2003-11-10 12:54:57,246 INFO [STDOUT] Thread-18, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
2003-11-10 12:54:57,262 INFO [STDOUT] Thread-18
2003-11-10 12:54:57,278 INFO [STDOUT] , SEND SSLv3 ALERT:
2003-11-10 12:54:57,278 INFO [STDOUT] fatal,
2003-11-10 12:54:57,293 INFO [STDOUT] description = unexpected_message
2003-11-10 12:54:57,293 INFO [STDOUT] Thread-18, WRITE: SSLv3 Alert, length = 2
2003-11-10 12:54:57,309 INFO [STDOUT] Thread-18, called closeSocket()
2003-11-10 12:54:57,309 INFO [STDOUT] Thread-18, called close()
2003-11-10 12:54:57,324 INFO [STDOUT] Thread-18, called closeInternal(true)

Amjad Shahrour
Application Developer
Tel: +966.2.653.3334 ext 213
[EMAIL PROTECTED]
www.labbaik.com
Labbaik - The Integrated Solution Provider for the Hospitality Industry
Re: IIS + Tomcat 5.0 + NT authentication AUTH_USER
Sorry, don't know where I found this anymore. The jk2 docs are out of date, but it's definitely in the source code. Some links:

http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-connectors/jk/native2/server/isapi/isapi_redirector2.reg?rev=1.5&hideattic=0&view=markup
http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-connectors/jk/native2/server/isapi/jk_isapi_plugin.c?rev=1.57&view=markup (11 month old)

Why not give it a try?

Jason Wilson wrote:

Hi, I appreciate the info. Could you please point me to the documentation where you found this information, preferably some official documentation on the apache site, perhaps? Thanks, Jason

--- Daniel Schmitt <[EMAIL PROTECTED]> wrote:

There is a registry entry

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\2.0]
"authComplete"="0"

which toggles authentication handled by tomcat or iis. just an idea

--
Daniel Schmitt
http://www.shiftomat.com
Re: IIS + Tomcat 5.0 + NT authentication AUTH_USER
Simply put

request.tomcatAuthentication=false

somewhere in your jk2.properties file.

/Thomas

Jason Wilson <[EMAIL PROTECTED]>
08-01-04 18:54
Please reply to "Tomcat Users List"
To: [EMAIL PROTECTED]
cc:
Re: IIS + Tomcat 5.0 + NT authentication AUTH_USER

Hi,

I'm using
Tomcat 5.0.16
connector-jk-2.0.2-win32-iis
IIS 5.0

Currently my application is running under IIS + ColdFusion(Jrun), but will be migrating to an IIS/Tomcat server. Since this is an intranet application on an NT network, where it is a requirement to have the users not have to implicitly logon, I am using NT authentication with IIS. In other words, for the virtual directory, I have set the Anonymous access off, and Integrated Windows Authenticated on.

In the IIS + ColdFusion setup, my servlet does a request.getHeader("AUTH_USER"); and this returns the domain/userid of the person logged into the client machine. Then I can verify the user is allowed to use the application. All is well.

However, in the IIS + Tomcat setup, getHeader("AUTH_USER") is returning null. I have tried other header keys and get null also. Also, I am sure IIS is authenticating the user, since I cannot get to the application using a browser that doesn't support the windows authentication.

So, it appears, for some reason, the connector is not setting the AUTH_USER header when it transfers to the Tomcat container. Does anyone know how I can fix this so it does, or if there is anything I might be doing wrong.

Thanks in advance,
Jason

___
Please note that this message may contain confidential information. If you have received this message by mistake, please inform the sender of the mistake by sending a reply, then delete the message from your system without making, distributing or retaining any copies of it. Although we believe that the message and any attachments are free from viruses and other errors that might affect the computer or IT system where it is received and read, the recipient opens the message at his or her own risk. We assume no responsibility for any loss or damage arising from the receipt or use of this message.
RE: IIS + Tomcat 5.0 + NT authentication AUTH_USER
See if request.getHeader("Authorization") gives you anything. That is what I have been using with IIS and Tomcat 4.X. The data is Base64 encoded, but I have some code to grab the username and password from that if you need it.

-Brian

-----Original Message-----
From: Jason Wilson [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 08, 2004 12:54 PM
To: [EMAIL PROTECTED]
Subject: IIS + Tomcat 5.0 + NT authentication AUTH_USER

Hi,

I'm using
Tomcat 5.0.16
connector-jk-2.0.2-win32-iis
IIS 5.0

Currently my application is running under IIS + ColdFusion(Jrun), but will be migrating to an IIS/Tomcat server. Since this is an intranet application on an NT network, where it is a requirement to have the users not have to implicitly logon, I am using NT authentication with IIS. In other words, for the virtual directory, I have set the Anonymous access off, and Integrated Windows Authenticated on.

In the IIS + ColdFusion setup, my servlet does a request.getHeader("AUTH_USER"); and this returns the domain/userid of the person logged into the client machine. Then I can verify the user is allowed to use the application. All is well.

However, in the IIS + Tomcat setup, getHeader("AUTH_USER") is returning null. I have tried other header keys and get null also. Also, I am sure IIS is authenticating the user, since I cannot get to the application using a browser that doesn't support the windows authentication.

So, it appears, for some reason, the connector is not setting the AUTH_USER header when it transfers to the Tomcat container. Does anyone know how I can fix this so it does, or if there is anything I might be doing wrong.

Thanks in advance,
Jason
Re: IIS + Tomcat 5.0 + NT authentication AUTH_USER
Hi,

I appreciate the info. Could you please point me to the documentation where you found this information, preferably some official documentation on the apache site, perhaps?

Thanks,
Jason

--- Daniel Schmitt <[EMAIL PROTECTED]> wrote:
> There is a registry entry
> [HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\2.0]
>
> "authComplete"="0"
>
> which toggles authentication handled by tomcat or iis.
>
> just an idea
>
> --
> Daniel Schmitt
> http://www.shiftomat.com
Re: IIS + Tomcat 5.0 + NT authentication AUTH_USER
There is a registry entry

[HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\2.0]
"authComplete"="0"

which toggles authentication handled by tomcat or iis.

just an idea

--
Daniel Schmitt
http://www.shiftomat.com
IIS + Tomcat 5.0 + NT authentication AUTH_USER
Hi,

I'm using
Tomcat 5.0.16
connector-jk-2.0.2-win32-iis
IIS 5.0

Currently my application is running under IIS + ColdFusion(Jrun), but will be migrating to an IIS/Tomcat server. Since this is an intranet application on an NT network, where it is a requirement to have the users not have to implicitly logon, I am using NT authentication with IIS. In other words, for the virtual directory, I have set the Anonymous access off, and Integrated Windows Authenticated on.

In the IIS + ColdFusion setup, my servlet does a request.getHeader("AUTH_USER"); and this returns the domain/userid of the person logged into the client machine. Then I can verify the user is allowed to use the application. All is well.

However, in the IIS + Tomcat setup, getHeader("AUTH_USER") is returning null. I have tried other header keys and get null also. Also, I am sure IIS is authenticating the user, since I cannot get to the application using a browser that doesn't support the windows authentication.

So, it appears, for some reason, the connector is not setting the AUTH_USER header when it transfers to the Tomcat container. Does anyone know how I can fix this so it does, or if there is anything I might be doing wrong.

Thanks in advance,
Jason
RE: Forms Authentication
> I want to have a login link and a logout link.

> how do you tell j_security_check where to go once the
> user has logged in successfully.

If your application requires the "click here to login" functionality, where would the user expect to go after logging in? If it's to a generic welcome/login confirmation page then could you not have that page in a protected url? (set up in web.xml) When the user clicks on the "Login" link they will get your login page based on the url and only successful users will go to the welcome/login confirmation page.

Are you storing other user specific info in cookies that can be used to determine their post-login destination? If so you could make the welcome page a JSP/servlet that is "smart".

If you can do anything programmatic involving j_security_check let me know, I've asked a couple of times about this myself.

Best regards
Chris
RE: Forms Authentication
If I may ask, why would you want to hit the login page directly? Is this for a "click here to login" link?

Yes, I want to have a login link and a logout link.

Thanks
Gregg

-----Original Message-----
From: QM [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 07, 2004 6:02 PM
To: Tomcat Users List
Subject: Re: Forms Authentication

: So is there a way to overcome this? BTW – if I reference the login.jsp from
: a secure page, everything works fine. So I know I have things setup
: correctly thus far.

If I may ask, why would you want to hit the login page directly? Is this for a "click here to login" link?

-QM

--
software -- http://www.brandxdev.net (C++ / Java / SSL)
tech news -- http://www.RoarNetworX.com
Re: Forms Authentication
I too need to access login page directly because, of Apache redirection to Tomcat, cannot find the login page directly.

Let's say, main_page.htm is a secure page. Typing the url 'http://localhost/webapplication/main_page.htm' should bring up the login page. But it just gives me 'Error 500, The page cannot be displayed'.

So, have to access login page directly, as it authenticates your login, but will give error 'Indirect referece to j_security_check'

So, how do I implement JDBC realms when Apache redirection to Tomcat is involved?

----- Original Message -----
From: "QM" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, January 08, 2004 8:01 AM
Subject: Re: Forms Authentication

> : So is there a way to overcome this? BTW – if I reference the login.jsp from
> : a secure page, everything works fine. So I know I have things setup
> : correctly thus far.
>
> If I may ask, why would you want to hit the login page directly?
> Is this for a "click here to login" link?
>
> -QM
>
> --
> software -- http://www.brandxdev.net (C++ / Java / SSL)
> tech news -- http://www.RoarNetworX.com
Re: Forms Authentication
: So is there a way to overcome this? BTW – if I reference the login.jsp from
: a secure page, everything works fine. So I know I have things setup
: correctly thus far.

If I may ask, why would you want to hit the login page directly? Is this for a "click here to login" link?

-QM

--
software -- http://www.brandxdev.net (C++ / Java / SSL)
tech news -- http://www.RoarNetworX.com
Forms Authentication
I am working with Tomcat 5 and Forms authentication. I am just using the tomcat-users.xml for now until I get everything working. What I am wondering is if I go directly to my login.jsp page instead of letting Tomcat determine if I need to go there based on the page I am accessing, how do you tell j_security_check where to go once the user has logged in successfully. As it is right now I get the following error:

Invalid direct reference to form login page

So is there a way to overcome this? BTW – if I reference the login.jsp from a secure page, everything works fine. So I know I have things setup correctly thus far.

Thanks
Gregg
RE: problem with forms authentication
Thanks, that seemed to be the problem. I had also upgraded my browser and it seems that the new privacy settings kicked in. Has someone approached the issue of why this won't work with URL rewriting when cookies are blocked?

-----Original Message-----
From: QM [mailto:[EMAIL PROTECTED]
Sent: Monday, January 05, 2004 12:22 AM
To: Tomcat Users List
Subject: Re: problem with forms authentication

: Invalid direct reference to form login page

Just one, but it has nothing to do with the upgrade: are cookies enabled in your browser?

-QM

--
software -- http://www.brandxdev.net (C++ / Java / SSL)
tech news -- http://www.RoarNetworX.com
Re: problem with forms authentication
: Invalid direct reference to form login page

Just one, but it has nothing to do with the upgrade: are cookies enabled in your browser?

-QM

--
software -- http://www.brandxdev.net (C++ / Java / SSL)
tech news -- http://www.RoarNetworX.com
problem with forms authentication
I am running Tomcat 5.0.16 and using Form based authentication with the JDBC realm. I have ported an application that was previously running on Tomcat 4.x to 5.0.16. Now, after being authenticated on the login page I keep receiving this error: Invalid direct reference to form login page I am not directly accessing the login page, but rather am trying to access a protected resource and being redirected to the login page. Again, this exact same setup worked with the previous version of Tomcat. Any thoughts?
Re: Two authentication mechanisms in a webapp.
"Ilari Kontinen" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hello,
>
> I have a web-application that has a JSP-based UI and an AXIS-based web
> service. I need to use FORM-based authentication for the UI users and
> BASIC-authentication for web service users.
>
> Is it possible to have the two authentication mechanisms in one webapp,
> or do I need to separate the UI and the web service in two webapps?
>

Well, anything is possible if you want to put enough work into it :). And this one is pretty high on the work-scale. You'd need to implement your own custom Authenticator that decides whether to delegate to FormAuthenticator or to BasicAuthenticator. The downside is that you are locked into Tomcat (and probably even a specific version of Tomcat).

I don't know the specs for your project, but if possible, I'd probably try to split it into two webapps and use SingleSignOn.

> Thanks
> Ilari
Two authentication mechanisms in a webapp.
Hello,

I have a web-application that has a JSP-based UI and an AXIS-based web service. I need to use FORM-based authentication for the UI users and BASIC-authentication for web service users.

Is it possible to have the two authentication mechanisms in one webapp, or do I need to separate the UI and the web service in two webapps?

Thanks
Ilari
Re: 2 way SSL ( client authentication)
The ssl-howto has instructions for generating a self-signed Server-cert. You can't use a self-signed client-cert (Ok, I'm lying, but it's for your own good: You can with PureTLS, but for your own good, I'm going to make you look it up yourself :). The client-cert needs to be signed by someone in your TrustStore.

"Amjad Shahrour" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi all,
>
> I am trying to implement 2 way SSL (client authentication) on tomcat 4.
>
> I am following all steps.
>
> But still have something missing. (all documentation describes how to
> deal with certificates that are verified by CA).
>
> I need to know how to generate a normal self-signed certificate and how
> to use it in a proper way.
>
> Thnx.
>
> Amjad Shahrour
> Application Developer
> Tel: +966.2.653.3334 ext 213
> [EMAIL PROTECTED]
> www.labbaik.com
2 way SSL ( client authentication)
Hi all,

I am trying to implement 2 way SSL (client authentication) on tomcat 4.

I am following all steps.

But still have something missing. (all documentation describes how to deal with certificates that are verified by CA).

I need to know how to generate a normal self-signed certificate and how to use it in a proper way.

Thnx.

Amjad Shahrour
Application Developer
Tel: +966.2.653.3334 ext 213
[EMAIL PROTECTED]
www.labbaik.com
Re: Authentication Pattern
On 12/15/2003 06:05 PM Renato Romano wrote:

> it seems to me the simplest way to authenticate users is using form base auth, in conjunction with declarative security (declaring resources/roles in web.xml); the main problem with this approach in my opinion is handling several login pages, for example; moreover, in order to allow authentication to be performed on the home page, you need to "force" the client to make a request to a protected page (correct??!!), which seems not so clean!!

Whether it's not clean is a point of view: from another point of view, why should someone login on your home page when you have decided not to protect it?

> I read something about JAAS, but didn't understand, for example, once logged in what should be done with the Subject object obtained after the login process!!! Following requests are automatically recognized coming from an authenticated user, as with normal form based auth ?? I'm a little confused about all this stuff... The main goals I have are:

In your JAAS code you just give it to the container. The container does what it has to with it. It's not a problem. But in the appservers I have used (er well just tomcat) you don't get to see your Subject again. You can query methods on the request object to find out about it, but that's it.

> Allow login from the home page

Only circuitously as you have guessed.

> Allow login from several pages (I can specify only one login page in web.xml !)
> Make all this in a clean way (for example not redirecting the user to a reserved page for making tomcat present the login page !!)

Basically your idea of a clean way is ruling out the possibilities. People do make use of CMS, but when they need the features you need, they all end up using redirects.

Adam

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
Authentication Pattern
I would like some clarifications about handling authentication in a webapp: it seems to me the simplest way to authenticate users is using form base auth, in conjunction with declarative security (declaring resources/roles in web.xml); the main problem with this approach in my opinion is handling several login pages, for example; moreover, in order to allow authentication to be performed on the home page, you need to "force" the client to make a request to a protected page (correct??!!), which seems not so clean!!

I read something about JAAS, but didn't understand, for example, once logged in what should be done with the Subject object obtained after the login process!!! Following requests are automatically recognized coming from an authenticated user, as with normal form based auth ?? I'm a little confused about all this stuff...

The main goals I have are:

Allow login from the home page
Allow login from several pages (I can specify only one login page in web.xml !)
Make all this in a clean way (for example not redirecting the user to a reserved page for making tomcat present the login page !!)

Thanks everyone
Renato

Renato Romano
Sistemi e Telematica S.p.A.
Calata Grazie - Vial Al Molo Giano
16127 - GENOVA
e-mail: [EMAIL PROTECTED]
Tel.: 010 2712603
bug in apache 2 authentication + tomcat 4.1.29 + mod_jk 1.2.5 ?
I have an issue with apache authentication and tomcat, but I'm not sure if this is a bug or just "the way it works".

I have
Apache 2.0.47 (windows + linux)
tomcat 4.1.29
mod_jk 1.2.5
The connector element has tomcatAuthentication=false (I tried also putting this in jk2.properties, but this doesn't work anymore)
I protect entire directories by placing an .htaccess file in those directories

The problem is that every request which is handled by tomcat (*.jsp) bypasses the apache authentication. If the request is handled directly by apache (e.g. *.html), authentication works fine (login/password is requested).

There is an exception when calling http://hostname/dirname/ when it goes to an index.jsp. In this case apache asks for authentication. Calling http://hostname/dirname/index.jsp directly does not ask for authentication.

The problem can be solved by placing the .htaccess directives directly inside the httpd.conf file ( I know for sure that this worked perfectly with apache 1.3.2x and tomcat 4.1.24 and mod_jk 1.2.2, so I don't know if this is a tomcat issue (4.1.29) or an apache issue (2.0.xx) or a mod_jk issue. But I also don't know if this is "the way it should work".

I had filed a bug report (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25055) because I thought that I could not call getRemoteUser(), but this turned out to be because of the above described problem.

So I'm asking the list
- is there anyone having apache 2.0.47 and latest 4.1.x tomcat and latest mod_jk who works with .htaccess files?
- does authentication work as expected?

Thanks for any reply

Regards
Stefanos
RE: Basic Authentication
Here is the exact code to do it my friend. Redirect or whatever you want, after the System.out.println

-Jesse

=====

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

public class AuthenticationServlet extends HttpServlet {

    // Step 2: Challenge message (Type 2); the nonce is a fixed value
    final private static byte[] CHALLENGE_MESSAGE = {
        (byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P', 0,
        2, 0, 0, 0, 0, 0, 0, 0,
        40, 0, 0, 0, 1, (byte)130, 0, 0,
        0, 2, 2, 2, 0, 0, 0, 0, // nonce
        0, 0, 0, 0, 0, 0, 0, 0};

    /**
     * Obtain the network ID from the HTTP request
     */
    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        try {
            String auth = req.getHeader("Authorization");
            if (auth == null) {
                // No credentials yet: ask the browser to start the NTLM exchange
                res.setContentLength(0);
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                res.setHeader("WWW-Authenticate", "NTLM");
                res.flushBuffer();
                return;
            }
            if (!auth.startsWith("NTLM ")) {
                return;
            }
            // java.util.Base64 replaces sun.misc.BASE64Decoder/BASE64Encoder,
            // which are no longer shipped with current JDKs
            byte[] msg = Base64.getDecoder().decode(auth.substring(5).trim());

            // Step 1: Negotiation message received
            if (msg[8] == 1) {
                // Send challenge message (Step 2)
                res.setContentLength(2);
                res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                res.setHeader("WWW-Authenticate",
                    "NTLM " + Base64.getEncoder().encodeToString(CHALLENGE_MESSAGE));
                res.flushBuffer();
                return;
            }

            // Step 3: Authentication message received
            if (msg[8] == 3) {
                // The fields below are read from the client's message as sent;
                // the NTLM response in it is not verified here.
                // Lengths and offsets are little-endian; mask each byte so that
                // values above 127 are not sign-extended.
                int off = 30;
                int length, offset;

                length = ((msg[off+1] & 0xff) << 8) + (msg[off] & 0xff);
                offset = ((msg[off+3] & 0xff) << 8) + (msg[off+2] & 0xff);
                String domain = new String(msg, offset, length);

                length = ((msg[off+9] & 0xff) << 8) + (msg[off+8] & 0xff);
                offset = ((msg[off+11] & 0xff) << 8) + (msg[off+10] & 0xff);
                // Local variable: a servlet instance is shared between request threads
                String user = new String(msg, offset, length);

                length = ((msg[off+17] & 0xff) << 8) + (msg[off+16] & 0xff);
                offset = ((msg[off+19] & 0xff) << 8) + (msg[off+18] & 0xff);
                String ws = new String(msg, offset, length);

                System.out.println("Username: " + removeBlanks(user)
                    + " Domain: " + removeBlanks(domain)
                    + " Workstation: " + removeBlanks(ws));
            }
        } catch (Throwable ex) {
            ex.printStackTrace();
        }
    }

    /**
     * Removes non-printable characters from a string
     */
    private String removeBlanks(String s) {
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c > ' ')
                sb.append(c);
        }
        return sb.toString();
    }
}

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Friday, December 05, 2003 11:58 AM
To: Tomcat Users List
Subject: Re: Basic Authentication

http://jakarta.apache.org/tomcat/faq/windows.html#ntlm

-Tim

Bui, Bao-Ha D wrote:
> Hi all,
>
> I need to capture the WinNT account name of users to a jsp page.
>
> We have Active Directory at our company. We can have a basic login form
> (that standard pop up login form from Window).
>
> Could anyone tell me where to start and how to set it up? I have looked at
> the HowTo for Tomcat Realm on Apache website but not quite get it.
>
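The Type 3 field layout that the servlet above reads, as an added example that is not part of the original post: a stand-alone, bounds-checked reader for the domain, user and workstation fields, run once on a constructed message and once on the same message with an out-of-range offset. The class name, the sample values and the choice of ISO-8859-1 for non-Unicode clients are assumptions; the reader only extracts the names the client sent and does not verify the NTLM response.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Bounds-checked reader for the name fields of an NTLM Type 3 (authenticate) message. */
public class NtlmType3Fields {
    private static final byte[] SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    private static final int FLAG_UNICODE = 0x00000001; // NTLMSSP_NEGOTIATE_UNICODE
    private static final int HEADER_LEN = 64;           // fixed part, through the flags field

    final String domain, user, workstation;

    private NtlmType3Fields(String domain, String user, String workstation) {
        this.domain = domain;
        this.user = user;
        this.workstation = workstation;
    }

    /** Parses the value of an "Authorization: NTLM ..." header; throws IllegalArgumentException if malformed. */
    static NtlmType3Fields parse(String authorization) {
        if (authorization == null || !authorization.startsWith("NTLM "))
            throw new IllegalArgumentException("not an NTLM Authorization header");
        byte[] msg = Base64.getDecoder().decode(authorization.substring(5).trim());
        // Assumption: messages from clients that omit the flags field (shorter header) are rejected
        if (msg.length < HEADER_LEN || !Arrays.equals(Arrays.copyOf(msg, 8), SIGNATURE))
            throw new IllegalArgumentException("not an NTLMSSP message");
        ByteBuffer buf = ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN);
        if (buf.getInt(8) != 3)
            throw new IllegalArgumentException("not a Type 3 message");
        // Names are UTF-16LE when the Unicode flag is set, otherwise in the client's OEM
        // code page (approximated here by ISO-8859-1)
        Charset cs = (buf.getInt(60) & FLAG_UNICODE) != 0
                ? StandardCharsets.UTF_16LE : StandardCharsets.ISO_8859_1;
        // Security buffers: domain at byte 28, user at 36, workstation at 44
        return new NtlmType3Fields(field(buf, 28, cs), field(buf, 36, cs), field(buf, 44, cs));
    }

    /** Reads one security buffer: 16-bit length, 16-bit allocated size, 32-bit offset. */
    private static String field(ByteBuffer buf, int pos, Charset cs) {
        int len = buf.getShort(pos) & 0xFFFF;          // unsigned 16-bit
        long off = buf.getInt(pos + 4) & 0xFFFFFFFFL;  // unsigned 32-bit
        if (off < HEADER_LEN || off + len > buf.capacity())
            throw new IllegalArgumentException("field at byte " + pos + " points outside the message");
        return new String(buf.array(), (int) off, len, cs);
    }

    /** Builds a constructed Type 3 message (empty LM/NT responses) for the demonstration. */
    static byte[] sample(String domain, String user, String workstation) {
        byte[][] names = {
            domain.getBytes(StandardCharsets.UTF_16LE),
            user.getBytes(StandardCharsets.UTF_16LE),
            workstation.getBytes(StandardCharsets.UTF_16LE) };
        int total = HEADER_LEN + names[0].length + names[1].length + names[2].length;
        ByteBuffer b = ByteBuffer.allocate(total).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIGNATURE).putInt(3);
        putField(b, 0, HEADER_LEN);                    // LM response (empty)
        putField(b, 0, HEADER_LEN);                    // NT response (empty)
        int off = HEADER_LEN;
        for (byte[] n : names) { putField(b, n.length, off); off += n.length; }
        putField(b, 0, off);                           // session key (empty)
        b.putInt(FLAG_UNICODE);
        for (byte[] n : names) b.put(n);
        return b.array();
    }

    private static void putField(ByteBuffer b, int len, int off) {
        b.putShort((short) len).putShort((short) len).putInt(off);
    }

    public static void main(String[] args) {
        byte[] msg = sample("EXAMPLE", "jdoe", "WS01"); // constructed sample values
        NtlmType3Fields f = parse("NTLM " + Base64.getEncoder().encodeToString(msg));
        System.out.println(f.domain + "\\" + f.user + " from " + f.workstation);

        // Same message with the user field's offset pointing far beyond the end
        ByteBuffer.wrap(msg).order(ByteOrder.LITTLE_ENDIAN).putInt(40, 0x7FFFFFF0);
        try {
            parse("NTLM " + Base64.getEncoder().encodeToString(msg));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```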
Re: Basic Authentication
http://jakarta.apache.org/tomcat/faq/windows.html#ntlm

-Tim

Bui, Bao-Ha D wrote:

Hi all,

I need to capture the WinNT account name of users to a jsp page.

We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Window).

Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on Apache website but not quite get it.
Re: Basic Authentication
You might want to read the comments on the following URL - it shows how to configure authentication with a Windows domain, but apparently, it's out of date:

http://www.raibledesigns.com/page/rd?anchor=easy_windows_authentication_with_tomcat

Matt

On Dec 5, 2003, at 9:45 AM, Bui, Bao-Ha D wrote:

Hi all,

I need to capture the WinNT account name of users to a jsp page.

We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Window).

Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on Apache website but not quite get it.

Thanks very much for any help.

Bao-Ha Dam Bui
[EMAIL PROTECTED]
St. Jude Medical, Inc
651.765.1018

*
This communication may contain information that is proprietary, privileged, confidential or legally exempt from disclosure. If you are not a named addressee, you are notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so may be unlawful. If you have received this communication in error, please notify the sender via return e-mail and delete it from your computer. Thank you. St. Jude Medical, Inc.
*
RE: Basic Authentication
Maybe through navigator object in user's browser, you must check if there's not permission constraint for that.

> ----------
> From: Bui, Bao-Ha D[SMTP:[EMAIL PROTECTED]
> Reply-To: Tomcat Users List
> Sent: Friday, December 5, 2003 13:45
> To: 'Tomcat Users List'
> Subject: Basic Authentication
>
> Hi all,
>
> I need to capture the WinNT account name of users to a jsp page.
>
> We have Active Directory at our company. We can have a basic login form
> (that standard pop up login form from Window).
>
> Could anyone tell me where to start and how to set it up? I have looked at
> the HowTo for Tomcat Realm on Apache website but not quite get it.
>
> Thanks very much for any help.
>
> Bao-Ha Dam Bui
> [EMAIL PROTECTED]
> St. Jude Medical, Inc
> 651.765.1018
>
Basic Authentication
Hi all,

I need to capture the WinNT account name of users to a jsp page.

We have Active Directory at our company. We can have a basic login form (that standard pop up login form from Window).

Could anyone tell me where to start and how to set it up? I have looked at the HowTo for Tomcat Realm on Apache website but not quite get it.

Thanks very much for any help.

Bao-Ha Dam Bui
[EMAIL PROTECTED]
St. Jude Medical, Inc
651.765.1018
Apache, Tomcat and authentication appear to be working correctly<%String uName = request.getRemoteUs
Apache, Tomcat and authentication appear to be working correctly

<%String uName = request.getRemoteUser();%> //returns null

Netware 6 sp3
Apache 2.0.48
Tomcat 4.1.29
mod_jk 1.2.5

more info: http://developer-forums.novell.com/group/novell.devsup.webserver.apache2/readerNoFrame.tpt/@[EMAIL PROTECTED]@[EMAIL PROTECTED]@D-,[EMAIL PROTECTED]/@[EMAIL PROTECTED]
Re: Difficulty with SSL authentication without client certificate
Tomcat doesn't currently have a clientAuth="want" option. Yes, it's on my to-do list someplace, but you could move it up a lot by submitting a patch ;-).

"Lira, Alesio" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
After all, there is a solution installing Apache and configuring certificates as optional
But there must be a Tomcat alone solution.

> -----Original Message-----
> From: Lira, Alesio
> Sent: Thursday, November 27, 2003 11:17
> To: Tomcat Users List
> Subject: RE: Difficulty with SSL authentication without client certificate
>
> The most usual case that this behavior of tomcat is a nuisance, is when you wish to accept a SSL session; but if there is no client certificate, go ahead but with some functionality excluded. In my case, I give more sensitive information if a client certificate is present. Trapping the Error 400 (bad request), doesn't give me the behavior I want.
> I don't think that an absence of client certificate is a bug. Think you of accessing in a hurry a secure site from a hotel business service because your laptop is kaput... I will not import my certificate into a machine that is used by anyone unknown. But if the secure service recognizes you (but with lesser power) because you don't give a certificate and let you go forward; that is what I want.
>
> > -----Original Message-----
> > From: Bill Barker [SMTP:[EMAIL PROTECTED]
> > Sent: Thursday, November 27, 2003 4:21
> > To: [EMAIL PROTECTED]
> > Subject: Re: Difficulty with SSL authentication without client certificate
> >
> > For what you want, I'd probably go with a Filter that stores the Principal
> > under a "well-known-name" for use by the Servlet. For Container level
> > security, it is clearly an error if the client won't provide a client-cert.
> >
> > Note: I consider that the fact that you are getting any response at all to
> > be a bug (which I plan to look into;). If the client doesn't provide a
> > cert, then the connection should be rudely terminated.
> >
> > "Lira, Alesio" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > Hello there.
> >
> > I've tried to configure a security realm for pages; that if a user
> > certificate is present it will be used, but if it doesn't exist the
> > application will resolve the situation with the user authentication level
> > already known.
> > After wrestling with the web.xml parameters and defining a user realm; I
> > have found that Tomcat ( 4.1.27 ) returns a BAD REQUEST; and control is
> > never ever given to the user realm defined. So, I turned into the source
> > code.
> >
> >
> > In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've
> > found this :
> >
RE: Authentication with JAAS / Form Autenthication/ "j_security_check"
Jose,

How about sending the user to an intermediate page after logging in to select a company?

Robert

>= Original Message From Jose Antonio Chirinos <[EMAIL PROTECTED]> =
>Thanks for your suggestions. The reason I need to do that is because I have to do an authentication module that is able to authenticate a user depending on a company. That is because a user can be in 2 or more companies and the data of the companies is different.
>Thanks in advance.
>
>Adam Hardy <[EMAIL PROTECTED]> wrote:
>Yes, but if they happen to have javascript disabled, they will get very
>confused!
>
>On 11/28/2003 11:23 AM Andoni wrote:
>> You don't have to instruct the user to do this. Just have the login form as a
>> hidden form and fill (and submit) it using JavaScript. You can get the
>> values from a login form you call whatever you like and then append whatever
>> you like to the end of each of the username and password.
>>
>> This does sound rather odd though and you should really be looking at the
>> bigger picture of your architecture to see why you have this problem in the
>> first place as it sounds like you are trying to hack a solution to me!!
>> Sorry if you're not!
>>
>> Andoni.
>>
>> - Original Message -
>> From: "Adam Hardy"
>> To: "Tomcat Users List"
>> Sent: Thursday, November 27, 2003 10:08 PM
>> Subject: Re: Authentication with JAAS / Form Autenthication/
>> "j_security_check"
>>
>>>On 11/27/2003 06:41 PM Jose Antonio Chirinos wrote:
>>>
>>>Hi, I have a web application that uses web authentication through the
>>>"j_security_check" servlet; I need to add an extra parameter different
>>>from "j_password" and "j_username"; I guess that I have to put the
>>>extra parameter in the login form and in the definition of the realm;
>>>but where do I have to include the code for the comparison of the new
>>>parameter? Thanks in advance. Jose Antonio Chirinos.
>>>
>>>Jose,
>>>Tomcat (and all servlet spec compliant app servers) won't process any
>>>further parameters other than the two you mention. When you code your
>>>realm, you code a LoginModule or equivalent which is passed these 2
>>>parameters.
>>>
>>>This means the only option you have is to instruct the user to place the
>>>extra parameter on the end of the username, perhaps after an appropriate
>>>separator character, so that you can then split your extra parameter
>>>from the user name in your realm code.
>>>
>>>HTH
>>>Adam
>>>--
>>>struts 1.1 + tomcat 5.0.14 + java 1.4.2
>>>Linux 2.4.20 RH9
>
>--
>struts 1.1 + tomcat 5.0.14 + java 1.4.2
>Linux 2.4.20 RH9
RE: Form based authentication
Hello Atreya,

Your stylesheet is returned after authentication because it is access restricted. If you make your stylesheet freely accessible it will work.

grts,
Patrick

-Original Message-
From: Atreya Basu [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2003 8:01 AM
To: Tomcat Users List
Subject: Form based authentication

Hi all,

I thought I would share some of my experiences with JDBCRealm authentication.

First what I wanted to do was see if JDBCRealm based authentication even worked. All I got was Tomcat quitting. My first problem was that my web.xml file wasn't in the right order. I went to BEA's website and used their web.xml file explanation page to get all of the spelling and order of the elements right.

But Tomcat still wasn't running. It turned out my second problem was that for some reason the MySQL JDBC driver wasn't being found, even though I had placed it in the common\lib directory. So I edited the catalina file manually and added in the jar file.

Next whenever I would authenticate I would get a stylesheet instead of my intended destination. Then one time I authenticated and accidentally hit the login page. It showed me a different styled login page. That happened because my stylesheet was kept inside the context directory; it wasn't being retrieved till I authenticated. So instead of pulling up index.html after I authenticate it pulled up the stylesheet because my browser was waiting to load that file. Solution of course was to place the stylesheet in an unsecure directory.

I hope that someone finds this useful.

Cheers,
--
Atreya Basu
Developer, Greenfield Research Inc.
e-mail: atreya (at) greenfieldresearch (dot) ca
Form based authentication
Hi all,

I thought I would share some of my experiences with JDBCRealm authentication.

First what I wanted to do was see if JDBCRealm based authentication even worked. All I got was Tomcat quitting. My first problem was that my web.xml file wasn't in the right order. I went to BEA's website and used their web.xml file explanation page to get all of the spelling and order of the elements right.

But Tomcat still wasn't running. It turned out my second problem was that for some reason the MySQL JDBC driver wasn't being found, even though I had placed it in the common\lib directory. So I edited the catalina file manually and added in the jar file.

Next whenever I would authenticate I would get a stylesheet instead of my intended destination. Then one time I authenticated and accidentally hit the login page. It showed me a different styled login page. That happened because my stylesheet was kept inside the context directory; it wasn't being retrieved till I authenticated. So instead of pulling up index.html after I authenticate it pulled up the stylesheet because my browser was waiting to load that file. Solution of course was to place the stylesheet in an unsecure directory.

I hope that someone finds this useful.

Cheers,
--
Atreya Basu
Developer, Greenfield Research Inc.
e-mail: atreya (at) greenfieldresearch (dot) ca
Re: Authentication with JAAS / Form Autenthication/ "j_security_check"
Thanks for your suggestions. The reason I need to do that is because I have to do an authentication module that is able to authenticate a user depending on a company. That is because a user can be in 2 or more companies and the data of the companies is different.

Thanks in advance.

Adam Hardy <[EMAIL PROTECTED]> wrote:

Yes, but if they happen to have javascript disabled, they will get very confused!

On 11/28/2003 11:23 AM Andoni wrote:
> You don't have to instruct the user to do this. Just have the login form as a
> hidden form and fill (and submit) it using JavaScript. You can get the
> values from a login form you call whatever you like and then append whatever
> you like to the end of each of the username and password.
>
> This does sound rather odd though and you should really be looking at the
> bigger picture of your architecture to see why you have this problem in the
> first place as it sounds like you are trying to hack a solution to me!!
> Sorry if you're not!
>
> Andoni.
>
> - Original Message -
> From: "Adam Hardy"
> To: "Tomcat Users List"
> Sent: Thursday, November 27, 2003 10:08 PM
> Subject: Re: Authentication with JAAS / Form Autenthication/
> "j_security_check"
>
>>On 11/27/2003 06:41 PM Jose Antonio Chirinos wrote:
>>
>>>Hi, I have a web application that uses web authentication through the
>>>"j_security_check" servlet; I need to add an extra parameter different
>>>from "j_password" and "j_username"; I guess that I have to put the
>>>extra parameter in the login form and in the definition of the realm;
>>>but where do I have to include the code for the comparison of the new
>>>parameter? Thanks in advance. Jose Antonio Chirinos.
>>
>>Jose,
>>Tomcat (and all servlet spec compliant app servers) won't process any
>>further parameters other than the two you mention. When you code your
>>realm, you code a LoginModule or equivalent which is passed these 2
>>parameters.
>>
>>This means the only option you have is to instruct the user to place the
>>extra parameter on the end of the username, perhaps after an appropriate
>>separator character, so that you can then split your extra parameter
>>from the user name in your realm code.
>>
>>HTH
>>Adam
>>--
>>struts 1.1 + tomcat 5.0.14 + java 1.4.2
>>Linux 2.4.20 RH9

--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
Re: Authentication with JAAS / Form Autenthication/ "j_security_check"
Yes, but if they happen to have javascript disabled, they will get very confused!

On 11/28/2003 11:23 AM Andoni wrote:
> You don't have to instruct the user to do this. Just have the login form as a
> hidden form and fill (and submit) it using JavaScript. You can get the
> values from a login form you call whatever you like and then append whatever
> you like to the end of each of the username and password.
>
> This does sound rather odd though and you should really be looking at the
> bigger picture of your architecture to see why you have this problem in the
> first place as it sounds like you are trying to hack a solution to me!!
> Sorry if you're not!
>
> Andoni.
>
> - Original Message -
> From: "Adam Hardy" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Thursday, November 27, 2003 10:08 PM
> Subject: Re: Authentication with JAAS / Form Autenthication/
> "j_security_check"
>
>> On 11/27/2003 06:41 PM Jose Antonio Chirinos wrote:
>>
>>> Hi, I have a web application that uses web authentication through the
>>> "j_security_check" servlet; I need to add an extra parameter different
>>> from "j_password" and "j_username"; I guess that I have to put the
>>> extra parameter in the login form and in the definition of the realm;
>>> but where do I have to include the code for the comparison of the new
>>> parameter? Thanks in advance. Jose Antonio Chirinos.
>>
>> Jose,
>> Tomcat (and all servlet spec compliant app servers) won't process any
>> further parameters other than the two you mention. When you code your
>> realm, you code a LoginModule or equivalent which is passed these 2
>> parameters.
>>
>> This means the only option you have is to instruct the user to place the
>> extra parameter on the end of the username, perhaps after an appropriate
>> separator character, so that you can then split your extra parameter
>> from the user name in your realm code.
>>
>> HTH
>> Adam
>> --
>> struts 1.1 + tomcat 5.0.14 + java 1.4.2
>> Linux 2.4.20 RH9

--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
Re: Authentication with JAAS / Form Autenthication/ "j_security_check"
You don't have to instruct the user to do this. Just have the login form as a hidden form and fill (and submit) it using JavaScript. You can get the values from a login form you call whatever you like and then append whatever you like to the end of each of the username and password.

This does sound rather odd though and you should really be looking at the bigger picture of your architecture to see why you have this problem in the first place as it sounds like you are trying to hack a solution to me!! Sorry if you're not!

Andoni.

- Original Message -
From: "Adam Hardy" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, November 27, 2003 10:08 PM
Subject: Re: Authentication with JAAS / Form Autenthication/ "j_security_check"

> On 11/27/2003 06:41 PM Jose Antonio Chirinos wrote:
> > Hi, I have a web application that uses web authentication through the
> > "j_security_check" servlet; I need to add an extra parameter different
> > from "j_password" and "j_username"; I guess that I have to put the
> > extra parameter in the login form and in the definition of the realm;
> > but where do I have to include the code for the comparison of the new
> > parameter? Thanks in advance. Jose Antonio Chirinos.
>
> Jose,
> Tomcat (and all servlet spec compliant app servers) won't process any
> further parameters other than the two you mention. When you code your
> realm, you code a LoginModule or equivalent which is passed these 2
> parameters.
>
> This means the only option you have is to instruct the user to place the
> extra parameter on the end of the username, perhaps after an appropriate
> separator character, so that you can then split your extra parameter
> from the user name in your realm code.
>
> HTH
> Adam
> --
> struts 1.1 + tomcat 5.0.14 + java 1.4.2
> Linux 2.4.20 RH9
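The approach Adam Hardy describes in this thread (append the extra value to the username after a separator, then split it again in the realm code), sketched as an added example that is not from any list message or from Tomcat itself. The class name `CompositeLogin`, the `#` separator, the allowed-character pattern and the sample inputs are all assumptions made for the illustration.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/** Added example: splits a composite login such as "jose#acme" into user and company. */
public final class CompositeLogin {
    // Assumed separator; choose one that can never occur in a user or company id.
    static final char SEPARATOR = '#';
    // Assumed allowlist for both parts; it excludes the separator by construction.
    private static final Pattern PART = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    final String user;
    final String company;

    private CompositeLogin(String user, String company) {
        this.user = user;
        this.company = company;
    }

    /** Returns the parsed login, or null unless the input is exactly user + SEPARATOR + company. */
    static CompositeLogin parse(String jUsername) {
        if (jUsername == null) return null;
        int first = jUsername.indexOf(SEPARATOR);
        // Require exactly one separator: "a#b#c" is ambiguous and is rejected, not guessed at.
        if (first < 0 || first != jUsername.lastIndexOf(SEPARATOR)) return null;
        String user = jUsername.substring(0, first);
        String company = jUsername.substring(first + 1);
        // Empty parts, whitespace and other unexpected characters all fail closed.
        if (!PART.matcher(user).matches() || !PART.matcher(company).matches()) return null;
        // Company ids are normalised to lower case in this sketch (assumption).
        return new CompositeLogin(user, company.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        String[] samples = {
            "jose#acme", "jose#Globex", "jose", "jose#", "#acme", "jose#acme#x", "jo se#acme"
        };
        for (String s : samples) {
            CompositeLogin l = parse(s);
            System.out.println(s + " -> " + (l == null ? "rejected" : l.user + " @ " + l.company));
        }
    }
}
```

A realm or LoginModule would call `parse` on the value it receives as the username and treat `null` as a failed login. The company part is client-supplied, so the server still has to verify that the authenticated user belongs to that company before scoping any data to it.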