Re: Programmatic login

2002-11-29 Thread Rodrigo Ruiz
I think the same thing Bill implements with a Valve could be implemented with a
Filter with an HttpRequestWrapper for setting the principal. Am I right?

- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, November 17, 2002 8:53 AM
Subject: Re: Programmatic login


 The following is a bare-bones implementation.  Posted under the standard
 Apache Licence.

 import java.io.*;
 import java.security.Principal;
 import javax.servlet.*;
 import javax.servlet.http.*;
 import org.apache.catalina.*;

 public class MyValve implements Valve {
     public MyValve() {}

     public void invoke(Request request, Response response,
                        ValveContext context)
             throws IOException, ServletException {
         // Look up the existing session only; never create one here.
         HttpSession session =
             ((HttpServletRequest) request.getRequest()).getSession(false);
         if (session != null) {
             // Principal stored by the login servlet after validation.
             Principal user =
                 (Principal) session.getAttribute("my.login.principal");
             if (user != null) {
                 ((HttpRequest) request).setUserPrincipal(user);
             }
         }
         context.invokeNext(request, response);
     }
 }


 Zsolt Koppany [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 Hi,

 it sounds very interesting. Could you provide some implementation details
 (source code)?

 Zsolt

 On Saturday 16 November 2002 08:26, Bill Barker wrote:
  setUserPrincipal





 --
 To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
 For additional commands, e-mail:
mailto:[EMAIL PROTECTED]








Re: Programmatic login

2002-11-19 Thread Martin Jacobson
Juergen Weber wrote:

Hello,

we have a portal. Now the marketing people want that
on the portal page be a form with user and password
field. After submitting the user should be logged in.

First this looked like a very easy to do feature.

We use container managed security to protect some
pages.

So submitting the above mentioned form should simply
authenticate the user with the container.

As simple as that seems, I cannot find any way to do
this via the servlet API.

Two posts by Craig R. McClanahan

(http://archives.apache.org/eyebrowse/ReadMsg?[EMAIL PROTECTED]msgId=297658
and 
http://archives.apache.org/eyebrowse/ReadMsg?[EMAIL PROTECTED]msgId=297211)

suggest, that this is in fact not possible.

If that is indeed the case, this is a big deficiency
of the servlet specification.

Or is there another solution? 


I haven't tried this, but the following might work, and is probably 
portable...

You need to have two portal home pages, one with the login form on, 
/portal/login, and one without, /portal/home.
Make /portal/home the default page.
Put a security constraint on /portal/home so that users who aren't 
logged in are automatically forwarded to /portal/login. If they log 
in, they are authenticated, and go to /portal/home.
I don't know what happens if there are other links in /portal/login, 
but as long as they don't go to other protected pages, it ought to work.





Re: Programmatic login

2002-11-18 Thread Christoph Kulla
Hi Juergen,

another approach is to put your welcome file under a security constraint. 
Your app will then start with the login page.

Regards

Christoph

Juergen Weber wrote:
Hi,

thanks to all who answered to my question.

The valve solution looks good, but as we develop with
tomcat and run on weblogic we cannot use nonportable
solutions.

So, if marketing insists on their idea we have to dump
container managed security. Probably we will use a
struts based security.

Thanks,
Juergen












Re: Programmatic login

2002-11-16 Thread Zsolt Koppany
Hi,

it sounds very interesting. Could you provide some implementation details 
(source code)?

Zsolt

On Saturday 16 November 2002 08:26, Bill Barker wrote:
 setUserPrincipal






Re: Programmatic login

2002-11-16 Thread Bill Barker
The following is a bare-bones implementation.  Posted under the standard
Apache Licence.

import java.io.*;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.catalina.*;

public class MyValve implements Valve {
    public MyValve() {}

    public void invoke(Request request, Response response,
                       ValveContext context)
            throws IOException, ServletException {
        // Look up the existing session only; never create one here.
        HttpSession session =
            ((HttpServletRequest) request.getRequest()).getSession(false);
        if (session != null) {
            // Principal stored by the login servlet after validation.
            Principal user =
                (Principal) session.getAttribute("my.login.principal");
            if (user != null) {
                ((HttpRequest) request).setUserPrincipal(user);
            }
        }
        context.invokeNext(request, response);
    }
}


Zsolt Koppany [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Hi,

it sounds very interesting. Could you provide some implementation details
(source code)?

Zsolt

On Saturday 16 November 2002 08:26, Bill Barker wrote:
 setUserPrincipal









RE: Programmatic login

2002-11-15 Thread Jim Krygowski
Hi Jurgen-

It is possible to subclass FormAuthenticator so that it short-circuits the
typical servlet login process.  What you need to do is define a standard
login url in your applications (I chose /security) and parameterize the url
with information like j_username, j_password, j_redirect_url.  This
information is then used to authenticate with the realm and forward on to
the desired resource.  It's pretty straightforward and I think you can find
a good example of it if you cull through the archives for this mailing list.

HTH,

jk

 -Original Message-
 From: Juergen Weber [mailto:weberjn;yahoo.com]
 Sent: Friday, November 15, 2002 8:42 AM
 To: [EMAIL PROTECTED]
 Subject: Programmatic login


 Hello,

 we have a portal. Now the marketing people want that
 on the portal page be a form with user and password
 field. After submitting the user should be logged in.

 First this looked like a very easy to do feature.

 We use container managed security to protect some
 pages.

 So submitting the above mentioned form should simply
 authenticate the user with the container.

 As simple as that seems, I cannot find any way to do
 this via the servlet API.

 Two posts by Craig R. McClanahan

 (http://archives.apache.org/eyebrowse/ReadMsg?listName=tomcat-user@jakarta.apache.org&msgId=297658
 and
 http://archives.apache.org/eyebrowse/ReadMsg?listName=tomcat-user@jakarta.apache.org&msgId=297211)

suggest, that this is in fact not possible.

If that is indeed the case, this is a big deficiency
of the servlet specification.

Or is there another solution?

Thank you,
Juergen





--
To unsubscribe, e-mail:   mailto:tomcat-user-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org




RE: Programmatic login

2002-11-15 Thread Ralph Einfeldt
The only solution that I see is to use your
own security.

One solution: use a Filter that is mapped to 
every request. Check if username and password 
are present, validate them and place a user
object in the session. Wherever you want to
have different content for an authenticated user 
you can query for that object to show the 
content.

As we have implemented something like that, 
quite before something like realms came to 
the world, I haven't looked at the details 
of realms. So I'm not sure how much of the 
Realms you can reuse to implement this.

Ralph Einfeldt
Uptime Internet Solution Center GmbH
Hamburg, Germany
Hosting, Content Management, Java Consulting
http://www.uptime-isc.de 

 -Original Message-
 From: Juergen Weber [mailto:weberjn;yahoo.com]
 Sent: Friday, November 15, 2002 2:42 PM
 To: [EMAIL PROTECTED]
 Subject: Programmatic login
 
 
 we have a portal. Now the marketing people want that
 on the portal page be a form with user and password
 field. After submitting the user should be logged in.
 
 First this looked like a very easy to do feature.
 





Re: Programmatic login

2002-11-15 Thread Bill Barker
I've had similar demands :).  Since under this case, the validating servlet
must be outside of any security-constraints, if the user is successfully
validated it stores the Principal as a well-known attribute in the
Session.  You then write a simple (Context-level) Valve that queries the
session for this value, and if non-null, calls the setUserPrincipal on the
HttpRequest with this value.

Of course, this makes your system dependent on Tomcat, and can't be easily
ported to any other servlet-container.

Juergen Weber [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hello,

 we have a portal. Now the marketing people want that
 on the portal page be a form with user and password
 field. After submitting the user should be logged in.

 First this looked like a very easy to do feature.

 We use container managed security to protect some
 pages.

 So submitting the above mentioned form should simply
 authenticate the user with the container.

 As simple as that seems, I cannot find any way to do
 this via the servlet API.

 Two posts by Craig R. McClanahan


(http://archives.apache.org/eyebrowse/ReadMsg?[EMAIL PROTECTED]
pache.orgmsgId=297658
 and

http://archives.apache.org/eyebrowse/ReadMsg?[EMAIL PROTECTED]
ache.orgmsgId=297211)

 suggest, that this is in fact not possible.

 If that is indeed the case, this is a big deficiency
 of the servlet specification.

 Or is there another solution?

 Thank you,
 Juergen











RE: Programmatic login with Tomcat 4.0.1

2002-01-04 Thread Ing. Gabriel Gajdos

If you use BASIC authentication, user/password are contained in the Authorization 
HTTP 1.1 Header (in Base64 encoded form).
Never tried, but should work when supplying correct data into your HTTP request 
(including headers).

| How do I programmatically login into TC 4.0.1?
| 
| Sincerely,
| Sergei Batiuk.


--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]




RE: Programmatic login with Tomcat 4.0.1

2002-01-04 Thread Sergei Batiuk

Well, but what about programmatic login, i. e. something like

  Context ctx = new InitialContext();
  UserManager um = ( UserManager )ctx.lookup( "java:comp/UserManager" );
  um.login( login, password );

Does Tomcat have an API similar to this? The thing is I have a login form on
my first page, where a user should login to access protected functions (they
are not displayed by default, and become available only after a user has
logged in).

-Original Message-
From: Ing. Gabriel Gajdos [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 04, 2002 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Programmatic login with Tomcat 4.0.1


If you use BASIC authentication, user/password are contained in the
Authorization HTTP 1.1 Header (in Base64 encoded form).
Never tried, but should work when supplying correct data into your HTTP
request (including headers).

| How do I programmatically login into TC 4.0.1?
|
| Sincerely,
| Sergei Batiuk.






Re: Programmatic login with Tomcat 4.0.1

2002-01-04 Thread Tom Drake

Sergei:

Do you need to programmatically log in as a 'client' (e.g.
from a different JVM)?

If so, you will need to open an HttpUrlConnection with a url
that points to an appropriate page on your tomcat server.

Apache SOAP provides a nice little Http Tunneling tool that will
help you discover the details of what you need to send to Tomcat
(over an HTTP connection). Download Apache SOAP from
xml.apache.org. You don't need to 'install' it. The following
link explains how to use this tool:
   http://xml.apache.org/soap/docs/index.html

Start the tunnel gui, point your browser at it, and 'login' to your
web site. The tunnel gui will display all request and response
data. All that's left is to write code that sends the same
data that your browser did, and that knows how to deal with
the responses coming from tomcat.

Regards,

Tom Drake


- Original Message -
From: Sergei Batiuk [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Friday, January 04, 2002 5:48 AM
Subject: RE: Programmatic login with Tomcat 4.0.1


| Well, but what about programmatic login, i. e. something like
|
|   Context ctx = new InitialContext();
|   UserManager um = ( UserManager )ctx.lookup( "java:comp/UserManager" );
|   um.login( login, password );
|
| Does Tomcat have an API similar to this? The thing is I have a login form on
| my first page, where a user should login to access protected functions (they
| are not displayed by default, and become available only after a user has
| logged in).
|
| -Original Message-
| From: Ing. Gabriel Gajdos [mailto:[EMAIL PROTECTED]]
| Sent: Friday, January 04, 2002 3:24 PM
| To: [EMAIL PROTECTED]
| Subject: RE: Programmatic login with Tomcat 4.0.1
|
|
| If you use BASIC authentication, user/password are contained in the
| Authorization HTTP 1.1 Header (in Base64 encoded form).
| Never tried, but should work when supplying correct data into your HTTP
| request (including headers).
|
| | How do I programmatically login into TC 4.0.1?
| |
| | Sincerely,
| | Sergei Batiuk.
|
|






RE: Programmatic login with Tomcat 4.0.1

2002-01-04 Thread Dennis SELLINGER

I'm not sure I understand exactly what you want to do.  Do you want to
handle a login request on the server, or send an HTTP authentication header
from a client?

If you want to handle a login request on the server consider that tomcat is
being accessed by HTTP which has a reasonably well defined technique for
handling authentication. By allowing tomcat to handle authentication, when
you access a web application, tomcat will send your browser, application or
applet a security challenge that is typically handled by a login dialog. You
can use any of the Tomcat authorization schemes
(basic/form/digest/certificate) to manage the authentication.  For BASIC and
DIGEST authentication (for example) your web browser will handle subsequent
authorization challenges transparently (since HTTP is stateless you must
authenticate with each access to a protected page).

I think rolling your own authentication scheme would likely be
unnecessarily complex and error prone, involving both authentication and
session tracking.  One would think that the various authentication schemes
(basic/etc.) and three security realms (memory, JDBC and JNDI) would be able
to handle this task in a more robust way.

If you want to pass a basic authentication header from a Java Client (or any
other client) it is relatively easy.  I have implemented a client that sent
a basic auth header in python and it is essentially just concatenating the user
name and password and base64 encoding it (make sure that your server is
expecting an authenticated request or you might not see the auth user).  I
think the O'Reilly servlet classes implement setting the basic
authentication header in their servlet package (see www.servlets.com).

hope this helps,
dennis. 
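
The Basic header format discussed in this message, as an added example that is not code from the thread: the user name and password are joined with a colon before Base64 encoding, and the decode side shows that anyone who can read the header recovers the password, so the header is only safe over TLS. The class name, the UTF-8 charset and the sample credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example: build and parse an HTTP Basic Authorization header value. */
public final class BasicAuthHeader {
    private BasicAuthHeader() {}

    /** Client side: value for the Authorization request header. */
    public static String encode(String user, String password) {
        if (user.indexOf(':') >= 0) {
            // The first ':' separates user from password, so a user name cannot contain one.
            throw new IllegalArgumentException("user name must not contain ':'");
        }
        // Assumption: UTF-8; older clients and servers may expect ISO-8859-1.
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Server side: returns {user, password}, or null if the header is absent or malformed. */
    public static String[] decode(String headerValue) {
        // The scheme name is matched case-insensitively.
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;                       // not valid Base64
        }
        int colon = decoded.indexOf(':');      // split at the FIRST colon only
        if (colon < 0) {
            return null;                       // no separator, so no credentials
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not taken from the thread.
        String header = encode("alice", "s3cret:with:colons");
        String[] parts = decode(header);
        System.out.println("Authorization: " + header);
        System.out.println("user=" + parts[0] + " password=" + parts[1]);
    }
}
```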

 

 -Original Message-
 From: Sergei Batiuk [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 04, 2002 14:48
 To: Tomcat Users List
 Subject: RE: Programmatic login with Tomcat 4.0.1
 
 
 Well, but what about programmatic login, i. e. something like
 
   Context ctx = new InitialContext();
   UserManager um = ( UserManager )ctx.lookup( "java:comp/UserManager" );
   um.login( login, password );
 
 Does Tomcat have an API similar to this? The thing is I have a login form on
 my first page, where a user should login to access protected functions (they
 are not displayed by default, and become available only after a user has
 logged in).
 
 -Original Message-
 From: Ing. Gabriel Gajdos [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 04, 2002 3:24 PM
 To: [EMAIL PROTECTED]
 Subject: RE: Programmatic login with Tomcat 4.0.1
 
 
 If you use BASIC authentication, user/password are contained in the
 Authorization HTTP 1.1 Header (in Base64 encoded form).
 Never tried, but should work when supplying correct data into your HTTP
 request (including headers).
 
 | How do I programmatically login into TC 4.0.1?
 |
 | Sincerely,
 | Sergei Batiuk.
 
 




Re: Programmatic login with Tomcat 4.0.1

2002-01-04 Thread Craig R. McClanahan



On Fri, 4 Jan 2002, Sergei Batiuk wrote:

 Date: Fri, 4 Jan 2002 14:10:03 +0200
 From: Sergei Batiuk [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Programmatic login with Tomcat 4.0.1

 Hello people,

 I need to programmatically login my session into Tomcat 4.0.1 servlet
 container. However, I could not find the API in JavaDocs that accomplishes
 this goal.

 How do I programmatically login into TC 4.0.1?


Tomcat doesn't have any direct APIs for that.

One approach (which would actually be portable to other containers as
well) would be to write a Filter which wrapped the incoming request, and
overrode the getRemoteUser(), getUserPrincipal(), and isUserInRole()
methods.  It's really the *effect* of logging in that you're after, and
this is how an application finds out.

This wouldn't work in a J2EE environment (because the fake Principal you
return wouldn't be a real one that allowed EJB access), but it should work
fine for a servlet-only environment.

 Sincerely,
 Sergei Batiuk.


Craig McClanahan
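
The portable Filter approach described in this message (wrap the request and override getRemoteUser(), getUserPrincipal() and isUserInRole()), which is also what the Filter suggestions elsewhere in the thread amount to, written out as an added example; it is not code from any poster. The class name, the roles attribute and the establishLogin helper are assumptions, and the principal attribute name reuses the one from the Valve posting.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: exposes an application-level login through the request's security methods. */
public class SessionLoginFilter implements Filter {
    // Hypothetical attribute names; the Valve in this thread used "my.login.principal".
    static final String PRINCIPAL_ATTR = "my.login.principal";
    static final String ROLES_ATTR = "my.login.roles";

    /** Call from the login servlet only after the credentials have been validated. */
    public static void establishLogin(HttpServletRequest req, Principal user, Set<String> roles) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();   // issue a fresh session id at login (session fixation)
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(PRINCIPAL_ATTR, user);
        fresh.setAttribute(ROLES_ATTR, new HashSet<String>(roles));
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false);   // never create a session here
            Object user = (session == null) ? null : session.getAttribute(PRINCIPAL_ATTR);
            // Wrap only when the container has not already authenticated the request.
            if (user instanceof Principal && http.getUserPrincipal() == null) {
                Object roles = session.getAttribute(ROLES_ATTR);
                req = new LoggedInRequest(http, (Principal) user,
                        roles instanceof Set ? (Set<?>) roles : Collections.emptySet());
            }
        }
        chain.doFilter(req, res);
    }

    /** Request view that reports the session's principal to application code. */
    static final class LoggedInRequest extends HttpServletRequestWrapper {
        private final Principal user;
        private final Set<?> roles;

        LoggedInRequest(HttpServletRequest request, Principal user, Set<?> roles) {
            super(request);
            this.user = user;
            this.roles = roles;
        }
        @Override public Principal getUserPrincipal() { return user; }
        @Override public String getRemoteUser() { return user.getName(); }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Because the container evaluates security-constraint rules before the filter chain runs, this wrapper changes only what application code sees; URLs protected by container-managed constraints still require a container login.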






Re: Programmatic login with Tomcat 4.0.1

2002-01-04 Thread Pae Choi

Maybe some folks might think that TC is a magical, all-in-one
package for web services related solution, not just Servlet/JSP
container. :-)


Pae





 On Fri, 4 Jan 2002, Sergei Batiuk wrote:

  Date: Fri, 4 Jan 2002 14:10:03 +0200
  From: Sergei Batiuk [EMAIL PROTECTED]
  Reply-To: Tomcat Users List [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: Programmatic login with Tomcat 4.0.1
 
  Hello people,
 
  I need to programmatically login my session into Tomcat 4.0.1 servlet
  container. However, I could not find the API in JavaDocs that accomplishes
  this goal.
 
  How do I programmatically login into TC 4.0.1?
 

 Tomcat doesn't have any direct APIs for that.

 One approach (which would actually be portable to other containers as
 well) would be to write a Filter which wrapped the incoming request, and
 overrode the getRemoteUser(), getUserPrincipal(), and isUserInRole()
 methods.  It's really the *effect* of logging in that you're after, and
 this is how an application finds out.

 This wouldn't work in a J2EE environment (because the fake Principal you
 return wouldn't be a real one that allowed EJB access), but it should work
 fine for a servlet-only environment.

  Sincerely,
  Sergei Batiuk.
 

 Craig McClanahan

