Re: Programatic JAAS login in Tomcat 6.0.26!
On 20/01/2011 10:02, neo21 zerro wrote:
> Hello, I'm using Tomcat 6.0.26 and the Java 1.5 SDK and I'm trying to implement a programmatic login in Tomcat. I'm using JAAS for the container-based security. Is there anyone that has done this before?
> I've tried to bypass it by making a POST with the username and the password in this request
> http://localhost:8080/acm/flex/j_security_check?username=test&password=test
> but it seems that Tomcat caches this request and then expects another request. I don't know what else to do.

Read up on FORM auth in the Servlet spec. There is a specific sequence of events that looks roughly like (for a successful auth):

1. Browser sends original request
2. Server saves request, creates session and responds with login page
3. Browser sends login details to server
4. Server validates login details
5. Server restores saved request and processes it
6. Server sends response to original request to browser.

Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Programatic JAAS login in Tomcat 6.0.26!
On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas ma...@apache.org wrote:
> Read up on FORM auth in the Servlet spec. There is a specific sequence of events that looks roughly like (for a successful auth):
> 1. Browser sends original request
> 2. Server saves request, creates session and responds with login page
> 3. Browser sends login details to server
> 4. Server validates login details
> 5. Server restores saved request and processes it
> 6. Server sends response to original request to browser.

Hi Mark,

That explains a problem some people complain about: when you invalidate the session in the second step, the server is not able to restore the previous request and leaves the user with the same login form at the URL /j_security_check. The real problem is that now a cryptic error appears: HTTP Status 400 - Invalid direct reference to form login page.

It's enough for the user to open the login form page, wait until the session is invalidated due to the inactivity timeout, then try to log in.

One solution is to use an HttpSession.isNew() check on the login JSP page and perform a redirect, e.g. to the main page.

-- 
Mikolaj Rydzewski m...@ceti.pl
Re: Programatic JAAS login in Tomcat 6.0.26!
Hi Mikolaj and Mark,

Thanks for the reply. The problem is that I read the specifications and I still don't know how to push the login details and the request for the main page in one call.

The fact is that I need to open a browser from a Swing app with the main page for my other application (that uses JAAS) programmatically. So the real problem is how do I push the request from the Swing app to open a browser with an authenticated user and the main page from my other app. Because, as I already said, I cannot push to the application that uses JAAS my login credentials and the request to my main app. So I push the credentials as I already said, but I get "HTTP Status 400 - Invalid direct reference to form login page" because I have no initial request with my main page, so that Tomcat can restore it.

I cannot use JSP; my login page is a simple HTML page.

Thanks a lot for your time!

On Thu, January 20, 2011 5:53:04 PM, Mikolaj Rydzewski m...@ceti.pl wrote:
> One solution is to use an HttpSession.isNew() check on the login JSP page and perform a redirect, e.g. to the main page.
Re: Programatic JAAS login in Tomcat 6.0.26!
On 20/01/2011 17:25, neo21 zerro wrote:
> Hi Mikolaj and Mark,
> Thanks for the reply. The problem is that I read the specifications and I still don't know how to push the login details and the request for the main page in one call.

In Tomcat 6.0.x you can't.

In Tomcat 7, the landing page attribute of the form authenticator may help.

Alternatively, don't use FORM authentication. Seems like BASIC auth is more appropriate.

Mark

> The fact is that I need to open a browser from a Swing app with the main page for my other application (that uses JAAS) programmatically. So the real problem is how do I push the request from the Swing app to open a browser with an authenticated user and the main page from my other app. Because, as I already said, I cannot push to the application that uses JAAS my login credentials and the request to my main app. So I push the credentials as I already said, but I get "HTTP Status 400 - Invalid direct reference to form login page" because I have no initial request with my main page, so that Tomcat can restore it.
> I cannot use JSP; my login page is a simple HTML page.
> Thanks a lot for your time!
Re: Programatic JAAS login in Tomcat 6.0.26!
How do I set it? Is it a configuration in my deployment descriptor or in the server.xml file? In Tomcat 7 ..

Thanks!
Re: Programatic JAAS login in Tomcat 6.0.26!
On 1/20/11 5:41 PM, neo21 zerro wrote:
> How do I set it? Is it a configuration in my deployment descriptor or in the server.xml file? In Tomcat 7 ..

If you're using Tomcat 7.0, just login programmatically using the HttpServletRequest.login(user, pass) method.
Re: Programatic JAAS login in Tomcat 6.0.26!
Mark,

On 1/20/2011 12:28 PM, Mark Thomas wrote:
> On 20/01/2011 17:25, neo21 zerro wrote:
>> Hi Mikolaj and Mark,
>> Thanks for the reply. The problem is that I read the specifications and I still don't know how to push the login details and the request for the main page in one call.
> In Tomcat 6.0.x you can't.

The OP should be able to do the following, since he's got complete control over the client:

1. Issue a request to http://host/some/protected/resource
2. Capture the JSESSIONID cookie that comes back with the request
3. Use the existing j_security_check URL plus ;jsessionid= shoved into it with the JSESSIONID from step #2 to open the browser window

-chris
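The exchange the thread describes, as an added example that is not part of the thread and is not Tomcat's code: a small Python model of the FORM authenticator's saved-request state machine (Mark's six steps), the expired-session 400 that Mikolaj describes together with his isNew-style redirect on the login page, and the three-step client hand-off Chris outlines. The paths under /acm/, the credential store and the Session/Response classes are constructed for the example; the real authenticator serves the login page by forward and restores the method and body of the saved request, and Tomcat's cookie handling for URL-rewritten sessions is not modelled beyond the ;jsessionid= rewrite of the redirect.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample realm and paths, standing in for the OP's JAAS realm and webapp.
USERS = {"test": "test"}
PROTECTED = "/acm/protected/"
MAIN = "/acm/protected/main.html"
LOGIN_PAGE = "/acm/login.html"
CHECK = "/acm/j_security_check"


@dataclass
class Session:
    id: str
    saved_request: Optional[str] = None   # URL parked at step 2
    principal: Optional[str] = None       # set at step 4


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None        # Location header of a 302
    cookie: Optional[str] = None          # JSESSIONID set by this response


class FormAuthServer:
    """Toy stand-in for Tomcat's FormAuthenticator (not Tomcat code)."""

    def __init__(self):
        self.sessions = {}

    def expire(self, sid):
        """Simulate the session timing out from inactivity."""
        self.sessions.pop(sid, None)

    def handle(self, url, params=None, cookie=None):
        params = params or {}
        # URL rewriting: ';jsessionid=...' in the path names the session as a cookie would.
        from_url = ";jsessionid=" in url
        path, sid = url.split(";jsessionid=", 1) if from_url else (url, cookie)
        sess = self.sessions.get(sid) if sid else None
        if path == CHECK:
            return self._j_security_check(sess, params, from_url)
        if path == LOGIN_PAGE:
            # Mikolaj's fix: a form shown without a live session can only post
            # into a 400, so redirect instead of rendering it.
            if sess is None or sess.saved_request is None:
                return Response(302, location=MAIN)
            return Response(200, body="login form")
        if path.startswith(PROTECTED):
            if sess and sess.principal:                               # step 6
                return Response(200, body=f"{sess.principal} sees {path}")
            sess = Session(secrets.token_hex(8), saved_request=path)  # step 2
            self.sessions[sess.id] = sess
            return Response(200, body="login form", cookie=sess.id)
        return Response(404)

    def _j_security_check(self, sess, params, from_url):
        # Steps 4-5. No parked request means nothing to restore: the 400 the OP hit.
        if sess is None or sess.saved_request is None:
            return Response(400, body="Invalid direct reference to form login page")
        if USERS.get(params.get("j_username")) != params.get("j_password"):
            return Response(403, body="login error page")
        sess.principal = params["j_username"]
        target, sess.saved_request = sess.saved_request, None
        # Tomcat redirects to the saved URI; encodeRedirectURL appends
        # ;jsessionid= when the id did not arrive in a cookie.
        if from_url:
            target += f";jsessionid={sess.id}"
        return Response(302, location=target)


def browser(server, url, params=None, cookie=None):
    """Fetch like a browser: follow one redirect, keeping any cookie that was set."""
    r = server.handle(url, params, cookie)
    if r.status == 302:
        r = server.handle(r.location, None, r.cookie or cookie)
    return r


def normal_flow(server):
    """Mark's six steps, driven by one client that keeps the cookie."""
    first = server.handle(MAIN)                                   # steps 1-2
    creds = {"j_username": "test", "j_password": "test"}
    return browser(server, CHECK, creds, cookie=first.cookie)     # steps 3-6


def swing_handoff(server, user, password):
    """Chris's three steps: the Swing app primes the session, then hands the
    browser a j_security_check URL that carries ;jsessionid=."""
    primed = server.handle(MAIN)                     # 1: hit a protected URL
    sid = primed.cookie                              # 2: capture JSESSIONID
    url = f"{CHECK};jsessionid={sid}"                # 3: what the browser opens
    creds = {"j_username": user, "j_password": password}
    return browser(server, url, creds)               # browser holds no cookie
```

Two things to weigh before shipping the hand-off. Step 3 puts the session id in the URL, and if the browser fetches that URL as a GET the credentials sit in the query string as well, so both end up in browser history, proxy and access logs, and any Referer the landing page sends; the session is also minted before anyone has authenticated and then handed to a second client by URL, which is the same mechanism session fixation abuses. Use it only over HTTPS with a short session timeout, and on Tomcat 7 prefer HttpServletRequest.login() as the earlier reply suggests, since that needs no saved request at all.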