j_security_check
Hi,

How do I configure j_security_check in TOMCAT? I am getting error 404, which states that the resource /control_center/j_security_check is not available. Basically it is to do with enforcing security in TOMCAT.

Thanks,
Vikas Nagpal.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
j_security_check
Hello all,

I'm having problems with j_security_check because when I try to log in at my login.jsp it doesn't work and I don't know why.

Here is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
action org.apache.struts.action.ActionServlet application TourismResources config /WEB-INF/struts-config.xml debug 3 detail 3 0
dbInit com.wrox.tourism.db.util.DBInitServlet driverClass org.gjt.mm.mysql.Driver jdbcURL jdbc:mysql://localhost:3306/tourism_db minCount 1 maxCount 10 1
action *.do
index.jsp
/bean /WEB-INF/struts-bean.tld
/form /WEB-INF/struts-form.tld
/logic /WEB-INF/struts-logic.tld
/template /WEB-INF/struts-template.tld
/html /WEB-INF/struts-html.tld
Edit attraction /editAttraction.do
Update attraction /updateAttraction.do
Deregister attraction /deregisterAttraction.do
List events /listEvents.do
Add event /editEvent.jsp
Edit event /editEvent.do
Update event /updateEvent.do
Delete event /deleteEvent.do
attraction FORM /login.jsp /login.jsp

My login.jsp:

User ID: Password:

Why doesn't it work? Any idea?

Thanks so much
j_security_check
Hi,

I have the following code in a scheduler class, which is trying to invoke a servlet:

// Uses Jakarta Commons HttpClient 3.x: org.apache.commons.httpclient.HttpClient,
// org.apache.commons.httpclient.methods.GetMethod and ...methods.PostMethod
String url = "https://localhost:8444/servlet/TestServlet";

// Get HTTP client instance
HttpClient httpClient = new HttpClient();
// Create HTTP GET method and execute it
GetMethod getMethod = null;
PostMethod postMethod = null;
int int_result = 0;
getMethod = new GetMethod( url );
getMethod.setFollowRedirects(true);
int_result = httpClient.executeMethod( getMethod );
String contents = getMethod.getResponseBodyAsString();
getMethod.releaseConnection();

// Post the credentials to the container's form login action
postMethod = new PostMethod( "https://localhost:8444/j_security_check" );
postMethod.addParameter( "j_username", "test" );
postMethod.addParameter( "j_password", "test" );
int_result = httpClient.executeMethod( postMethod );
contents = postMethod.getResponseBodyAsString();
postMethod.releaseConnection();

// Now call the servlet again, this time with a parameter
postMethod = new PostMethod( url );
postMethod.addParameter( "Password", "foo" );
int_result = httpClient.executeMethod( postMethod );

--> At this point, when the test servlet is called, the parameter Password is null.
getParameter always returns null.
getMethod returns GET when it should be POST.
It seems that the POST is behaving like a GET.

This code works just fine on Tomcat 5.0. After upgrading to 6.0, I am seeing this bizarre behaviour.

Any thoughts?
j_security_check
Hello everybody,

a JAAS login module - the first one I've actually written - authenticates a user by connecting to an IMAP server, and if the connection is established, the credentials are considered valid and the user is authenticated. (I've written about that in another mail last week, I think.) As yet everything is done by means of the j_security_check. But now two problems arise.

The credentials are needed in several servlets, as the web app will be a mail application. According to the servlet specs (12.3 Programmatic Security), programmatic security consists of
- getRemoteUser
- isUserInRole
- getUserPrincipal

After using getUserPrincipal the application has to call doAs() (JAAS Authorization) and go through the same code as the login module to retrieve the subject which stores the username and password (lc.getSubject(); subject.getPrivateCredentials()). Choosing this way means 2 logins in every servlet. 1st login: to authenticate in order to call doAs(); 2nd login: to process the application code, like fetching messages, creating folders, etc.

Is there any way, by means of Tomcat, to get the credentials that are delivered to j_security_check (initial login), in order to store them in the Session object? So I could omit the extra server login for doAs() to retrieve the credentials that way. Or do I need to write an extra servlet to do that? I would then bypass j_security_check.

The second problem is simple compared to the above: where is the correct place for application-defined configuration, and how do I access configuration values from within a servlet?

Best Regards,
Oliver Block
j_security_check
I would like Tomcat to automatically redirect to a special session expiry notification page when a user session times out. I am currently using the meta tag to force redirection as follows:

However, I also have an unload JavaScript directive in some of my pages to prompt users when they navigate away from these pages. The JavaScript code looks like this:

// assign the handler itself; "confirmUnload()" would call it immediately
// and assign its return string instead of the function
window.onbeforeunload = confirmUnload;
function confirmUnload() {
    return "Navigate away?";
}

I am not sure I understand exactly why, but it seems to me that, although the sessionTimeout.jsp page is not protected, if the user responds to the "Navigate away" prompt after Tomcat removes the session from the session list, then Tomcat presents the login form instead of the session expiry notification page. Once the user submits the login form, Tomcat reports an HTTP Status 400 - Invalid direct reference to form login page. I am not sure exactly what happens behind the scenes and would like to get some advice to better troubleshoot or fix this kind of issue.

I would also like to know why ${pageContext.session.maxInactiveInterval} evaluates to 900 even if I set the session-timeout variable to 1 minute in the application web.xml configuration file (and even in the Tomcat conf/web.xml file). I find it odd that, looking at the manager application main page, the sessions listed on that page show "Expire sessions with idle >= 1 minutes", but yet the TTL in the application session page starts at 15 minutes and the session only expires after 15 minutes.

I am using Tomcat 6.0.18.

Martin
j_security_check
Hello,

when I map my application with a different context path, I cannot use the j_security_check resource. I have put a security constraint in my web.xml, which works perfectly when I am not using the context. However, any time I refer to the application through its context mapping name, I get a 404 response for j_security_check. Is there something I am supposed to add to the context definition?

Here is my context definition:

Thanks for your help.

Best Regards,
Khawaja Shams
j_security_check
I have tried all I can to set up NetBeans/Tomcat to use Postgres for my user auth via j_security_check by talking with my Postgres DB. Can anyone review the following files and let me know if I have done anything wrong? I verified I can connect via a JSP and return a result, but I can't get the auth to work.

Here is what I used that works to talk to the DB:

<%@ page import="java.sql.*" %>
<%
    // plain JDBC query against the same users table the realm should use
    Class.forName("org.postgresql.Driver");
    String url = "jdbc:postgresql://localhost:5432/landt";
    Connection con = DriverManager.getConnection(url, "postgres", "postgres");
    Statement stmt = con.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE, ResultSet.CONCUR_READ_ONLY);
    ResultSet srs = stmt.executeQuery("SELECT username FROM users");
    while (srs.next()) {
        String name = srs.getString("username");
        out.println(name);
    }
%>

Web.xml
---
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
30
index.jsp
TenantConstraint tenant Tenant /secureTenant/* GET POST HEAD PUT OPTIONS TRACE DELETE tenant
LandlordConstraint landlord Landlord /secureLandlord/* GET POST HEAD PUT OPTIONS TRACE DELETE landlord
FORM /login.jsp /error.html
For Tenants tenant
For Landlords landlord
j_security_check
Greetings,

Does anybody here know a post or a link to something that might help me understand exactly how j_security_check works? Where is the j_security_check servlet? The source code etc., conf files, or a full breakdown, step by step, of what it's doing and where?

gracias
j_security_check error
Hi all,

I need help with a problem that I can't fix. I am using Apache TomEE 8, but I know that Apache TomEE rests on Apache Tomcat, in this case version 9.

My problem is when some user exits from the application; this forwards to the login page doing this:

HttpSession session = request.getSession();
session.invalidate();
request.getRequestDispatcher("/login.jsp").forward(request, response);

Then if the same user tries to log in, this launches something like this:

http://localhost:8080/appweb/privado/j_security_check

Asking in other forums, I read that "when you use JEE-standard Container security, the user should not explicitly request the login/loginfail pages. It won't work right." However, I have another application running on Payara and that works, so I start to think that maybe something is misconfigured...

Does someone have some idea about this problem?

Regards
Fernando
j_security_check error
Hi,

I have a single sign-on page. After clicking on the single sign-on button I am getting the "/control/j_security_check resource not available" error. Can anyone help me in resolving this error?

Thanks,
With regards,
Vikas Nagpal.
Re: j_security_check
Assuming Tomcat 5.5, have you read http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html ?

--David

VIKASS NAGPAL wrote:
> Hi
>
> How to configure j_security_check in TOMCAT.
> I am getting error 404 which states that the resource
> /control_center/j_security_check not available.
> Basically it is to do with enforcing security in
> TOMCAT.
>
> Thanks,
> Vikas Nagpal.
Re: j_security_check
Carlos,

Carlos Morales wrote:
| I'm having problems with j_security_check because when I try to log
| in my login.jsp it doesn't work and I don't know why.

Care to elaborate?

-chris
Re: j_security_check
I have my login and password to access my web site, which I try to go to after authenticating my login and password in a form called login.jsp where I use the j_security_check. Well, when I press logon, it doesn't work. It stays on the same page, login.jsp, but I am using my password and login correctly, and I don't know why, when I try to log on, it doesn't work and doesn't go to the next page which I try to access.

Thanks

----- Original Message -----
From: Christopher Schultz <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Wednesday, 6 August 2008 19:19:11
Subject: Re: j_security_check

Carlos,

Carlos Morales wrote:
| I'm having problems with j_security_check because when I try to log
| in my login.jsp it doesn't work and I don't know why.

Care to elaborate?

-chris
Re: j_security_check
In my conf folder inside of my Tomcat directory, in my server.xml, I have this:

----- Original Message -----
From: Carlos Morales <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Wednesday, 6 August 2008 19:52:36
Subject: Re: j_security_check

I have my login and password to access onto my web which I try to go after authenticate my login and password in a form called login.jsp where I use the j_security_check, well when I press logon, it doesn't work. It stays in the same page login.jsp but I use my password and login well and I don't know why when I try to log on, it doesn't work and it doesn't go to the next page which I try to access.

Thanks

[...]
Re: j_security_check
I suggest you start with a working example and modify it once you have it working.

You might also provide the following information if you expect help. In general, though, I think you should have a read of the following: http://www.catb.org/~esr/faqs/smart-questions.html

What realm do you have configured?
What version of Tomcat?
What does your META-INF/context.xml look like?
Is it your submit button that is not working?
What does your login.jsp page look like?
What does the security section of your web.xml file look like?

Good luck,
Fu-Tung

--- On Wed, 8/6/08, Carlos Morales <[EMAIL PROTECTED]> wrote:
> From: Carlos Morales <[EMAIL PROTECTED]>
> Subject: Re: j_security_check
> To: "Tomcat Users List"
> Date: Wednesday, August 6, 2008, 5:52 PM
> I have my login and password to access onto my web which I
> try to go after authenticate my login and password in a form
> called login.jsp where I use the j_security_check, well when
> I press logon, it doesn't work. It stays in the same
> page login.jsp but I use my password and login well and I
> don't know why when I try to log on, it doesn't work
> and it doesn't go to the next page which I try to
> access.
> Thanks
>
> [...]
https & j_security_check
Hi,

I have an issue with both https and j_security_check... I've an application that works fine with only authentication (j_security_check), but when I try to access it with https, the application redirects the browser to the form-login page that is set in the web.xml file. The curious thing is that when the password is wrong, the redirection is to the form-error page defined in the web.xml file.

So, I was hoping you could give me some sort of advice, or where I could start looking, to know why it behaves like that.

Thanks for reading.

Sincerely,
Julio César Chaves
Re: j_security_check
Ashok Venkat wrote:
> Hi,
> I have the following code in a scheduler class, which is trying to invoke a servlet
>
> String url = "https://localhost:8444/servlet/TestServlet";
> [...]
> getMethod = new GetMethod( url );
> getMethod.setFollowRedirects(true);
> int_result = httpClient.executeMethod( getMethod );
> [...]
> postMethod = new PostMethod( "https://localhost:8444/j_security_check" );
> postMethod.addParameter( "j_username", "test" );
> postMethod.addParameter( "j_password", "test" );
> int_result = httpClient.executeMethod( postMethod );
> [...]
> postMethod = new PostMethod( url );
> postMethod.addParameter( "Password", "foo" );
> int_result = httpClient.executeMethod( postMethod );
>
> --> At this point when the test servlet is called, the parameter password is null.
> getParameter always returns null
> getMethod returns GET when it should be post
> It seems that the POST is behaving like a GET.

Why shouldn't it return null?

My reading (pre-morning coffee, admittedly) of this code would do the following (in shorthand):

1. GET TestServlet -> 401 AUTH REQD
   TestServlet does *not* execute, instead return a login request

2. POST j_security_check -> 200 OK
   Login succeeds, forward to originally requested resource
   TestServlet *does* execute, with original params (none) & GET method

3. POST TestServlet (Password=foo)
   TestServlet *does* execute, with params (Password=foo) & POST method

So, look further down in your logs, for the 2nd execution of TestServlet.

regards,
Pid

> This code works just fine on tomcat 5.0. After upgrading to 6.0, i am seeing this bizarre behaviour
>
> Any thoughts?
RE: j_security_check
Tough to say without seeing the source...

Can we see the code for GetMethod.java?
Can we see the code for PostMethod.java?

Martin

> Date: Sat, 2 Feb 2008 19:38:29 -0800
> From: [EMAIL PROTECTED]
> Subject: j_security_check
> To: users@tomcat.apache.org
>
> Hi,
> I have the following code in a scheduler class, which is trying to invoke a servlet
>
> String url = "https://localhost:8444/servlet/TestServlet";
> [...]
> --> At this point when the test servlet is called, the parameter password is null.
> getParameter always returns null
> getMethod returns GET when it should be post
> It seems that the POST is behaving like a GET.
>
> This code works just fine on tomcat 5.0. After upgrading to 6.0, i am seeing this bizarre behaviour
>
> Any thoughts?
Re: j_security_check
You do

1) GET call
> int_result = httpClient.executeMethod( getMethod );
The server caches your request and returns an HTML page that contains the login form.

2) POST call
> postMethod = new PostMethod( "https://localhost:8444/j_security_check" );
> int_result = httpClient.executeMethod( postMethod );
You imitate posting the login form. If the credentials are OK, Tomcat answers with a redirect to the originally requested address (1).

response.sendRedirect(response.encodeRedirectURL(requestURI));

3) When the next request comes, its URL is compared against the one that was requested the first time. If there is a match, the _original_ request is restored and processed, but the current one is ignored.

Thus your second POST is ignored and a cached copy of the first GET is used instead.

You may want to look in the sources of org.apache.catalina.authenticator.FormAuthenticator, which does the trick.

It is by design. I do not know what was wrong with 5.0 that your code was working there.

You should change your code so that all the information is included with the first call to TestServlet.

And the second call to the TestServlet can be changed to be a simple GET, with no parameters. Or maybe you can throw it away altogether, if you set "postMethod.setFollowRedirects(true);" on your post to j_security_check.
Re: j_security_check
Thanks for the detailed explanation. As you mentioned, it seems that the second request is being ignored, but I am not clear how come the original request is matching the second request? The original is GET and the second one is POST? Does Tomcat compare just the URL strings?

----- Original Message -----
From: Konstantin Kolinko <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Sunday, February 3, 2008 9:39:41 AM
Subject: Re: j_security_check

> 3) When the next request comes, its url is compared against the one
> that was requested at the first time. If there is a match, the
> _original_ request is restored and processed, but the current one is
> ignored.
>
> Thus your second POST is ignored and a cached copy of the first GET is
> used instead.
>
> [...]
Re: j_security_check
You may look into FormAuthenticator.java of package org.apache.catalina.authenticator and see it with your own eyes.

2008/2/3, Ashok Venkat <[EMAIL PROTECTED]>:
> Thanks for the detailed explanation, as you mentioned it seems that the
> second request is being ignored ,but i am not clear how come the original
> request is matching with the second request? The original is GET and the
> second one is POST? does tomcat compare just the URL strings?
Re: j_security_check
The second POST should still occur, but it should occur after the initial GET is recovered after authentication.

Your confusion is that you are seeing the 1st GET, when you expect (incorrectly) the POST.

When you make the first request, you are not authenticated, which causes the 401 & the requirement for auth. However, when you *do* successfully complete auth, you are then directed to the result of the initial request - which is a GET, with no params.

As Konstantin also explained, your first request could be the POST, complete with params, as that is where you will end up, after auth.

p

Ashok Venkat wrote:
> Thanks for the detailed explanation, as you mentioned it seems that the
> second request is being ignored ,but i am not clear how come the original
> request is matching with the second request? The original is GET and the
> second one is POST? does tomcat compare just the URL strings?
>
> [...]
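The save-and-restore behaviour Konstantin and Pid describe, as an added toy model written for this thread (it is not Tomcat code and not from any post here): an unauthenticated request to a protected URI is saved in the session and the login form is served; after a successful POST to j_security_check the client is redirected to the saved URI, and the first request that matches it is replaced by the saved one, so Ashok's parameterised POST is dropped in favour of the cached GET. The same model returns Martin's "Invalid direct reference to form login page" 400 when nothing is saved in the session, and a 404 when the context has no FORM login-config, which is an assumption about one cause of the 404 reports above. FormAuthContainer, Request, Response, Session, the user store and the credentials are all constructed for the example.

```python
# Toy model of Tomcat's FormAuthenticator request save/restore. HTTP is reduced to
# (method, uri, params); statuses follow the forward/redirect pattern the thread
# describes. Not Tomcat's code; names and values are constructed for this example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    uri: str
    params: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None  # only set on a 302 redirect

@dataclass
class Session:
    user: Optional[str] = None
    saved: Optional[Request] = None  # the request that triggered the login form


class FormAuthContainer:
    """One web application; servlet_seen records what the protected servlet got."""

    def __init__(self, users, protected_prefix="/servlet/", form_auth=True):
        self.users = users                    # constructed user store {name: password}
        self.protected_prefix = protected_prefix
        self.form_auth = form_auth            # False: context has no FORM <login-config>
        self.servlet_seen = []

    def handle(self, session, req):
        # j_security_check is intercepted by the authenticator only when FORM auth is
        # configured for this context; otherwise it is just a missing resource.
        if req.uri.endswith("/j_security_check"):
            if not self.form_auth:
                return Response(404)
            if session.saved is None:
                # nothing saved in this session (fresh or invalidated): nothing to resume
                return Response(400, "Invalid direct reference to form login page")
            user = req.params.get("j_username")
            if self.users.get(user) != req.params.get("j_password"):
                return Response(200, "form-error-page")  # forwarded to <form-error-page>
            session.user = user
            return Response(302, location=session.saved.uri)  # back to the saved URI

        if req.uri.startswith(self.protected_prefix):
            if session.user is None:
                session.saved = req                       # method, URI and params are kept
                return Response(200, "form-login-page")   # forwarded to <form-login-page>
            if session.saved is not None and session.saved.uri == req.uri:
                # URI matches the saved request: the ORIGINAL request is restored and the
                # one the client just sent (its method and parameters) is discarded.
                req, session.saved = session.saved, None

        self.servlet_seen.append(req)
        return Response(200, f"{req.method} {req.params}")


LOGIN = {"j_username": "test", "j_password": "test"}  # constructed credentials


def post_after_login():
    """Ashok's order: GET, log in, then POST with params. The servlet sees the saved GET."""
    c, s = FormAuthContainer({"test": "test"}), Session()
    c.handle(s, Request("GET", "/servlet/TestServlet"))
    c.handle(s, Request("POST", "/j_security_check", dict(LOGIN)))
    c.handle(s, Request("POST", "/servlet/TestServlet", {"Password": "foo"}))
    seen = c.servlet_seen[-1]
    return seen.method, seen.params        # ('GET', {}): getParameter("Password") is null

def post_before_login():
    """The fix from both replies: make the parameterised POST the first request."""
    c, s = FormAuthContainer({"test": "test"}), Session()
    c.handle(s, Request("POST", "/servlet/TestServlet", {"Password": "foo"}))
    r = c.handle(s, Request("POST", "/j_security_check", dict(LOGIN)))
    c.handle(s, Request("GET", r.location))  # the client follows the redirect with a GET
    seen = c.servlet_seen[-1]
    return seen.method, seen.params        # ('POST', {'Password': 'foo'})

def direct_login_post():
    """POST to j_security_check with nothing saved, e.g. right after session.invalidate()."""
    c = FormAuthContainer({"test": "test"})
    return c.handle(Session(), Request("POST", "/j_security_check", dict(LOGIN))).status

def no_form_auth():
    """A context without a FORM login-config has nothing listening on j_security_check."""
    c = FormAuthContainer({"test": "test"}, form_auth=False)
    return c.handle(Session(), Request("POST", "/j_security_check", dict(LOGIN))).status
```

Note that the restore only compares the URI, so any client that issues a different method or body to the saved URI right after logging in gets the saved request replayed instead.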
Re: j_security_check
Thanks much. I swapped calls 1 & 3; it works just fine.

----- Original Message -----
From: Pid <[EMAIL PROTECTED]>
To: Tomcat Users List
Sent: Sunday, February 3, 2008 3:33:35 PM
Subject: Re: j_security_check

> The second POST should still occur, but it should occur after the initial GET is recovered after authentication.
>
> Your confusion is that you are seeing the 1st GET, when you expect (incorrectly) the POST.
>
> When you make the first request, you are not authenticated, which causes the 401 & the requirement for auth. However, when you *do* successfully complete auth, you are then directed to the result of the initial request - which is a GET, with no params.
>
> As Konstantin also explained, your first request could be the POST, complete with params, as that is where you will end up, after auth.
>
> p
>
> [...]
Re: j_security_check
Martin,

Martin Dubuc wrote:
> I am not sure I understand exactly why, but it seems to me that, although the sessionTimeout.jsp page is not protected, if the user responds to "Navigate away" prompt after Tomcat removes the session from the session list, then, Tomcat presents the login form instead of the session expiry notification page.

Perhaps Tomcat is reacting to a request for a different resource. Can you post your access log for the time period around this request? Also, you might want to post your sections from web.xml.

> I would also like to know why ${pageContext.session.maxInactiveInterval} evaluates to 900 even if I set the session-timeout variable to 1 minute in the application web.xml configuration file (and even in Tomcat conf/web.xml file). I find it odd that looking at the manager application main page, the sessions listed on that page show Expire sessions with idle >= 1 minutes, but yet, the TTL in the application session page starts at 15 minutes and session only expires after 15 minutes.

Maybe you'd better post that configuration as well.

-chris
Re: j_security_check
I finally managed to get the sessions to time out after 1 minute. This makes it much easier for testing purposes! I still get the exception however.

Here is the security-constraint definition:

Page constraints for users
/index.html
/main.jsf
/stylesheet.css
/images/*
/logOut.jsf
myrole
CONFIDENTIAL

Here is the access log:

192.168.0.110 - admin [02/Dec/2008:17:13:02 +] "GET /images/hidden.gif HTTP/1.1" 200 1510
192.168.0.110 - admin [02/Dec/2008:17:13:02 +] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "POST /main.jsf HTTP/1.1" 200 90018
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org.ajax4jsf.javascript.AjaxScript.jsf HTTP/1.1" 200 53724
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org.ajax4jsf.javascript.PrototypeScript.jsf HTTP/1.1" 200 95028
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/utils.js.jsf HTTP/1.1" 200 9094
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org/ajax4jsf/javascript/scripts/form.js.jsf HTTP/1.1" 200 2098
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/form.js.jsf HTTP/1.1" 200 372
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/panelMenu.js.jsf HTTP/1.1" 200 10162
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/panelMenu.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 1262
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/data-table.js.jsf HTTP/1.1" 200 5500
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/s/3_2_2.SR1css/table.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 2717
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /stylesheet.css HTTP/1.1" 200 8715
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /images/hiddenimage.gif HTTP/1.1" 200 68
192.168.0.110 - admin [02/Dec/2008:17:13:06 +] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - admin [02/Dec/2008:17:13:13 +] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 5114
192.168.0.110 - admin [02/Dec/2008:17:28:01 +] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 6857
192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 4134
192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - - [02/Dec/2008:17:28:11 +] "POST /j_security_check HTTP/1.1" 400 1100
192.168.0.110 - - [02/Dec/2008:17:28:11 +] "GET /favicon.ico HTTP/1.1" 200 21630
Re: j_security_check
Martin,

Martin Dubuc wrote:
> I finally managed to get the sessions to time out after 1 minute.

What did you have to change?

> Here is the security-constraint definition:
>
> Page constraints for users
> /index.html
> /main.jsf
> /stylesheet.css
> /images/*
> /logOut.jsf
> myrole

Does your login page attempt to display any of these files? Perhaps an image or your stylesheet? If so, this isn't going to work properly and you'll get a bunch of requests that all get sent to the login page after a session timeout.

> Here is the access log:

Care to point out when the session expires?

> 192.168.0.110 - admin [02/Dec/2008:17:13:13 +] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 5114

It looks like you wait for 15 minutes, here, and then there's another request:

> 192.168.0.110 - admin [02/Dec/2008:17:28:01 +] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
> 192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614

Was this request for /sessionTimeout.jsf done from your javascript code, or by you typing something into the URL bar of your browser?

> 192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 6857
> 192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf HTTP/1.1" 200 4134
> 192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164

Are any of the above requests related to the problem you are observing?

> 192.168.0.110 - - [02/Dec/2008:17:28:04 +] "GET /favicon.ico HTTP/1.1" 200 21630
> 192.168.0.110 - - [02/Dec/2008:17:28:11 +] "POST /j_security_check HTTP/1.1" 400 1100

This is obviously where you get the 400 response. Which request resulted in the login page being shown in the first place?

-chris
Re: j_security_check
Christopher,

I will describe the browser interactions with regards to the access logs.

At 17:13:06, the user accessed the main.jsf page. The session timeout for the application is 1 minute. The main.jsf page has a meta tag that redirects to sessionTimeout.jsf after 1 minute. The main.jsf page also has a window.onbeforeunload directive. After the meta timeout occurs (after 1 minute), I assume the client automatically tries to redirect to sessionTimeout.jsf. Before the redirection takes place, the onbeforeunload event is serviced and a prompt is presented to the user (Do you want to navigate away from current page). In the recorded session, the user pressed OK at 17:28:04. Note that accesses at 17:13:13 and 17:28:01 to the manager application were done to verify if the session was still alive or not. At 17:28:01, the session was not present anymore in the list of live Tomcat sessions.

My assumption is that clicking on OK caused the client to be redirected to sessionTimeout.jsf. I do not understand why, but that redirection seems to cause Tomcat to ask for authentication, although there are no protected resources used by sessionTimeout.jsf or any other URLs that are listed in the access log after 17:13:06.

So to answer some of your questions more specifically:

- To get the session timeout to kick in after 1 minute, I had to disable some of my application code that was hard coding all sessions' maxInactiveInterval value to 15 minutes on startup (bypassing the web.xml value).
- The sessionTimeout.jsf was triggered from JavaScript.
- The login page does not access any of the protected resources (it doesn't use the stylesheet, nor any images).
- I believe that the session expired at 17:14:06, although I think the client only gets redirected to sessionTimeout.jsf at 17:28:04 after the user clicks on OK.
- I do not know why any request resulted in the login page being shown in the first place. None of the a4j/*, favicon.ico should trigger the login page.
Re: j_security_check
Martin,

Martin Dubuc wrote:
> I will describe the browser interactions with regards to the access logs.

Thanks, this was helpful.

> My assumption is that clicking on OK caused the client to be redirected to sessionTimeout.jsf.

I think you mean that the browser simply requested sessionTimeout.jsf, rather than being redirected. The response was 200, which means that it should have been successfully serviced. I think recent Tomcats return 200 when the login-page is shown, though, so it's tough to tell exactly what happened.

Requests for the following resources seemed to happen simultaneously (probably from the original page being loaded):

/a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
/a4j/s/3_2_2.SR1org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAF7sqpgb-jyGdIAFrMEaw__.jsf
/a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf
/favicon.ico

None of those should have caused the login page to be displayed, either (which wouldn't have happened anyway, since it would have been included in the main content, rather than being the response to the initial request).

> I do not understand why, but that redirection seems to cause Tomcat to ask for authentication, although there are no protected resources used by sessionTimeout.jsf or any other URLs that are listed in the access log after 17:13:06.

Are you sure you don't have any other sections in your web.xml?

> So to answer some of your questions more specifically:
>
> - To get the session timeout to kick in after 1 minute, I had to disable some of my application code that was hard coding all sessions' maxInactiveInterval value to 15 minutes on startup (bypassing the web.xml value).

That'll do it ;)

> - The sessionTimeout.jsf was triggered from JavaScript.

Okay, so this simply requests /sessionTimeout.jsf after the session should have timed out. This should behave exactly as if you manually typed-in /sessionTimeout.jsf into your browser. Remember to run that URL through response.encodeURL() before putting it into your Javascript, just in case your client isn't using cookies.

> - The login page does not access any of the protected resources (it doesn't use the stylesheet, nor any images).

Ok.

> - I believe that the session expired at 17:14:06, although I think the client only gets redirected to sessionTimeout.jsf at 17:28:04 after the user clicks on OK.

You can easily convince yourself that your login expired because you are asked to login again ;) Not sure why you have to, but at least you know your session is gone.

> - I do not know why any request resulted in the login page being shown in the first place. None of the a4j/*, favicon.ico should trigger the login page.

Ok. Can you post more of your web.xml?

-chris
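Chris's two questions in this thread (which request put the login page up, and when did the session go away) can be answered from the access log mechanically. The script below is an added example, not code from the thread or from Tomcat: it parses lines in the common log format Martin posted and, for every POST to j_security_check, reports what the same client asked for just before it and how many seconds had passed since that client's last authenticated request to the application. The sample lines are a constructed, abridged copy of Martin's log with an assumed "+0000" zone (the page shows the zone truncated), and IGNORE_PREFIXES/IGNORE_SUFFIXES are an assumption about which requests are noise (static files, and the separate /manager webapp with its own session). Keep Chris's caveat in mind: the log records 200 both for a page that was served and for a login page shown in its place, so the status of the preceding request does not tell you which happened; the gap against the session timeout is the more useful signal.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the thread's log; the +0000 zone is assumed.
SAMPLE_LOG = """\
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "POST /main.jsf HTTP/1.1" 200 90018
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /a4j/g/3_2_2.SR1org/richfaces/renderkit/html/scripts/skinning.js.jsf HTTP/1.1" 200 1164
192.168.0.110 - admin [02/Dec/2008:17:13:06 +0000] "GET /stylesheet.css HTTP/1.1" 200 8715
192.168.0.110 - admin [02/Dec/2008:17:13:13 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 5114
192.168.0.110 - admin [02/Dec/2008:17:28:01 +0000] "POST /manager/html/sessions?path=/system HTTP/1.1" 200 4436
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /sessionTimeout.jsf HTTP/1.1" 200 2614
192.168.0.110 - - [02/Dec/2008:17:28:04 +0000] "GET /favicon.ico HTTP/1.1" 200 21630
192.168.0.110 - - [02/Dec/2008:17:28:11 +0000] "POST /j_security_check HTTP/1.1" 400 1100
"""

# Common log format: host ident user [time] "method path protocol" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$')

# Assumed noise: requests that never trigger FORM login on their own, plus the
# manager webapp, whose session is separate from the application's.
IGNORE_PREFIXES = ("/manager/", "/a4j/", "/images/")
IGNORE_SUFFIXES = (".css", ".js", ".ico", ".gif", ".png")


def parse(log_text):
    """Yield one dict per well-formed log line, in file order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a CLF line
        d = m.groupdict()
        try:
            d["when"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue                      # damaged timestamp (e.g. zone missing)
        d["status"] = int(d["status"])
        yield d


def is_noise(path):
    p = path.split("?", 1)[0]
    return p.startswith(IGNORE_PREFIXES) or p.endswith(IGNORE_SUFFIXES)


def audit_logins(log_text, session_timeout_s):
    """For each POST to j_security_check: the client's preceding application
    request and the seconds since its last authenticated one.  A gap longer
    than the session timeout means the session, and the saved request the
    authenticator keeps in it, were gone when the form was posted."""
    last_app = {}        # host -> last non-noise request seen
    last_authn = {}      # host -> time of last non-noise request with a user
    findings = []
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        if r["method"] == "POST" and path.endswith("/j_security_check"):
            prev = last_app.get(r["host"])
            since = last_authn.get(r["host"])
            gap = (r["when"] - since).total_seconds() if since else None
            findings.append({
                "host": r["host"],
                "status": r["status"],
                "preceded_by": f'{prev["method"]} {prev["path"]}' if prev else None,
                "seconds_since_authenticated": gap,
                "session_likely_expired": gap is not None and gap > session_timeout_s,
            })
            continue
        if is_noise(path):
            continue
        last_app[r["host"]] = r
        if r["user"] != "-":
            last_authn[r["host"]] = r["when"]
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG, session_timeout_s=60):
        print(f)
```

Run against Martin's sample, the one finding is the 400 at 17:28:11, preceded by the unauthenticated GET /sessionTimeout.jsf, 905 seconds after the last authenticated request to the application against a 60-second timeout: the form was posted into a session that no longer existed.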
j_security_check & SSL
And another one: AFAIK, when using Form-based Authentication, the parameters for j_security_check are sent in a readable manner over the wire, thus prone to an attack. Therefore, it is recommended to use SSL encryption for the form login page. However, that means that one has to buy one of those quite expensive SSL certs. Since those pages actually don't need SSL at all except for the login process, is there any way to achieve encryption for the login process without a valid SSL cert?

Your suggestions very welcome

Rgds
Gregor
RE: j_security_check
> From: Khawaja Shams
> Subject: j_security_check
>
> when I map my application with a different context path, I cannot use the j_security_check resource.

Don't suppose you'd want to give us a hint about which Tomcat level you're using?

- Chuck
RE: j_security_check
I connect to Oracle, but mine's configured slightly different. In the server.xml file:

connectionName="user_name" connectionPassword="password" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name"/>

I have an underscore between mine -- on the roleNameCol value. Does j_security_check require that? And are you also configuring this within the server.xml file as well as the web.xml file? I'm running TC 4.1.3 and it requires it there, too... maybe not for your version.

Good luck!

-----Original Message-----
From: Wade Little
Sent: Tuesday, February 27, 2007 2:37 PM
To: users@tomcat.apache.org
Subject: j_security_check

I have tried all I can to set up Netbeans/Tomcat to use Postgres for my user auth via j_security_check by talking with my Postgres DB. Can anyone review the following files and let me know if I have done anything wrong. I verified I can connect via a JSP and return a result. But I can't get the auth to work.

Here is what I used that works to talk to the DB:

<%@ page import="java.sql.*" %>
<%
    Class.forName("org.postgresql.Driver");
    String url = "jdbc:postgresql://localhost:5432/landt";
    Connection con = DriverManager.getConnection(url, "postgres", "postgres");
    try {
        Statement stmt = con.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,
                                             ResultSet.CONCUR_READ_ONLY);
        ResultSet srs = stmt.executeQuery("SELECT username FROM users");
        while (srs.next()) {
            String name = srs.getString("username");
            out.println(name);
        }
        srs.close();
        stmt.close();
    } finally {
        con.close();   // release the connection even if the query fails
    }
%>

Web.xml
---
http://java.sun.com/xml/ns/j2ee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
30
index.jsp
TenantConstraint tenant Tenant /secureTenant/* GET POST HEAD PUT OPTIONS TRACE DELETE tenant
LandlordConstraint landlord Landlord /secureLandlord/* GET POST HEAD PUT OPTIONS TRACE DELETE landlord
FORM /login.jsp /error.html
For Tenants tenant
For Landlords landlord
j_security_check exception
Hello

Working with Tomcat I am unable to get the replication to perform smoothly. When I start an authentication session (login) I see my application finishing the login procedure correctly, but the replication is throwing this exception and the application and Tomcat freeze. Has anyone ever encountered this behavior before?

Thanks
Assaf

2006-11-07 14:22:34,951 [http-8443-Processor25] DEBUG org.apache.catalina.cluster.tcp.ReplicationValve - Invoking replication request on /jsp/pages/j_security_check
2006-11-07 14:22:35,086 [http-8443-Processor25] ERROR org.apache.coyote.tomcat5.CoyoteAdapter - An exception or error occurred in the container during the request processing
java.lang.ClassCastException
        at org.apache.catalina.cluster.session.DeltaRequest.setPrincipal(DeltaRequest.java:89)
        at org.apache.catalina.cluster.session.DeltaSession.setPrincipal(DeltaSession.java:567)
        at org.apache.catalina.cluster.session.DeltaSession.setPrincipal(DeltaSession.java:561)
        at org.apache.catalina.authenticator.AuthenticatorBase.register(AuthenticatorBase.java:818)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:176)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.cluster.tcp.ReplicationValve.invoke(ReplicationValve.java:141)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:535)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:534)
RE: j_security_check
There isn't a j_security_check servlet. The places to start are:
- servlet spec
- http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java

Configuration is automatic if you specify FORM authentication in your web.xml

Mark

> -----Original Message-----
> From: B Wiley Snyder
> Sent: Thursday, October 27, 2005 12:17 AM
> To: users@tomcat.apache.org
> Subject: j_security_check
>
> Greetings,
> Anybody here know a post or a link to something that might help me understand exactly how j_security_check works? Where is the j_security_check servlet? The source code etc... conf files or a full breakdown step by step of what it's doing and where? ...
>
> gracias
RE: j_security_check
Greetings,

This is a big help ...
http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java
thank you!

also,

> There isn't a j_security_check servlet.
<- then why does it act like one?

> The places to start are:
> - servlet spec
<- if it's not a servlet why do I need to review the servlet spec?

> "Configuration is automatic if you specify FORM authentication in your web.xml"

my point exactly "configured automatically"... my question was is there a step by step break down of the process involved in authenticating a user using j_security_check ...

thanks for the reply
RE: j_security_check
Whilst I think everyone who writes JSPs and Servlets should read and understand the specs before they start writing any code - and for that matter before they post to the Tomcat user list ;) - this wasn't the reason I pointed you towards the servlet spec. Neither did I do it for kicks. Quite simply, the spec answers the questions you asked - see my response below.

More generally, the Servlet spec defines how a Servlet container should behave. It covers more than just the javax.servlet.* API and includes, for example, authentication.

> From: B Wiley Snyder
> There isn't a j_security_check servlet. <- then why does it act like one?

Because that is how the servlet spec says it should act.

> The places to start are:
> - servlet spec <- if it's not a servlet why do I need to review the servlet spec?

Because the servlet spec defines how it works.

> "Configuration is automatic if you specify FORM authentication in your web.xml"
>
> my point exactly "configured automatically"...
>
> my question was is there a step by step break down of the process involved in authenticating a user using j_security_check ...

Yes, the servlet spec.
j_security_check error
I'm using Tomcat and a MySQL database that contains usernames/passwords/roles for form-based authentication. Logging in with a correct username/password successfully directs to index.jsp (from login.jsp). Logging in with an incorrect username/password successfully directs to error.jsp (from login.jsp). However, an unsuccessful login followed by attempting to login with the correct username/password leads to an HTTP Status 404 j_security_check error that says the requested resource is not available. Does anyone know what may be wrong? Here are the details of my configuration.

Software
- Windows 7
- MySQL 5.6
- Tomcat 7.042

context.xml

login.jsp
mywebapp demo Please login to continue Username: Password:

web.xml (for the webapp)
http://java.sun.com/xml/ns/j2ee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"
webapp Form-Based Authentication with mySQL
mySQL Database jdbc/database javax.sql.DataSource Container
webapps /* GET POST rolename NONE
FORM /login.jsp /error.jsp
Re: j_security_check error
On 16/08/2024 16:16, Fernando wrote:
> Hi all, I need help with a problem that I can't fix.
> I am using Apache TomEE 8, but I know that Apache TomEE rests on Apache Tomcat, in this case version 9.
> My problem is when some user exits from the application this forwards to the login page doing this:
>
> HttpSession session = request.getSession();
> session.invalidate();
> request.getRequestDispatcher("/login.jsp").forward(request, response);
>
> then if the same user tries to login, this launches something like this:
> http://localhost:8080/appweb/privado/j_security_check
>
> Asking in other forums, I read that "when you use JEE-standard Container security, the user should not explicitly request the login/loginfail pages. It won't work right."

That is correct. Some implementations have additional configuration options so this doesn't break but you would be better forwarding to a default page that requires authentication. The FORM auth will do its thing.

> However I have another application running on Payara and that works, then I start to think that maybe something is misconfigured...
> Someone has some idea about this problem?

https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes

Look for "landingPage"

Mark
Re: j_security_check error
Mark,

On 8/16/24 11:38, Mark Thomas wrote:
> https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes
>
> Look for "landingPage"

Or...

https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Form Authenticator Valve_Attributes_landingPage

-chris
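Several threads on this page come down to the same mechanism: the container saves the request that triggered the login, replays it after j_security_check succeeds (the GET/POST swap that fixed Ashok's HttpClient code), answers 400 when the form is posted into a session that holds no saved request (the 400 Martin saw after his session expired, and what Fernando hits by forwarding to login.jsp himself), and, on Tomcat, can be told to redirect to a landing page instead. The step-by-step breakdown B Wiley Snyder asked for is modelled below in Python as an added example. It is not Tomcat's FormAuthenticator and not code from any poster; the class names, the /servlet/ prefix, the USERS table and the page names are invented for the model, and the landing-page branch follows the valve documentation's description rather than Tomcat's source.

```python
from dataclasses import dataclass, field
from typing import Optional

# Names reserved by the servlet spec for FORM login; everything else in this
# file (class names, USERS, the paths) is invented for the model.
FORM_ACTION = "/j_security_check"
LOGIN_PAGE = "/login.jsp"
ERROR_PAGE = "/error.jsp"
PROTECTED_PREFIX = "/servlet/"
USERS = {"test": "test"}            # constructed credential store


@dataclass
class Request:
    method: str
    uri: str
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


@dataclass
class Session:
    principal: Optional[str] = None
    saved: Optional[Request] = None     # the request that triggered the login


class FormAuthenticatorModel:
    """Sketch of the container's FORM-login valve. Not Tomcat's code."""

    def __init__(self, landing_page: Optional[str] = None):
        self.landing_page = landing_page
        self.servlet_log = []            # (method, uri, params) the servlet saw

    def invoke(self, session: Session, req: Request) -> Response:
        # 1. A form submission is consumed here; no servlet ever sees it.
        if req.uri.endswith(FORM_ACTION):
            return self._authenticate(session, req)
        # 2. Unprotected resources pass straight through.
        if not req.uri.startswith(PROTECTED_PREFIX):
            return self._serve(req)
        # 3. Authenticated: if this URI matches the saved request, the saved
        #    request is restored and the current one is thrown away.
        if session.principal is not None:
            if session.saved is not None and session.saved.uri == req.uri:
                restored, session.saved = session.saved, None
                return self._serve(restored)
            return self._serve(req)
        # 4. Not authenticated: save the request and show the login page.
        session.saved = Request(req.method, req.uri, dict(req.params))
        return Response(200, body=LOGIN_PAGE)

    def _authenticate(self, session: Session, req: Request) -> Response:
        if session.saved is None:
            # Nothing to return to: the login page was requested directly, or
            # the session (and the saved request with it) has expired.
            if self.landing_page is None:
                return Response(400, body="Invalid direct reference to form login page")
            session.saved = Request("GET", self.landing_page)
        user = req.params.get("j_username")
        if USERS.get(user) is None or USERS[user] != req.params.get("j_password"):
            return Response(200, body=ERROR_PAGE)
        session.principal = user
        return Response(302, location=session.saved.uri)

    def _serve(self, req: Request) -> Response:
        self.servlet_log.append((req.method, req.uri, dict(req.params)))
        return Response(200, body=f"served {req.method} {req.uri}")


LOGIN = {"j_username": "test", "j_password": "test"}


def original_order():
    """GET, then login, then the POST with the real parameter (the failing
    HttpClient sequence). Returns what the servlet saw on the last call."""
    auth, s = FormAuthenticatorModel(), Session()
    auth.invoke(s, Request("GET", "/servlet/TestServlet"))
    auth.invoke(s, Request("POST", FORM_ACTION, LOGIN))
    auth.invoke(s, Request("POST", "/servlet/TestServlet", {"Password": "foo"}))
    return auth.servlet_log[-1]


def swapped_order():
    """POST with parameters first, then login, then follow the 302 with a
    plain GET as a browser or HttpClient's setFollowRedirects would."""
    auth, s = FormAuthenticatorModel(), Session()
    auth.invoke(s, Request("POST", "/servlet/TestServlet", {"Password": "foo"}))
    r = auth.invoke(s, Request("POST", FORM_ACTION, LOGIN))
    auth.invoke(s, Request("GET", r.location))
    return auth.servlet_log[-1]


def late_login(landing_page: Optional[str] = None):
    """Form posted into a session that holds no saved request."""
    auth = FormAuthenticatorModel(landing_page)
    r = auth.invoke(Session(), Request("POST", FORM_ACTION, LOGIN))
    return r.status, r.location
```

In original_order the servlet sees a GET with no parameters even though the client sent a POST, because the saved GET is what gets restored; in swapped_order it sees the POST with Password=foo although the client only followed the redirect with a GET. late_login returns 400 with no landing page and a 302 to the landing page when one is configured, which is the difference the landingPage attribute makes.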
filters on j_security_check
Hi, my name is Alejandro. I am working with Tomcat 7.0.20 and I need to know how I can apply filters to j_security_check to verify the status of login before continuing with my authentication process. I was thinking of using valves, but I read on the internet that valves will be replaced with Filters - GSOC since Tomcat 7.0.x, so I'm not sure what to do. Please, this is very important to me and any help will be appreciated.

Best Regards.
-- Alejandro Soto
404 for j_security_check
After moving from Tomcat 9 to Tomcat 10, after a user successfully logs in and then hits a restricted page, the login page is hit again, but on this second login hit I get 404 page not found.

How do I set the correct path in my login jsp so that j_security_check is found?

BTW I actually am wondering why a successfully logged-on user would even be sent to the login page again?

My login page is -> /membership/login.jsp

Here is how I set the path to j_security_check in the above login.jsp

My restricted web.xml snippet

External /external/* radiovoodoo NONE
Auth /auth/* radiovoodoo NONE
FORM /membership/login.jsp /membership/error.jsp

Rick Noel
Systems Programmer | Westwood One
Re: https & j_security_check
Julio,

Julio César Chaves Fernández wrote:
| The curious thing is that when the password is wrong the redirection is to the form-error page defined in the web.xml file. So, I was hoping you could give me some sort of advice or where could I start looking to know why it behaves like that.

Perhaps I have misunderstood your question, but what you describe above is simply the way that form-based authentication is designed in the servlet specification. See section 12.5.3 of the servlet specification for the full story.

-chris
RE: https & j_security_check
Yes, it is the way it's designed ... but my problem is when the user and password are right ... it doesn't take me to the site but leaves me again on the login page (this is when I have https; without it the application works fine) ... with the redirection to the form-error page defined in the web.xml file I know that it tries to authenticate the user and if it fails everything works how it's supposed to ... with https the authentication, although correct, redirects me to the login page ... so my problem is when I have https active ... otherwise everything works perfectly. Thanks again for helping.

Julio César
Re: https & j_security_check
Julio César Chaves Fernández wrote:
> but my problem is when the user and password are right ... it doesn't take me to the site but leaves me again on the login page

Are you logging in over https?

Mark
RE: https & j_security_check
Yes, I'm logging in over https ... without https the application authenticates the user and then calls an action (with Struts) ... but with https the application returns to the login page ... it's like nothing had happened.
RE: https & j_security_check
Hi, I was checking the HTTP traffic in my application and the server response is a 302 ... what could possibly do this when using https ... could it be something related to the URL ... or how could the server get confused given that with http it works fine.

TIA, Julio César
Re: https & j_security_check
Julio,

Julio César Chaves Fernández wrote:
| I was checking the http in my application and the server response is a 302 ... what could possibly do this when using https ... could it be something related to the URL ... or how could the server get confused given that with http it works fine.

Are you switching between HTTP and HTTPS? Some folks try to use HTTPS for the login and then redirect to HTTP for the rest of the application. That doesn't work unless the session cookie has been created from a non-secure URL. Otherwise the cookie itself is marked as "secure" and won't be sent by your browser when you switch back to HTTP.

Could this be your problem?

-chris
RE: https & j_security_check
No, I'm working with https all the time ... when it's only over http the application works ... it's just that I've been reading about something related to j_security_check and that it adds port 80 to the URL ... so I don't know if it's related to my problem ... I read this in http://www.velocityreviews.com/forums/t145712-load-balancing-an-https-java-web-application-in-tomcat.html ... maybe I'm wrong or I don't have the right idea ... but when I saw that 302 the only thing that came to my mind was some problem related to the URL and the server not finding the associated resources ... I'm checking if maybe that's the reason...

Julio César
Re: https & j_security_check
Julio,

Julio César Chaves Fernández wrote:
| No i'm working with https all the time ... when it's only over http the application works ... it's just that i've been reading about something related to j_security_check and that it adds port 80 to the url

Tomcat does not add port 80 to the URL. It uses whatever port was already being used.

| ... so i don't know if it's related to my problem... i read this in http://www.velocityreviews.com/forums/t145712-load-balancing-an-https-java-web-application-in-tomcat.html ... may be i'm wrong or i don't have the right idea ... but when i saw that 302 the only thing that came to my mind was some problem related to the url and the server not finding the associated resources ... i'm checking if maybe thats the reason...

Where does the 302 send you? Back to the login-error page? Are you sure that the only difference between a working configuration and a non-working configuration is the use of HTTPs?

-chris
RE: https & j_security_check
The 302 sends me back to the login page ... honestly I can't totally blame https ... I tested the application with https via JSSE and it works (this was done on my PC) ... but when I moved the application to another server https became the main issue where before it wasn't ... so I'm trying to find what the real problem is ... it's just that the only thing different between the working and the not-working application is the use of https.

Julio César
Re: https & j_security_check
Julio,

Julio César Chaves Fernández wrote:
| The 302 sends me back to the login page ... honestly i can't totally blame https ... i tested the applicaction with https via JSSE and it works (this was done in my pc)... but when i changed the application to another server https became the main issue where before it wasn't ... so i'm trying to find what the real problem is ... it's just that the only thing different between the working and the not working application is the use of https.

If you moved the application to another server, is it possible that the login itself is actually failing, and Tomcat is reacting correctly? One of my complaints about TC's authenticator is that it tends to swallow errors. You might try to write a little test on the new server to see if you can correctly access your user database.

-chris
j_security_check requires session
I am having a problem posting credentials to j_security_check for form-based authentication. It seems that Tomcat expects that I already have a session established before posting the username and password. If I don't already have a JSESSIONID cookie, j_security_check returns a 408. Unfortunately, I have another application attempting to talk to this one that requires that the first thing it does is post credentials to j_security_check, so I have no mechanism of hitting another page first to establish a session. This mechanism worked fine with BEA WebLogic, but it seems that Tomcat's handling of j_security_check is different. Does anyone know of any options to modify the behavior of j_security_check so that it would just do the authentication and establish the session in one shot at the time of the POST request?

Thanks, Paul
Re: j_security_check & SSL
Gregor Schneider wrote:
> And another one:
>
> AFAIK, when using Form-based Authentication, the parameters for j_security_check are sent in a readable manner over the wire, thus prone to attack.

Correct.

> Therefore, it is recommended to use SSL encryption for the Form-Loginpage.

Correct.

> However, that means that one has to buy one of those quite expensive SSL-certs.

Or self-sign but that has other issues.

> Since those pages actually don't need SSL at all except for the

You need to protect the session ID as well so you do need SSL for all those pages.

> Login-process, is there any way to achieve encryption for the Login-process without a valid SSL-cert?

Ditch FORM auth, use DIGEST.

Mark
RE: j_security_check & SSL
> From: Gregor Schneider [mailto:rc4...@googlemail.com]
> Subject: j_security_check & SSL
>
> is there any way to achieve encryption for the Login-process without a valid SSL-cert?

We normally use a self-signed certificate. That does pop up a browser message to that effect, which might scare off clients that haven't been forewarned.

Note that if the login is performed under HTTPS, the generated session is only for HTTPS; falling back to HTTP will result in use of a different session object.

- Chuck
Re: j_security_check & SSL
Mark,

On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas wrote:
> Ditch FORM auth, use DIGEST.

I'm afraid I don't see how to combine DIGEST with a Login-form - and that's a customer request. I know that SecurityFilter is quite a handy tool; however, that doesn't support Tomcat's SSO-functionality yet (?). I guess I can live with an unencrypted SessionID since our sites are not that important as to expect any session-hijacking (btw., does Tomcat check if the SessionID maps to a certain IP?). What is important is performance - therefore I tend to not use SSL except for the LoginForm. Looks like we have to get a few certs then.

Rgds Gregor
--
just because your paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: j_security_check & SSL
Gregor,

On 3/10/2009 5:44 PM, Gregor Schneider wrote:
> Mark,
>
> On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas wrote:
>> Ditch FORM auth, use DIGEST.
>
> I'm afraid I don't see how to combine DIGEST with a Login-form - and that's a customer request.

Then you're out of luck. The only workarounds I've ever heard are to use some javascript tricks to hash or encrypt the username and/or password before it's sent to the server. Of course, this technique actually /reduces/ the security to zero because either replay attacks are trivial or the encryption keys are found in the javascript code. Duh.

> I know that SecurityFilter is quite a handy tool, however, that doesn't support Tomcat's SSO-functionality yet (?).

Correct. It also doesn't support FORM auth with anything but plaintext j_password parameters.

> I guess I can live with an unencrypted SessionID since our sites are not that important as to expect any session-hijacking (btw., does Tomcat check if the SessionID maps to a certain IP?).

No. But securityfilter's cvs head contains a filter that does just that. You can use it completely independently of securityfilter if you want to "borrow" it from the project. ;)

> What is important is performance - therefore I tend to not use SSL except for the LoginForm.
>
> Looks like we have to get a few certs then.

I would give your customer the choice: no cert (less money) but you have to use DIGEST auth; versus use form auth and buy an SSL cert.

-chris
Re: j_security_check & SSL
Chuck,

On 3/10/2009 3:24 PM, Caldarale, Charles R wrote:
>> From: Gregor Schneider [mailto:rc4...@googlemail.com]
>> Subject: j_security_check & SSL
>>
>> is there any way to achieve encryption for the Login-process without a valid SSL-cert?
>
> Note that if the login is performed under HTTPS, the generated session is only for HTTPS; falling back to HTTP will result in use of a different session object.

Just to be clear, it's the session creation that is sensitive to SSL, not the actual login (authentication step). If your session exists and is visible to non-secure communications before authentication, then it will also be so after authentication.

-chris
Re: j_security_check & SSL
Hi guys.

I'm following this loosely, along with some other threads. There is another one going on right now which also talks about authentication, hijacking JSESSIONID etc.

Gregor, what is not very clear to me, and maybe you want to do a wrap-up, is what exactly you are - and are not - trying to achieve. For example, /why/ you want the users to log in, and /if/ you want this one login to be valid for your 4 websites/applications (say "convenience SSO") or not. And /if/ you want that one user, having logged in once today, should be able to re-access the same application later on without re-logging in, if in the meantime he went to have a long lunch, or closed his browser etc. Or if you want a login just to block robots from accessing the site, or if you want a login just so that you can track a user for reasons of statistics and so on. From earlier explanations, it does not seem that you really have any confidential information to protect, nor that you are too worried about someone hijacking a user session etc. And, if you want users to log in, how are you giving them a user-id and password to log in?

I'm just mentioning all this because I generally get the feeling that you are not too hot on using HTTPS and CA certificates on all these sites, and maybe you don't really need to, for what you want to achieve.

Unless I am mistaken, I don't think that, in order to use HTTPS to protect the user-id/password from eavesdropping by some miscreant, you necessarily have to have a Verisign certificate for each site. Again unless I am mistaken, a CA-signed certificate is meant to be used to reassure the client that he is really talking to the server you say you are, and not some other impersonating phishing site. But it is not a prerequisite for simply making a connection through HTTPS. Or?
Re: j_security_check & SSL
André,

On 3/13/2009 10:38 AM, André Warnier wrote:
> Unless I am mistaken, I don't think that using HTTPS in order to protect the user-id/password from eavesdropping by some miscreant, you necessarily have to have a Verisign certificate for each site.

Correct. You need to use an SSL cert, but it doesn't need to be signed by a widely-trusted certificate authority.

> Again unless I am mistaken, a CA-signed certificate is meant to be used to reassure the client that he is really talking to the server you say you are, and not some other impersonating phishing site.

Again, correct.

> But it is not a prerequisite for simply making a connection through HTTPS.

Right, but it /is/ a prerequisite for most users not getting a scary "UNTRUSTED SECURITY CERTIFICATE" warning. It's too bad that, with the introduction of EV certs, the big CAs aren't just giving away the old certs. Or, offering a super-low-cost certificate that says "this is really only good for channel encryption, we didn't do any checking into the legitimacy of this organization".

-chris
Re: j_security_check & SSL
Chris,

On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz wrote:
> Just to be clear, it's the session creation that is sensitive to SSL, not the actual login (authentication step). If your session exists and is visible to non-secure communications before authentication, then it will also be so after authentication.

Well, I believe this scenario is quite unlikely, since the login-form (running as https) usually is the first page to be displayed. Let me twist your words a bit ;) If the session is created *after* the login-form, that means it's created while using HTTP, there shouldn't be any problems left except for the Session-Cookies which might be hijacked, right?

So would the following scenario work?

- login using form-based login via https

- when successful:

    HttpSession session = request.getSession();
    // guess that shouldn't happen
    if (session != null) {
        session.invalidate();
    }
    session = request.getSession(true);

Looks ok to me - your comments?

Rgds Gregor
Re: j_security_check & SSL
Gregor,

On 3/13/2009 11:42 AM, Gregor Schneider wrote:
> So would following scenario work?
>
> - login using form-based login via https
>
> - when successful:
>    HttpSession session = request.getSession();
>    // guess that shoudln't happen
>    if (session != null) {
>      session.invalidate();
>    }
>    session = request.getSession (true);
>
> Looks ok to me - you comments?

I don't see how this could work. Immediately after login you invalidate the session, thus logging-out the user.

Here's what you want to do:

- Write a filter that intercepts all HTTPS traffic and redirects it to HTTP. This will make sure that anyone attempting to use HTTPS for the fun of it will end up seeing a non-secure page. This will not affect calls to j_security_check.

- Modify your login page to invalidate the session and redirect to HTTP if HTTPS is detected. This will expire sessions that are created in the secure realm in response to deep requests to your webapp (this handles the case of someone trying to hit /some/secure/place and Tomcat automatically forwarding to the login page, in HTTPS mode).

I was going to say that you should make sure that your login page forces a session creation, but Tomcat will already have created your session before the login page displays.

Make sure your login form points to https://your.server/j_security_check (of course!).

I think that will make it all work.

-chris
Re: j_security_check & SSL
Hi André,

first: Please forgive me my late answer, also to your PM; however, I was really busy here so that I didn't find any time to answer in an appropriate (aka detailed) manner. So here we go:

Customers

When talking about customers, I'm actually talking about our staff from the business dept, and I'm talking about external customers. Since we are a reinsurer, the external customers are primary insurers, as most of you guys will have to deal with sooner or later. If any requirement for a website is suggested, this always comes from our internal customers.

Type of Websites

We have to distinguish between two different types of websites:

Type I: Websites open to the public which might be interested in our products. This contains some data available to the public, plus some protected contents where only selected prospects / customers have access. Currently, those sites are not SSL-encrypted; however, there is AAA for some content using Form-based login.

Type II: Websites accessible to our external worldwide customers (life insurers) only. Since our clients also might enter data from their customers (i.e. life-insurance clients of primary insurers), data are always confidential, thus those sites are always SSL-encrypted.

Setup

Our current setup for both types is as follows:

- Apache 2.2 in front for static content
- Tomcat 5.5 for dynamic content attached to Apache HTTPD via mod_jk
- For authorization we are using Apache HTTPD's authorization in combination with mod_auth_cookie_mysql2 (http://home.digithi.de/digithi/dev/mod_auth_cookie_mysql/)

AAA works in such a way that Apache HTTPD takes the request, checks if it points to protected content, and if so forwards to a protected Tomcat-hosted JSP. The JSP is utilizing Tomcat's FORM login, and after successful login writes a session cookie into a MySQL database (among other stuff). When the next request to protected content comes to Apache HTTPD, Apache HTTPD checks whether a certain cookie exists and compares its value with the value stored inside the MySQL database. If found, it's ok, else it goes back to the login page. As I said before, we have multiple websites all hosted on the same servers (behind a load balancer).

Role-Based AAA

Since some customers do have access to more than one website of ours, we have created a role-based system so that once authorized and belonging to multiple roles, they don't have to re-login again thanks to Tomcat's SSO valve. We are using session cookies timing out after a defined period of time. They are also invalidated if the browser is closed.

Motivation for Setup

We serve a lot of static content (html, javascript, pdf), so we decided to serve this via Apache HTTPD for performance reasons. Since for security reasons we didn't want to use PHP for dynamic content (and since I'm a Java guy), we opted for JSPs / Servlets for dynamic content. Since I'm into open source and I like Apache Group's stuff a lot (and for some other reasons), we opted for Tomcat for the dynamic content.

Problems

Most of our users are running IE in various versions. Sometimes, some strange error occurs where instead of the dynamic content being served, the user just sees a "Page cannot be displayed" error message. We checked our logs (Apache HTTPD, Tomcat), alas, to no avail. However, when I checked the logs of mod_jk, I found some messages like this one:

[Fri Mar 13 13:48:22 2009][0869:] [info] jk_handler::mod_jk.c (1971): Aborting connection for worker=wrkr
[Fri Mar 13 13:48:44 2009][20858:] [info] ajp_process_callback::jk_ajp_common.c (1412): Connection aborted or network problems
[Fri Mar 13 13:48:44 2009][20858:] [info] ajp_service::jk_ajp_common.c (1761): Receiving from tomcat failed, because of client error without recovery in send loop 0

Besides, it's quite difficult when a Tomcat session times out: This has to be propagated to Apache HTTPD, meaning the cookie entry has to be removed from the MySQL database. Currently we're achieving this with a SessionListener clearing the values from the database once a session gets destroyed.

SSL / Costs

Actually the cost of the SSL certs is not such a big issue (we talk about 300€, which is the equivalent of 3 hrs work - this is not the money *I'm* getting but what my company calculates with). It's just the hassle getting them via our provider, re-authenticating with the SSL provider and so on. It's simply not a smooth process, and that's why I was looking for an alternate solution.

Current Development

I'm currently porting the first few sites into a Tomcat-only environment strictly following the KISS principle: Keep It Simple, Stupid! I'm testing them now with Tomcat 6 using the APR, thus avoiding all the hassle with Apache / mod_jk / Tomcat connectivity, avoiding the hassle with AAA using mod_auth_co
Re: j_security_check & SSL
Chris,

On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz wrote:
> I don't see how this could work. Immediately after login you invalidate the session, thus logging-out the user.

Duuh... you're right: Invalidating the session logs the user out.

> Here's what you want to do:
> [ snip ]
>
> I think that will make it all work.

So will I then be able to access the HttpSession object created when inside HTTPS (login page) when I'm querying it from within a JSP served via plain HTTP? That was the problem Chuck mentioned, and this I tried to solve with my - silly - suggestion from above? Actually I don't think so. What I'm just wondering is: I see quite some pages using HTTPS for authorization (form-based), but once authorized, they serve via HTTP. How do they do that so simply?

Rgds Gregor
Re: j_security_check & SSL
Gregor,

On 3/13/2009 1:58 PM, Gregor Schneider wrote:
> So will I then be able to access the HttpSession-object created when inside HTTPS (login-page) when I'm querying it from within a JSP served via plain HTTP?

No, the session will be created in HTTP mode, then you'll submit in HTTPS mode (and the non-secure session is viewable in the secure context) and then go back to HTTP mode.

> That was the problem Chuck mentioned, and this I tried to solve with my - silly - suggestion from above?

Try creating a sequence of requests that you think are likely, and apply the rules I laid out to see how the webapp would react. If there's a case you think won't work, let me know and I'll see if I can come up with an idea.

> I sees quite some pages using HTTPS for Authorization (Form-based), but once authorized, they serve via HTTP.
> How just simply do they do that?

The session is created in HTTP mode which is why this works.

-chris
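Added example, not code from this thread or from Tomcat: Tomcat sets the Secure flag on JSESSIONID when the session is created on an HTTPS request, and a browser then withholds that cookie on plain HTTP, which is the "different session object" Chuck and Chris describe above. The script models the browser with Python's http.cookiejar, which applies the same rule; the hostname, context path and session id are constructed.

```python
"""Why a session created under HTTPS 'disappears' when the webapp falls back to HTTP.

Constructed illustration, not Tomcat code. Tomcat marks JSESSIONID Secure when
the creating request was HTTPS; a browser (modelled here with http.cookiejar,
which follows the same rule) never sends a Secure cookie over plain HTTP, so
the HTTP request arrives without a session and the user looks logged out. A
cookie created over HTTP carries no Secure flag and is sent on both schemes.
"""
import http.cookiejar
import urllib.request

HOST = "app.example"      # constructed hostname
CONTEXT_PATH = "/app"     # constructed context path


def session_cookie(value: str, created_over_https: bool) -> http.cookiejar.Cookie:
    """Build the JSESSIONID cookie as the container would set it."""
    return http.cookiejar.Cookie(
        version=0, name="JSESSIONID", value=value,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path=CONTEXT_PATH, path_specified=True,
        secure=created_over_https,    # Tomcat: Secure iff the creating request was HTTPS
        expires=None, discard=True,   # session cookie, dropped when the browser closes
        comment=None, comment_url=None, rest={}, rfc2109=False)


def cookie_sent(jar: http.cookiejar.CookieJar, scheme: str):
    """Return the Cookie header a browser would attach to a request over scheme, or None."""
    req = urllib.request.Request(f"{scheme}://{HOST}{CONTEXT_PATH}/secure/index.jsp")
    jar.add_cookie_header(req)        # applies the Secure / domain / path rules
    return req.get_header("Cookie")


def simulate(created_over_https: bool) -> dict:
    """Map each scheme to the Cookie header sent, for a session created as given."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(session_cookie("ABC123", created_over_https))   # constructed id
    return {scheme: cookie_sent(jar, scheme) for scheme in ("https", "http")}


if __name__ == "__main__":
    for https in (True, False):
        print("session created over", "HTTPS" if https else "HTTP", "->", simulate(https))
    # session created over HTTPS -> {'https': 'JSESSIONID=ABC123', 'http': None}
    # session created over HTTP  -> {'https': 'JSESSIONID=ABC123', 'http': 'JSESSIONID=ABC123'}
```

The HTTP-created session is exactly the case Chris's rules rely on; Mark's earlier point still applies, since that session id then travels in the clear on every HTTP request.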
Problem in j_security_check
I have a problem in Tomcat & JSP: when I use j_security_check it gives me the following error.

The request sent by the client was syntactically incorrect (Invalid direct reference to form login page)

Why is this so?

My web.xml:

http://java.sun.com/xml/ns/j2ee " xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance " xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd " version="2.4"> My first jsp example Work on Jsp TestApp Security Constraint Protected Area DELETE GET POST PUT /saraf/* * FORM Form-Based Authentication /login.jsp /error.jsp

--
Cup of Java + Sugar of XML = Secure WebApp
j_security_check event?
Hi everyone,

First of all I would like to thank you guys out there who helped me last week with my issue on the freenode #tomcat channel!

Well, I'm now having a bit of a complicated issue (for me at least). What I'm trying to do is: when a user logs in with form-based authentication I want to perform a request and see if the authentication was successful or not. If the authentication was okay I want to submit some cookies and some data into the user's session; if the authentication was not successful I will redirect the user either to an error page or back to the login page.

So my aim is to know if there is a way / a solution / a kind of a listener or a manner that I can use to request this event so that I can set my cookies and session data. Since I'm trying to achieve a single sign-on it is important for me to get these kinds of cookies only for authenticated users.

Thanks in advance!

yel
Re: j_security_check error
J. Brian Hall wrote:
> I'm using Tomcat and a MySQL database that contains usernames/passwords/roles for form-based authentication. Logging in with correct username/password successfully directs to index.jsp (from login.jsp). Logging in with incorrect username/password successfully directs to error.jsp (from login.jsp). However, an unsuccessful login followed by attempting to login with the correct username/password leads to an HTTP Status 404 j_security_check error that says the requested resource is not available. Does anyone know what may be wrong? Here are the details of my configuration.

To understand what is going on there, I suggest that you install a browser plugin such as HttpFox, Live HTTP headers, or Fiddler2 (for IE), and that you have a look at which request URLs and HTTP headers are really being sent by the browser to the server (and vice-versa), at each step.

Probably what happens is that the original URL requested by the browser is lost somewhere when you go through the error page, and that by the time you do the second (correct) authentication, the server does not know anymore where to forward the (now authenticated) request to. So it ends up being forwarded to some invalid URL, and you get back a 404 error.

What does your "error.jsp" page really look like?
Re: j_security_check error
Hi.

You posted your original question to the Tomcat Users list, and that is where you should keep posting. This way, other users later who search the list archives may find the answers they are looking for.

Some further answers below.

J. Brian Hall wrote:
> Hey Andre,
>
> I found the problem, but don't understand it. My error page is below. The problem is that the error page contained a link back to go back to the login.jsp page (which seemed reasonable), but when I changed the link to go to index.jsp (rather than login.jsp), everything now works as expected. I can also login successfully (after the first login failure) if I just use the back-page button in the browser. Maybe you know what is going on here?
>
> Here's my error page:
>
> Login Error
> You failed to login correctly.
> To go back to the login page.

You need to think a bit, and figure out how this all works. Then you'll be able to fix it, and maybe also figure out better ways (for you) of doing what you want.

There are many HTTP authentication schemes, but roughly they all follow some basic schema:

1) the browser sends a request to the server, for some resource. For the sake of the example, say this is "/index.html".

2) the server receives the request, and notices that "/index.html" is within a "protected area" which requires authentication. The server then checks if the request included some form of authentication.

3a) if the request contained a valid authentication for that protected area, the server returns the requested resource and that's it.

3b) if the request did not contain a valid authentication, the server returns "something" to the browser, to indicate that authentication is required. This "something" can be a 401 HTTP response ("Authorization required"), or - in your case - a login page.

4) Now some form of authentication has to be provided by the browser. In some cases, the browser pops up a dialog for the user to fill in a login and password. In other cases, the browser does that itself internally, based on the network or domain login of the user. In your case, the login form is shown, the user fills it in and submits the form.

5) the server receives this new request. In some cases, it may be a request for the original URL again ("/index.html"), just with some authentication information attached. In such a case, the server would redo items (2) and (3a) above. In the case of form-based authentication, it is a bit more complicated: the server receives this *new* request (from the login page), verifies the credentials supplied, and if they are ok, it should "remember" that the original request was for "/index.html", and forward the request back there.

That's the key here: this "remembering" on the part of the server. It must be able to store somewhere that the original request was for "/index.html", and then, when receiving this totally different request from the browser (the submit of the login page), there should be something in the login request which allows the server to retrieve this previously-stored information.

Obviously, in your case, it works when the user requests "/index.html" the first time, gets the login page instead, fills it in correctly, sends the completed login page, and finally receives the page "/index.html" from the server.

But it doesn't work anymore if
1) the browser sends a request for "/index.html"
2) the server returns the login page "login.jsp"
3) the user fills in the (wrong) credentials and submits that form to the server
4) the server returns the error page "error.jsp"
5) a link on that page links directly to the login page again, and the user clicks it

Can you guess why?

Hint: the link on the error page should direct back to the original "/index.html", not directly to the login page. Or, if you want it otherwise, then *you* must provide some way for the server to remember what was the original request that started it all, through the full login-error-new login sequence.
Re: filters on j_security_check
On 13/10/2011 15:09, Alejandro Soto wrote:
> Hi, my name is Alejandro, I am working with Tomcat 7.0.20 and I need to know
> how I can apply filters to j_security_check to verify the status of login
> before continuing with my authentication process.

You can't use Filters because the Authentication Valves act before the Filter chain.

Why do you need to filter on j_security_check?

p

> I was thinking of using valves, but I read on the internet that valves will be
> replaced with Filters - GSOC since Tomcat 7.0.x, so, I'm not sure what to do.
>
> Please, this is very important to me and any help will be appreciated.
>
> Best Regards.
Re: filters on j_security_check
Hi, thanks for the reply. Well, what I need is to know if the authentication was successful or not; I want to get the status of that authentication. I just need to know that status, and it has to be before the authentication mechanism continues.

I am trying to invoke j_security_check from inside another servlet.

Any suggestions about how to resolve my requirement?

Thanks in advance.

Alejandro
RE: filters on j_security_check
> From: Alejandro Soto [mailto:smalejan...@gmail.com]
> Subject: Re: filters on j_security_check

> what i need is to know if the authentication was successful or not

What are you going to do with said information?

> I just need to know that status and has to be before the authentication
> mechanism continues.

Why? It seems like you might actually need to write a custom , not a filter.

> I am trying to invoke j_security_check from inside another servlet.

That sounds really, really wrong.

- Chuck
Re: filters on j_security_check
Hi Chuck,

Calling j_security_check from inside another servlet is just an idea; why is it a bad idea? If possible, I don't want a custom , I want to use the authentication mechanism of the container (JDBCRealm), using something like this:

    import java.security.Principal;
    import org.apache.catalina.Context;
    import org.apache.catalina.Realm;

    // 'host' is the org.apache.catalina.Host the web application is deployed in
    Context context = (Context) host.findChild("myContext");
    Realm realm = context.getRealm();
    String username = request.getParameter("j_username");
    String password = request.getParameter("j_password");
    // ask the container's Realm directly; null means the credentials were rejected
    Principal principal = realm.authenticate(username, password);
    if (principal == null) {
        // some tasks
    } else {
        //
    }

But this gives me problems with the catalina.jar library inside of my .war file.

Thanks.

Alejandro
RE: filters on j_security_check
> From: Alejandro Soto [mailto:smalejan...@gmail.com]
> Subject: Re: filters on j_security_check

> call j_security_check from inside another servlet is
> just an idea, why is bad idea?

Because it's not supported by the spec; please read SRV.12. If you want to do programmatic security in addition to declarative security, you can use the getRemoteUser(), isUserInRole(), and getUserPrincipal() methods of the object implementing HttpServletRequest. You can, of course, completely roll your own programmatic security, but in that case you must not configure any spec-defined declarative security elements in web.xml.

The field names j_username and j_password are for use by the web server to handle form-based authentication. You may customize the content of the form, but not the processing of the submitted form. Since the spec leaves the implementation undefined, Tomcat chooses to handle that with s. If you want to perform additional checks, either create a custom , or use the methods listed above.

- Chuck
Re: filters on j_security_check
Chuck,

On 10/13/2011 2:11 PM, Caldarale, Charles R wrote:
>> From: Alejandro Soto [mailto:smalejan...@gmail.com]
>> Subject: Re: filters on j_security_check
>
>> what i need is to know if the authentication was successful or
>> not
>
> What are you going to do with said information?
>
>> I just need to know that status and has to be before the
>> authentication mechanism continues.
>
> Why? It seems like you might actually need to write a custom
> , not a filter.

Checking for authentication pass/fail can be done in a Realm, but you can't really do anything with the information other than write it to the database. And all you have is username/password (or other credential-only information) to log.

This is one of the reasons I switched to SecurityFilter: there is a FlexibleRealmInterface that passes-in the HttpServletRequest that was used to attempt authentication. That allows you to get nice things like the IP address of the request for logging.

>> I am trying to invoke j_security_check from inside another
>> servlet.
>
> That sounds really, really wrong.

Yes. Yes, it does.

If you (Alejandro) want to trigger authentication manually, servlet 3.0 has added the HttpServletRequest.authenticate method to allow you to do this yourself.

-chris
Re: filters on j_security_check
On 13/10/2011 20:53, Caldarale, Charles R wrote:
> If you want to do programmatic security in addition to declarative security,

Or use the Servlet 3.0 APIs, supported by Tomcat.

p
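An added example (my own code, not from this thread and not Tomcat's) of the Servlet 3.0 route Chuck, Chris and Pid point to: a servlet that authenticates through the container's configured Realm with HttpServletRequest.login() instead of forwarding to j_security_check or calling the Realm from catalina.jar, and then sets session data only for the authenticated user (the post-login "event" asked about earlier on this page). The /do-login path, the form field names, the "admin" role and the session attribute names are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from this thread or from Tomcat.
 *
 * Programmatic login with the Servlet 3.0 API: HttpServletRequest.login()
 * hands the credentials to whatever Realm the context is configured with
 * (for instance the JDBCRealm mentioned in the thread) and throws
 * ServletException if they are rejected. No catalina.jar classes are
 * needed inside the .war.
 *
 * Assumptions: the servlet is mapped at /do-login and the form posts
 * fields named "username" and "password" (not j_username/j_password,
 * which belong to the container's own FORM handler). On Tomcat 10+
 * replace the javax.servlet imports with jakarta.servlet.
 */
@WebServlet("/do-login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // The spec forbids login() on a request that already has a caller identity.
        if (request.getUserPrincipal() != null) {
            response.sendRedirect(request.getContextPath() + "/index.jsp");
            return;
        }

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        try {
            request.login(username, password);
        } catch (ServletException rejected) {
            // Failed authentication. Unlike a Realm, this code has the request,
            // so the client address is available for the log. Never log the password.
            log("login failed for '" + username + "' from " + request.getRemoteAddr());
            response.sendRedirect(request.getContextPath() + "/login.jsp?failed=1");
            return;
        }

        // Success: the request now carries the Principal and roles from the Realm.
        Principal principal = request.getUserPrincipal();
        log("login ok for '" + principal.getName() + "' from " + request.getRemoteAddr());

        // Session state that must exist only for authenticated users.
        // Tomcat's authenticator renews an existing session ID when it registers
        // the principal (changeSessionIdOnAuthentication, default true), which
        // defeats session fixation.
        HttpSession session = request.getSession(true);
        session.setAttribute("loginTime", System.currentTimeMillis());
        session.setAttribute("isAdmin", request.isUserInRole("admin"));

        response.sendRedirect(request.getContextPath() + "/index.jsp");
    }

    /** GET /do-login?action=logout ends the container-managed login and drops the session. */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if ("logout".equals(request.getParameter("action"))) {
            request.logout();                 // clears the caller identity (Servlet 3.0)
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}
```

HttpServletRequest.authenticate(response), which Chris mentions, is the companion call: it triggers the auth-method configured in web.xml (FORM, BASIC, ...) for the current request, whereas login() takes the credentials from your own code.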
Re: filters on j_security_check
> This is one of the reasons I switched to SecurityFilter: there is a
> FlexibleRealmInterface that passes-in the HttpServletRequest that was
> used to attempt authentication. That allows you to get nice things
> like the ip address of the request for logging.

I'm interested in what you are talking about; where can I find info about SecurityFilter? I've used Spring Security for reasons like yours, but I want to try other options.

Thanks
RE: filters on j_security_check
> From: Chema [mailto:demablo...@gmail.com]
> Subject: Re: filters on j_security_check

> where I can find info about SecurityFilter ?

The first hit on Google...

- Chuck
Re: filters on j_security_check
Chema,

On 10/15/2011 4:18 PM, Chema wrote:
>> This is one of the reasons I switched to SecurityFilter: there is a
>> FlexibleRealmInterface that passes-in the HttpServletRequest that
>> was used to attempt authentication. That allows you to get nice
>> things like the ip address of the request for logging.
>
> I'm interested in what you are talking about, where can I find info
> about SecurityFilter? I've used Spring Security for reasons like
> yours but I want to try other options

Frankly, if you're using Spring Security, I'd stick with it. I myself am thinking of making the switch.

-chris
Re: filters on j_security_check
> Frankly, if you're using Spring Security, I'd stick with it. I myself
> am thinking of making the switch.

Yes, I tried it and like it, but I need Single Sign On support and the solutions Spring Security offers are complicated for me to implement.
Re: filters on j_security_check
Chema,

On 10/16/2011 1:55 PM, Chema wrote:
>> Frankly, if you're using Spring Security, I'd stick with it. I
>> myself am thinking of making the switch.
>
> Yes, I tried it and like it, but I need Single Sign On support and
> the solutions Spring Security offers are complicated for me to
> implement.

sf does not support SSO at all, so there's definitely no reason for you to switch.

-chris
Re: 404 for j_security_check
Rick,

On 3/14/24 15:37, Rick Noel wrote:
> After moving from tomcat 9 to tomcat 10, after a user successfully logs in and then hits a restricted page, the login page is hit again, but on this second login hit I get 404 page not found.

This is actually expected, since j_security_check is only supposed to be used when the container (Tomcat) interrupts a user workflow to request authentication.

> How do I set the correct path in my login jsp so that j_security_check is found?
>
> BTW I actually am wondering why a successfully logged on user would even be sent to the log in page again?

That's more of a question for your application than anything else.

> My login page is -> /membership/login.jsp
>
> Here is how I set the path to j_security_check in above login.jsp
>
> My restricted web.xml snippet

Are you doing what I call a "direct login" where you have a "login page" that most users hit first, like from example.com/app/ where there is no initial request for a protected resource? Or are your users always (1) requesting a protected resource, then (2) Tomcat requests authentication, then (3) the user is forwarded to the resource originally requested in (1)?

> External /external/* radiovoodoo NONE Auth /auth/* radiovoodoo NONE FORM /membership/login.jsp /membership/error.jsp

Those NONE lines look weird to me. Why are you explicitly specifying those? What part of your configuration actually requests authentication and authorization?

-chris
j_security_check Tomcat bad redirection
Hello,

When I do the login with wrong username & password I get a redirection to the same (login) page. After that I try to login with correct user & pass and get a bad redirection:

Http status http://localhost:8080/{webapp}/secure/j_security_check

Is there any way to restart the whole tomcat app? I have a check:

httpServletRequest.getUserPrincipal().getName()

How can I create a new UserPrincipal object to erase the previous user?

Regards
j_security_check Tomcat user status
Hello!

For the connection to the database I initialize in context.xml:

[CODE] [/CODE]

j_security_check works fine. Now, I want to check another column on login: userstatus. The value of the column can be 0 or 1. Only users with correct username and status 1 can login. How can I do this with j_security_check?

Regards
Re: j_security_check requires session
[EMAIL PROTECTED] wrote:
> I am having a problem posting credentials to j_security_check for
> form-based authentication.
>
> It seems that tomcat expects that I already have a session established
> before posting the username and password. If I don't already have a
> JSESSIONID cookie, j_security_check returns a 408. Unfortunately, I
> have another application attempting to talk to this one that requires
> that the first thing it does is post credentials to the
> j_security_check, so I have no mechanism of hitting another page first
> to establish a session.
>
> This mechanism worked fine with BEA Weblogic, but it seems that tomcat's
> handling of j_security_check is different. Does anyone know of any
> options to modify the behavior of j_security_check so that it would just
> do the authentication and establish the session in one shot at the time
> of the POST request?

Sorry, no. That isn't the way the spec is written.

However, http://securityfilter.sourceforge.net/ should do exactly what you want.

Mark
Re: j_security_check requires session
Paul,

[EMAIL PROTECTED] wrote:
> It seems that tomcat expects that I already have a session established
> before posting the username and password. If I don't already have a
> JSESSIONID cookie, j_security_check returns a 408.

This behavior adheres to the Servlet Specification. See section 12.5.3. There is no provision for "drive-by" logins.

> Unfortunately, I
> have another application attempting to talk to this one that requires
> that the first thing it does is post credentials to the
> j_security_check, so I have no mechanism of hitting another page first
> to establish a session.

This is non-portable (as you have seen from moving between servlet containers). I think you have a couple of options:

1. Change your remote client to first request the desired secure resource from the server, then submit the credentials with a second request (and you'll be sent to the originally-requested resource, as per the spec)

2. Switch to using securityfilter (which allows drive-bys, and which Mark already plugged)

3. Remove the security constraint from your target service and implement an alternate authentication and authorization strategy (such as checking the credentials yourself in the service) manually

> This mechanism worked fine with BEA Weblogic, but it seems that tomcat's
> handling of j_security_check is different. Does anyone know of any
> options to modify the behavior of j_security_check so that it would just
> do the authentication and establish the session in one shot at the time
> of the POST request?

There are no spec-compliant options. BEA's behavior is an extension to the servlet specification so whatever you do will be container-specific, unless you go outside the container-managed security provider (say, by using something like securityfilter).

-chris
Re: j_security_check requires session
... or simply switch to BASIC auth-method.

Rossen
j_security_check redirect after login
How does j_security_check know where to redirect users to after they have logged in? I have searched for any documentation related to how j_security_check works but to no avail, nor am I able to find out where in the Tomcat source code j_security_check is declared or invoked.

Thanks,

Andrew R Feller, Analyst
Subversion Administrator
University Information Systems
Louisiana State University
j_security_check and RequestDispatcher forward
Hi,

I am using a servlet to intercept form based authentication in order to insert an attribute into the request and then to redirect the request to j_security_check using RequestDispatcher. But I'm getting a 404 page with the following error:

type Status report
message /myApp/j_security_check
description The requested resource (/MyApp/j_security_check) is not available.

If I'm going directly to /MyApp/j_security_check using my browser, j_security_check is found.

Here is the code snippet:

    String params = "j_username=" + request.getParameter("j_username")
            + "&j_password=" + request.getParameter("j_password");
    String encodedSecurityURL = response.encodeRedirectURL("/j_security_check?" + params);
    RequestDispatcher dispatcher;
    dispatcher = getServletContext().getRequestDispatcher(encodedSecurityURL);
    dispatcher.forward(request, response);

Does anyone know why the code does not work but the direct call using the browser does work?

Regards,

Chen Paz
Re: j_security_check with https
I don't know how to request j_security_check on https!

I attempted http://wiki.apache.org/tomcat/SSLWithFORMFallback but it didn't work

/login.do /login/loginError.jsp

tomcat redirects to Http!

cheers
Re: j_security_check with https
Diego Armando Gusava wrote:
> I don't know how to request j_security_check on https!
>
> I attempted http://wiki.apache.org/tomcat/SSLWithFORMFallback but it didn't work

I think the above attempts to find an SSL cert, but falls back to FORM auth. Which isn't perhaps what you want?

> /login.do
> /login/loginError.jsp

Set CONFIDENTIAL in the security constraint section, as below. Ensure that you have an SSL enabled connector and that the redirect port on the normal connector matches the SSL port.

Protected Area /mySecurePath/ GET ... POST rolename CONFIDENTIAL

p

> tomcat redirects to Http!
>
> cheers
Re: j_security_check with https
Let me explain.

When I try to access mySecurePath, for example, tomcat shows me a login page with https, but after that I don't need, for example, to be on https, because I only need to send the username and password protected.

I want only login.jsp to need https!!
Re: j_security_check with https
"Form Based Authentication has the same lack of security as Basic Authentication since the user password is transmitted as plain text and the target server is not authenticated. Again additional protection can alleviate some of these concerns: a secure transport mechanism (HTTPS)."

I want a "secure transport mechanism (HTTPS)". How can I do it?

2009/1/6 Diego Armando Gusava :
> Let me explain.
>
> When I try to access mySecurePath, for example, Tomcat shows me a login
> page over https, but after that I don't need to be on https,
> because I only need the username and password to be sent protected.
>
> I want only login.jsp to require https!!
>
> 2009/1/6 Pid :
>> Diego Armando Gusava wrote:
>>> I don't know how to request j_security_check over https!
>>>
>>> I attempted http://wiki.apache.org/tomcat/SSLWithFORMFallback but it didn't work
>>
>> I think the above attempts to find an SSL cert, but falls back to FORM
>> auth. Which isn't perhaps what you want?
>>
>>>   <form-login-config>
>>>     <form-login-page>/login.do</form-login-page>
>>>     <form-error-page>/login/loginError.jsp</form-error-page>
>>>   </form-login-config>
>>
>> Set CONFIDENTIAL in the
>> security constraint section, as below. Ensure that you have an SSL
>> enabled connector and that the redirect port on the normal connector
>> matches the SSL port.
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>Protected Area</web-resource-name>
>>       <url-pattern>/mySecurePath/</url-pattern>
>>       <http-method>GET</http-method>
>>       ...
>>       <http-method>POST</http-method>
>>     </web-resource-collection>
>>     <auth-constraint>
>>       <role-name>rolename</role-name>
>>     </auth-constraint>
>>     <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>     </user-data-constraint>
>>   </security-constraint>
>>
>>> Tomcat redirects to http!
>>>
>>> cheers
RE: j_security_check with https
> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
> Subject: Re: j_security_check with https
>
> When I try to access mySecurePath, for example, Tomcat shows me a login
> page over https, but after that I don't need to be on https,
> because I only need the username and password to be sent protected.
>
> I want only login.jsp to require https!!

You cannot switch a secure (HTTPS) session to an insecure transport (HTTP) - your login would be worthless if you could. Once you log in via SSL, you'll need to stay with HTTPS to utilize the session.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: j_security_check with https
No, man. Example: email.

When you log in, your username and password are transported over https, but after that you are on http! You don't need https because you are only reading messages (emails).

2009/1/6 Caldarale, Charles R :
>> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
>> Subject: Re: j_security_check with https
>>
>> When I try to access mySecurePath, for example, Tomcat shows me a login
>> page over https, but after that I don't need to be on https,
>> because I only need the username and password to be sent protected.
>>
>> I want only login.jsp to require https!!
>
> You cannot switch a secure (HTTPS) session to an insecure transport (HTTP) -
> your login would be worthless if you could. Once you log in via SSL, you'll
> need to stay with HTTPS to utilize the session.
>
> - Chuck
Re: j_security_check with https
On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava wrote:
> No, man. Example: email.
>
> When you log in, your username and password are transported over https, but
> after that you are on http! You don't need https because you are only
> reading messages (emails).
>

Then just phrase your url-pattern in your security-constraint section accordingly - should work.

Gregor

--
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
RE: j_security_check with https
> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
> Subject: Re: j_security_check with https
>
> When you log in, your username and password are transported over https, but
> after that you are on http! You don't need https because you are only
> reading messages (emails).

And what does that have to do with the behavior of a servlet container?

- Chuck
Re: j_security_check with https
This didn't work:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Usuario</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

If I try /login/login.jsp it works, but when I try an action that has restricted access and no user is logged in, Tomcat redirects to the login page with http!!!

2009/1/6 Caldarale, Charles R :
>> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
>> Subject: Re: j_security_check with https
>>
>> When you log in, your username and password are transported over https, but
>> after that you are on http! You don't need https because you are only
>> reading messages (emails).
>
> And what does that have to do with the behavior of a servlet container?
>
> - Chuck
Re: j_security_check with https
Gregor Schneider wrote:
> On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
> wrote:
>> No, man. Example: email.
>>
>> When you log in, your username and password are transported over https, but
>> after that you are on http! You don't need https because you are only
>> reading messages (emails).
>>
>
> Then just phrase your url-pattern in your security-constraint section
> accordingly - should work.

It won't. Tomcat won't let a session created under HTTPS transition to HTTP as the session ID is effectively the password. If the password needed HTTPS then the session ID does too.

Mark
Re: j_security_check with https
My question is how to combine form based authentication, where we use "j_security_check", "j_username" etc., with https. As far as I know, if we use form based authentication the username and password will be authenticated by the container managed resource called "j_security_check". But the data transfer from the client browser to Tomcat will still be plain text. I want to encrypt this and obviously I need to use https. So how to combine both, and how will Tomcat help me doing this??

2009/1/6 Mark Thomas :
> Gregor Schneider wrote:
>> On Tue, Jan 6, 2009 at 9:13 PM, Diego Armando Gusava
>> wrote:
>>> No, man. Example: email.
>>>
>>> When you log in, your username and password are transported over https, but
>>> after that you are on http! You don't need https because you are only
>>> reading messages (emails).
>>>
>>
>> Then just phrase your url-pattern in your security-constraint section
>> accordingly - should work.
>
> It won't. Tomcat won't let a session created under HTTPS transition to HTTP as
> the session ID is effectively the password. If the password needed HTTPS then
> the session ID does too.
>
> Mark
RE: j_security_check with https
Howdy,

First, to clear up an incorrect point made...

There is a point to switching back to HTTP after HTTPS. From a server load perspective, having to perform SSL computations for every single HTTP request can be a serious performance bottleneck. As for the security aspect, transmission of the username/password should be done over HTTPS, as this is considered "private/confidential" data and can be used to establish future authenticated sessions; however, unless you are in a location where eavesdropping attacks are a risk, there is no need for encryption, as the session ID is either a hashed string in a cookie, or the servlet is making use of URL re-writing, both of which are only "temporary passes" until the HttpSession has been invalidated.

Second, to answer the question regarding actions redirecting to HTTP...

The reason the redirects are not going to HTTPS is because of the RequestDispatcher. When Tomcat sees that you are trying to access a resource for which login is required, it FORWARDs the request to the login form. The security constraints defined in web.xml are for when requests are made directly for those resources. What this means is that your configuration to make sure that the login pages use SSL only comes into effect when the browser requests them directly. Requests that have been FORWARDed by the RequestDispatcher totally bypass the SSL constraints.

What is the solution? Create a Filter subclass with the sole purpose of having its "doFilter" method call "sendRedirect" on the HttpServletResponse object. Map this Filter to the same URL pattern you use for SSL and make sure to use the <dispatcher> tags for FORWARD, INCLUDE, ERROR, and whatever other RequestDispatcher operations you want to ensure use SSL.

Hope this helps.

Justin

> Date: Tue, 6 Jan 2009 19:01:24 -0200
> From: diegogus...@gmail.com
> To: users@tomcat.apache.org
> Subject: Re: j_security_check with https
>
> This didn't work:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Usuario</web-resource-name>
>       <url-pattern>/login/*</url-pattern>
>       <http-method>POST</http-method>
>       <http-method>GET</http-method>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> If I try /login/login.jsp it works, but when I try an action that
> has restricted access and no user is logged in, Tomcat redirects to the login
> page with http!!!
>
> 2009/1/6 Caldarale, Charles R :
> >> From: Diego Armando Gusava [mailto:diegogus...@gmail.com]
> >> Subject: Re: j_security_check with https
> >>
> >> When you log in, your username and password are transported over https, but
> >> after that you are on http! You don't need https because you are only
> >> reading messages (emails).
> >
> > And what does that have to do with the behavior of a servlet container?
> >
> > - Chuck
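The filter Justin describes, written out as an added example; this is not code from the thread or from Tomcat. The class name, the httpsPort init-param and its 8443 default are assumptions; the /login/* mapping is Diego's constraint pattern from above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not the thread's code); class and init-param names are assumptions.
 * Map it in web.xml to the CONFIDENTIAL constraint's pattern and list the dispatcher
 * types, so FormAuthenticator's FORWARD to the login page is caught as well:
 *   <filter-mapping>
 *     <filter-name>RequireHttpsFilter</filter-name>
 *     <url-pattern>/login/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher>
 *     <dispatcher>INCLUDE</dispatcher> <dispatcher>ERROR</dispatcher>
 *   </filter-mapping>
 */
public class RequireHttpsFilter implements Filter {
    // Must equal the SSL connector port (the plain connector's redirectPort); 8443 is an assumed default.
    private int httpsPort = 8443;
    @Override public void init(FilterConfig config) {
        String port = config.getInitParameter("httpsPort");
        if (port != null) httpsPort = Integer.parseInt(port.trim());
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.isSecure()) {   // already on TLS: let the login page render
            chain.doFilter(req, res);
            return;
        }
        // On a FORWARD the browser still holds the original protected URL, exposed by the
        // container through these attributes. Redirecting there over HTTPS makes Tomcat redo
        // the login flow on TLS, so neither the credentials nor the session cookie cross plain HTTP.
        String uri = (String) request.getAttribute("javax.servlet.forward.request_uri");
        String query = (String) request.getAttribute("javax.servlet.forward.query_string");
        if (uri == null) { uri = request.getRequestURI(); query = request.getQueryString(); }
        StringBuilder target = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) target.append(':').append(httpsPort);
        target.append(uri);
        if (query != null) target.append('?').append(query);
        ((HttpServletResponse) res).sendRedirect(target.toString());
    }
    @Override public void destroy() { }
}
```

If TLS is terminated in front of Tomcat, isSecure() stays false unless the connector is configured with secure="true" and scheme="https", and the filter would loop on its own redirect. This only protects the login step; as Mark and Chuck note above, the session cookie issued afterwards is as sensitive as the password, so the protected resources should carry the CONFIDENTIAL constraint too.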
RE: j_security_check with https
> From: Justin Randall [mailto:ran...@hotmail.com]
> Subject: RE: j_security_check with https
>
> There is a point to switching back to HTTP after HTTPS. From
> a server load perspective, having to perform SSL computations
> for every single HTTP request can be a serious performance
> bottleneck.

Of course - everyone recognizes that. Serious sites will offload the SSL processing to a separate box or NIC card for that very reason.

> however, unless you are in a location where eavesdropping
> attacks are a risk,

Such as pretty much anywhere on the Internet? If eavesdropping attacks were not a risk, there would be no point in encrypting the security credentials. You can't have it both ways.

- Chuck