Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-13 Thread Christopher Schultz
Rop, On 3/12/15 7:10 PM, rop wrote: Hi Chris, Yes, we are applying salt before hashing (to prevent googling up many passwords from the hashes). Depending upon how you are storing the salt, you may be able to use Tomcat out of the box, now,

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread David kerber
On 3/12/2015 10:16 AM, rop wrote: Hi Chris, Thanks for your input. Re your points a+b: You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml Actually, neither; we define the Realm in $CATALINA_BASE/conf/server.xml That's also what I

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
Hi Chris, Thanks for your input. Re your points a+b: You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml Actually, neither; we define the Realm in $CATALINA_BASE/conf/server.xml That's also what I see in the Tomcat docs:

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a troubleshooting step, I actually did an install-and-test binary search among the intermediate Tomcat versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread Mark Thomas
On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a troubleshooting step, I actually did an install-and-test binary search among the intermediate Tomcat versions to pinpoint exactly which version breaks our app. Turns out, up to

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
Finally, found the issue. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that). Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread Christopher Schultz
Rop, On 3/12/15 3:33 PM, rop wrote: Finally, found the issue. Please bottom-post if you can. Also, please sign your posts. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote: On 12/03/2015 15:51, rop wrote: Ah, I got it

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
Hi Chris, Yes, we are applying salt before hashing (to prevent googling up many passwords from the hashes). Override probably seemed like the easiest way at the time, but maybe there is a better way now. Will check it out, thanks. /Rop On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz
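The salted-digest question in this thread (Rop's overridden DataSourceRealm breaking at the RealmBase.compareCredentials() change, and Chris's point that the answer depends on how the salt is stored) comes down to what the realm compares against. The following is an added example, not code from the thread or from Tomcat: it contrasts a plain digest, which is identical for every user with the same password and therefore easy to look up, with a per-user salted and iterated digest stored as `salt$iterations$hash`, the hex layout Tomcat's digest utility documents for its digest realms. The mixing steps (SHA-256 over salt||password, then re-hashing the result iterations-1 times) are an assumption made for illustration and are not a copy of Tomcat's implementation; check your version's RealmBase source before relying on format compatibility.

```python
"""Salted, iterated password digests versus a plain (unsalted) digest.

Added example, not code from the thread or from Tomcat. The stored layout
'salt$iterations$hash' (all hex) follows Tomcat's documented digest format;
the mixing steps below are an illustrative assumption, not Tomcat's code.
"""
import hashlib
import hmac
import os

ALGORITHM = "sha256"


def plain_digest(password: str) -> str:
    """Unsalted digest: identical for every user with the same password,
    so one lookup table (or a web search) cracks all of them at once."""
    return hashlib.new(ALGORITHM, password.encode("utf-8")).hexdigest()


def salted_digest(password: str, salt: bytes, iterations: int) -> str:
    """Return 'salt$iterations$hash' for the given salt and iteration count.

    Assumed mixing: hash = H(salt || password), then hash = H(hash) repeated
    iterations-1 times. Labelled as an assumption, see module docstring."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h = hashlib.new(ALGORITHM, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        h = hashlib.new(ALGORITHM, h).digest()
    return f"{salt.hex()}${iterations}${h.hex()}"


def new_credential(password: str, salt_len: int = 16, iterations: int = 1000) -> str:
    """Create a fresh stored credential with a random per-user salt."""
    return salted_digest(password, os.urandom(salt_len), iterations)


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time.

    A stored value with no '$' separators is treated as a plain digest,
    mirroring the simpler comparison the thread describes for older
    Tomcat versions. Malformed values never verify."""
    parts = stored.split("$")
    if len(parts) == 3:
        salt_hex, iterations, expected = parts
        try:
            candidate = salted_digest(password, bytes.fromhex(salt_hex), int(iterations))
        except ValueError:
            return False
        return hmac.compare_digest(candidate.split("$")[2], expected.lower())
    if len(parts) == 1:
        return hmac.compare_digest(plain_digest(password), stored.lower())
    return False


if __name__ == "__main__":
    alice = new_credential("correct horse")
    bob = new_credential("correct horse")
    print("plain digests equal: ", plain_digest("correct horse") == plain_digest("correct horse"))
    print("salted digests equal:", alice == bob)  # False: different per-user salts
    print("alice verifies:      ", verify("correct horse", alice))
    print("wrong password:      ", verify("wrong", alice))
```

Two practitioner notes: first, an iterated plain hash is the minimum that keeps the stored format simple; where you control both sides, a purpose-built password KDF (PBKDF2, bcrypt, scrypt or Argon2) is the stronger choice. Second, if you keep an override of the realm's comparison method, pin it to the exact method signature of the Tomcat version you deploy and re-test it on every upgrade, which is precisely the failure this thread bisected down to 7.0.50.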

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-11 Thread Christopher Schultz
Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Jan Vávra
Hello, When I create a user with the password with the Czech string ŽežUlička.1 the browser correctly sends this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=p&j_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Christopher Schultz
Jan, On 6/26/13 7:14 AM, Jan Vávra wrote: Hello, When I create a user with the password with the Czech string ŽežUlička.1 the browser correctly sends this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type:

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-24 Thread Jan Vávra
Well, it is a custom created and managed XML file. But the core of the problem is in the string credentials in the method public Principal authenticate(String username, String credentials). If the string was encoded properly (in Java as UTF-16) credentials.length would be equal to 11, but its real

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-24 Thread Mark Thomas
On 24/06/2013 12:52, Jan Vávra wrote: Hello, I'm successfully using form based authentication when login or password contains only letters from the English alphabet. OK. That means you've got the basics set up correctly. I have also written my own realm. I'd suggest testing with the default
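The length discrepancy Jan reports in this thread is reproducible outside Tomcat: the browser percent-encodes the password as UTF-8, and if the container decodes the POST body with the servlet default of ISO-8859-1, every multi-byte character arrives as two characters, so the realm sees a 14-character string where the user typed 11. The following is an added example, not code from the thread or from Tomcat; the request body is constructed for the example from the encoded value shown in the thread, with the `&` between the two fields restored.

```python
"""UTF-8 versus ISO-8859-1 decoding of FORM-login credentials.

Added example, not code from the thread or from Tomcat. It decodes the same
percent-encoded body with both charsets and shows the resulting lengths, then
repairs a Latin-1 misdecode after the fact.
"""
from urllib.parse import parse_qs

# Constructed sample body, as a browser would percent-encode it from UTF-8.
SAMPLE_BODY = "j_username=p&j_password=%C5%BDe%C5%BEUli%C4%8Dka.1"


def credentials(body: str, encoding: str) -> tuple:
    """Decode j_username and j_password from a form body with the given charset.

    'utf-8' is what the browser used; 'iso-8859-1' is what a container
    falls back to when no request encoding has been configured."""
    fields = parse_qs(body, encoding=encoding, errors="strict", keep_blank_values=True)
    return fields["j_username"][0], fields["j_password"][0]


def repair_latin1_misdecode(s: str) -> str:
    """Undo a Latin-1 misdecode of UTF-8 bytes (each byte became one char).

    Only safe when the original bytes were valid UTF-8; otherwise a
    UnicodeDecodeError is raised rather than silently returning garbage.
    This is a last-resort repair in application code; the real fix is to
    make the container decode the body as UTF-8 in the first place."""
    return s.encode("latin-1").decode("utf-8")


if __name__ == "__main__":
    user, pw_utf8 = credentials(SAMPLE_BODY, "utf-8")
    _, pw_latin1 = credentials(SAMPLE_BODY, "iso-8859-1")
    print(len(pw_utf8), pw_utf8)            # 11 characters, as typed
    print(len(pw_latin1), repr(pw_latin1))  # 14 characters of mojibake
    print(repair_latin1_misdecode(pw_latin1) == pw_utf8)
```

In Tomcat the decode happens inside the FormAuthenticator valve before any servlet filter runs, so a character-encoding filter in web.xml cannot help for j_security_check; the valve has its own characterEncoding attribute for this purpose (check the Valve documentation for the Tomcat version you run). The same mismatch also means a password that verified at registration time through one code path can fail at login through another, which is worth a test case with non-ASCII credentials in any realm you write yourself.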

Re: FORM based authentication with MD5 encrypted password

2010-12-07 Thread Mark Thomas
On 07/12/2010 11:14, mike lan wrote: Hello everyone, is there a way to do FORM based authentication in tomcat but with MD5 encrypted password ? Yes. Read the realm docs for details. Mark

Re: Form-based authentication

2009-06-22 Thread Oliver Block
On Sunday, 21 June 2009 01:34:29, Caldarale, Charles R wrote: [...] you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently User). You must have a role class that implements Principal and Serializable (in addition to the Principal class

RE: Form-based authentication

2009-06-20 Thread Caldarale, Charles R
From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Form-based authentication But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has an imap account to web.xml? No, each user would normally have a set of

Re: Form-based authentication

2009-06-20 Thread Oliver Block
On Saturday, 20 June 2009 23:41:11, Caldarale, Charles R wrote: From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Form-based authentication But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has an

RE: Form-based authentication

2009-06-20 Thread Caldarale, Charles R
From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Re: Form-based authentication Are the roles passed to the LoginModule? No, you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently User). You must have a role class

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-14 Thread Christopher Schultz
Chuck, On 5/13/2009 8:16 AM, Caldarale, Charles R wrote: From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session before it is authenticated? P.S: BTW, is Tomcat planning to resolve

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-14 Thread Christopher Schultz
Martin, On 5/13/2009 9:27 AM, Martin Gainty wrote: if you are asking how to overcome Man-in-the-middle fraudulent manipulation based on basic authentication? He's not. and or Man-in-the middle fraudulent manipulation based on Form-based

RE: Form Based Authentication creates user session before it is authenticated?

2009-05-13 Thread Caldarale, Charles R
From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session before it is authenticated? P.S: BTW, is Tomcat planning to resolve this vulnerability in near future? I'll bite: what vulnerability are you referring to? - Chuck

RE: Form Based Authentication creates user session before it is authenticated?

2009-05-13 Thread Martin Gainty
From: chuck.caldar...@unisys.com To: users@tomcat.apache.org Date: Wed, 13 May 2009 07:16:50 -0500 Subject: RE: Form Based Authentication creates user session before it is authenticated? From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-12 Thread umeshkavade
No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for replay after a successful authentication. If not in the session, where else should it be stored? Christopher, thanks for the reply. This is in line with my analysis.

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-12 Thread umeshkavade
Christopher, I got the solution. Thanks. Umesh

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-11 Thread Christopher Schultz
Umesh, On 5/8/2009 9:03 PM, umeshkavade wrote: In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-09 Thread Pid
umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session.

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-09 Thread Pid
Pid wrote: umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates

RE: Form Based Authentication creates user session before it is authenticated?

2009-05-09 Thread Martin Gainty
Subject: Re: Form Based Authentication creates user session before it is authenticated? Pid wrote: umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing

Re: form based authentication

2009-04-22 Thread Christopher Schultz
Jill, On 4/22/2009 10:46 AM, Jill Han wrote: I tried to use form based authentication with JNDIRealm. What I want to accomplish is to have the two applications with the same realm be authenticated once. It seems the tomcat ignored the realm. I

RE: form based authentication

2009-04-22 Thread Jill Han
-Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Wednesday, April 22, 2009 11:11 AM To: Tomcat Users List Subject: Re: form based authentication Jill, On 4/22/2009 10:46 AM, Jill Han wrote: I tried to use form

RE: form based authentication

2009-04-22 Thread Caldarale, Charles R
From: Jill Han [mailto:jill@alverno.edu] Subject: RE: form based authentication However, this makes authentication activated only once although the applications have different realms. To quote from the SSO doc: All web applications configured for this virtual host must share the same

RE: form based authentication

2009-04-22 Thread Jill Han
Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Wednesday, April 22, 2009 12:12 PM To: Tomcat Users List Subject: RE: form based authentication From: Jill Han [mailto:jill@alverno.edu] Subject: RE: form based authentication However, this makes

RE: form based authentication

2009-04-22 Thread Jill Han
Sent: Wednesday, April 22, 2009 2:12 PM To: 'Tomcat Users List' Subject: RE: form based authentication There is a single Host in server.xml Engine name=Catalina defaultHost=localhost ... Realm className=org.apache.catalina.realm.JNDIRealm debug=99 connectionName

Re: form based authentication

2009-04-22 Thread Christopher Schultz
Jill, On 4/22/2009 3:11 PM, Jill Han wrote: What I want to do is all the applications have the same realm config in server.xml. That's not what you said earlier: you said you wanted /certain/ applications to have SSO behavior. SSO works by

Re: Form-based authentication example broken in Tomcat 6.0

2007-05-02 Thread Rémy Maucherat
On 5/2/07, Frank McCown [EMAIL PROTECTED] wrote: The default contents of the conf/tomcat-users.xml file *should* be tomcat-users user name=tomcat password=tomcat roles=tomcat / user name=role1 password=tomcat roles=role1 / user name=both password=tomcat roles=tomcat,role1 /

Re: Form-based authentication example broken in Tomcat 6.0

2007-05-02 Thread Frank McCown
Rémy Maucherat wrote: On 5/2/07, Frank McCown [EMAIL PROTECTED] wrote: The default contents of the conf/tomcat-users.xml file *should* be tomcat-users user name=tomcat password=tomcat roles=tomcat / user name=role1 password=tomcat roles=role1 / user name=both password=tomcat

Re: Form based authentication giving 400 error - strange behavior

2007-05-02 Thread Christopher Schultz
Steven, Steven Rock wrote: Sorry for the long explanation but this is a tricky problem that has me stumped. I hope someone else has experienced this. When you build your URL using javascript, make sure to run the URL through

Re: Form Based Authentication : connection and bind to directory problems

2006-12-04 Thread Christopher Buffington
Thanks for the info. I have actually gotten this far. In the examples connectionName and connectionPassword are used and I'm trying not to put those values in my Realm configuration. I am able to do it by turning on anonymous logins in ADAM but I know this will not be allowed for a final

Re: Form Based Authentication : connection and bind to directory problems

2006-12-04 Thread Martin Gainty
- Original Message - From: Christopher Buffington [EMAIL PROTECTED] To: Tomcat Users List users@tomcat.apache.org; Martin Gainty [EMAIL PROTECTED] Sent: Monday, December 04, 2006 5:40 PM Subject: Re: Form Based Authentication

Re: Form Based Authentication : connection and bind to directory problems

2006-11-29 Thread Tim Funk
IIRC there is no way to do that. As an alternative, you can hack JNDIRealm to have it do what you wish. -Tim Christopher Buffington wrote: I'm trying to use form based authentication with JNDIRealm to validate users in an Active Directory Application Mode (ADAM) directory. I have a small

Re: Form Based Authentication : connection and bind to directory problems

2006-11-29 Thread Martin Gainty
Would have to see your server.xml configuration for Realm. Here is an example of a successful AD entry specified in Realm; be mindful that referrals=follow must be specified to use Microsoft AD. Declarative example follows here

Re: Form Based Authentication : connection and bind to directory problems (part 2)

2006-11-29 Thread Martin Gainty
Christopher- A programmatic example and javadoc is located here http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/JNDIRealm.html#referrals HTH M-

Re: FORM based authentication LOGOUT

2006-11-03 Thread John McPeek
When I call request.getUserPrincipal(); I still get the Principal back and I can still call request.isUserInRole( Foo ); and get a valid response for the currently logged in user. John From: John McPeek [mailto:[EMAIL PROTECTED] Subject: FORM based authentication LOGOUT I have tried to

Re: FORM based authentication LOGOUT

2006-11-03 Thread Christopher Schultz
John, When I call request.getUserPrincipal(); I still get the Principal back and I can still call request.isUserInRole( Foo ); and get a valid response for the currently logged in user. Are you checking those values during the same request in which you killed the session? It's possible that

RE: FORM based authentication LOGOUT

2006-11-02 Thread Caldarale, Charles R
From: John McPeek [mailto:[EMAIL PROTECTED] Subject: FORM based authentication LOGOUT I have tried to invalidate the session and get a new one. No Dice. When you say No Dice, what actually happens? All the admin app for Tomcat does is the following, which seems to work:

Re: form-based authentication support for cookies

2006-01-18 Thread Leonardo Kenji Shikida
too bad. Resin has this. On 1/18/06, Mark Thomas [EMAIL PROTECTED] wrote: Leonardo Kenji Shikida wrote: using Tomcat's form-based authentication (j_username and j_password), is there any support for a remember me feature? (saving an encrypted password into a cookie and reading it back in the