-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Rop,
On 3/12/15 7:10 PM, rop wrote:
> Hi Chris, Yes, we are applying salt before hashing (to prevent
> googling up many passwords from the hashes).
Depending upon how you are storing the salt, you may be able to use
Tomcat out of the box, now, beca
Hi Chris,
Yes, we are applying salt before hashing (to prevent googling up many
passwords from the hashes).
Override probably seemed like easiest way at the time, but maybe a better
way now. Will check it out, thanks.
/Rop
On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz <
ch...@christophers
Rop,
On 3/12/15 3:33 PM, rop wrote:
> Finally, found the issue.
Please bottom-post if you can. Also, please sign your posts.
> On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas
> wrote:
>
>> On 12/03/2015 15:51, rop wrote:
>>> Ah, I got it now. Thank
Finally, found the issue.
The crucial change was in the method RealmBase.compareCredentials(),
which is new in 7.0.50 (the comparison was much simpler before that).
Dunno if we do something unusual here,
but we just extend DataSourceRealm, like MyDataSourceRealm,
and implement the message-digest
On 12/03/2015 15:51, rop wrote:
> Ah, I got it now.
> Thanks, David.
>
> Yes, the a-b-c-d points are OK then.
>
> As a troubleshooting action, I actually did an install-and-test "binary search"
> among the intermediate Tomcat versions to pinpoint exactly which version
> breaks our app.
>
> Turns
Ah, I got it now.
Thanks, David.
Yes, the a-b-c-d points are OK then.
As a troubleshooting action, I actually did an install-and-test "binary search"
among the intermediate Tomcat versions to pinpoint exactly which version
breaks our app.
Turns out, up to 7.0.47 it still works OK.
(7.0.48 and 7.0.
On 3/12/2015 10:16 AM, rop wrote:
Hi Chris,
Thanks for your input.
Re your points a+b:
"You have put your into conf/context.xml instead of into your web
application's META-INF/context.xml"
Actually neither we define the in
$CATALINA_BASE/conf/server.xml
That's also what I see in the
Hi Chris,
Thanks for your input.
Re your points a+b:
"You have put your into conf/context.xml instead of into your web
application's META-INF/context.xml"
Actually neither we define the in
$CATALINA_BASE/conf/server.xml
That's also what I see in the Tomcat-docs:
http://tomcat.apache.
Rop,
On 3/10/15 2:57 PM, rop wrote:
> We are trying to upgrade Tomcat from 7.0.35 to 7.0.59.
>
> For some reason, the form-based authentication gets broken after
> the upgrade, and just gives "Invalid username and/or password,
> please try again" w
Jan,
On 6/26/13 7:14 AM, Jan Vávra wrote:
> Hello,
> When I create user with password with czech String
> "ŽežUlička.1" the browser sends correctly this string as:
> POST http://localhost:70/myapp/j_security_check HTTP/1.1
> Conte
Hello,
When I create a user whose password contains the Czech string "ŽežUlička.1", the
browser correctly sends this string as:
POST http://localhost:70/myapp/j_security_check HTTP/1.1
Content-Type: application/x-www-form-urlencoded
j_username=p&j_password=%C5%BDe%C5%BEUli%C4%8Dka.1
The browser is not sen
On 24/06/2013 12:52, Jan Vávra wrote:
>> Hello,
>> I'm successfully using form based authentication when login or
>> password contains only letters from the English alphabet.
OK. That means you've got the basics set up correctly.
>> I have also written own realm.
I'd suggest testing with the de
Well, it is a custom-created and managed XML file.
But the core of the problem is in the String credentials in the method
public Principal authenticate(String username, String credentials).
If the string was encoded properly (in java as utf-16) the
credentials.length would be equal to 11 but its real leng
On 07/12/2010 11:14, mike lan wrote:
> Hello everyone,
> is there a way to do FORM based authentication in tomcat
> but with MD5 encrypted password ?
Yes. Read the realm docs for details.
Mark
Am Sonntag, 21. Juni 2009 01:34:29 schrieb Caldarale, Charles R:
> [...] you hard-code the single role name in the LoginModule, using whatever
> value you have in web.xml (currently "User"). You must have a role class
> that implements Principal and Serializable (in addition to the Principal
> cl
> From: Oliver Block [mailto:li...@oliver-block.eu]
> Subject: Re: Form-based authentication
>
> Are the roles passed to the LoginModule?
No, you hard-code the single role name in the LoginModule, using whatever value
you have in web.xml (currently "User"). You must
Am Samstag, 20. Juni 2009 23:41:11 schrieb Caldarale, Charles R:
> > From: Oliver Block [mailto:li...@oliver-block.eu]
> > Subject: Form-based authentication
> >
> > But now I do not see how to connect the authentication module
> > to a security constraint. I mean, do I have to add every user
> > t
> From: Oliver Block [mailto:li...@oliver-block.eu]
> Subject: Form-based authentication
>
> But now I do not see how to connect the authentication module
> to a security constraint. I mean, do I have to add every user
> that has an imap account to web.xml?
No, each user would normally have a s
Martin,
On 5/13/2009 9:27 AM, Martin Gainty wrote:
> if you are asking how to overcome Man-in-the-middle fraudulent
> manipulation based on basic authentication?
He's not.
> and or Man-in-the middle
> fraudulent manipulation based on Form-based auth
Chuck,
On 5/13/2009 8:16 AM, Caldarale, Charles R wrote:
>> From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
>> Subject: Re: Form Based Authentication creates user session before it
>> is authenticated?
>>
>> P.S: BTW,
; Date: Wed, 13 May 2009 07:16:50 -0500
> Subject: RE: Form Based Authentication creates user session before it is
> authenticated?
>
> > From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
> > Subject: Re: Form Based Authentication creates user session before it
>
> From: umeshkavade [mailto:umeshkav...@yahoo.co.in]
> Subject: Re: Form Based Authentication creates user session before it
> is authenticated?
>
> P.S: BTW, is Tomcat planning to resolve this vulnerability in near
> future?
I'll bite: what "vulnerability" are y
Christopher, I got the solution.
Thanks.
Umesh
---
>No, you'd have to write your own authentication mechanism. Tomcat is
>required to store the request that triggered authentication for re-play
>after a successful authentication. If not the request, where else should
>it be stored?
Christopher, thanks for the reply.
This is inline with my analys
Umesh,
On 5/8/2009 9:03 PM, umeshkavade wrote:
> In my web application, I am using tomcat's form based authentication for
> protecting my secure web pages. Thus whenever user starts accessing webapp
> by providing an URL of protected page, it is redir
er.com
> To: users@tomcat.apache.org
> Subject: Re: Form Based Authentication creates user session before it is
> authenticated?
>
> Pid wrote:
> > umeshkavade wrote:
> >> Hello,
> >>
> >> In my web application, I am using tomcat's form based au
Pid wrote:
> umeshkavade wrote:
>> Hello,
>>
>> In my web application, I am using tomcat's form based authentication for
>> protecting my secure web pages. Thus whenever user starts accessing webapp
>> by providing an URL of protected page, it is redirected to login page.
>> However, while doing so
umeshkavade wrote:
> Hello,
>
> In my web application, I am using tomcat's form based authentication for
> protecting my secure web pages. Thus whenever user starts accessing webapp
> by providing an URL of protected page, it is redirected to login page.
> However, while doing so it creates a sess
Jill,
On 4/22/2009 3:11 PM, Jill Han wrote:
> What I want to do is all the applications have the same realm config
> in server.xml.
That's not what you said earlier: you said you wanted /certain/
applications to have SSO behavior. SSO works by creati
aldar...@unisys.com]
Sent: Wednesday, April 22, 2009 12:12 PM
To: Tomcat Users List
Subject: RE: form based authentication
> From: Jill Han [mailto:jill@alverno.edu]
> Subject: RE: form based authentication
>
> However, this makes authentication activated only once although the
> applica
plications in the web.xml have different , those
applications need to be authenticated separately.
Those tasks can be achieved if basic authentication as
BASIC
TEST
is used.
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Wednesday, Apri
> From: Jill Han [mailto:jill@alverno.edu]
> Subject: RE: form based authentication
>
> However, this makes authentication activated only once although the
> applications have different realms.
To quote from the SSO doc:
"All web applications configured for this virtual
il 22, 2009 11:11 AM
To: Tomcat Users List
Subject: Re: form based authentication
Jill,
On 4/22/2009 10:46 AM, Jill Han wrote:
> I tried to use form based authentication with JNDIRealm. What I want to
> accomplish is to have the two applicatio
Jill,
On 4/22/2009 10:46 AM, Jill Han wrote:
> I tried to use form based authentication with JNDIRealm. What I want to
> accomplish is to have the two applications with the same realm be
> authenticated once. It seems the tomcat ignored the realm. I
Steven,
Steven Rock wrote:
> Sorry for the long explanation but this is a tricky problem that has me
> stumped. I hope someone else has experienced this.
When you build your URL using javascript, make sure to run the URL
through HttpServletResponse.
Rémy Maucherat wrote:
On 5/2/07, Frank McCown <[EMAIL PROTECTED]> wrote:
The default contents of the conf/tomcat-users.xml file *should* be
but the file that ships with 6.0 is missing all the tags.
No default users will be provided.
Do you mean you are leaving users out on p
On 5/2/07, Frank McCown <[EMAIL PROTECTED]> wrote:
The default contents of the conf/tomcat-users.xml file *should* be
but the file that ships with 6.0 is missing all the tags.
No default users will be provided.
And the server.xml file is missing the line:
It has a functio
- Original Message -
From: "Christopher Buffington" <[EMAIL PROTECTED]>
To: "Tomcat Users List" ; "Martin Gainty" <[EMAIL
PROTECTED]>
Sent: Monday, December 04, 2006 5:40 PM
Subj
Thanks for the info. I have actually gotten this far. In the examples
connectionName and connectionPassword are used and I'm trying not to put
those values in my Realm configuration. I am able to do it by turning on
anonymous logins in ADAM but I know this will not be allowed for a final
solution.
Christopher-
A programmatic example and javadoc are located here
http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/JNDIRealm.html#referrals
HTH
M-
Would have to see your server.xml configuration for http://mail-archives.apache.org/mod_mbox/tomcat-users/200311.mbox/[EMAIL
PROTECTED]
Here is the javadoc for JNDIRealm (for programmatic implementation)
IIRC there is no way to do that. As an alternative, you can hack
JNDIRealm to have it do what you wish.
-Tim
Christopher Buffington wrote:
I'm trying to use form based authentication with JNDIRealm to validate
users
in an Active Directory Application Mode (ADAM) directory. I have a small
test
John,
> When I call request.getUserPrincipal(); I still get the Principal back
> and I can still call request.isUserInRole( "Foo" ); and get a valid
> response for the currently logged in user.
Are you checking those values during the same request in which you
killed the session? It's possible th
When I call request.getUserPrincipal(); I still get the Principal back
and I can still call request.isUserInRole( "Foo" ); and get a valid
response for the currently logged in user.
John
From: John McPeek [mailto:[EMAIL PROTECTED]
Subject: FORM based authentication LOGOUT
I have tried to in
> From: John McPeek [mailto:[EMAIL PROTECTED]
> Subject: FORM based authentication LOGOUT
>
> I have tried to invalidate the session and get a new one.
> No Dice.
When you say "No Dice", what actually happens?
All the admin app for Tomcat does is the following, which seems to work:
Htt
too bad. resin has this
On 1/18/06, Mark Thomas <[EMAIL PROTECTED]> wrote:
> Leonardo Kenji Shikida wrote:
> > using tomcat's form-based authentication ("j_username" and
> > "j_password"), is there any support for "remember me" feature? (saving
> > encrypted password into a cookie and reading it b
Leonardo Kenji Shikida wrote:
> using tomcat's form-based authentication ("j_username" and
> "j_password"), is there any support for "remember me" feature? (saving
> encrypted password into a cookie and reading it back in the next
> visit), or will I have to code myself the a whole new authenticati