On 08/11/12 22:48, Russ Kepler wrote:
On Friday, November 09, 2012 01:02:55 AM Konstantin Kolinko wrote:

1. When and how do you obtain the value for your jsessionid? Beware
that the session id is changing when you do authentication. That is
done to prevent session fixation attacks.

The .jnlp would be generated on the fly after a login, so it would have the
jsessionid just generated by the user authentication - if I can get through
the login.  But I'm not getting there as a successful login isn't redirected
to the original target (or, perhaps, the jsessionid generated by the login
isn't properly appended to the original url).

2. It isn't timeout.
It means that you've got a new session, and so Tomcat does not know
where to redirect you after the login.

See
response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT
call in o.a.c.authenticator.FormAuthenticator

I landed in the login as a function of the authentication, so it seems that I
should end up where I was originally trying to go after the authentication
succeeds.  Since the session has to be in the URL there should have been a URL
rewrite for the new session performed after the login and session was created.

This old thread seems applicable:

http://tomcat.10.n6.nabble.com/AuthenticatorBase-setChangeSessionIdOnAuthentication-without-cookies-td4987045.html

It's entirely possible (likely) that I'm missing something, but it sure looks
like you can't get through a login.jsp with URL based session data.  I'd be
delighted to wrap this test case up in a .war; I was posting here to make sure
that I wasn't completely missing some point.

Russ,

I thought it would be helpful to let you know that I am very nearly ready to submit a lot of new unit tests for the FormAuthenticator class. The new tests explore URL path extensions to carry the session id in the absence of cookies.

I have a couple of cases left to develop, which are closely related to your situation. If you are not in too much of a hurry, then I suggest you wait for me, rather than waste time developing a demonstration war...

I'll get back to you later this week if I need any more information about your problem, or even if I think you are just experiencing a "that's just the way it works" situation (at the moment I am not sure).

Regards,

Brian
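One concrete check that follows from Konstantin's point about the "new session" (an added example, not code from this thread, from Tomcat or from Brian's tests): when cookies are unavailable the session id exists only as the `;jsessionid=...` path parameter, so the login page must pass the `j_security_check` action through `response.encodeURL()`; a bare `action="j_security_check"` POSTs without any session id, Tomcat sees a new session, cannot find the saved request and answers 408. The file name `login.jsp` is taken from Russ's message; the diagnostic line at the bottom is an assumption added for troubleshooting.

```jsp
<%@ page contentType="text/html;charset=UTF-8" session="true" %>
<%-- login.jsp for FORM authentication with URL-rewritten session ids.      --%>
<%-- Added example; not the thread's own code.                             --%>
<%
    // Diagnostic only: where did the container get the session id from
    // on the request that forwarded us here? With cookies disabled we expect
    // fromUrl == true (or both false on the very first hit, before any
    // jsessionid has been issued) and the id to be valid.
    boolean fromUrl    = request.isRequestedSessionIdFromURL();
    boolean fromCookie = request.isRequestedSessionIdFromCookie();
    boolean validId    = request.isRequestedSessionIdValid();
%>
<html>
<body>
<!-- encodeURL appends ;jsessionid=... only when no session cookie was sent,
     so the POST to j_security_check lands in the session that holds the
     saved request and the post-login redirect to the original URL works. -->
<form method="POST" action="<%= response.encodeURL("j_security_check") %>">
  <label>User: <input type="text" name="j_username"></label>
  <label>Password: <input type="password" name="j_password"></label>
  <input type="submit" value="Log in">
</form>

<!-- Broken variant without cookies (do not use):
     <form method="POST" action="j_security_check">
     The POST carries no session id, Tomcat creates a fresh session,
     finds no saved request for it and responds 408 Request Timeout. -->

<p>session id from URL: <%= fromUrl %>,
   from cookie: <%= fromCookie %>,
   valid: <%= validId %></p>
</body>
</html>
```

The three booleans come from the standard HttpServletRequest API; if `fromUrl` is true on the login page but the post-login redirect still fails, the session id was lost between the form and `j_security_check`, which is the symptom to look at first.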

