On 17/05/2015 23:44, Kim Ming Yap wrote:
> Hi, I'm building a website using form based authentication integrating with
> JAAS for user based authentication. I don't have an issue when a successful
> credential is authenticated. Rather I'm having difficulty understanding the
> flow of JAAS back to the client should the form based authentication fail.
>
> SOFTWARE:
> 1. Apache Tomee plus 1.7.1
> 2. Java 8
> 3. Tomcat JAAS Realm
>
> OBJECTIVE: Custom error captured in JAAS login module to propagate to error
> page

You are unlikely to get much help from Tomcat with this since
propagating back custom errors is considered poor security practice (an
attacker should not be able to tell why authentication failed).

> BASIC UNDERSTANDING:
> The Tomcat JAAS layer is not integrated with the web container layer. Hence 
> the former does not have access to request, session etc.

JAAS is integrated as a Realm - i.e. something that validates
credentials provided by an Authenticator. The Authenticator has full
access to the request and the response. You may want to consider a
custom Authenticator.

> SOLUTION:
> Using ThreadLocal which capture the custom error message in JAAS layer to be 
> used when the flow reaches back to the custom valve on the way back to the 
> browser.

You need to be careful you don't trigger memory leaks when using
ThreadLocals.

> PROBLEM: Understanding of basic request/response flow involving Tomcat and JAAS
> a. request --> valve --> JAAS --> Filter --> Servlet/JSP
> b. response <-- valve (**) <-- JAAS <-- Filter <-- Servlet/JSP

I suspect that order is wrong.

JAAS is called by the Authenticator (which is a valve). The
Authenticator then calls the Filter (via a few other layers).

You might want to check the ordering of your valve and the Authenticator.

> (refer to above clause b) ThreadLocal in the JAAS layer managed to capture the
> custom error message and I managed to print it after the getNext() method
> of the custom valve. Thought of adding this custom error as an attribute in
> the session object.
> However I noticed that the error page is already displayed before I could add
> this custom error (immediately after the getNext method).

The error page will be handled by the webapp or the ErrorReportingValve
- both of which may get called before your Valve depending on how the
Valve is configured.

> Due to that the ready custom error message cannot be used.
>
> SAMPLE CODES:
> 1. web.xml
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/login.jsp</form-login-page>
>             <form-error-page>/login-redirect-error.jsp?error=true</form-error-page>
>         </form-login-config>
>     </login-config>
>
> 2. Custom valve, defined in META-INF/context.xml
>
>     import java.io.IOException;
>     import javax.servlet.ServletException;
>     import org.apache.catalina.connector.Request;
>     import org.apache.catalina.connector.Response;
>     import org.apache.catalina.valves.ValveBase;
>
>     public class SecurityValve extends ValveBase {
>         public void invoke(Request request, Response response) throws IOException, ServletException {
>             getNext().invoke(request, response);
>             System.out.println("after getNext()"); // break point (BP)
>         }
>     }
>
> 1. Did a break point on SecurityValve (indicated at BP)
> 2. On forms, I purposely enter wrong credential and submit
> 3. Break point stops at BP
> 4. login-redirect-error.jsp displayed already
> 5. Since it stops at break point BP in SecurityValve, the response back to client flow has not
> reached the browser. Yet the login-redirect-error.jsp is already displayed
>
> QUESTIONS:
> How can the login-redirect-error.jsp be displayed on the browser
> when the response flowing back to client stops at break point BP? The flow
> back to the client is not fully done yet.

You are confusing control and data. The data goes back to the client as
soon as the output is flushed (which can happen in the Servlet/JSP).

> I would really appreciate any help. Thanks.

Set a break point in a JSP / Servlet and look at the stack trace to see
which Valves the request/response flow through in which order.

Mark
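As an added illustration of the two cautions in the reply above (a ThreadLocal must be cleared on every path, and the detailed failure reason should stay on the server rather than reach the client), here is an example valve that is not code from this thread, from Tomcat, or from the original poster. The class names AuditValve and AuthFailureContext are hypothetical, and it assumes a JAAS LoginModule calls AuthFailureContext.setReason(...) before throwing its LoginException, on the same request thread that later unwinds through this valve.

```java
// Added example, not code from the thread. AuditValve and AuthFailureContext
// are hypothetical names; the assumption is that a JAAS LoginModule calls
// AuthFailureContext.setReason(...) before throwing LoginException, on the
// request thread that later returns through this valve.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/** Hypothetical per-thread slot a LoginModule fills in when a login fails. */
final class AuthFailureContext {
    private static final ThreadLocal<String> REASON = new ThreadLocal<>();

    private AuthFailureContext() {}

    static void setReason(String reason) {
        REASON.set(reason);
    }

    /** Returns the stored reason (or null) and always empties the slot. */
    static String takeReason() {
        try {
            return REASON.get();
        } finally {
            REASON.remove();
        }
    }
}

/**
 * Outer valve declared in META-INF/context.xml. Valves declared there sit
 * before the Authenticator valve in the context pipeline, which is why the
 * reason set during authentication is visible once getNext() returns.
 */
public class AuditValve extends ValveBase {
    private static final Log log = LogFactory.getLog(AuditValve.class);

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        try {
            // Authenticator -> JAASRealm -> LoginModule -> filters -> servlet/JSP
            getNext().invoke(request, response);
        } finally {
            // Runs on success, failure and exception alike, so the pooled
            // thread never carries a stale reason into the next request.
            String reason = AuthFailureContext.takeReason();
            if (reason != null) {
                // The detailed reason is an audit record, not a client message:
                // the browser only ever receives the generic form-error-page.
                log.warn("Login failed from " + request.getRemoteAddr()
                        + " for " + request.getRequestURI() + ": " + reason);
                if (response.isCommitted()) {
                    // The form authenticator already forwarded to the error page
                    // and flushed it; nothing can be added to this response now.
                    log.debug("response committed before AuditValve regained control");
                }
            }
        }
    }
}
```

The `response.isCommitted()` check is the "control versus data" point from the reply: by the time control returns to the outer valve, the error page bytes have usually already been written and flushed, so a session attribute set here is too late for that response. Clearing the ThreadLocal in `finally` rather than only on the failure path is what prevents a reason from one request leaking into whatever request the pooled thread serves next.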


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
