Form Based Authentication
Hello, We're currently using form-based authentication (i.e. auth-methodFORM/auth-method) but, as I suspect many people have found, it's rather limited. One requirement we have is enforced password changes in certain scenarios. Currently the approach we were thinking of using is as follows: a) the realm recognizes that the user has a mandatory password change flag set, and so gives them a degenerate set of roles; instead of their true role, they just have a MUST_CHANGE_PASSWORD role. b) a filter checks for the existance of this role, and if it's found, forces the user to go to our change password page. c) the password is changed and the user reauthenticated with their new credentials, to retrieve their full set of roles. It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. Our thinking is that we can resolve the inability to reauthenticate by creating a custom Authenticator; we could set some flag in the session to perform on-demand reauthentication, which would repopulate the list of roles, and everything would be hunky dory. Is this approach reasonable? How have other people tackled similar requirements? Is there any less contrived way of achieving what we want with the minimum of Tomcat-specific code? Peter *** The information contained in this electronic message may be confidential and/or privileged. Any unauthorized use, dissemination, distribution, or reproduction is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message. ***
RE: Form Based Authentication
From: Peter Bright [mailto:[EMAIL PROTECTED] Subject: Form Based Authentication It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. What happens if you just invalidate the existing session? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form Based Authentication
-Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: 11 October 2005 17:18 To: Tomcat Users List Subject: RE: Form Based Authentication From: Peter Bright [mailto:[EMAIL PROTECTED] Subject: Form Based Authentication It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. What happens if you just invalidate the existing session? The user gets logged out. *** The information contained in this electronic message may be confidential and/or privileged. Any unauthorized use, dissemination, distribution, or reproduction is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message. *** - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form Based Authentication
From: Peter Bright [mailto:[EMAIL PROTECTED] Subject: RE: Form Based Authentication It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. What happens if you just invalidate the existing session? The user gets logged out. Exactly - and they then must reauthenticate with the updated password. Isn't that what you want? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form Based Authentication
-Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: 11 October 2005 17:23 To: Tomcat Users List Subject: RE: Form Based Authentication From: Peter Bright [mailto:[EMAIL PROTECTED] Subject: RE: Form Based Authentication It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. What happens if you just invalidate the existing session? The user gets logged out. Exactly - and they then must reauthenticate with the updated password. Isn't that what you want? No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the new credentials /automatically/. Without making them have to reauthenticate /by hand/. *** The information contained in this electronic message may be confidential and/or privileged. Any unauthorized use, dissemination, distribution, or reproduction is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message. *** - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form Based Authentication
Although we are working in a Websphere/LDAP environment, we had the same requirement as you, and we managed to solve it. What we did (and I'm going from fairly distant memories, so hopefully I'm at least close to right) is this... user logs on. We have a filter that checks for password expired/reset (both a forced PW change) via flags set in a previous filter (values taken from LDAP) and redirects to the change screen if applicable. This all of course happens only after a successful logon, i.e., user entered valid credentials, including expired password already. We destroy the session before leaving that filter. Password is changed, all without creating a new session along the way. Once it is changed, we redirect back through the logon process as before. We decided that it was *better* to make the user log on again because it proves they remember the password they entered 2 seconds ago :) I suppose if I had to allow that automatic authentication, I would NOT destroy the session and instead just redirect to the first protected resource of the app from the change PW screen. Since the user was let in the first time around, they are really authenticated already. In essence, the filter that catches that forced PW change flag is acting like the container, intercepting all protected requests and redirecting to a change PW screen. If you did it smartly you should be able to grab what resource was requested when the filter fired so as to not have to hardcode where to go to after that forced PW screen is finished. Frank -- Frank W. Zammetti Founder and Chief Software Architect Omnytex Technologies http://www.omnytex.com AIM: fzammetti Yahoo: fzammetti MSN: [EMAIL PROTECTED] On Tue, October 11, 2005 12:24 pm, Peter Bright said: -Original Message- From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] Sent: 11 October 2005 17:23 To: Tomcat Users List Subject: RE: Form Based Authentication From: Peter Bright [mailto:[EMAIL PROTECTED] Subject: RE: Form Based Authentication It's point (c) that's proving problematic; there's no way to reauthenticate that I can see. What happens if you just invalidate the existing session? The user gets logged out. Exactly - and they then must reauthenticate with the updated password. Isn't that what you want? No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the new credentials /automatically/. Without making them have to reauthenticate /by hand/. *** The information contained in this electronic message may be confidential and/or privileged. Any unauthorized use, dissemination, distribution, or reproduction is strictly prohibited. If you have received this communication in error, please contact the sender by reply email and destroy all copies of the original message. *** - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: combining form based authentication with https
Peddireddy Srikanth wrote: Hi all, I have a basic doubt If there are any resoursec which will me on this please point me towards them. I will carry on from there. My question is how to combine the form based authentication, where we use jsecuritycheck , jusername etc with https. As far as I know if we use form based authentication username and password will be authenticated by the container managed resource called 'jsecuritycheck. But the data transfer from client browser to tomcat will be still a plain text. i want to encrypt this and obviously i need to use https. So how to combine both and how tomcat wil help me doping this?? Providing you have an https connector configured, you can use something like this in your security-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint See the spec for more details. Mark - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Reg form based authentication
sree kanth wrote: Hi all, i have been developing on JSP's for the last one year,but still i have never implemented form based authentication. Can any one help me in implenting form based authentication? Thank you all Sreekanth Very basic example: Put login.jsp and error.jsp in the root of your application and add the web.xml snippet to your application's web.xml file. Mark login.jsp html head titleLogin/title /head body form method=POST action='%= response.encodeURL(j_security_check) %' name=loginForm input type=text name=j_username size=16 id=username/ input type=password name=j_password size=16 id=password/ input type=submit value=Submit / input type=reset value=Reset / /form /body /html error.jsp html head titleLogin Error/title /head body pLogin failed./p /body /html web.xml snippet login-config auth-methodFORM/auth-method realm-nameTest/realm-name form-login-config form-login-page/login.jsp/form-login-page form-error-page/error.jsp/form-error-page /form-login-config /login-config - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Reg form based authentication
Hi all, i have been developing on JSP's for the last one year,but still i have never implemented form based authentication. Can any one help me in implenting form based authentication? Thank you all Sreekanth
Re: Reg form based authentication
chk this link this might help you http://www.onjava.com/pub/a/onjava/2002/06/12/form.html u wil find lot of resources on net on this On 9/30/05, sree kanth [EMAIL PROTECTED] wrote: Hi all, i have been developing on JSP's for the last one year,but still i have never implemented form based authentication. Can any one help me in implenting form based authentication? Thank you all Sreekanth - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
combining form based authentication with https
Hi all, I have a basic doubt If there are any resoursec which will me on this please point me towards them. I will carry on from there. My question is how to combine the form based authentication, where we use jsecuritycheck , jusername etc with https. As far as I know if we use form based authentication username and password will be authenticated by the container managed resource called 'jsecuritycheck. But the data transfer from client browser to tomcat will be still a plain text. i want to encrypt this and obviously i need to use https. So how to combine both and how tomcat wil help me doping this?? thanx in advance Regards Srikanth Peddireddy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Mixing Form-based authentication with Public Resources
Hi, Im using Tomcat Form-based Authentication with a JDBC realm, this is working ok for all my pages that are protected trough web.xml with security-constraint web-resource-collection web-resource-nameAll System/web-resource-name url-pattern*.do/url-pattern url-pattern*.jsp/url-pattern /web-resource-collection auth-constraint role-namesys_user/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint however, now I have a set of pages, report*.jps and report*.do for which I would like to NOT require authentication. I.e. Public access. My question is how can I declare a Public Resource in web xml that will not affect the All System security constrain above ? I tried, without luck, inserting before the constrain above a new constrain like so: security-constraint web-resource-collection web-resource-namePublic Resources/web-resource-name url-pattern/includes/*/url-pattern url-patternreport*.do/url-pattern url-patternreport*.jsp/url-pattern /web-resource-collection auth-constraint role-nameAnonymous/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint Anybody knows the solution for this problem? Thanks, Omar -- Omar Marquez Techops Software Engineer NAVTEQ 222 Merchandise Mart Suite 900 Chicago, IL 60654, USA Ph. (312) 894-7689 The information contained in this communication may be CONFIDENTIAL and is intended only for the use of the recipient(s) named above. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication, or any of its contents, is strictly prohibited. If you have received this communication in error, please notify the sender and delete/destroy the original message and any copy of it from your computer or paper files.
Re: Mixing Form-based authentication with Public Resources
No solution. You can filter prefix, or suffix, but not both. -Tim Marquez, Omar wrote: Hi, Im using Tomcat Form-based Authentication with a JDBC realm, this is working ok for all my pages that are protected trough web.xml with security-constraint web-resource-collection web-resource-nameAll System/web-resource-name url-pattern*.do/url-pattern url-pattern*.jsp/url-pattern /web-resource-collection auth-constraint role-namesys_user/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint however, now I have a set of pages, report*.jps and report*.do for which I would like to NOT require authentication. I.e. Public access. My question is how can I declare a Public Resource in web xml that will not affect the All System security constrain above ? I tried, without luck, inserting before the constrain above a new constrain like so: security-constraint web-resource-collection web-resource-namePublic Resources/web-resource-name url-pattern/includes/*/url-pattern url-patternreport*.do/url-pattern url-patternreport*.jsp/url-pattern /web-resource-collection auth-constraint role-nameAnonymous/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint Anybody knows the solution for this problem? Thanks, Omar - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
login form based authentication
My web application uses tomcat 5.5.10. By using basic authentication, the application works fine. By using the form based authentication, if I submit a invalidate username/password, appication seems worked, a error.jsp was showed up. But if I submit a valid username/password, I got a HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser. Is there anyone having this kind problem and to be solved? Please help me out. Thanks, Julia - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
URLConnection and form based authentication (j_username)
I cannot get this to work. It works for all other sites besides ones that have j_username j_password. It always comes back to the login page. I see other messageboards via google that have the same problem, but there is no answer. form method=POST action='/cpvs/login' input type=hidden name=auth value=securid / table border=0 cellspacing=5 tr th align=rightUsername:/th td align=leftinput type=text name=j_username/td /tr tr th align=rightPassword:/th td align=leftinput type=password name=j_password /td /tr tr td align=rightinput type=submit value=Log In name=login /td td align=leftinput type=reset/td /tr /table /form /div /center Anthony Smith Programmer Analyst International Technologies 901-263-8953 Having education and talent doesn't make you better than the world... it makes you responsible for it!
RE: Form Based Authentication
Never Mind - It was permissions on the tomcat-users.xml file. Duh! -Original Message- From: David B. Saul [mailto:[EMAIL PROTECTED] Sent: Thursday, May 12, 2005 7:37 PM To: 'Tomcat Users List' Subject: Form Based Authentication Having a problem being challenged on Linux. Form based using the tomcat-users.xml file works under windows. However, when same code is deployed to Linux the page is never challenged. I checked server.xml on both platforms as well as the specific webapp. Even built a Hello World example to eliminate other stuff. Any suggestions/ideas? thanks Dave - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form Based Authentication
Having a problem being challenged on Linux. Form based using the tomcat-users.xml file works under windows. However, when same code is deployed to Linux the page is never challenged. I checked server.xml on both platforms as well as the specific webapp. Even built a Hello World example to eliminate other stuff. Any suggestions/ideas? thanks Dave - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE : Form Based Authentication
If the authentication is realized by the container (the realm), you can't access the request before the authentication takes over. If you really want to do it, don't define the security constraint in your web.xml, and make your own application security mechanism (use filter, and forward or redirect on login page). -Message d'origine- De : Wade Chandler [mailto:[EMAIL PROTECTED] Envoyé : mercredi 11 mai 2005 07:10 À : Tomcat Users List Objet : Re: Form Based Authentication Wade Chandler wrote: I have form based authentication working. But, I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible? For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form based authentication then I can have the userid as a hidden variable, and then have a password entered by the user, but for some admin screens I need the user to actually enter the userid and password both I hope that makes sense. I can't figure out how to setup a security constraint which can force a particular login form to be used if the user is not logged in yet. Thanks, Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Ok, So I think I should be able to do this with a filter, but I need some help. Basically it looks like I should be able to use a filter to some how get the original target before the authentication form is displayedis this correct? Basically I need to some how know when a particular URL pattern is being displayed or is attempted to be accessed...before the login form is displayed. When it is displayed I'll set an attribute in the request in the filters doFilter method. However, now I need to know how I can access the Request before the authentication mechanism takes over I suppose because from my login form accessing the getPathInfo() method is returning the login form information when I really need to know the actual path the user was attempting to access. So, can I use a filter to do this, and if so how do I make sure my filter is called in time to give me the information I need? Thanks, Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form Based Authentication
I have form based authentication working. But, I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible? For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form based authentication then I can have the userid as a hidden variable, and then have a password entered by the user, but for some admin screens I need the user to actually enter the userid and password both I hope that makes sense. I can't figure out how to setup a security constraint which can force a particular login form to be used if the user is not logged in yet. Thanks, Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Form Based Authentication
Wade Chandler wrote: I have form based authentication working. But, I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible? For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form based authentication then I can have the userid as a hidden variable, and then have a password entered by the user, but for some admin screens I need the user to actually enter the userid and password both I hope that makes sense. I can't figure out how to setup a security constraint which can force a particular login form to be used if the user is not logged in yet. Thanks, Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Ok, So I think I should be able to do this with a filter, but I need some help. Basically it looks like I should be able to use a filter to some how get the original target before the authentication form is displayedis this correct? Basically I need to some how know when a particular URL pattern is being displayed or is attempted to be accessed...before the login form is displayed. When it is displayed I'll set an attribute in the request in the filters doFilter method. However, now I need to know how I can access the Request before the authentication mechanism takes over I suppose because from my login form accessing the getPathInfo() method is returning the login form information when I really need to know the actual path the user was attempting to access. So, can I use a filter to do this, and if so how do I make sure my filter is called in time to give me the information I need? Thanks, Wade - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
basic or form based authentication not working
Hi i am using tomcat5.0.28 and trying to setup basic or form based authentication, and it is just not working, following is the information in web.xml security-constraint web-resource-collection web-resource-namesecure download maps software /web-resource-name url-pattern/pages/download/*/url-pattern url-pattern/download/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameForm-Based Authentication Area/realm-name form-login-config form-login-page/login.jsp/form-login-page form-error-page/error.jsp/form-error-page /form-login-config /login-config security-role description Only download role allowed to download /description role-nameadmin/role-name /security-role What may be the error Ashish __ Do you Yahoo!? Take Yahoo! Mail with you! Get it on your mobile phone. http://mobile.yahoo.com/maildemo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: basic or form based authentication not working
can you show haow you set up the context for this webapp? On Thu, 20 Jan 2005 11:49:02 -0800 (PST), Ashish Kulkarni [EMAIL PROTECTED] wrote: Hi i am using tomcat5.0.28 and trying to setup basic or form based authentication, and it is just not working, following is the information in web.xml security-constraint web-resource-collection web-resource-namesecure download maps software /web-resource-name url-pattern/pages/download/*/url-pattern url-pattern/download/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameForm-Based Authentication Area/realm-name form-login-config form-login-page/login.jsp/form-login-page form-error-page/error.jsp/form-error-page /form-login-config /login-config security-role description Only download role allowed to download /description role-nameadmin/role-name /security-role What may be the error Ashish __ Do you Yahoo!? Take Yahoo! Mail with you! Get it on your mobile phone. http://mobile.yahoo.com/maildemo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Adobati Omar [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: basic or form based authentication not working
Hi I was able to get it working, in context i had not set privileged=true, i added this line and it works fine now Ashish --- Omar Adobati [EMAIL PROTECTED] wrote: can you show haow you set up the context for this webapp? On Thu, 20 Jan 2005 11:49:02 -0800 (PST), Ashish Kulkarni [EMAIL PROTECTED] wrote: Hi i am using tomcat5.0.28 and trying to setup basic or form based authentication, and it is just not working, following is the information in web.xml security-constraint web-resource-collection web-resource-namesecure download maps software /web-resource-name url-pattern/pages/download/*/url-pattern url-pattern/download/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameadmin/role-name /auth-constraint user-data-constraint transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameForm-Based Authentication Area/realm-name form-login-config form-login-page/login.jsp/form-login-page form-error-page/error.jsp/form-error-page /form-login-config /login-config security-role description Only download role allowed to download /description role-nameadmin/role-name /security-role What may be the error Ashish __ Do you Yahoo!? Take Yahoo! Mail with you! Get it on your mobile phone. http://mobile.yahoo.com/maildemo - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Adobati Omar [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
form-based authentication with dynamically computed credentials
I wish to use form-based authentication that accepts users with the following credentials: username = any string (ex.: test) password = length of username (ex: 4) This is a silly security system, I admit. However, a solution to this problem will help me to solve my *real* problem. Obviously, a database of any sort is inappropriate, since there are infinitely many valid credentials, and unnecessary, since the password can be computed from the username. After reading through the archives, I have the impression that I must implement a custom realm. Where can I go to learn how this is done? Hints greatly appreciated.
FORM based authentication config
Hi I'm having trouble getting form based authentication to work. Any help much appreciated. I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4) I am using a JDBC Realm which works fine with BASIC auth. After changing to FORM and try http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get: The requested resource (/MyApp/security/protected/login.jsp) is not available. To set this up I copied the files from the JSP examples - login.jsp, error.jsp in folders \security\protected to \MyApp\security\protected\ I copied web.xml parts: servlet servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.error_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.index_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.login_jsp/servlet-class /servlet and mappings servlet-mapping servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name url-pattern/security/protected/error.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name url-pattern/security/protected/index.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name url-pattern/security/protected/login.jsp/url-pattern /servlet-mapping with security-constraint web-resource-collection web-resource-nameCalendar/web-resource-name url-pattern/Calendar/url-pattern !-- ...more... -- /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name role-namesysadmin/role-name /auth-constraint /security-constraint and configured login-config auth-methodFORM/auth-method realm-nameMyApp/realm-name form-login-page/security/protected/login.jsp/form-login-page form-error-page/security/protected/error.jsp/form-error-page /login-config Chris
RE: FORM based authentication config
Hi, see this this might help you http://www.webservertalk.com/message633890.html cheers Manish -Original Message- From: Chris Chappell [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 7:45 PM To: Tomcat Users List Subject: FORM based authentication config Hi I'm having trouble getting form based authentication to work. Any help much appreciated. I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4) I am using a JDBC Realm which works fine with BASIC auth. After changing to FORM and try http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get: The requested resource (/MyApp/security/protected/login.jsp) is not available. To set this up I copied the files from the JSP examples - login.jsp, error.jsp in folders \security\protected to \MyApp\security\protected\ I copied web.xml parts: servlet servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.error_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.index_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.login_jsp/servlet-class /servlet and mappings servlet-mapping servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name url-pattern/security/protected/error.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name url-pattern/security/protected/index.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name url-pattern/security/protected/login.jsp/url-pattern /servlet-mapping with security-constraint web-resource-collection web-resource-nameCalendar/web-resource-name url-pattern/Calendar/url-pattern !-- ...more... -- /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name role-namesysadmin/role-name /auth-constraint /security-constraint and configured login-config auth-methodFORM/auth-method realm-nameMyApp/realm-name form-login-page/security/protected/login.jsp/form-login-page form-error-page/security/protected/error.jsp/form-error-page /login-config Chris *** Information contained in this email message is intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the [EMAIL PROTECTED] and destroy the original message. ** - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: FORM based authentication config
Thanks for that - but what it describes is what I have done, I think. The problem is: If you have the servlet definitions and mappings, the page isn't found - Since they are JSPs above web-inf in the context folder I think they don't need them. If you don't have the mappings then you get: HTTP Status 400 - Invalid direct reference to form login page - with a correct pw/un org.apache.catalina.authenticator.FormAuthenticator authenticate WARNING: Unexpected error forwarding to error page java.lang.NullPointerException with incorrect un/pw i.e. FormAuthenticator cannot forward to say the error page Chris - Original Message - From: Goel, Manish Kumar [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 2:26 PM Subject: RE: FORM based authentication config Hi, see this this might help you http://www.webservertalk.com/message633890.html cheers Manish -Original Message- From: Chris Chappell [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 21, 2004 7:45 PM To: Tomcat Users List Subject: FORM based authentication config Hi I'm having trouble getting form based authentication to work. Any help much appreciated. I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4) I am using a JDBC Realm which works fine with BASIC auth. After changing to FORM and try http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get: The requested resource (/MyApp/security/protected/login.jsp) is not available. To set this up I copied the files from the JSP examples - login.jsp, error.jsp in folders \security\protected to \MyApp\security\protected\ I copied web.xml parts: servlet servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.error_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet- name servlet-classorg.apache.jsp.security.protected_.index_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.login_jsp/servlet-class /servlet and mappings servlet-mapping servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name url-pattern/security/protected/error.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name url-pattern/security/protected/index.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name url-pattern/security/protected/login.jsp/url-pattern /servlet-mapping with security-constraint web-resource-collection web-resource-nameCalendar/web-resource-name url-pattern/Calendar/url-pattern !-- ...more... -- /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name role-namesysadmin/role-name /auth-constraint /security-constraint and configured login-config auth-methodFORM/auth-method realm-nameMyApp/realm-name form-login-page/security/protected/login.jsp/form-login-page form-error-page/security/protected/error.jsp/form-error-page /login-config Chris *** Information contained in this email message is intended only for use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify the [EMAIL PROTECTED] and destroy the original message. ** - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: FORM based authentication config
On Tue, 2004-12-21 at 16:15, Chris Chappell wrote: Hi I'm having trouble getting form based authentication to work. Any help much appreciated. I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4) I am using a JDBC Realm which works fine with BASIC auth. After changing to FORM and try http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get: The requested resource (/MyApp/security/protected/login.jsp) is not available. To set this up I copied the files from the JSP examples - login.jsp, error.jsp in folders \security\protected to \MyApp\security\protected\ I copied web.xml parts: servlet servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.error_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.index_jsp/servlet-class /servlet servlet servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name servlet-classorg.apache.jsp.security.protected_.login_jsp/servlet-class /servlet and mappings servlet-mapping servlet-nameorg.apache.jsp.security.protected_.error_jsp/servlet-name url-pattern/security/protected/error.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.index_jsp/servlet-name url-pattern/security/protected/index.jsp/url-pattern /servlet-mapping servlet-mapping servlet-nameorg.apache.jsp.security.protected_.login_jsp/servlet-name url-pattern/security/protected/login.jsp/url-pattern /servlet-mapping with security-constraint web-resource-collection web-resource-nameCalendar/web-resource-name url-pattern/Calendar/url-pattern !-- ...more... -- /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name role-namesysadmin/role-name /auth-constraint /security-constraint and configured login-config auth-methodFORM/auth-method realm-nameMyApp/realm-name form-login-page/security/protected/login.jsp/form-login-page form-error-page/security/protected/error.jsp/form-error-page /login-config Chris Try to use static resources for the form-login-page and form-error-page. It works for me. And skip servlet mapping Viorel - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form Based Authentication with Cookies?
I have been looking for a way withing tomcat using a JDBCRealm to do form bases authentication and allow users to set some sort of Remember Me cookie, so they do not need to log into my application more than once a month or so. It looks like to me that FormAuthenticator is sort of hardcoded into tomcat without a way to allow for a context to allow for a CustomFormAuthenticator that would allow for this. Am I missing something, or is there no easy way to do this? Thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form Based Authentication with Cookies?
Chris, For what it's worth, I spent ages trying to get a remember-me login thing going out of the box but never managed it. In the end I implemented my own user/role setup and use a Filter to ensure the user is logged in when accessing servlets/ JSPs with specifice URL paths. The login page sets cookies to do the remembering. If you get your's going (I'm now on Tomcat 5.0.28, maybe there's something new) I'd be interested in the details. Good luck. Best regards Chris -- Chris Ward, Horizon Asset Limited mailto:[EMAIL PROTECTED] Tel +44 (20) 7367 7028, Fax 7367 7029 -- THIS E-MAIL MAY CONTAIN CONFIDENTIAL AND/OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE INTENDED RECIPIENT (OR HAVE RECEIVED THIS E-MAIL IN ERROR) PLEASE NOTIFY THE SENDER IMMEDIATELY AND DESTROY THIS E- MAIL. ANY UNAUTHORISED COPYING, DISCLOSURE OR DISTRIBUTION OF THE MATERIAL IN THIS E-MAIL IS STRICTLY FORBIDDEN. HORIZON ASSET LIMITED IS AUTHORISED AND REGULATED BY THE FINANCIAL SERVICES AUTHORITY. -Original Message- From: Chris Forbis [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 12, 2004 7:45 PM To: [EMAIL PROTECTED] Subject: Form Based Authentication with Cookies? I have been looking for a way withing tomcat using a JDBCRealm to do form bases authentication and allow users to set some sort of Remember Me cookie, so they do not need to log into my application more than once a month or so. It looks like to me that FormAuthenticator is sort of hardcoded into tomcat without a way to allow for a context to allow for a CustomFormAuthenticator that would allow for this. Am I missing something, or is there no easy way to do this? Thanks! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat Compiling Error - Form Based Authentication
I have to give u a bad news. What i said yesterday night was wrong. I have the same error also putting tools.jar (the JDK 1.5 ones)... so I'm in trouble again! Omar - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Omar Adobati' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:53 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication Hi Omar, You should install the entire new JDK. Having 1 jar file from 1 version of the JDK and all the other JAR files from another version could cause a lot of problems. I'd be surprised if it doesn't. Also, to avoid this problem and similar ones from happening you should install the same version of Tomcat on the Linux box also. Developing on 1 box and trying to deploy on another box running different versions of Tomcat the JDK is NOT advisable. Let me know what you do. I'm interested. John -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 12:39 PM To: John Najarian Subject: Re: Tomcat Compiling Error - Form Based Authentication Exactly...just replace the old tools.jar with the new one! I'm so happy It was drive me crazy! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Omar Adobati' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:31 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication YEEE HA! Good for you glad I could help. So you didn't have to install the new jdk but used the tools.jar from the new jdk? I'd install the entire 1.5 JDK. Compiling and running other things may cause similar problems to what you just had occur. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 12:22 PM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication WOW, it works! I have tried to upload the JDK 1.5.0 tools.jar into $Tomcat-home$\commons\lib and all works! Thankyou very much for help and yur time! regards Omar (Italian happy guy!) - Original Message - From: Omar Adobati [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:11 PM Subject: Re: Tomcat Compiling Error - Form Based Authentication I hope you've right. Tomorrow i'll do it and write here if it works... thx a lot - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication Omar, this may be the problem my hunch is that it is. You've built run code against never version of tomcat, jdk, jre... It could be there is 1 or more things that work/compile... with these newer versions that aren't backward compatible. It maybe the tools.jar files aren't compatible. If you can get jdk 1.5 and tomcat 5.28 for Linux download, install them and rebuild your app. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:50 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication On the windows box I'm using: - Tomcat 5.0.28 - JDK jre: 1.5.0 beta every help is wellcome! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:45 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday
RE: Tomcat Compiling Error - Form Based Authentication
I'd suggest rebuilding your appliation against java 5, and also running your tomcat with the java 5 JDK as well. Make sure that everything is happy at that level. Ta Matt -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 04 October 2004 13:44 To: John Najarian; Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I have to give u a bad news. What i said yesterday night was wrong. I have the same error also putting tools.jar (the JDK 1.5 ones)... so I'm in trouble again! Omar - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Omar Adobati' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:53 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication Hi Omar, You should install the entire new JDK. Having 1 jar file from 1 version of the JDK and all the other JAR files from another version could cause a lot of problems. I'd be surprised if it doesn't. Also, to avoid this problem and similar ones from happening you should install the same version of Tomcat on the Linux box also. Developing on 1 box and trying to deploy on another box running different versions of Tomcat the JDK is NOT advisable. Let me know what you do. I'm interested. John -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 12:39 PM To: John Najarian Subject: Re: Tomcat Compiling Error - Form Based Authentication Exactly...just replace the old tools.jar with the new one! I'm so happy It was drive me crazy! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Omar Adobati' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:31 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication YEEE HA! Good for you glad I could help. So you didn't have to install the new jdk but used the tools.jar from the new jdk? I'd install the entire 1.5 JDK. Compiling and running other things may cause similar problems to what you just had occur. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 12:22 PM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication WOW, it works! I have tried to upload the JDK 1.5.0 tools.jar into $Tomcat-home$\commons\lib and all works! Thankyou very much for help and yur time! regards Omar (Italian happy guy!) - Original Message - From: Omar Adobati [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:11 PM Subject: Re: Tomcat Compiling Error - Form Based Authentication I hope you've right. Tomorrow i'll do it and write here if it works... thx a lot - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication Omar, this may be the problem my hunch is that it is. You've built run code against never version of tomcat, jdk, jre... It could be there is 1 or more things that work/compile... with these newer versions that aren't backward compatible. It maybe the tools.jar files aren't compatible. If you can get jdk 1.5 and tomcat 5.28 for Linux download, install them and rebuild your app. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:50 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication On the windows box I'm using: - Tomcat 5.0.28 - JDK jre: 1.5.0 beta every help is wellcome! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:45 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission
Tomcat Compiling Error - Form Based Authentication
Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:296) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683) at java.lang.Thread.run(Thread.java:534) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Tomcat Compiling Error - Form Based Authentication
I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:296) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683) at java.lang.Thread.run(Thread.java:534) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] Any opinions expressed in this E-mail may be those of the individual and not necessarily the company. This E-mail and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this E-mail in error and that any use or copying is strictly prohibited. If you have received this E-mail in error please notify the beCogent postmaster at [EMAIL PROTECTED] Unless expressly stated, opinions in this email are those of the individual sender and not beCogent Ltd. You must take full responsibility for virus checking this email and any attachments. Please note that the content of this email or any of its attachments may contain data that falls within the scope of the Data Protection Acts
Re: Tomcat Compiling Error - Form Based Authentication
I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:296) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683) at java.lang.Thread.run(Thread.java:534) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e
RE: Tomcat Compiling Error - Form Based Authentication
This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis patcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch er.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher .java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthent icator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :156) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne ction(Http11Protocol.java:700) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.jav a:683) at java.lang.Thread.run(Thread.java:534) - To unsubscribe, e
Re: Tomcat Compiling Error - Form Based Authentication
Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis patcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch er.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher .java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthent icator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :156) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972) at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConne ction(Http11Protocol.java:700) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584
RE: Tomcat Compiling Error - Form Based Authentication
You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis patcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch er.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher .java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthent icator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :156) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151
Re: Tomcat Compiling Error - Form Based Authentication
On the windows box I'm using: - Tomcat 5.0.28 - JDK jre: 1.5.0 beta every help is wellcome! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:45 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis patcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch er.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher .java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthent icator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164 ) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.core.StandardPipeline.invoke
RE: Tomcat Compiling Error - Form Based Authentication
Omar, this may be the problem my hunch is that it is. You've built run code against never version of tomcat, jdk, jre... It could be there is 1 or more things that work/compile... with these newer versions that aren't backward compatible. It maybe the tools.jar files aren't compatible. If you can get jdk 1.5 and tomcat 5.28 for Linux download, install them and rebuild your app. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:50 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication On the windows box I'm using: - Tomcat 5.0.28 - JDK jre: 1.5.0 beta every help is wellcome! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:45 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis patcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch er.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher .java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthent icator.java:259) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase .java:551) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContex t.java:149) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:578
Re: Tomcat Compiling Error - Form Based Authentication
I hope you've right. Tomorrow i'll do it and write here if it works... thx a lot - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication Omar, this may be the problem my hunch is that it is. You've built run code against never version of tomcat, jdk, jre... It could be there is 1 or more things that work/compile... with these newer versions that aren't backward compatible. It maybe the tools.jar files aren't compatible. If you can get jdk 1.5 and tomcat 5.28 for Linux download, install them and rebuild your app. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:50 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication On the windows box I'm using: - Tomcat 5.0.28 - JDK jre: 1.5.0 beta every help is wellcome! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:45 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDis patcher.java:506) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatch er.java:443) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher .java:359) at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthent icator.java:259
Re: Tomcat Compiling Error - Form Based Authentication
WOW, it works! I have tried to upload the JDK 1.5.0 tools.jar into $Tomcat-home$\commons\lib and all works! Thankyou very much for help and yur time! regards Omar (Italian happy guy!) - Original Message - From: Omar Adobati [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:11 PM Subject: Re: Tomcat Compiling Error - Form Based Authentication I hope you've right. Tomorrow i'll do it and write here if it works... thx a lot - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 9:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication Omar, this may be the problem my hunch is that it is. You've built run code against never version of tomcat, jdk, jre... It could be there is 1 or more things that work/compile... with these newer versions that aren't backward compatible. It maybe the tools.jar files aren't compatible. If you can get jdk 1.5 and tomcat 5.28 for Linux download, install them and rebuild your app. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:50 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication On the windows box I'm using: - Tomcat 5.0.28 - JDK jre: 1.5.0 beta every help is wellcome! - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:45 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication You're still using the app on a Windows XP machine right? What version of Tomcat, jdk jre are on that box? You may want to upgrade the jre/plugin to 1.4.2_05. I'm not sure if this will fix your problem but it won't hurt or take much time. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 11:25 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication Tomcat: 5.0.18 JDK jre: 1.4.2 O.S.: Linux ther's anything wrong? - Original Message - From: John Najarian [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 8:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication This may be an 'out there' question for your problem but which versions Of Tomcat, jdk jre are you using? I could be that you've got a mismatch. -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: Sunday, October 03, 2004 10:24 AM To: Tomcat Users List Subject: Re: Tomcat Compiling Error - Form Based Authentication I don't think it was a permission problem on the webapps application 'couse all other still work good and have the same permissions settings as this one that gives troubles. This is the permission on tools.jar, I think it's all ok... -rwxr--r--1 root root 5092901 ott 3 16:47 tools.jar Tomcat version I'm using is the 5.0.18 Hope this help you to help me in solving this trouble! - Original Message - From: Dale, Matt [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Sunday, October 03, 2004 7:07 PM Subject: RE: Tomcat Compiling Error - Form Based Authentication I've run out of ideas but could this be a permissions problem? Either on the tools.jar or on the work directory for the webapp? Which version of tomcat are you running? -Original Message- From: Omar Adobati [mailto:[EMAIL PROTECTED] Sent: 03 October 2004 16:35 To: Tomcat Users List Subject: Tomcat Compiling Error - Form Based Authentication Sorry Matt, the log was changeing. Now it show just this instead off the error that cant compile... why? I'm still usinf form-based authentication and the webapp in a localmachine with WinXP + Tomcat worls good but gives this problem on a server with Linux RH plus Tomcat. (Tomcat is the same on thae Linux machine and on the Win one) === 3-ott-2004 17.30.19 org.apache.catalina.authenticator.FormAuthenticator authenticate AVVERTENZA: Unexpected error forwarding to login page org.apache.jasper.JasperException: Unable to load class for JSP at org.apache.jasper.JspCompilationContext.load(JspCompilationContext.java:584) at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.jav a:177) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 96) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:284) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:204) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher. java:742
basic FORM-based authentication failing
Hello all I have been trying to set up FORM based authentication, but it only works half-way. When I try to get to the protected resource, it sends me to the login page: good. If I authenticate incorrectly, then it sends me to the login error page: good. If I authenticate _correctly_, it also sends me to the login error page: bad. I have been reading at jakarta.apache.org, and in JSP Servlets cookbook, and I don't know what I am doing wrong. Please find the config files below. My form uses the j_user_name, j_password and so forth. I have reloaded the app and restarted tomcat. Thank you for any help/pointers... fb. --tomcat-users.xml (truncated...) user username=joedoe password=1joe2 roles=clients/ --end tomcat-users.xml --web.xml ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app !-- Beginning of web.xml deployment descriptor -- security-constraint web-resource-collection web-resource-nameClient login/web-resource-name url-pattern/clients/index.jsp/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameclients/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/loginError.jsp/form-error-page /form-login-config /login-config security-role role-nameclients/role-name /security-role /web-app --end web.xml - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [SOLVED] basic FORM-based authentication failing
Awful typo... works much better when j_user_name is spelled j_username Issue resolved. Thanks. fb. Quoting Fred Blaise [EMAIL PROTECTED]: Hello all I have been trying to set up FORM based authentication, but it only works half-way. When I try to get to the protected resource, it sends me to the login page: good. If I authenticate incorrectly, then it sends me to the login error page: good. If I authenticate _correctly_, it also sends me to the login error page: bad. I have been reading at jakarta.apache.org, and in JSP Servlets cookbook, and I don't know what I am doing wrong. Please find the config files below. My form uses the j_user_name, j_password and so forth. I have reloaded the app and restarted tomcat. Thank you for any help/pointers... fb. --tomcat-users.xml (truncated...) user username=joedoe password=1joe2 roles=clients/ --end tomcat-users.xml --web.xml ?xml version=1.0 encoding=ISO-8859-1? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app !-- Beginning of web.xml deployment descriptor -- security-constraint web-resource-collection web-resource-nameClient login/web-resource-name url-pattern/clients/index.jsp/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameclients/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.jsp/form-login-page form-error-page/loginError.jsp/form-error-page /form-login-config /login-config security-role role-nameclients/role-name /security-role /web-app --end web.xml - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Bug in Form Based Authentication? (v5.0.25)
I through I'd try re-explaining an issue I didn't get an answer on before. Hopefully this is clearer! I've deployed two apps to a single instance of Tomcat v5.0.25. Both apps are deployed as the default app for their respective domains (i.e. Context path= ...) The app deployed to www.mydomain.com does not use authentication. The second app deployed to a subdomain of www.mydomain.com (i.e. dev.mydomain.com) is deployed with FORM based authentication. Tomcat correctly presents the login page when an attempt to access a protected URI is made with the second app. Unfortunately after submitting the login form, Tomcat returns a 404 response and a blank page. I believe the backing realm and protected resource URIs are correct because redeploying the second web app with BASIC authentication results in the expected behaviour...dialog box pops up requiring login when the same protected URI is accessed and upon successful login, the desired page is rendered. I do not see any error messages in any of the log files or the console when the app is deployed with FORM based authentication. The same web app deployed to a localhost host with an explicit context path (i.e. Context path=/SecuredWebapp ...) works correctly with FORM based authentication. If anyone can atleast let me know how to troubleshoot (if not solve) this it would be greatly appreciated (I've now spent 1 week on this). Thanks in advance, Jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form based authentication - last login
Hi All, I'm supposed to record the last login timestamp. IMHO the best sollution would be to intercept the authentication process (I'm working with Tomcat 4.x), to smuggle some custom code there that updates the appropriate column in the database. The question is.. how can I do this?? Or maybe someone has a better idea how to do this?? Thanx in advance for your suggestions Chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Form based authentication - last login
On Fri, Sep 03, 2004 at 10:08:59AM +0200, [EMAIL PROTECTED] wrote: : IMHO the best sollution would be to intercept the authentication process (I'm working with Tomcat 4.x), to smuggle some custom code there that updates the appropriate column in the database. The question is.. how can I do this?? Or maybe someone has a better idea how to do this?? There are several ways to do this, I'm sure. My preferred method: map a Filter to the protected area(s) that checks for the presence of some session object. If the object isn't there, the person has just logged in, so you record the timestamp and store the object. Otherwise, the person's already logged in and the filter can pass the request/response down the chain. The marker object needn't be anything special: a simple Boolean will do, if you don't store any other objects for users who are logged in. -QM -- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How does Tomcat manage Form-based authentication?
Thank you for your answer. Sorry about the new thread for new topic business - I hadn't understood the thread mechanism. I presume for this topic I'd better continue as we are and I'll get it right next time. I was wondering exactly how the servlet container knows whether the user has already authenticated or not. With BASIC authorization an Authorization header is sent and based on that the programmes know whether to re-present the sign in or not. I'm using an old nuts and bolts programme that actually programmatically sent the Authorization header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how. On Thu, 1 Apr 2004 09:10:18 -0600, QM [EMAIL PROTECTED] wrote: On Thu, Apr 01, 2004 at 04:38:49PM +0200, Malcolm Warren wrote: : With BASIC authorization, which I used to use, the browser was sent an : Authorization header. : : This doesn't happen with FORM-based authorization. : I believe Tomcat deals with it all, but how? Anybody know? Not sure I understand your question -- with FORM-based auth: - the container detects an attempt to access a protected resource - container sends requestor to designated form page, which posts to the blackbox j_security_check - success = user is taken to originally-requested page - failure = user is taken designated no-go page Is that the answer to your question? btw, please start new threads for new topics -- replying to an old message plays hell with thread-aware mail readers, even if you change the subject. ;) -QM - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does Tomcat manage Form-based authentication?
That information is stored in the session. So your programm has to include the session id that was created by tomcat in the requests (either as cookie or as query parameter) -Original Message- From: Malcolm Warren [mailto:[EMAIL PROTECTED] Sent: Friday, April 02, 2004 10:12 AM To: Tomcat Users List Subject: Re: How does Tomcat manage Form-based authentication? I'm using an old nuts and bolts programme that actually programmatically sent the Authorization header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how.
Re: How does Tomcat manage Form-based authentication?
I've tried including the session id, but it creates a new one. It's calling a url in another application in the same engine. Can't session info be shared across applications? I've allowed single sign-on in server.xml. I don't want to merge them into one application, because I may put one of them in another virtual machine. On Fri, 2 Apr 2004 10:31:59 +0200, Ralph Einfeldt [EMAIL PROTECTED] wrote: That information is stored in the session. So your programm has to include the session id that was created by tomcat in the requests (either as cookie or as query parameter) -Original Message- From: Malcolm Warren [mailto:[EMAIL PROTECTED] Sent: Friday, April 02, 2004 10:12 AM To: Tomcat Users List Subject: Re: How does Tomcat manage Form-based authentication? I'm using an old nuts and bolts programme that actually programmatically sent the Authorization header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How does Tomcat manage Form-based authentication?
Malcolm Warren wrote: I've tried including the session id, but it creates a new one. It's calling a url in another application in the same engine. Can't session info be shared across applications? No. Session information cannot be shared between contexts (webapps). I've allowed single sign-on in server.xml. I think single sign-on allows you to share container-based authentication between webapps. In other words, if you've authenticated successfully against one webapp, and you've got single sign-on enabled, you're authenticated against other webapps within the same container. I don't want to merge them into one application, because I may put one of them in another virtual machine. Maybe you can persist session info that needs to be shared to a backend database. AFAIK, sessions can't cross contexts per the servlet spec. On Fri, 2 Apr 2004 10:31:59 +0200, Ralph Einfeldt [EMAIL PROTECTED] wrote: That information is stored in the session. So your programm has to include the session id that was created by tomcat in the requests (either as cookie or as query parameter) -Original Message- From: Malcolm Warren [mailto:[EMAIL PROTECTED] Sent: Friday, April 02, 2004 10:12 AM To: Tomcat Users List Subject: Re: How does Tomcat manage Form-based authentication? I'm using an old nuts and bolts programme that actually programmatically sent the Authorization header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Chris Egolf http://www.ugholf.net [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How does Tomcat manage Form-based authentication?
With BASIC authorization, which I used to use, the browser was sent an Authorization header. This doesn't happen with FORM-based authorization. I believe Tomcat deals with it all, but how? Anybody know? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How does Tomcat manage Form-based authentication?
On Thu, Apr 01, 2004 at 04:38:49PM +0200, Malcolm Warren wrote: : With BASIC authorization, which I used to use, the browser was sent an : Authorization header. : : This doesn't happen with FORM-based authorization. : I believe Tomcat deals with it all, but how? Anybody know? Not sure I understand your question -- with FORM-based auth: - the container detects an attempt to access a protected resource - container sends requestor to designated form page, which posts to the blackbox j_security_check - success = user is taken to originally-requested page - failure = user is taken designated no-go page Is that the answer to your question? btw, please start new threads for new topics -- replying to an old message plays hell with thread-aware mail readers, even if you change the subject. ;) -QM -- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does Tomcat manage Form-based authentication?
It sends you the html form you specify in the form-login-config section of web.xml See chapter 12 (Security) Appendix A (Deployment Descriptor) of Servlet Spec 2.3 for details. http://java.sun.com/products/servlet/download.html#specs Martin -Original Message- From: Malcolm Warren [mailto:[EMAIL PROTECTED] Sent: 01 April 2004 15:39 To: Tomcat Users List Subject: How does Tomcat manage Form-based authentication? With BASIC authorization, which I used to use, the browser was sent an Authorization header. This doesn't happen with FORM-based authorization. I believe Tomcat deals with it all, but how? Anybody know? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: post data through form based authentication example?
Hmm. You're right. I just tested it on my JBoss (running 3.2.4RC1 with tomcat 5.0.19) and I got the same effect. Rats! This is not good. Trying to get info out of JBoss is like trying to get blood out of a stones. I assume there's a bug report? I haven't looked at JBoss's bugzilla yet. On 03/29/2004 01:10 AM Martin Alley wrote: After further testing, I believe this is a bug specific to the JBoss environment (both 3.2.3 and 3.2.4RC1) Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 28 March 2004 15:24 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (ie login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area - thus still requiring post data to transition the form based logon. ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description !--url-pattern/form.html/url-pattern-- url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config security-rolerole-namecustomer/role-name/security-role security-rolerole-namemerchant/role-name/security-role security-rolerole-nameadmin/role-name/security-role /web-app I can't see the point of protecting the POST method if the data fails to transition. Has anyone got a working example of this? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:47 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? I forgot to mention it's behaviour!! Basically when the is no security constraint, it works. When there is a security constraint, the post data gets killed. Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:43 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description url-pattern/form.html/url-pattern url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport
RE: post data through form based authentication example?
No formal bug report yet. The current state of play is at http://www.jboss.org/index.html?module=bbop=viewtopict=47595 If you would like to add your weight to this observation... Thanks Martin -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 29 March 2004 09:17 To: Tomcat Users List Subject: Re: post data through form based authentication example? Hmm. You're right. I just tested it on my JBoss (running 3.2.4RC1 with tomcat 5.0.19) and I got the same effect. Rats! This is not good. Trying to get info out of JBoss is like trying to get blood out of a stones. I assume there's a bug report? I haven't looked at JBoss's bugzilla yet. On 03/29/2004 01:10 AM Martin Alley wrote: After further testing, I believe this is a bug specific to the JBoss environment (both 3.2.3 and 3.2.4RC1) Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 28 March 2004 15:24 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (ie login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area - thus still requiring post data to transition the form based logon. ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description !--url-pattern/form.html/url-pattern-- url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config security-rolerole-namecustomer/role-name/security-role security-rolerole-namemerchant/role-name/security-role security-rolerole-nameadmin/role-name/security-role /web-app I can't see the point of protecting the POST method if the data fails to transition. Has anyone got a working example of this? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:47 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? I forgot to mention it's behaviour!! Basically when the is no security constraint, it works. When there is a security constraint, the post data gets killed. Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:43 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description url-pattern/form.html/url-pattern
Re: post data through form based authentication example?
Right I see. I shall ponder what jumping in at some point as well if you get no replies, but the replies from the JBoss people tend to be sporadic and I suffer all sorts of superstitious doubts about how best to elicit an answer from them. By the way, you can post HTML code there, you have to put it in [CODE] blocks, rather than [QUOTE] blocks which you tried. Adam On 03/29/2004 12:30 PM Martin Alley wrote: No formal bug report yet. The current state of play is at http://www.jboss.org/index.html?module=bbop=viewtopict=47595 If you would like to add your weight to this observation... Thanks Martin -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 29 March 2004 09:17 To: Tomcat Users List Subject: Re: post data through form based authentication example? Hmm. You're right. I just tested it on my JBoss (running 3.2.4RC1 with tomcat 5.0.19) and I got the same effect. Rats! This is not good. Trying to get info out of JBoss is like trying to get blood out of a stones. I assume there's a bug report? I haven't looked at JBoss's bugzilla yet. On 03/29/2004 01:10 AM Martin Alley wrote: After further testing, I believe this is a bug specific to the JBoss environment (both 3.2.3 and 3.2.4RC1) Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 28 March 2004 15:24 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (ie login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area - thus still requiring post data to transition the form based logon. ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description !--url-pattern/form.html/url-pattern-- url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config security-rolerole-namecustomer/role-name/security-role security-rolerole-namemerchant/role-name/security-role security-rolerole-nameadmin/role-name/security-role /web-app I can't see the point of protecting the POST method if the data fails to transition. Has anyone got a working example of this? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:47 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? I forgot to mention it's behaviour!! Basically when the is no security constraint, it works. When there is a security constraint, the post data gets killed. Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:43 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web
RE: post data through form based authentication example?
The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (ie login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area - thus still requiring post data to transition the form based logon. ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description !--url-pattern/form.html/url-pattern-- url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config security-rolerole-namecustomer/role-name/security-role security-rolerole-namemerchant/role-name/security-role security-rolerole-nameadmin/role-name/security-role /web-app I can't see the point of protecting the POST method if the data fails to transition. Has anyone got a working example of this? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:47 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? I forgot to mention it's behaviour!! Basically when the is no security constraint, it works. When there is a security constraint, the post data gets killed. Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:43 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description url-pattern/form.html/url-pattern url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config /web-app WEB-INF\jboss-web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE jboss-web PUBLIC -//JBoss//DTD Web Application 2.3//EN http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd; jboss-web security-domainjava:/jaas/authtest/security-domain !-- Resource Environment References -- !-- Resource references
RE: post data through form based authentication example?
After further testing, I believe this is a bug specific to the JBoss environment (both 3.2.3 and 3.2.4RC1) Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 28 March 2004 15:24 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? The updated web.xml below now correctly lists the required security-role tags, but the only effect was to bring the form.html resource into the secured area (ie login is requested before accessing this page now), so I have also modified web.xml to put form.html *outside* the secured area - thus still requiring post data to transition the form based logon. ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description !--url-pattern/form.html/url-pattern-- url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config security-rolerole-namecustomer/role-name/security-role security-rolerole-namemerchant/role-name/security-role security-rolerole-nameadmin/role-name/security-role /web-app I can't see the point of protecting the POST method if the data fails to transition. Has anyone got a working example of this? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:47 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? I forgot to mention it's behaviour!! Basically when the is no security constraint, it works. When there is a security constraint, the post data gets killed. Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:43 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description url-pattern/form.html/url-pattern url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config /web-app WEB
RE: post data through form based authentication example?
Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description url-pattern/form.html/url-pattern url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config /web-app WEB-INF\jboss-web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE jboss-web PUBLIC -//JBoss//DTD Web Application 2.3//EN http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd; jboss-web security-domainjava:/jaas/authtest/security-domain !-- Resource Environment References -- !-- Resource references -- !-- EJB References -- /jboss-web -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 25 March 2004 15:10 To: Tomcat Users List Subject: Re: post data through form based authentication example? Martin, I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL. Adam On 03/25/2004 02:45 PM Martin Alley wrote: Hi, Has any one got an example of a servlet secured with form based authentication, where the request to the servlet is posted, from outside the secured area? My actual situation is I already have a web application with form based auth working fine, but I have a problem when the user is at a web form, about to post the data when their session times out. Then they submit the form, get sent to the login page, and then the on to the original form processing servlet. However the post data is now lost. I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote connector. Thanks in advance Martin PS I have also posted to JBoss - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: post data through form based authentication example?
I forgot to mention it's behaviour!! Basically when the is no security constraint, it works. When there is a security constraint, the post data gets killed. Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 27 March 2004 09:43 To: 'Tomcat Users List' Subject: RE: post data through form based authentication example? Hi Adam, I've put together a simple test for posting to a secured resource which seems to throw up a problem. Included files are the web app. Based on JBoss3.2.3 embedded tomcat4.1. Martin Index.html html body a href=form.htmlform/a /body /html form.html html body form action=process.jsp method=post input type=text name=text1/ input type=submit value=OK/ /form /body /html login.html html body h4Please login:/h4 form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password input type=submit value=OK /form /body /html process.jsp html body text1=%=request.getParameter(text1)% /body /html WEB-INF\web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.3//EN http://java.sun.com/dtd/web-app_2_3.dtd; web-app session-config session-timeout2/session-timeout /session-config security-constraint web-resource-collection web-resource-nameSignon/web-resource-name descriptionDeclarative security tests/description url-pattern/form.html/url-pattern url-pattern/process.jsp/url-pattern http-methodHEAD/http-method http-methodGET/http-method http-methodPOST/http-method http-methodPUT/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint role-namecustomer/role-name role-namemerchant/role-name role-nameadmin/role-name /auth-constraint user-data-constraint descriptionno description/description transport-guaranteeNONE/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.html/form-login-page form-error-page/login.html/form-error-page /form-login-config /login-config /web-app WEB-INF\jboss-web.xml ?xml version=1.0 encoding=UTF-8? !DOCTYPE jboss-web PUBLIC -//JBoss//DTD Web Application 2.3//EN http://www.jboss.org/j2ee/dtd/jboss-web_3_0.dtd; jboss-web security-domainjava:/jaas/authtest/security-domain !-- Resource Environment References -- !-- Resource references -- !-- EJB References -- /jboss-web -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 25 March 2004 15:10 To: Tomcat Users List Subject: Re: post data through form based authentication example? Martin, I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL. Adam On 03/25/2004 02:45 PM Martin Alley wrote: Hi, Has any one got an example of a servlet secured with form based authentication, where the request to the servlet is posted, from outside the secured area? My actual situation is I already have a web application with form based auth working fine, but I have a problem when the user is at a web form, about to post the data when their session times out. Then they submit the form, get sent to the login page, and then the on to the original form processing servlet. However the post data is now lost. I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote connector. Thanks in advance Martin PS I have also posted to JBoss - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
post data through form based authentication example?
Hi, Has any one got an example of a servlet secured with form based authentication, where the request to the servlet is posted, from outside the secured area? My actual situation is I already have a web application with form based auth working fine, but I have a problem when the user is at a web form, about to post the data when their session times out. Then they submit the form, get sent to the login page, and then the on to the original form processing servlet. However the post data is now lost. I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote connector. Thanks in advance Martin PS I have also posted to JBoss - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: post data through form based authentication example?
Martin, I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL. Adam On 03/25/2004 02:45 PM Martin Alley wrote: Hi, Has any one got an example of a servlet secured with form based authentication, where the request to the servlet is posted, from outside the secured area? My actual situation is I already have a web application with form based auth working fine, but I have a problem when the user is at a web form, about to post the data when their session times out. Then they submit the form, get sent to the login page, and then the on to the original form processing servlet. However the post data is now lost. I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote connector. Thanks in advance Martin PS I have also posted to JBoss - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: post data through form based authentication example?
Hi Adam, That's encouraging. I'm actually using struts in this app too. I'll do some debugging and see where I get. Thanks for now Martin -Original Message- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 25 March 2004 15:10 To: Tomcat Users List Subject: Re: post data through form based authentication example? Martin, I would check your problem again. That is not the normal behaviour of the container-managed login. It will cache the original request during the login and send it on to the originally requested URL. Adam On 03/25/2004 02:45 PM Martin Alley wrote: Hi, Has any one got an example of a servlet secured with form based authentication, where the request to the servlet is posted, from outside the secured area? My actual situation is I already have a web application with form based auth working fine, but I have a problem when the user is at a web form, about to post the data when their session times out. Then they submit the form, get sent to the login page, and then the on to the original form processing servlet. However the post data is now lost. I am using tomcat4.1 as bundled with JBoss 3.2.3 and the coyote connector. Thanks in advance Martin PS I have also posted to JBoss - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
form-based authentication question
Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to form-based. I'm having difficulty in one area. After creating the new form and posting to j_security_check, I wish to GET my welcome page. It appears to be doing this from the URL in the address bar, but the page looks exactly like my login page. That is, it seems to have posted to itself. What's the appropriate way to forward to the welcome page? A working example login page, welcome page, and deployment descriptor would be appreciated. Thanks, Derrick This electronic transmission is strictly confidential to Smith Nephew and intended solely for the addressee. It may contain information which is covered by legal, professional or other privilege. If you are not the intended addressee, or someone authorized by the intended addressee to receive transmissions on behalf of the addressee, you must not retain, disclose in any form, copy or take any action in reliance on this transmission. If you have received this transmission in error, please notify the sender as soon as possible and destroy this message.
RE: form-based authentication question
It may be good for someone to answer this, but I figured out my problem. I accidentally used the login page name where the welcome page name should have been in the servlet configuration. Cockpit error. -Original Message- From: Koes, Derrick Sent: Tuesday, March 23, 2004 2:49 PM To: '[EMAIL PROTECTED]' Subject: form-based authentication question Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to form-based. I'm having difficulty in one area. After creating the new form and posting to j_security_check, I wish to GET my welcome page. It appears to be doing this from the URL in the address bar, but the page looks exactly like my login page. That is, it seems to have posted to itself. What's the appropriate way to forward to the welcome page? A working example login page, welcome page, and deployment descriptor would be appreciated. Thanks, Derrick This electronic transmission is strictly confidential to Smith Nephew and intended solely for the addressee. It may contain information which is covered by legal, professional or other privilege. If you are not the intended addressee, or someone authorized by the intended addressee to receive transmissions on behalf of the addressee, you must not retain, disclose in any form, copy or take any action in reliance on this transmission. If you have received this transmission in error, please notify the sender as soon as possible and destroy this message. This electronic transmission is strictly confidential to Smith Nephew and intended solely for the addressee. It may contain information which is covered by legal, professional or other privilege. If you are not the intended addressee, or someone authorized by the intended addressee to receive transmissions on behalf of the addressee, you must not retain, disclose in any form, copy or take any action in reliance on this transmission. If you have received this transmission in error, please notify the sender as soon as possible and destroy this message. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
double submit in form-based authentication throws IllegaStateException
Hello! I sent this mail to the dev list some days ago but got no answer. I apologize for the cross-posting. Hopefully someone will be able to help me here. I'm having a problem when trying to cope with double submits in a page with form-based authentication in Tomcat 4.1.30. I get to the login page when I try to access a protected page (actually a struts action - .do). I then inform the username and password in the form whose target is j_security_check and, if I just push submit once, everything goes allright, I am authenticated and taken to the struts action, that does its job and forwards to its view. But if I simulate a double submit (impatient users , I am shown a IllegalStateException, thrown by org.apache.catalina.servlets.DefaultServlet. Well, I downloaded tomcat's source code and traced it to see what was going on. I found out that in the first request org.apache.catalina.core.ApplicationFilterChain.internalDoFilter() will call servlet.service(), and in this case the servlet is struts' ActionServlet, whereas in the second (and simultaneous) submit, the servlet invoked is org.apache.catalina.servlets.DefaultServlet. I think this behaviour is probably because in the second submit the resource I !first! requested was j_security_check (the action of the form), and not the struts action (.do extension), like in the first submit). DefaultServlet will then try to serve, in the second submit, j_security_check. It will not find the resource and will try to call response.sendError(HttpServletResponse.SC_NOT_FOUND, request.getRequestURI()); The thing is that, at this point, response.isCommitted() == true, and then it throws IllegalStateException. If we analyse what is actually going on, the problem is not the IllegalStateException itself, but the fact that tomcat is trying to serve j_security_check in the second submit, rather than the struts action I requested in the first place. The exception I get is just a consequence of the wrong processing. Would this be a bug in tomcat? Would there be any workarounds to make it remind that the second submit still has as target the struts action, and not j_security_check as it is currently interpreting? I'd appreciate any thoughts. Best Regards, Andrigo Gomes PS: here is the stack trace I get: java.lang.IllegalStateException at org.apache.coyote.tomcat4.CoyoteResponseFacade.sendError(CoyoteResponseFacade.java:310) at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:936) at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:518) at org.apache.catalina.servlets.DefaultServlet.doPost(DefaultServlet.java:554) at javax.servlet.http.HttpServlet.service(HttpServlet.java:760) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193) at companyFilter.doFilter(some row) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643) at org.jboss.web.catalina.security.JBossSecurityMgrRealm.invoke(JBossSecurityMgrRealm.java:227) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:492) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641) at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2422) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext
Form based authentication
Hi I have successfully set up tomcat to protect various parts of my application using JDBCrealm and form-based-authentication, and it all works fine. Now i have written a system whereby new users can register and it creates them their chosen username and puts them in the right roles in the database. Now what i want to be able to do is have my servlet automatically log them in as the register without the need for them to be redirected to the login-form and re-enter their username and password. I am presuming this is possible as i log my users out by invoking request.getSession().invalidate(); in my logoff servlet, so my question is how do i create their session without using the default login form? Thanks Edd - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form-based authentication question
Hi I have successfully set up tomcat to protect various parts of my application using JDBCrealm and form-based-authentication, and it all works fine. Now i have written a system whereby new users can register and it creates them their chosen username and puts them in the right roles in the database. Now what i want to be able to do is have my servlet automatically log them in as the register without the need for them to be redirected to the login-form and re-enter their username and password. I am presuming this is possible as i log my users out by invoking request.getSession().invalidate(); in my logoff servlet, so my question is how do i create their session without using the default login form? Thanks Edd - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form Based Authentication - Registration
We have form based authentication working as follows : 1.) Customer requests access to a realm 2.) Redirect to login page 3.) Customer authenticates 4.) Customer redirected to realm as original request No we want to add registration and have the following happen 1.) Customer requests access to a realm 2.) Redirect to login page 3.) Customer doesn't have an account yet and accesses registration page 4.) Customer registers 5.) On successful registration the customer is redirected to the original request Now to get this working we need the following, both of which we are not sure are currently provided by the authentication framework. -Ability to access the original (SavedRequest) from a JSP / Servlet -Ability to auto/fake login from within the webapplication Is this currently possible ? Thanks Alex Alexander F. Hartner eMail : [EMAIL PROTECTED] Work : +27-11-646-6459 Fax : +27-11-646-5868 The programmers of old were mysterious and profound. We cannot fathom their thoughts, so all we do is describe their appearance. Aware, like a fox crossing the water. Alert, like a general on the battlefield. Kind, like a hostess greeting her guests. Simple, like uncarved blocks of wood. Opaque, like black pools in darkened caves. Who can tell the secrets of their hearts and minds? The answer exists only in the Tao. -- Geoffrey James, The Tao of Programming - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Form Based Authentication - Registration
On 02/14/2004 10:31 AM Alexander F. Hartner wrote: No we want to add registration and have the following happen 1.) Customer requests access to a realm 2.) Redirect to login page 3.) Customer doesn't have an account yet and accesses registration page 4.) Customer registers 5.) On successful registration the customer is redirected to the original request Now to get this working we need the following, both of which we are not sure are currently provided by the authentication framework. -Ability to access the original (SavedRequest) from a JSP / Servlet -Ability to auto/fake login from within the webapplication You cannot access the original request if the url is protected by a security-constraint and the user has not logged in. Tomcat will always jump in first with the CMS login. To fake it and keep CMS, reduce your real realm to a security constraint on one URL and set up a filter to check for the user's status. If not logged in, saved the parts of the request you need in the session, and redirect the user to the protected page to trigger the container login. Then after the login succeeds and the user gets through to that protected URL, check the session for the info and redirect them to their original destination. You can put a link on the login page to the registration URL - I'm not sure about the redirection logic but it should be possible to redirect them after registration back to the login page to login, and then on to their original destination. HTH Adam -- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form Based Authentication - Registration
We have form based authentication working as follows : 1.) Customer requests access to a realm 2.) Redirect to login page 3.) Customer authenticates 4.) Customer redirected to realm as original request No we want to add registration and have the following happen 1.) Customer requests access to a realm 2.) Redirect to login page 3.) Customer doesn't have an account yet and accesses registration page 4.) Customer registers 5.) On successful registration the customer is redirected to the original request Now to get this working we need the following, both of which we are not sure are currently provided by the authentication framework. -Ability to access the original (SavedRequest) from a JSP / Servlet -Ability to auto/fake login from within the webapplication Is this currently possible ? Thanks Alex Alexander F. Hartner eMail : [EMAIL PROTECTED] Work : +27-11-646-6459 Fax : +27-11-646-5868 The programmers of old were mysterious and profound. We cannot fathom their thoughts, so all we do is describe their appearance. Aware, like a fox crossing the water. Alert, like a general on the battlefield. Kind, like a hostess greeting her guests. Simple, like uncarved blocks of wood. Opaque, like black pools in darkened caves. Who can tell the secrets of their hearts and minds? The answer exists only in the Tao. -- Geoffrey James, The Tao of Programming
FORM based authentication referer
Here's some starting context for my question I have a war file that has been configured to use FORM based authentication. I have set the form-login-page in the web.xml of the war file to point to a jsp file in my war file. When a user invokes any jsp without being logged in the login jsp is displayed. The user enters the userid/password submits the page to j_security_check, is validated and redirected to the requested page. My question is ... Has anyone ever tried discovering the page that the user is trying to access from within the jsp page referenced as the form-login-page? I have tried checking the HTTP headers and session, but have not discovered it being saved anywhere. Usually when a page invokes another page the HTTP header REFERER exists with the URL to the previous page. I have noticed that once the user posts the login form on my login.jsp to j_security_check and is authenticated they are redirect to the correct location .. correct location being back to the page they wanted to access originally. This would mean that it has to be somewhere, but where??
RE: FORM based authentication referer
Ricardo García wrote: Here's some starting context for my question I have a war file that has been configured to use FORM based authentication. I have set the form-login-page in the web.xml of the war file to point to a jsp file in my war file. When a user invokes any jsp without being logged in the login jsp is displayed. The user enters the userid/password submits the page to j_security_check, is validated and redirected to the requested page. My question is ... Has anyone ever tried discovering the page that the user is trying to access from within the jsp page referenced as the form-login-page? I have tried checking the HTTP headers and session, but have not discovered it being saved anywhere. Usually when a page invokes another page the HTTP header REFERER exists with the URL to the previous page. I have noticed that once the user posts the login form on my login.jsp to j_security_check and is authenticated they are redirect to the correct location .. correct location being back to the page they wanted to access originally. This would mean that it has to be somewhere, but where?? We do this manually instead of using the form-login-page mechanism. In the header included at the top of every page for authentication, we capture session.setAttribute(login.target, request.getRequestURI() ); before redirecting to the login page. If you wait until you get to the page that is processing your login request, you've already lost the original request. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form based authentication
Hi all, I thought I would share some of my experiences with JDBCRealm authentication. First what I wanted to do was see if JDBCRealm based authentication even worked. All I got was Tomcat quitting. My first problem was that my web.xml file wasn't in the right order. I went to BEA's website and used their web.xml file explanation page to get all of the spelling and order of the elements right. But Tomcat still wasn't running. It turned out my second problem was that for some reason the MySQL JDBC driver wasn't being found, even though I had placed it in the common\lib directory. So I edited the catalina file manually and added in the jar file. Next whenever I would authenticate I would get a stylesheet instead of my intended destination. Then one time I authenticated and accidentally hit the login page. It showed me a different styled login page. That happened because my stylesheet was kept inside the context directory it wasn't being retrieved till I authenticated. So instead of pulling up index.html after I authenticate it pulled up the stylesheet because my browser was waiting to load that file. Solution of course was to place the stylesheet in an unsecure directory. I hope that someone finds this useful. Cheers, -- _ Atreya Basu Developer, Greenfield Research Inc. e-mail: atreya (at) greenfieldresearch (dot) ca - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Form based authentication
Hello Atreya, Your stylesheet is returned after authentication because it is access restricted. If you make your stylesheet freely accessible it will work. grts, Patrick -Original Message- From: Atreya Basu [mailto:[EMAIL PROTECTED] Sent: Friday, November 28, 2003 8:01 AM To: Tomcat Users List Subject: Form based authentication Hi all, I thought I would share some of my experiences with JDBCRealm authentication. First what I wanted to do was see if JDBCRealm based authentication even worked. All I got was Tomcat quitting. My first problem was that my web.xml file wasn't in the right order. I went to BEA's website and used their web.xml file explanation page to get all of the spelling and order of the elements right. But Tomcat still wasn't running. It turned out my second problem was that for some reason the MySQL JDBC driver wasn't being found, even though I had placed it in the common\lib directory. So I edited the catalina file manually and added in the jar file. Next whenever I would authenticate I would get a stylesheet instead of my intended destination. Then one time I authenticated and accidentally hit the login page. It showed me a different styled login page. That happened because my stylesheet was kept inside the context directory it wasn't being retrieved till I authenticated. So instead of pulling up index.html after I authenticate it pulled up the stylesheet because my browser was waiting to load that file. Solution of course was to place the stylesheet in an unsecure directory. I hope that someone finds this useful. Cheers, -- _ Atreya Basu Developer, Greenfield Research Inc. e-mail: atreya (at) greenfieldresearch (dot) ca - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
FORM based authentication pages
I have setup Tomcat 4.1 to use FORM based auth, but I've found myself replicating login and error pages in every context I want to protect. The problem is that the path that point to the pages in the login-config tag in the web.xml file of the context is relative to the context. login-config auth-methodFORM/auth-method realm-nameForm-Based Authentication Area/realm-name form-login-config form-login-page/auth/login.html/form-login-page form-error-page/auth/error.html/form-error-page /form-login-config /login-config Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: FORM based authentication pages
Sorry, tomcat doesn't provide that functionality. A simple workaround is to keep those pages in a shared area then on site build (I hope your using ant), copy those files into your webapp. -Tim Ricardo García wrote: I have setup Tomcat 4.1 to use FORM based auth, but I've found myself replicating login and error pages in every context I want to protect. The problem is that the path that point to the pages in the login-config tag in the web.xml file of the context is relative to the context. login-config auth-methodFORM/auth-method realm-nameForm-Based Authentication Area/realm-name form-login-config form-login-page/auth/login.html/form-login-page form-error-page/auth/error.html/form-error-page /form-login-config /login-config Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: FORM based authentication pages
Ricardo, Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file? You want the login pages for every webapp to look the same? If that's what you really want to do, I think you'll have to use symbolic links on the filesystem. You're much better off duplicatig the files. That has the advantage of allowing you to customize the login screens for each application. -chris - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Form Based Authentication not redirecting to URL with IE
Hi, I am using: tomcat 4.1.18 Using Form Based Authentication with JDBCRealm login-config auth-methodFORM/auth-method realm-nameJDBCRealm/realm-name form-login-config form-login-page/login.jsp/form-login-page form-error-page/login.jsp/form-error-page /form-login-config /login-config When I try a URL like: /something.do?id=1 it goes to the login.jsp authenticates and then goes to /index.jsp instead of /something.do?id=1 This behaviour only happens in IE (6.0). It works fine in Netscape (using 7.0) What could be the problem? Appreciate your help. thanks, Ramesh - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Example form-based authentication
Hi, I'm under Tomcat/4.1.18-LE-jdk14 and just have tested form based example. Unfortunately, when I access http://localhost:8080/examples/jsp/security/protected/index.jsp i'm well redirected to login.jsp as mentionned in web.xml form-login-config form-login-page/jsp/security/protected/login.jsp/form-login-page form-error-page/jsp/security/protected/error.jsp/form-error-page /form-login-config but I've got the following error message: Generated servlet error: [javac] Compiling 1 source file C:\java\plateforme\tomcat\work\Standalone\localhost\examples\jsp\security\protected\login_jsp.java:1: expected package org.apache.jsp.jsp.security.protected; ^ 1 error I've changed nothing to examples directory, so is it an known error? How may i fix this? Thanks in advance for your response, Regards, Cyril.
mozilla nightly build and tomcat form-based authentication
Is anybody else out there using a Mozilla nightly build? Seems they've introduced a bug since the last major release (1.5) that stops me logging in using form-based authentication. It would cool if anybody else affected here would vote for the bug on bugzilla: http://bugzilla.mozilla.org/show_bug.cgi?id=223891 Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: TC5 ssl form-based authentication mozilla
Adam Hardy wrote: I have set this up with the minimum configuration possible to try to find the problem. 1 JSP, one Struts action mapping, 1 servlet mapping, and the tomcat realm - no SSO, no filters, no templates, no SSL-redirection. With this security: web-resource-collection web-resource-nameSSL 4 Login/web-resource-name url-pattern/login.do/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint when I try to login to my login.do mapping, in mozilla I get repeated login requests from tomcat. The first time twice only, the 2nd time 5 times, 3rd time 10 times etc etc. I can see from my logging that the realm login is successful, but tomcat keeps giving the login page as stated. This does not happen in IE6 or lynx, in which the login works as normal. Has anybody else experienced this? Did you get correctly switched to SSL mode ? -- x Rémy Maucherat Senior Developer Consultant JBoss Group (Europe) SàRL x - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: TC5 ssl form-based authentication mozilla
On 10/15/2003 10:32 AM Remy Maucherat wrote: With this security: web-resource-collection web-resource-nameSSL 4 Login/web-resource-name url-pattern/login.do/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint when I try to login to my login.do mapping, in mozilla I get repeated login requests from tomcat. The first time twice only, the 2nd time 5 times, 3rd time 10 times etc etc. I can see from my logging that the realm login is successful, but tomcat keeps giving the login page as stated. This does not happen in IE6 or lynx, in which the login works as normal. Has anybody else experienced this? Did you get correctly switched to SSL mode ? Yes. I have reduced the webapp to a minimum and bundled it in a war at http://www.cyberspaceroad.com/test.war (right click it save target as...) if you want to see what I'm doing. It contains the struts.jar and is therefore 0.85MB. If you don't have broadband I can bundle it without the jars too. Sometimes the ssl form-based authentication loops on the login page, and sometimes it gives the invalid direct reference error. As mentioned above, the non-SSL normal form-based login works fine. In IE6 it works fine too. Rgds Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: manager.xml: cannot configure SSL for form-based authentication
Adam Hardy [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Sorry if this comes through twice. I think it got eaten by my email software the first time. I have tried putting the following in $CATALINA_HOME/server/webapps/manager/WEB-INF/web.xml but the SSL config is ignored: security-constraint web-resource-collection web-resource-nameSSL 4 Login/web-resource-name url-pattern/ssllogin.html/url-pattern url-pattern/sslerror.html/url-pattern /web-resource-collection user-data-constraint descriptionSSL required/description transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameBlackSailRealm/realm-name form-login-config form-login-page/ssllogin.html/form-login-page form-error-page/sslerror.html/form-error-page /form-login-config /login-config I have the login error pages in $CATALINA_HOME/server/webapps/manager/ Basically it always stays in non-SSL protocol. I posted this in bugzilla, being confident that tomcat was not doing what it was supposed to, but apparently it is. I got the following solution via bugzilla, but I don't understand it! How is this telling me I should configure SSL for the manager login? Pretty simple really: a href=https://my.host.com/manager;Manager/a And, I agree with Remy's comments in BZ. Unless there is a last-minute change in the Servlet 2.4 spec, Tomcat is working as expected. Of course the place to complain is: [EMAIL PROTECTED] Thanks On 10/13/2003 02:19 PM [EMAIL PROTECTED] wrote: [...] http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23766 cannot configure SSL for form-based authentication [...] --- Additional Comments From [EMAIL PROTECTED] 2003-10-13 12:19 --- FORM can be implemented as an internal redirection, like welcome files. As a result, it is not subject to constraints. Please do not reopen the report. -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: manager.xml: cannot configure SSL for form-based authentication
On 10/14/2003 08:41 AM Bill Barker wrote: Adam Hardy [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Basically it always stays in non-SSL protocol. I posted this in bugzilla, being confident that tomcat was not doing what it was supposed to, but apparently it is. I got the following solution via bugzilla, but I don't understand it! How is this telling me I should configure SSL for the manager login? Pretty simple really: a href=https://my.host.com/manager;Manager/a And, I agree with Remy's comments in BZ. Unless there is a last-minute change in the Servlet 2.4 spec, Tomcat is working as expected. Of course the place to complain is: [EMAIL PROTECTED] Hi Bill, thanks for answering. Pretty simple indeed. I have no complaints over the interpretation of the servlet spec. I do feel that it is inefficient that I should have to find out about this change in this way - i.e. looking at my app not working as I expect it to (as it did in the past), thinking I've configured it wrong, checking all my configuration, mailing the user list, entering an issue into bugzilla etc. This issue in the servlet spec does not stand out as something new, there are no notes on this on the tomcat website, there is nothing in the Release Notes. I know what you're going to say: this is open-source, we all do what we can, perhaps I should monitor the tomcat dev list and write a recap every month for the user list etc. - touchee I guess. Thanks anyway, Adam - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
TC5 ssl form-based authentication mozilla
I have set this up with the minimum configuration possible to try to find the problem. 1 JSP, one Struts action mapping, 1 servlet mapping, and the tomcat realm - no SSO, no filters, no templates, no SSL-redirection. With this security: web-resource-collection web-resource-nameSSL 4 Login/web-resource-name url-pattern/login.do/url-pattern /web-resource-collection auth-constraint role-nameuser/role-name role-nameadmin/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint when I try to login to my login.do mapping, in mozilla I get repeated login requests from tomcat. The first time twice only, the 2nd time 5 times, 3rd time 10 times etc etc. I can see from my logging that the realm login is successful, but tomcat keeps giving the login page as stated. This does not happen in IE6 or lynx, in which the login works as normal. Has anybody else experienced this? Thanks Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
manager.xml: cannot configure SSL for form-based authentication
Sorry if this comes through twice. I think it got eaten by my email software the first time. I have tried putting the following in $CATALINA_HOME/server/webapps/manager/WEB-INF/web.xml but the SSL config is ignored: security-constraint web-resource-collection web-resource-nameSSL 4 Login/web-resource-name url-pattern/ssllogin.html/url-pattern url-pattern/sslerror.html/url-pattern /web-resource-collection user-data-constraint descriptionSSL required/description transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameBlackSailRealm/realm-name form-login-config form-login-page/ssllogin.html/form-login-page form-error-page/sslerror.html/form-error-page /form-login-config /login-config I have the login error pages in $CATALINA_HOME/server/webapps/manager/ Basically it always stays in non-SSL protocol. I posted this in bugzilla, being confident that tomcat was not doing what it was supposed to, but apparently it is. I got the following solution via bugzilla, but I don't understand it! How is this telling me I should configure SSL for the manager login? Thanks On 10/13/2003 02:19 PM [EMAIL PROTECTED] wrote: [...] http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23766 cannot configure SSL for form-based authentication [...] --- Additional Comments From [EMAIL PROTECTED] 2003-10-13 12:19 --- FORM can be implemented as an internal redirection, like welcome files. As a result, it is not subject to constraints. Please do not reopen the report. -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
cannot configure SSL for form-based authentication
I have tried putting the following in $CATALINA_HOME/server/webapps/manager/WEB-INF/web.xml but the SSL config is ignored: security-constraint web-resource-collection web-resource-nameSSL 4 Login/web-resource-name url-pattern/ssllogin.html/url-pattern url-pattern/sslerror.html/url-pattern /web-resource-collection user-data-constraint descriptionSSL required/description transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameBlackSailRealm/realm-name form-login-config form-login-page/ssllogin.html/form-login-page form-error-page/sslerror.html/form-error-page /form-login-config /login-config I have the login error pages in $CATALINA_HOME/server/webapps/manager/ Basically it always stays in non-SSL protocol. I posted this in bugzilla, being confident that tomcat was not doing what it was supposed to, but apparently it is. I got the following solution via bugzilla, but I don't understand it! How is this telling me I should configure SSL for the manager login? Thanks On 10/13/2003 02:19 PM [EMAIL PROTECTED] wrote: [...] http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23766 cannot configure SSL for form-based authentication [...] --- Additional Comments From [EMAIL PROTECTED] 2003-10-13 12:19 --- FORM can be implemented as an internal redirection, like welcome files. As a result, it is not subject to constraints. Please do not reopen the report. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: form-based authentication session.invalidate
Although I've no real idea what an internal tomcat SessionEvent is, it
sounds like it's a bug. Give me the word and I'll enter it in bugzilla.
Adam
On 10/12/2003 01:57 AM Tim Funk wrote:
Hmm. I always thought that when using the SSO valve, logging out of one
webapp automatically logs you out of all webapps.
The 5 code looks broken based on *very quick* inspection compared to 4.1
based on lines 304-308.
if ( event.getData() != null
logout.equals( event.getData().toString() )) {
// logout of all applications
deregister(ssoId);
} else {
// invalidate just one session
deregister(ssoId, session);
}
I haven't been able to locate how logout can be a value in a SessionEvent.
-Tim
Adam Hardy wrote:
I have just figured out that the SSO in JSESSIONIDSSO stands for
single-sign-on.
I have the following JSP:
remote user %=request.getRemoteUser() % in
session %= session.getId() %
%
session.invalidate();
%
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO
cookies. I then go to a second site on my tomcat and get a second
JSESSIONID without having to do a login coz of SSO.
Now going to this page which has the stuff above, and refreshing over
and over always showed the following:
remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active.
This shouldn't be the case I'm sure. If I delete the SSO cookie in
mozilla, I get a login request on my next request.
Also if I only login to one site, even though I get the SSO cookie,
when I invalidate the session, I immediately get a login request.
Strange.
This is not correct behaviour for tomcat, is it?
Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
form-based authentication session.invalidate
I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication. I saw the same issue in bugzilla but for basic authentication: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147 where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request. Is this the same for form-based authentication? I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself? Thanks Adam -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: form-based authentication session.invalidate
Authentication information is somewhat stored in the session for form based authentication. (I can't remember the specifics) So using session.invalidate should log the user out. This works since the session id which is a cookie or URL rewriting scheme is what the browser keys in on. By invalidating that id on the server, the browser is now sending an invalid credential and thus logged out. In BASIC authentication, the credentials are stored in the web browser and sent when/if requested. So the only way to get rid of those stored credentials is by closing the web browser. [Of course, when the web server is restarted or web app restarted - I can't recall what happens to the authentication information. ] -Tim Adam Hardy wrote: I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication. I saw the same issue in bugzilla but for basic authentication: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147 where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request. Is this the same for form-based authentication? I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: form-based authentication session.invalidate
I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on. I have the following JSP: remote user %=request.getRemoteUser() % in session %= session.getId() % % session.invalidate(); % and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login coz of SSO. Now going to this page which has the stuff above, and refreshing over and over always showed the following: remote user adam in session EB2543D909D52551EA58C77E963CDD17 remote user adam in session EA33F35CCB3D1205A88226029C65939C remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17 remote user adam in session 1B7F0424190985F24A294EA2344888C5 I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request. Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange. This is not correct behaviour for tomcat, is it? Adam On 10/11/2003 06:04 PM Tim Funk wrote: Authentication information is somewhat stored in the session for form based authentication. (I can't remember the specifics) So using session.invalidate should log the user out. This works since the session id which is a cookie or URL rewriting scheme is what the browser keys in on. By invalidating that id on the server, the browser is now sending an invalid credential and thus logged out. In BASIC authentication, the credentials are stored in the web browser and sent when/if requested. So the only way to get rid of those stored credentials is by closing the web browser. [Of course, when the web server is restarted or web app restarted - I can't recall what happens to the authentication information. ] -Tim Adam Hardy wrote: I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication. I saw the same issue in bugzilla but for basic authentication: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147 where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request. Is this the same for form-based authentication? I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself? -- struts 1.1 + tomcat 5.0.12 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: form-based authentication session.invalidate
Hmm. I always thought that when using the SSO valve, logging out of one
webapp automatically logs you out of all webapps.
The 5 code looks broken based on *very quick* inspection compared to 4.1
based on lines 304-308.
if ( event.getData() != null
logout.equals( event.getData().toString() )) {
// logout of all applications
deregister(ssoId);
} else {
// invalidate just one session
deregister(ssoId, session);
}
I haven't been able to locate how logout can be a value in a SessionEvent.
-Tim
Adam Hardy wrote:
I have just figured out that the SSO in JSESSIONIDSSO stands for
single-sign-on.
I have the following JSP:
remote user %=request.getRemoteUser() % in
session %= session.getId() %
%
session.invalidate();
%
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO
cookies. I then go to a second site on my tomcat and get a second
JSESSIONID without having to do a login coz of SSO.
Now going to this page which has the stuff above, and refreshing over
and over always showed the following:
remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active.
This shouldn't be the case I'm sure. If I delete the SSO cookie in
mozilla, I get a login request on my next request.
Also if I only login to one site, even though I get the SSO cookie, when
I invalidate the session, I immediately get a login request. Strange.
This is not correct behaviour for tomcat, is it?
Adam
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
[Q] Form-based authentication with DatasourceRealm
Hi, I'm trying to use Realms for the first time. The documentation of Tomcat is pretty straight foward and everything is clear (and surprisingly simple), except how I must name the action=??? paramaters for my form in which the authentication is done. The Tomcat example is: form method=POST action='%= response.encodeURL(j_security_check) %' for a MemoryRealm Is this standard for all Realms and can/should I use it as is, or how does it look for a Datasource Realm? Thanks! __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [Q] Form-based authentication with DatasourceRealm
This is a three part problem. First you have a process that does the challenging of access. In the case of Form Based Authentication this means redirecting the user to a login page. Second you have a scheme to take the credentials the user provides and validate them. This is the job of the realm. You should simply need to replace the Realm element in Server.xml that currently refers to your MemoryRealm and put in place the Realm className=org.apache.catalina.realm.UserDatabaseRealm debug=0 resourceName=UserDatabase/ element which is provided in the default server.xml (but commented out). Next this Realm is dependent on the 3rd part of the equation - the UserDatabase resource. This may be of some use: http://www.servlets.com/jservlet2/examples/ch08/index.html -Original Message- From: Riaan Oberholzer [mailto:[EMAIL PROTECTED] Sent: 24 July 2003 09:51 To: [EMAIL PROTECTED] Subject: [Q] Form-based authentication with DatasourceRealm Hi, I'm trying to use Realms for the first time. The documentation of Tomcat is pretty straight foward and everything is clear (and surprisingly simple), except how I must name the action=??? paramaters for my form in which the authentication is done. The Tomcat example is: form method=POST action='%= response.encodeURL(j_security_check) %' for a MemoryRealm Is this standard for all Realms and can/should I use it as is, or how does it look for a Datasource Realm? Thanks! __ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] _ This e-mail has been scanned for viruses by MessageLabs. _ This e-mail has been scanned for viruses by MessageLabs. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
WEBDAV and FORM-Based Authentication
Does anyone know if it is possible to have a FORM-based authentication with webdav servlet (which is open as a web folder). I have tried, but unsuccessfully. If a servlet runs in a regular way (HTTP://), the form log-in page is displayed. However, if the webdav servlet is open the webdav way (as a web folder), the form is never displayed ? Thanks . - Chinh - Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month!
Re: Auto Login Using Form Based Authentication
I was using mod_jk as a short-hand for the entire server-suite. There is a Domino connector, but I don't believe that there is a binary for it. You can get the source and compile it from http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4 /src/. Documentation is at http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.4 /doc/jk/domhowto.html. John Turner [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] mod_jk is strictly for Apache, since the mod typically means Apache module. But JK (AJP13) is a protocol. It can be implemented however you like. There are JK connectors for Apache and IIS, for example. John On Wed, 11 Jun 2003 10:53:37 -0400, vtobin [EMAIL PROTECTED] wrote: Hi Bill and Matt, There are two problems with this: 1) Your Filter will not get called, since authentication happens before Filters (you'd need to use a Valve, but then you are locked into Tomcat) . 2) Unless you are using Tomcat 5.x nightly, Request attibutes won't be available to the login-page for the simple reason that that happens on a different Request. The simplest solution would be to use mod_jk to connect Domino Tomcat and set tomcatAuthentication=false. However, the Domino connector is probably the least tested . Raible, Matt [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] You could put a filter on /* in your app, and if the user is routed to the login page (check the URL for an indexOf(login.jsp)) - then set a request variable containing the parameter you want to save. Matt I'd like to thank you both for responding to my posting. I'm researching your suggestions, though I guess I'll probably have to give up the idea of using a filter based on Bill's information. I'm looking up the info on mod_jk. That was a good lead, though the particulars are still eluding me. I had always thought that mod_jk was strictly for Apache and Tomcat, but if it'll work with Domino, that's great. Val - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Auto Login Using Form Based Authentication
1) Your Filter will not get called, since authentication happens before
Filters (you'd need to use a Valve, but then you are locked into Tomcat).
In my experience, and my current working app, this is not the case. The
following code works for me in a filter (mapped to /*) to auto-login a user:
snip
if ((request.getRequestURL().indexOf(login)) {
// Check to see if we should automatically login the user
// container is routing user to login page, check for remember me cookie
Cookie userCookie = RequestUtil.getCookie(request, username);
String username =
(passCookie != null)
? URLDecoder.decode(userCookie.getValue(), UTF-8) : null;
if ((rememberMe != null) (password != null)) {
// authenticate user without displaying login page
String route = request.getContextPath() +
/j_security_check?j_username= + username
+ j_password= + StringUtil.decodeString(password);
if (log.isDebugEnabled()) {
log.debug(I remember you ' + username
+ ', attempting authentication...);
}
response.sendRedirect(response.encodeRedirectURL(route));
return;
}
}
Matt
/snip
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Auto Login Using Form Based Authentication
Hi Bill and Matt, There are two problems with this: 1) Your Filter will not get called, since authentication happens before Filters (you'd need to use a Valve, but then you are locked into Tomcat). 2) Unless you are using Tomcat 5.x nightly, Request attibutes won't be available to the login-page for the simple reason that that happens on a different Request. The simplest solution would be to use mod_jk to connect Domino Tomcat and set tomcatAuthentication=false. However, the Domino connector is probably the least tested . Raible, Matt [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] You could put a filter on /* in your app, and if the user is routed to the login page (check the URL for an indexOf(login.jsp)) - then set a request variable containing the parameter you want to save. Matt I'd like to thank you both for responding to my posting. I'm researching your suggestions, though I guess I'll probably have to give up the idea of using a filter based on Bill's information. I'm looking up the info on mod_jk. That was a good lead, though the particulars are still eluding me. I had always thought that mod_jk was strictly for Apache and Tomcat, but if it'll work with Domino, that's great. Val - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
