Re: Capturing User Passwords
Thanks Larry - that's worked for me!

-----Original Message-----
From: Larry Meadors [mailto:[EMAIL PROTECTED]]
Sent: 29 September 2005 04:01
To: Tomcat Users List
Subject: Re: Capturing User Passwords

Here is the code (this is for tomcat 4.1.x):

    // Requires java.security.Principal, java.beans.PropertyDescriptor and
    // org.apache.commons.beanutils.PropertyUtils.
    if (log.isDebugEnabled()) {
        Principal principal = req.getUserPrincipal();
        PropertyDescriptor[] pds;
        pds = PropertyUtils.getPropertyDescriptors(principal.getClass());
        // Log every readable bean property of the authenticated principal.
        for (int i = 0; i < pds.length; i++) {
            try {
                String name = pds[i].getName();
                Object value = PropertyUtils.getProperty(principal, name);
                log.debug("pds." + name + " = " + value);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Larry

IMPORTANT NOTICE

If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to the statement below or contact the sender.

This communication is from Deloitte Touche LLP. Deloitte Touche LLP is a limited liability partnership registered in England and Wales with registered number OC303675. A list of members' names is available for inspection at Stonecutter Court, 1 Stonecutter Street, London EC4A 4TR, United Kingdom, the firm's principal place of business and registered office. Deloitte Touche LLP is authorised and regulated by the Financial Services Authority.

This communication and any attachments contain information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of disclosure, distribution, copying or use of this communication or the information in it or in any attachments is strictly prohibited and may be unlawful. If you have received this communication in error, please return it with the title "received in error" to [EMAIL PROTECTED] then delete the email and destroy any copies of it.

E-mail communications cannot be guaranteed to be secure or error free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept liability for any such matters or their consequences. Anyone who communicates with us by e-mail is taken to accept the risks in doing so.

When addressed to our clients, any opinions or advice contained in this e-mail and any attachments are subject to the terms and conditions expressed in the governing Deloitte Touche LLP client engagement letter.

Opinions, conclusions and other information in this e-mail and any attachments which do not relate to the official business of the firm are neither given nor endorsed by it.

RE: Capturing User Passwords
Hi Greg, thanks for the link. Your download does not have any source (can you share it??)

Stephen Bovy
Computer Associates
6100 Center Drive Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Aaron Loucks [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 28, 2005 4:43 PM
To: Tomcat Users List
Subject: Re: Capturing User Passwords

You could modify the FormAuthenticator class and have it cache the password. I believe it's in the org.apache.catalina.authenticator package of the tomcat source.

I did something similar to provide programmatic login, although I've somewhat abandoned that project. It's available at http://palpatine.infinitedata.net/~loucks/projects/pfa/

    <Context ...>
      <Valve className="com.company.MyPasswordCachingFormAuthenticator"/>
    </Context>

RE: Capturing User Passwords
Hi Stephen,

Aaron posted the link (Thanks Aaron!) - so I guess your request is best directed to him.

Cheers,
Greg

-----Original Message-----
From: Bovy, Stephen J [mailto:[EMAIL PROTECTED]]
Sent: Thu 29/09/2005 19:53
To: Tomcat Users List
Cc:
Subject: RE: Capturing User Passwords

Hi Greg, thanks for the link. Your download does not have any source (can you share it??)

Stephen Bovy
Computer Associates

RE: Capturing User Passwords
Woops, sorry I misread

Stephen Bovy
Computer Associates
6100 Center Drive Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]

-----Original Message-----
From: Perry, Greg (UK - London) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 29, 2005 11:58 AM
To: Tomcat Users List
Subject: RE: Capturing User Passwords

Hi Stephen,

Aaron posted the link (Thanks Aaron!) - so I guess your request is best directed to him.

Cheers,
Greg

Capturing User Passwords
I am trying to find a way of capturing a user's password so that I can have the user login to one of my web applications (which acts as a client), and pass it to a second application (which acts as the server).

I know that I can retrieve the user from the ServletRequest using req.getUserPrincipal(). However, I do not know how I can retrieve the password. Can anyone offer any advice on whether this can be done and if so, the best way of doing it?

[ I did attempt to use forms-based authentication and use a filter to capture the password whenever the j_security_check action was invoked. However, I read in another post that Tomcat does not allow filters to be placed on j_security_check. ]

Once I have the password, I'd ideally be looking at converting it to a Credentials object, so that I could pass that to my second app, rather than passing the raw password. Does anyone know whether this can be achieved by using Tomcat's UserPasswordCredentials class?

Also, to prevent the password being exposed in the URL posted from the login page, I'd also be looking to implement SSL. I presume that this will cause encryption problems. Does anyone have any advice about how I could work around this?

Re: Capturing User Passwords
==
Date: Wed, 28 Sep 2005 14:29:04 +0100
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Subject: Capturing User Passwords
==

> I am trying to find a way of capturing a user's password so that I can
> have the user login to one of my web applications (which acts as a
> client), and pass it to a second application (which acts as the server).

It sounds like you are trying to implement a Single sign on...

--
Giuseppe Briotti
[EMAIL PROTECTED]

"O nurturing Sun, who with your shining chariot bring forth the day and hide it, and are born another and yet the same, may you be able to behold nothing greater than the city of Rome." (Horace)

RE: Capturing User Passwords
Thanks - but I did try using single sign-on and got that working correctly with trial applications. However, I need to explicitly supply the password in the call to my second application.

Again, any help would be greatly appreciated.

-----Original Message-----
From: Giuseppe Briotti [mailto:[EMAIL PROTECTED]]
Sent: 28 September 2005 14:45
To: Tomcat Users List
Subject: Re: Capturing User Passwords

> I am trying to find a way of capturing a user's password so that I can
> have the user login to one of my web applications (which acts as a
> client), and pass it to a second application (which acts as the server).

It sounds like you are trying to implement a Single sign on...

Re: Capturing User Passwords
You could modify the FormAuthenticator class and have it cache the password. I believe it's in the org.apache.catalina.authenticator package of the tomcat source.

I did something similar to provide programmatic login, although I've somewhat abandoned that project. It's available at http://palpatine.infinitedata.net/~loucks/projects/pfa/

    <Context ...>
      <Valve className="com.company.MyPasswordCachingFormAuthenticator"/>
    </Context>

Perry, Greg (UK - London) wrote:
> Thanks - but I did try using single sign-on and got that working
> correctly with trial applications. However, I need to explicitly supply
> the password in the call to my second application.
>
> Again, any help would be greatly appreciated.

Re: Capturing User Passwords
Here is the code (this is for tomcat 4.1.x):

    // Requires java.security.Principal, java.beans.PropertyDescriptor and
    // org.apache.commons.beanutils.PropertyUtils.
    if (log.isDebugEnabled()) {
        Principal principal = req.getUserPrincipal();
        PropertyDescriptor[] pds;
        pds = PropertyUtils.getPropertyDescriptors(principal.getClass());
        // Log every readable bean property of the authenticated principal.
        for (int i = 0; i < pds.length; i++) {
            try {
                String name = pds[i].getName();
                Object value = PropertyUtils.getProperty(principal, name);
                log.debug("pds." + name + " = " + value);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Larry

On 9/28/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I am trying to find a way of capturing a user's password so that I can
> have the user login to one of my web applications (which acts as a
> client), and pass it to a second application (which acts as the server).
>
> I know that I can retrieve the user from the ServletRequest using
> req.getUserPrincipal(). However, I do not know how I can retrieve the
> password. Can anyone offer any advice on whether this can be done and
> if so, the best way of doing it?
>
> [ I did attempt to use forms-based authentication and use a filter to
> capture the password whenever the j_security_check action was invoked.
> However, I read in another post that Tomcat does not allow filters to
> be placed on j_security_check. ]
>
> Once I have the password, I'd ideally be looking at converting it to a
> Credentials object, so that I could pass that to my second app, rather
> than passing the raw password. Does anyone know whether this can be
> achieved by using Tomcat's UserPasswordCredentials class?
>
> Also, to prevent the password being exposed in the URL posted from the
> login page, I'd also be looking to implement SSL. I presume that this
> will cause encryption problems. Does anyone have any advice about how I
> could work around this?

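Added example, not part of the thread and not Tomcat or project code: the loop in the message above writes every readable property of the principal to the debug log, so a principal class that exposes a password property gets the password logged as well. The sketch below does the same enumeration with the JDK's `java.beans.Introspector` instead of Commons BeanUtils and masks sensitive property names; `RedactedPrincipalDump`, `DemoPrincipal`, the sample values and the list of name fragments are assumptions made for the example.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class RedactedPrincipalDump {

    // Property-name fragments treated as secrets (assumed list; extend as needed).
    private static final String[] SENSITIVE = {"password", "credential", "secret", "token"};

    static boolean isSensitive(String propertyName) {
        String lower = propertyName.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE) {
            if (lower.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** Maps each readable property name to a loggable value, masking secrets. */
    static Map<String, String> describe(Object bean) throws IntrospectionException {
        Map<String, String> out = new LinkedHashMap<>();
        // Object.class as stop class keeps the synthetic "class" property out.
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method getter = pd.getReadMethod();
            if (getter == null) {
                continue; // write-only property, nothing to log
            }
            String name = pd.getName();
            if (isSensitive(name)) {
                out.put(name, "[REDACTED]"); // the getter is never invoked
                continue;
            }
            try {
                Object value = getter.invoke(bean);
                out.put(name, value instanceof Object[]
                        ? Arrays.toString((Object[]) value)
                        : String.valueOf(value));
            } catch (ReflectiveOperationException e) {
                out.put(name, "<unreadable: " + e.getClass().getSimpleName() + ">");
            }
        }
        return out;
    }

    /** Constructed stand-in for a container principal that exposes a password. */
    public static final class DemoPrincipal implements Principal {
        private final String name;
        private final String password;
        private final String[] roles;

        public DemoPrincipal(String name, String password, String[] roles) {
            this.name = name;
            this.password = password;
            this.roles = roles.clone();
        }

        @Override
        public String getName() { return name; }
        public String getPassword() { return password; }
        public String[] getRoles() { return roles.clone(); }
    }

    public static void main(String[] args) throws IntrospectionException {
        // Constructed sample values, not taken from the thread.
        Principal p = new DemoPrincipal("alice", "constructed-sample", new String[] {"user"});
        for (Map.Entry<String, String> e : describe(p).entrySet()) {
            System.out.println("pds." + e.getKey() + " = " + e.getValue());
        }
    }
}
```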