Re: Capturing User Passwords

2005-09-29 Thread [EMAIL PROTECTED]
Thanks Larry - that's worked for me!

-Original Message-
From: Larry Meadors [mailto:[EMAIL PROTECTED]]
Sent: 29 September 2005 04:01
To: Tomcat Users List
Subject: Re: Capturing User Passwords

Here is the code (this is for tomcat 4.1.x):

   if(log.isDebugEnabled()){
       Principal principal = req.getUserPrincipal();
       PropertyDescriptor[] pds;
       pds = PropertyUtils.getPropertyDescriptors(principal.getClass());
       for(int i = 0; i < pds.length; i++){
           try {
               String name = pds[i].getName();
               Object value = PropertyUtils.getProperty(principal, name);
               log.debug("pds." + name + " = " + value);
           } catch (Exception e) {
               e.printStackTrace();
           }
       }
   }

Larry

On 9/28/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 I am trying to find a way of capturing a user's password so that I can have
 the user login to one of my web applications (which acts as a client), and
 pass it to a second application (which acts as the server).

 I know that I can retrieve the user from the ServletRequest using
 req.getUserPrincipal(). However, I do not know how I can retrieve the
 password.

 Can anyone offer any advice on whether this can be done and if so, the best
 way of doing it?

 [ I did attempt to use forms-based authentication and use a filter to
 capture the password whenever the j_security_check action was invoked.
 However, I read in another post that Tomcat does not allow filters to be
 placed on j_security_check. ]

 Once I have the password, I'd ideally be looking at converting it to a
 Credentials object, so that I could pass that to my second app, rather than
 passing the raw password. Does anyone know whether this can be achieved by
 using Tomcat's UserPasswordCredentials class?

 Also, to prevent the password being exposed in the URL posted from the login
 page, I'd also be looking to implement SSL. I presume that this will cause
 encryption problems. Does anyone have any advice about how I could work
 around this?

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

IMPORTANT NOTICE
If you have received this e-mail in error or wish to read our e-mail
disclaimer statement and monitoring policy, please refer to the
statement below or contact the sender.
This communication is from Deloitte & Touche LLP. Deloitte & Touche
LLP is a limited liability partnership registered in England and Wales
with registered number OC303675. A list of members' names is available
for inspection at Stonecutter Court, 1 Stonecutter Street, London EC4A
4TR, United Kingdom, the firm's principal place of business and
registered office. Deloitte & Touche LLP is authorised and regulated
by the Financial Services Authority.
This communication and any attachments contain information which is
confidential and may also be privileged. It is for the exclusive use
of the intended recipient(s). If you are not the intended recipient(s)
please note that any form of disclosure, distribution, copying or use of
this communication or the information in it or in any attachments is
strictly prohibited and may be unlawful. If you have received this
communication in error, please return it with the title "received in
error" to [EMAIL PROTECTED] then delete the email and
destroy any copies of it.
E-mail communications cannot be guaranteed to be secure or error free,
as information could be intercepted, corrupted, amended, lost,
destroyed, arrive late or incomplete, or contain viruses. We do not
accept liability for any such matters or their consequences. Anyone who
communicates with us by e-mail is taken to accept the risks in doing so.
When addressed to our clients, any opinions or advice contained in
this e-mail and any attachments are subject to the terms and conditions
expressed in the governing Deloitte & Touche LLP client engagement
letter.
Opinions, conclusions and other information in this e-mail and any
attachments which do not relate to the official business of the firm are
neither given nor endorsed by it.


RE: Capturing User Passwords

2005-09-29 Thread Bovy, Stephen J
Hi Greg, thanks for the link.

Your download does not have any source (can you share it??)


Stephen Bovy
Computer Associates
6100 Center Drive
Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]
-Original Message-
From: Aaron Loucks [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 28, 2005 4:43 PM
To: Tomcat Users List
Subject: Re: Capturing User Passwords

You could modify the FormAuthenticator class and have it cache the
password. I believe it's in the org.apache.catalina.authenticator
package of the tomcat source. I did something similar to provide
programmatic login, although I've somewhat abandoned that project. It's
available at http://palpatine.infinitedata.net/~loucks/projects/pfa/

<Context ...>
  <Valve className="com.company.MyPasswordCachingFormAuthenticator"/>
</Context>

Perry, Greg (UK - London) wrote:

Thanks - but I did try using single sign-on and got that working 
correctly with trial applications.

However, I need to explicitly supply the password in the call to my 
second application.

Again, any help would be greatly appreciated. 


-Original Message-
From: Giuseppe Briotti [mailto:[EMAIL PROTECTED]
Sent: 28 September 2005 14:45
To: Tomcat Users List
Subject: Re: Capturing User Passwords


  

==
Date: Wed, 28 Sep 2005 14:29:04 +0100
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Subject: Capturing User Passwords
==



I am trying to find a way of capturing a user's password so that I can

have the user login to one of my web applications (which acts as a 
client), and pass it to a second application (which acts as the 
server).





It sounds like you are trying to implement a Single sign on... 
--

Giuseppe Briotti
[EMAIL PROTECTED]

Alme Sol, curru nitido diem qui
promis et celas aliusque et idem
nasceris, possis nihil urbe Roma
visere maius.
(Orazio)








RE: Capturing User Passwords

2005-09-29 Thread Perry, Greg (UK - London)
Hi Stephen,
 
Aaron posted the link (Thanks Aaron!) - so I guess your request is best 
directed to him. 
 
Cheers,
  Greg

-Original Message- 
From: Bovy, Stephen J [mailto:[EMAIL PROTECTED] 
Sent: Thu 29/09/2005 19:53 
To: Tomcat Users List 
Cc: 
Subject: RE: Capturing User Passwords



Hi Greg, thanks for the link.

Your download does not have any source (can you share it??)


Stephen Bovy
Computer Associates
6100 Center Drive
Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]
-Original Message-
From: Aaron Loucks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 4:43 PM
To: Tomcat Users List
Subject: Re: Capturing User Passwords

You could modify the FormAuthenticator class and have it cache the
password. I believe it's in the org.apache.catalina.authenticator
package of the tomcat source. I did something similar to provide
programmatic login, although I've somewhat abandoned that project. It's
available at http://palpatine.infinitedata.net/~loucks/projects/pfa/

<Context ...>
  <Valve className="com.company.MyPasswordCachingFormAuthenticator"/>
</Context>

Perry, Greg (UK - London) wrote:

Thanks - but I did try using single sign-on and got that working
correctly with trial applications.

However, I need to explicitly supply the password in the call to my
second application.

Again, any help would be greatly appreciated.


-Original Message-
From: Giuseppe Briotti [mailto:[EMAIL PROTECTED]
Sent: 28 September 2005 14:45
To: Tomcat Users List
Subject: Re: Capturing User Passwords


 

==
Date: Wed, 28 Sep 2005 14:29:04 +0100
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Subject: Capturing User Passwords
==



I am trying to find a way of capturing a user's password so that I can

have the user login to one of my web applications (which acts as a
client), and pass it to a second application (which acts as the
server).


   


It sounds like you are trying to implement a Single sign on...
--

Giuseppe Briotti
[EMAIL PROTECTED]

Alme Sol, curru nitido diem qui
promis et celas aliusque et idem
nasceris, possis nihil urbe Roma
visere maius.
(Orazio)






RE: Capturing User Passwords

2005-09-29 Thread Bovy, Stephen J
Woops, sorry I misread 


Stephen Bovy
Computer Associates
6100 Center Drive
Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]
-Original Message-
From: Perry, Greg (UK - London) [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 29, 2005 11:58 AM
To: Tomcat Users List
Subject: RE: Capturing User Passwords

Hi Stephen,
 
Aaron posted the link (Thanks Aaron!) - so I guess your request is best
directed to him. 
 
Cheers,
  Greg

-Original Message- 
From: Bovy, Stephen J [mailto:[EMAIL PROTECTED] 
Sent: Thu 29/09/2005 19:53 
To: Tomcat Users List 
Cc: 
Subject: RE: Capturing User Passwords



Hi Greg, thanks for the link.

Your download does not have any source (can you share it??)



Stephen Bovy
Computer Associates
6100 Center Drive
Suite 700
Los Angeles, CA 90045
Tel: (310) 957-3930
Fax: (310) 957-3917
e-mail: [EMAIL PROTECTED]
-Original Message-
From: Aaron Loucks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 28, 2005 4:43 PM
To: Tomcat Users List
Subject: Re: Capturing User Passwords

You could modify the FormAuthenticator class and have it cache the
password. I believe it's in the org.apache.catalina.authenticator
package of the tomcat source. I did something similar to provide
programmatic login, although I've somewhat abandoned that project. It's
available at http://palpatine.infinitedata.net/~loucks/projects/pfa/

<Context ...>
  <Valve className="com.company.MyPasswordCachingFormAuthenticator"/>
</Context>

Perry, Greg (UK - London) wrote:

Thanks - but I did try using single sign-on and got that working
correctly with trial applications.

However, I need to explicitly supply the password in the call to my
second application.

Again, any help would be greatly appreciated.


-Original Message-
From: Giuseppe Briotti [mailto:[EMAIL PROTECTED]
Sent: 28 September 2005 14:45
To: Tomcat Users List
Subject: Re: Capturing User Passwords


 

==
Date: Wed, 28 Sep 2005 14:29:04 +0100
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Subject: Capturing User Passwords
==



I am trying to find a way of capturing a user's password so that I can
have the user login to one of my web applications (which acts as a
client), and pass it to a second application (which acts as the
server).


   


It sounds like you are trying to implement a Single sign on...
--

Giuseppe Briotti
[EMAIL PROTECTED]

Alme Sol, curru nitido diem qui
promis et celas aliusque et idem
nasceris, possis nihil urbe Roma
visere maius.
(Orazio)







Capturing User Passwords

2005-09-28 Thread [EMAIL PROTECTED]
I am trying to find a way of capturing a user's password so that I can have the user login
to one of my web applications (which acts as a client), and pass it to a second application (which
acts as the server).
I know that I can retrieve the user from the ServletRequest using req.getUserPrincipal().
However, I do not know how I can retrieve the password.
Can anyone offer any advice on whether this can be done and if so, the best way of doing it?
[ I did attempt to use forms-based authentication and use a filter to capture the password
whenever the j_security_check action was invoked. However, I read in another post that Tomcat does
not allow filters to be placed on j_security_check. ]
Once I have the password, I'd ideally be looking at converting it to a Credentials object, so
that I could pass that to my second app, rather than passing the raw password. Does anyone know
whether this can be achieved by using Tomcat's UserPasswordCredentials class?
Also, to prevent the password being exposed in the URL posted from the login page, I'd also be
looking to implement SSL. I presume that this will cause encryption problems. Does anyone have any
advice about how I could work around this?


Re: Capturing User Passwords

2005-09-28 Thread Giuseppe Briotti
 ==
 Date: Wed, 28 Sep 2005 14:29:04 +0100
 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 To: tomcat-user@jakarta.apache.org
 Subject: Capturing User Passwords
 ==
 
 
 
 I am trying to find a way of capturing a user's password so that 
 I can have the user login to one of my web applications (which 
 acts as a client), and pass it to a second application (which 
 acts as the server).
 


It sounds like you are trying to implement a Single sign on... 
--

Giuseppe Briotti
[EMAIL PROTECTED]

Alme Sol, curru nitido diem qui 
promis et celas aliusque et idem 
nasceris, possis nihil urbe Roma 
visere maius.
(Orazio)








RE: Capturing User Passwords

2005-09-28 Thread Perry, Greg (UK - London)
Thanks - but I did try using single sign-on and got that working
correctly with trial applications. 

However, I need to explicitly supply the password in the call to my
second application.

Again, any help would be greatly appreciated. 


-Original Message-
From: Giuseppe Briotti [mailto:[EMAIL PROTECTED] 
Sent: 28 September 2005 14:45
To: Tomcat Users List
Subject: Re: Capturing User Passwords


 ==
 Date: Wed, 28 Sep 2005 14:29:04 +0100
 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 To: tomcat-user@jakarta.apache.org
 Subject: Capturing User Passwords
 ==
 
 
 
 I am trying to find a way of capturing a user's password so that 
 I can have the user login to one of my web applications (which 
 acts as a client), and pass it to a second application (which 
 acts as the server).
 


It sounds like you are trying to implement a Single sign on... 
--

Giuseppe Briotti
[EMAIL PROTECTED]

Alme Sol, curru nitido diem qui 
promis et celas aliusque et idem 
nasceris, possis nihil urbe Roma 
visere maius.
(Orazio)








Re: Capturing User Passwords

2005-09-28 Thread Aaron Loucks
You could modify the FormAuthenticator class and have it cache the 
password. I believe it's in the org.apache.catalina.authenticator 
package of the tomcat source. I did something similar to provide 
programmatic login, although I've somewhat abandoned that project. It's 
available at http://palpatine.infinitedata.net/~loucks/projects/pfa/


<Context ...>
  <Valve className="com.company.MyPasswordCachingFormAuthenticator"/>
</Context>

Perry, Greg (UK - London) wrote:


Thanks - but I did try using single sign-on and got that working
correctly with trial applications. 


However, I need to explicitly supply the password in the call to my
second application.

Again, any help would be greatly appreciated. 



-Original Message-
From: Giuseppe Briotti [mailto:[EMAIL PROTECTED] 
Sent: 28 September 2005 14:45

To: Tomcat Users List
Subject: Re: Capturing User Passwords


 


==
Date: Wed, 28 Sep 2005 14:29:04 +0100
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Subject: Capturing User Passwords
==



I am trying to find a way of capturing a user's password so that 
I can have the user login to one of my web applications (which 
acts as a client), and pass it to a second application (which 
acts as the server).



   



It sounds like you are trying to implement a Single sign on... 
--


Giuseppe Briotti
[EMAIL PROTECTED]

Alme Sol, curru nitido diem qui 
promis et celas aliusque et idem 
nasceris, possis nihil urbe Roma 
visere maius.

   (Orazio)








Re: Capturing User Passwords

2005-09-28 Thread Larry Meadors
Here is the code (this is for tomcat 4.1.x):

   if(log.isDebugEnabled()){
       Principal principal = req.getUserPrincipal();
       PropertyDescriptor[] pds;
       pds = PropertyUtils.getPropertyDescriptors(principal.getClass());
       for(int i = 0; i < pds.length; i++){
           try {
               String name = pds[i].getName();
               Object value = PropertyUtils.getProperty(principal, name);
               log.debug("pds." + name + " = " + value);
           } catch (Exception e) {
               e.printStackTrace();
           }
       }
   }

Larry


On 9/28/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



 I am trying to find a way of capturing a user's password so that I can have
 the user login to one of my web applications (which acts as a client), and
 pass it to a second application (which acts as the server).

 I know that I can retrieve the user from the ServletRequest using
 req.getUserPrincipal(). However, I do not know how I can retrieve the
 password.

 Can anyone offer any advice on whether this can be done and if so, the best
 way of doing it?

 [ I did attempt to use forms-based authentication and use a filter to
 capture the password whenever the j_security_check action was invoked.
 However, I read in another post that Tomcat does not allow filters to be
 placed on j_security_check. ]

 Once I have the password, I'd ideally be looking at converting it to a
 Credentials object, so that I could pass that to my second app, rather than
 passing the raw password. Does anyone know whether this can be achieved by
 using Tomcat's UserPasswordCredentials class?

 Also, to prevent the password being exposed in the URL posted from the login
 page, I'd also be looking to implement SSL. I presume that this will cause
 encryption problems. Does anyone have any advice about how I could work
 around this?
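
An added example, not part of the original thread: the snippet above prints every readable bean property of the principal, which is how it answers the original question, and at debug level that puts the password into the log file in clear text. The variant below keeps the property dump but masks credential-like properties without calling their getters; it uses `java.beans.Introspector` in place of Commons BeanUtils so it runs with the JDK alone, and `PrincipalDump`, `DemoPrincipal`, the `SENSITIVE` fragment list and the sample values are assumptions made for the example.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class PrincipalDump {

    // Assumed list of name fragments that mark a property as credential-bearing.
    private static final Set<String> SENSITIVE = new HashSet<>(
            Arrays.asList("password", "passwd", "credential", "secret", "token"));

    static boolean isSensitive(String propertyName) {
        String lower = propertyName.toLowerCase(Locale.ROOT);
        for (String fragment : SENSITIVE) {
            if (lower.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /** Reads each readable bean property of the principal, masking sensitive ones. */
    static Map<String, String> describe(Principal principal) throws Exception {
        Map<String, String> out = new TreeMap<>();
        // Stop at Object so the synthetic "class" property is not listed.
        BeanInfo info = Introspector.getBeanInfo(principal.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method getter = pd.getReadMethod();
            if (getter == null) {
                continue; // write-only property, nothing to read
            }
            if (isSensitive(pd.getName())) {
                // The getter is never invoked, so the value never reaches a String.
                out.put(pd.getName(), "[REDACTED]");
                continue;
            }
            Object value = getter.invoke(principal);
            out.put(pd.getName(), value instanceof Object[]
                    ? Arrays.toString((Object[]) value)
                    : String.valueOf(value));
        }
        return out;
    }

    // Constructed stand-in for a container principal that retains the password.
    public static class DemoPrincipal implements Principal {
        public String getName() { return "alice"; }
        public String getPassword() { return "constructed-sample-value"; }
        public String[] getRoles() { return new String[] {"user"}; }
    }

    public static void main(String[] args) throws Exception {
        // Same output shape as the thread's log.debug line, minus the secret.
        for (Map.Entry<String, String> e : describe(new DemoPrincipal()).entrySet()) {
            System.out.println("pds." + e.getKey() + " = " + e.getValue());
        }
    }
}
```

Run against `DemoPrincipal`, the dump lists `name`, `password` and `roles`, with `password` shown as `[REDACTED]`.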

