Ok, I merged with the latest from CVS, and have tested on WebLogic 7 and Tomcat.
Jason

-----Original Message-----
From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 5:53 PM
To: 'Cactus Users List'
Subject: RE: Form Authentication

Hmmm, I've gotten it to work, but there is some strange behavior.

I found an additional post saying you "can't" go directly to the login page or j_security_check because then Tomcat wouldn't know where to send you once you've authenticated. Therefore you _must_ go to a restricted resource first, so that once authenticated you can be redirected there. I understand the point, but would it really be that horrible to redirect to the defined welcome-page in lieu of a known location? That seems like a quite reasonable thing to do. But, that's not what it does.

So I now get the servlet redirector and go there first, on the assumption that it is a restricted resource (which it must be for any of this to work). Vincent - is this safe? I'm thinking not because what if the person is writing a JSP Redirector-only test case and they want to use form authentication? Can they? I've never done a JSP Redirector before.

Once I get back the JSESSIONID from that request, I cache it, then log in. There is something strange with the 302, however. I get back this Location header:

Location: http://localhost/simple-form-login/secure/ServletRedirector

I'm using the stock Tomcat, so notice the fact that the port (:8080) is not present in this redirect. Thus, my compare to my original request fails. Is this a bug in Tomcat? How does my browser work (which it does)?

So, for now, I've commented out the check and it all works. On WebLogic, too.

I've attached my code that works which is a mod of the last code I sent in (i.e. not a mod of the latest in CVS). I hate to do it to ya Vincent, but I don't have CVS access from here at work, so if you want to merge my changes into your version you can (it's not much), or you can wait about 5 hours and I can do it when I get home... :)

Jason

-----Original Message-----
From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 4:59 PM
To: 'Vincent Massol'; 'Cactus Users List'
Subject: RE: Form Authentication

Yeah, I'm working on it in between meetings :), it seems like it's a Tomcat "feature". This is what is returned from tomcat when I try to go directly to j_security_check:

HTTP Status 400 - Invalid direct reference to form login page
Status report
message: Invalid direct reference to form login page
description: The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).

I read one web page that said you get this when you try to go directly to the login page (as opposed to going to a restricted resource first), and to me that seems like a bug but I didn't really find anything that said it was or should be a bug.

I'm going to experiment, perhaps if I have the JSESSIONID when I go to the j_security_check page it'll be happy. I'll try to go to the ServletRedirector first, get a JSESSIONID, then log in. We'll see.

I'll pass on info as I find it...

Jason

-----Original Message-----
From: Vincent Massol [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 4:45 PM
To: 'Cactus Users List'
Cc: 'Robertson, Jason'
Subject: RE: Form Authentication

Ok, we now have more info. The error you're getting in the stack trace is:

"Unable to login, probably due to bad username/password. Received a [400] response code andwas expecting a [302]"

This means that the URL used to login is not correct (400 - bad request). The default URL used is: cactus.contextURL + "j_security_check". Maybe this is not correct. I can't help you more here as I don't know enough about form-based authentication. I'll have to read up on that.

Jason, any idea?
Thanks
-Vincent

> -----Original Message-----
> From: Qingxian Wang [mailto:[EMAIL PROTECTED]]
> Sent: 16 September 2002 17:47
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
>
> I have tried the 1.5dev. I still cannot run the authenticate test. The
> username, password and the role are set in tomcat-user.xml. My code is
> like this:
>
> import junit.framework.Test;
> import junit.framework.TestSuite;
> import org.apache.cactus.ServletTestCase;
> import org.apache.cactus.WebRequest;
> import org.apache.cactus.client.authentication.FormAuthentication;
>
> public class CactusTest_WebDeployerActionServlet extends ServletTestCase {
>
>     public CactusTest_WebDeployerActionServlet(String strName) {
>         super(strName);
>     }
>
>     /**
>      * Start the tests.
>      *
>      * @param theArgs the arguments. Not used
>      */
>     public static void main(String[] theArgs)
>     {
>         junit.textui.TestRunner.main(new String[]{
>             CactusTest_WebDeployerActionServlet.class.getName()});
>     }
>
>     /**
>      * @return a test suite (<code>TestSuite</code>) that includes all
>      *         methods starting with "test"
>      */
>     public static Test suite()
>     {
>         // All methods starting with "test" will be executed in the test suite.
>         return new TestSuite(CactusTest_WebDeployerActionServlet.class);
>     }
>
>     // Runs on the client side: route the request through the secured
>     // redirector and attach form-based credentials.
>     public void beginFormAuthentication(WebRequest theRequest)
>     {
>         theRequest.setRedirectorName("ServletRedirectorSecure");
>         theRequest.setAuthentication(new FormAuthentication("sun", "sunsys"));
>     }
>
>     // Runs on the server side: the container must have authenticated "sun".
>     public void testFormAuthentication()
>     {
>         assertEquals("sun", request.getUserPrincipal().getName());
>         assertEquals("sun", request.getRemoteUser());
>         assertTrue("User not in 'everyone' role",
>             request.isUserInRole("everyone"));
>     }
>
> }
>
> The following are the error messages:
>
> 1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)org.apache.cactus.util.ChainedRuntimeException: Failed to authenticate the principal
>     at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):297)
>     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
>     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
>     at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
>     at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
>     at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>     at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
>     at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
>     at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>     at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
>     at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
>     at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
>     at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
>     at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
>     at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> org.apache.cactus.util.ChainedRuntimeException: Unable to login, probably due to bad username/password. Received a [400] response code andwas expecting a [302]
>     at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):259)
>     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
>     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
>     at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
>     at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
>     at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>     at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
>     at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
>     at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>     at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
>     at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
>     at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
>     at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
>     at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
>     at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
>
> Qingxian
>
> -----Original Message-----
> From: Vincent Massol [mailto:[EMAIL PROTECTED]]
> Sent: 16 September 2002 15:47
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
>
> Hi Qingxian,
>
> Can you try with the latest Cactus version (1.5dev) from CVS. I have
> committed Jason's code in CVS yesterday and I have added some more
> debugging information that could help.
>
> You can get the nightly distribution of yesterday here:
>
> http://jakarta.apache.org/builds/jakarta-cactus/nightly/2002-09-16/
>
> Thanks
> -Vincent
>
> > -----Original Message-----
> > From: Qingxian Wang [mailto:[EMAIL PROTECTED]]
> > Sent: 16 September 2002 11:24
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > I have tried to use FormAuthentication class with the Cactus 1.4.1. I got
> > the following error although I have set up the correct username and
> > password:
> >
> > 1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)java.lang.IllegalStateException: class java.lang.IllegalArgumentException: Unable to login, probably due to bad username/password. [Bad Response Code]
> >     at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:193)
> >     at org.apache.cactus.client.authentication.FormAuthentication.dispatch9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:47)
> >     at org.apache.cactus.client.authentication.FormAuthentication.around9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1156)
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:43)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.dispatch26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:116)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.around26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:106)
> >     at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:186)
> >     at org.apache.cactus.client.AbstractHttpClient.dispatch2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:109)
> >     at org.apache.cactus.client.AbstractHttpClient.around2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> >     at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:104)
> >     at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:260)
> >     at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
> >     at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:195)
> >     at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
> >     at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> >
> > Any idea?
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Qingxian Wang
> > Sent: 16 September 2002 10:58
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > I have tried to use the FormAuthentication class with the
> > CactusStrutsTestCase of the Struts test case framework. My test case has
> > a problem finding the user name and password. I got an
> > IllegalArgumentException thrown from the FormAuthentication class. I will
> > try to use the Cactus directly, i.e. ServletTestCase class.
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Vincent Massol [mailto:[EMAIL PROTECTED]]
> > Sent: 15 September 2002 22:19
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > Thanks Jason! I've committed your code (modified slightly to add missing
> > javadoc, and the checkstyle violations ... :)).
> >
> > I don't have any answer to your questions below. What we now need to do
> > is:
> >
> > 1- write a test case for it
> > 2- try it on several application servers
> > 3- add web site documentation to explain how to use it
> >
> > I guess 1 and 2 will give us the answers to your questions...
> >
> > Thanks again
> > -Vincent
> >
> > > -----Original Message-----
> > > From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> > > Sent: 12 September 2002 23:04
> > > To: 'Cactus Users List'
> > > Subject: RE: Form Authentication
> > >
> > > Ok, attached is a slightly updated file with some comments and such.
> > >
> > > The basic premise is:
> > > 1. Is JSESSIONID non-null? If yes, stick it into a cookie and we're done.
> > > 2. If it's null, authenticate.
> > > 3. To authenticate, connect to ${ContextURL}/j_security_check with the
> > >    username/password. This _should_ authenticate you.
> > > 4. Cache the returned JSESSIONID.
> > > 5. To verify we were authenticated, check a combination of the response
> > >    code and maybe redirect location. See question below.
> > >
> > > A TestCase could create a new FormAuthentication object for each test, or
> > > could have a static one in the TestCase that will get initialized once and
> > > reused. The latter would provide quicker testcases at the expense of
> > > keeping state between test cases, which is a philosophical expense at best.
> > > The cool thing is in this case, though, that even if a single test case is
> > > run in the middle of the sequence it will still work. It doesn't really
> > > rely on the TestCase before it (the authentication will just happen when
> > > needed), so it may not really violate any of the unit test philosophy.
> > >
> > > Only a couple questions:
> > >
> > > 1. Will all app servers send a 302 response with the location being the
> > > ContextURL after a successful login? WebLogic does, and that's my only
> > > source right now. What about on an unsuccessful login? WebLogic returns a
> > > 200 and the content is that of the login page, but I think it would be
> > > acceptable to return a 302 with a Location of the login page. I think my
> > > code will work with both, but testing will be the only proof.
> > >
> > > 2. Do I need the setSecurityCheck method? Or will
> > > ${ContextURL}/j_security_check always work? It's really a safety net, but
> > > it might be unnecessary.
> > >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: Erik Hatcher [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, September 12, 2002 9:17 AM
> > > To: Cactus Users List
> > > Subject: Re: Form Authentication
> > >
> > > Wow, just in the nick of time too! I haven't looked at your code, but
> > > this is exactly what we need as well.
> > >
> > > I look forward to the Cactus committers having a look at this to see if
> > > it fits in and getting it committed! :)
> > >
> > > Thanks Jason!
> > >
> > > Erik
> > >
> > > Robertson, Jason wrote:
> > > > Here's a FormAuthentication implementation that doesn't need any rework
> > > > of the standard flow. The only modification needed to make this compile
> > > > is to make the base class AbstractAuthentication's member variables
> > > > 'theName' and 'thePassword' protected instead of private.
> > > >
> > > > This is a first pass. It's short on comments, and has some debugging
> > > > code temporarily commented out, but it works. At least for me, on
> > > > WebLogic 7.0. :)
> > > >
> > > > I'll comment it and express some minor concerns especially with regards
> > > > to various app servers in the coming days, but I thought I'd throw this
> > > > out now.
> > > >
> > > > I tried to include a sample ear that has a basic example, but the war's
> > > > lib directory is too big and it bounced. So I've included the project,
> > > > just adjust the jar file properties in build.xml to make it all work.
> > > >
> > > > Jason
FormAuthentication.java
Description: Binary data
-- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
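
The login sequence worked out in this thread, as an added example that is not part of the original messages or of the Cactus code base: request a restricted resource first, post the credentials to j_security_check with the session cookie, then check the 302. The stub container, the /app context path, the session value and the path-only Location comparison are assumptions made for the illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;

public class FormLoginFlow {
    static final String PROTECTED = "/secure/ServletRedirector";
    // Constructed stand-in for the container: a direct request to j_security_check gets a 400,
    // and the post-login redirect omits the port, as described in the thread.
    static HttpServer stubContainer() throws Exception {
        HttpServer s = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
        boolean[] resourceRequested = {false};
        s.createContext("/app" + PROTECTED, ex -> {
            resourceRequested[0] = true;
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=CONSTRUCTED123; Path=/app");
            ex.sendResponseHeaders(200, -1); // a real container would send the login form here
            ex.close();
        });
        s.createContext("/app/j_security_check", ex -> {
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            boolean ok = resourceRequested[0]
                    && "JSESSIONID=CONSTRUCTED123".equals(ex.getRequestHeaders().getFirst("Cookie"))
                    && body.equals("j_username=sun&j_password=sunsys");
            if (ok) ex.getResponseHeaders().add("Location", "http://localhost/app" + PROTECTED);
            ex.sendResponseHeaders(ok ? 302 : 400, -1);
            ex.close();
        });
        s.start();
        return s;
    }

    static HttpURLConnection open(String url, String cookie) throws Exception {
        HttpURLConnection c = (HttpURLConnection) URI.create(url).toURL().openConnection();
        c.setInstanceFollowRedirects(false); // the 302 itself is what gets inspected
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        return c;
    }

    static boolean login(String contextUrl, String user, String pass) throws Exception {
        // 1. Request the restricted resource first and keep the session cookie it sets.
        String setCookie = open(contextUrl + PROTECTED, null).getHeaderField("Set-Cookie");
        if (setCookie == null) return false;
        String session = setCookie.split(";", 2)[0]; // "JSESSIONID=..."
        // 2. Post the credentials to j_security_check inside that session.
        HttpURLConnection post = open(contextUrl + "/j_security_check", session);
        post.setDoOutput(true); // sending a body makes this a POST
        String form = "j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
        try (OutputStream out = post.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        // 3. Success is a 302 back to the resource. Only the paths are compared (an assumption
        //    of this example), because the Location in the thread came back without the port.
        String location = post.getHeaderField("Location");
        return post.getResponseCode() == 302 && location != null
                && URI.create(location).getPath().equals(URI.create(contextUrl + PROTECTED).getPath());
    }

    public static void main(String[] args) throws Exception {
        HttpServer s = stubContainer();
        String ctx = "http://localhost:" + s.getAddress().getPort() + "/app";
        int direct = open(ctx + "/j_security_check", null).getResponseCode();
        System.out.println("direct j_security_check -> " + direct);
        System.out.println("login via restricted resource -> " + login(ctx, "sun", "sunsys"));
        s.stop(0);
    }
}
```

Comparing only the path tolerates the missing port but also accepts a redirect to another host, so a stricter client would compare the host name as well.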
