Applied.

Thanks
-Vincent

PS: In the future, could you please provide a unified diff (diff -u).
That helps when applying patches.

> -----Original Message-----
> From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> Sent: 17 September 2002 14:55
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
>
> Ok, I merged with the latest from CVS, and have tested on WebLogic 7
> and Tomcat.
>
> Jason
>
> -----Original Message-----
> From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 16, 2002 5:53 PM
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
>
> Hmmm, I've gotten it to work, but there is some strange behavior.
>
> I found an additional post saying you "can't" go directly to the login
> page or j_security_check because then Tomcat wouldn't know where to
> send you once you've authenticated. Therefore you _must_ go to a
> restricted resource first, so that once authenticated you can be
> redirected there. I understand the point, but would it really be that
> horrible to redirect to the defined welcome-page in lieu of a known
> location? That seems like a quite reasonable thing to do.
>
> But, that's not what it does.
>
> So I now get the servlet redirector and go there first, on the
> assumption that it is a restricted resource (which it must be for any
> of this to work).
>
> Vincent - is this safe? I'm thinking not because what if the person is
> writing a JSP Redirector-only test case and they want to use form
> authentication? Can they? I've never done a JSP Redirector before.
>
> Once I get back the JSESSIONID from that request, I cache it, then log
> in. There is something strange with the 302, however. I get back this
> Location header:
>
> Location: http://localhost/simple-form-login/secure/ServletRedirector
>
> I'm using the stock Tomcat, so notice the fact that the port (:8080) is
> not present in this redirect. Thus, my compare to my original request
> fails. Is this a bug in Tomcat? How does my browser work (which it
> does)?
>
> So, for now, I've commented out the check and it all works. On
> WebLogic, too.
>
> I've attached my code that works which is a mod of the last code I sent
> in (i.e. not a mod of the latest in CVS). I hate to do it to ya
> Vincent, but I don't have CVS access from here at work, so if you want
> to merge my changes into your version you can (it's not much), or you
> can wait about 5 hours and I can do it when I get home... :)
>
> Jason
>
> -----Original Message-----
> From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 16, 2002 4:59 PM
> To: 'Vincent Massol'; 'Cactus Users List'
> Subject: RE: Form Authentication
>
> Yeah, I'm working on it in between meetings :), it seems like it's a
> Tomcat "feature".
>
> This is what is returned from tomcat when I try to go directly to
> j_security_check:
>
> HTTP Status 400 - Invalid direct reference to form login page
> Status report
> message: Invalid direct reference to form login page
> description: The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
>
> I read one web page that said you get this when you try to go directly
> to the login page (as opposed to going to a restricted resource first),
> and to me that seems like a bug but I didn't really find anything that
> said it was or should be a bug.
>
> I'm going to experiment, perhaps if I have the JSESSIONID when I go to
> the j_security_check page it'll be happy. I'll try to go to the
> ServletRedirector first, get a JSESSIONID, then log in. We'll see.
>
> I'll pass on info as I find it...
>
> Jason
>
> -----Original Message-----
> From: Vincent Massol [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 16, 2002 4:45 PM
> To: 'Cactus Users List'
> Cc: 'Robertson, Jason'
> Subject: RE: Form Authentication
>
> Ok, we now have more info.
> The error you're getting in the stack trace is:
>
> "Unable to login, probably due to bad username/password. Received a
> [400] response code andwas expecting a [302]"
>
> This means that the URL used to login is not correct (400 - bad
> request). The default URL used is: cactus.contextURL +
> "j_security_check". Maybe this is not correct.
>
> I can't help you more here as I don't know enough about form-based
> authentication. I'll have to read up on that.
>
> Jason, any idea?
> Thanks
> -Vincent
>
> > -----Original Message-----
> > From: Qingxian Wang [mailto:[EMAIL PROTECTED]]
> > Sent: 16 September 2002 17:47
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > I have tried the 1.5dev. I still cannot run the authenticate test.
> > The username, password and the role are set in tomcat-user.xml. My
> > code is like this:
> >
> > public class CactusTest_WebDeployerActionServlet extends ServletTestCase {
> >
> >     public CactusTest_WebDeployerActionServlet(String strName) {
> >         super(strName);
> >     }
> >
> >     /**
> >      * Start the tests.
> >      *
> >      * @param theArgs the arguments. Not used
> >      */
> >     public static void main(String[] theArgs)
> >     {
> >         junit.textui.TestRunner.main(new String[]{
> >             CactusTest_WebDeployerActionServlet.class.getName()});
> >     }
> >
> >     /**
> >      * @return a test suite (<code>TestSuite</code>) that includes all
> >      *         methods starting with "test"
> >      */
> >     public static Test suite()
> >     {
> >         // All methods starting with "test" will be executed in the test suite.
> >         return new TestSuite(CactusTest_WebDeployerActionServlet.class);
> >     }
> >
> >     public void beginFormAuthentication(WebRequest theRequest)
> >     {
> >         theRequest.setRedirectorName("ServletRedirectorSecure");
> >         theRequest.setAuthentication(new FormAuthentication("sun", "sunsys"));
> >     }
> >
> >     public void testFormAuthentication()
> >     {
> >         assertEquals("sun", request.getUserPrincipal().getName());
> >         assertEquals("sun", request.getRemoteUser());
> >         assertTrue("User not in 'everyone' role",
> >             request.isUserInRole("everyone"));
> >     }
> >
> > }
> >
> > The following are the error messages:
> >
> > 1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)org.apache.cactus.util.ChainedRuntimeException: Failed to authenticate the principal
> >     at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):297)
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
> >     at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
> >     at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
> >     at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
> >     at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
> >     at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
> >     at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
> >     at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
> >     at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
> >     at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> > org.apache.cactus.util.ChainedRuntimeException: Unable to login, probably due to bad username/password. Received a [400] response code andwas expecting a [302]
> >     at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):259)
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
> >     at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
> >     at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
> >     at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
> >     at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
> >     at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
> >     at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
> >     at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
> >     at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
> >     at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
> >     at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
> >     at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Vincent Massol [mailto:[EMAIL PROTECTED]]
> > Sent: 16 September 2002 15:47
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > Hi Qingxian,
> >
> > Can you try with the latest Cactus version (1.5dev) from CVS. I have
> > committed Jason's code in CVS yesterday and I have added some more
> > debugging information that could help.
> >
> > You can get the nightly distribution of yesterday here:
> >
> > http://jakarta.apache.org/builds/jakarta-cactus/nightly/2002-09-16/
> >
> > Thanks
> > -Vincent
> >
> > > -----Original Message-----
> > > From: Qingxian Wang [mailto:[EMAIL PROTECTED]]
> > > Sent: 16 September 2002 11:24
> > > To: 'Cactus Users List'
> > > Subject: RE: Form Authentication
> > >
> > > I have tried to use FormAuthentication class with the Cactus 1.4.1.
> > > I got the following error although I have set up the correct
> > > username and password:
> > >
> > > 1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)java.lang.IllegalStateException: class java.lang.IllegalArgumentException: Unable to login, probably due to bad username/password. [Bad Response Code]
> > >     at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:193)
> > >     at org.apache.cactus.client.authentication.FormAuthentication.dispatch9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:47)
> > >     at org.apache.cactus.client.authentication.FormAuthentication.around9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1156)
> > >     at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:43)
> > >     at org.apache.cactus.client.HttpClientConnectionHelper.dispatch26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:116)
> > >     at org.apache.cactus.client.HttpClientConnectionHelper.around26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> > >     at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:106)
> > >     at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:186)
> > >     at org.apache.cactus.client.AbstractHttpClient.dispatch2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:109)
> > >     at org.apache.cactus.client.AbstractHttpClient.around2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> > >     at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:104)
> > >     at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:260)
> > >     at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
> > >     at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:195)
> > >     at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
> > >     at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> > >
> > > Any idea?
> > >
> > > Qingxian
> > >
> > > -----Original Message-----
> > > From: Qingxian Wang
> > > Sent: 16 September 2002 10:58
> > > To: 'Cactus Users List'
> > > Subject: RE: Form Authentication
> > >
> > > I have tried to use the FormAuthentication class with the
> > > CactusStrutsTestCase of the Struts test case framework. My test
> > > case has problem to find the user name and password. I got an
> > > IllegalArgumentException thrown from the FormAuthentication class.
> > > I will try to use the Cactus directly, i.e. ServletTestCase class.
> > >
> > > Qingxian
> > >
> > > -----Original Message-----
> > > From: Vincent Massol [mailto:[EMAIL PROTECTED]]
> > > Sent: 15 September 2002 22:19
> > > To: 'Cactus Users List'
> > > Subject: RE: Form Authentication
> > >
> > > Thanks Jason! I've committed your code (modified slightly to add
> > > missing javadoc, and the checkstyle violations ... :)).
> > >
> > > I don't have any answer to your questions below. What we now need
> > > to do is:
> > >
> > > 1- write a test case for it
> > > 2- try it on several application servers
> > > 3- add web site documentation to explain how to use it
> > >
> > > I guess 1 and 2 will give us the answers to your questions...
> > >
> > > Thanks again
> > > -Vincent
> > >
> > > > -----Original Message-----
> > > > From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> > > > Sent: 12 September 2002 23:04
> > > > To: 'Cactus Users List'
> > > > Subject: RE: Form Authentication
> > > >
> > > > Ok, attached is a slightly updated file with some comments and
> > > > such.
> > > >
> > > > The basic premise is:
> > > > 1. Is JSESSIONID non-null? If yes, stick it into a cookie and
> > > >    we're done.
> > > > 2. If it's null, authenticate.
> > > > 3. To authenticate, connect to ${ContextURL}/j_security_check
> > > >    with the username/password. This _should_ authenticate you.
> > > > 4. Cache the returned JSESSIONID.
> > > > 5. To verify we were authenticated, check a combination of the
> > > >    response code and maybe redirect location. See question below.
> > > >
> > > > A TestCase could create a new FormAuthentication object for each
> > > > test, or could have a static one in the TestCase that will get
> > > > initialized once and reused. The latter would provide quicker
> > > > testcases at the expense of keeping state between test cases,
> > > > which is a philosophical expense at best. The cool thing is in
> > > > this case, though, that even if a single test case is run in the
> > > > middle of the sequence it will still work. It doesn't really rely
> > > > on the TestCase before it (the authentication will just happen
> > > > when needed), so it may not really violate any of the unit test
> > > > philosophy.
> > > >
> > > > Only a couple questions:
> > > >
> > > > 1. Will all app servers send a 302 response with the location
> > > > being the ContextURL after a successful login? WebLogic does, and
> > > > that's my only source right now. What about on an unsuccessful
> > > > login? WebLogic returns a 200 and the content is that of the
> > > > login page, but I think it would be acceptable to return a 302
> > > > with a Location of the login page. I think my code will work with
> > > > both, but testing will be the only proof.
> > > >
> > > > 2. Do I need the setSecurityCheck method? Or will
> > > > ${ContextURL}/j_security_check always work? It's really a safety
> > > > net, but it might be unnecessary.
> > > >
> > > > Jason
> > > >
> > > > -----Original Message-----
> > > > From: Erik Hatcher [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, September 12, 2002 9:17 AM
> > > > To: Cactus Users List
> > > > Subject: Re: Form Authentication
> > > >
> > > > Wow, just in the nick of time too! I haven't looked at your code,
> > > > but this is exactly what we need as well.
> > > >
> > > > I look forward to the Cactus committers having a look at this to
> > > > see if it fits in and getting it committed! :)
> > > >
> > > > Thanks Jason!
> > > >
> > > > Erik
> > > >
> > > > Robertson, Jason wrote:
> > > > > Here's a FormAuthentication implementation that doesn't need
> > > > > any rework of the standard flow. The only modification needed
> > > > > to make this compile is to make the base class
> > > > > AbstractAuthentication's member variables 'theName' and
> > > > > 'thePassword' protected instead of private.
> > > > >
> > > > > This is a first pass. It's short on comments, and has some
> > > > > debugging code temporarily commented out, but it works. At
> > > > > least for me, on WebLogic 7.0. :)
> > > > >
> > > > > I'll comment it and express some minor concerns especially with
> > > > > regards to various app servers in the coming days, but I
> > > > > thought I'd throw this out now.
> > > > >
> > > > > I tried to include a sample ear that has a basic example, but
> > > > > the war's lib directory is too big and it bounced. So I've
> > > > > included the project, just adjust the jar file properties in
> > > > > build.xml to make it all work.
> > > > >
> > > > > Jason
> > > > >
> > > > > --
> > > > > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > > > > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> > >
> > > This e-mail and any files transmitted with it are confidential and
> > > intended solely for the use of the individual or entity to whom it
> > > is addressed. If you have received this e-mail in error you must
> > > not copy, distribute or take any action in reliance on it. Please
> > > notify the sender by e-mail or telephone.
> > > We utilise an anti-virus system and therefore any files sent via
> > > e-mail will have been checked for known viruses. You are however
> > > advised to run your own virus check before opening any attachments
> > > received as we will not in any event accept any liability
> > > whatsoever once an e-mail and/or any attachment is received. Any
> > > views expressed by an individual within this e-mail do not
> > > necessarily reflect the views of Systems Union Group plc or any of
> > > its subsidiary companies.
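The login sequence worked out in this thread (request a restricted resource first, keep the JSESSIONID, post to j_security_check, expect a 302), as an added example that is not Cactus code and was not posted to the list. The embedded stub server, its /app paths, the credentials and the class name FormLoginFlow are constructed for illustration; the stub only imitates the 400 and the port-less Location header reported above, and j_username/j_password are the standard form-login field names.

```java
import com.sun.net.httpserver.*;
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class FormLoginFlow {
    // State of the constructed stub container: session id -> saved restricted path.
    static final Map<String, String> SAVED = new java.util.concurrent.ConcurrentHashMap<>();

    static void reply(HttpExchange ex, int code, String body) throws IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(code, b.length);
        try (OutputStream os = ex.getResponseBody()) { os.write(b); }
    }

    // Stand-in for a container with FORM login; imitates the responses quoted in the thread.
    static HttpServer startStub() throws IOException {
        HttpServer s = HttpServer.create(new InetSocketAddress("localhost", 0), 0);
        s.createContext("/app/secure/", ex -> {
            String id = Long.toHexString(System.nanoTime());
            SAVED.put(id, ex.getRequestURI().getPath());   // where to send the user after login
            ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + id + "; Path=/app");
            reply(ex, 200, "login page");
        });
        s.createContext("/app/j_security_check", ex -> {
            String c = ex.getRequestHeaders().getFirst("Cookie");
            String target = c == null ? null : SAVED.get(c.replace("JSESSIONID=", ""));
            String form = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            if (target == null) { reply(ex, 400, "Invalid direct reference to form login page"); return; }
            if (!form.equals("j_username=tester&j_password=example-pw")) { reply(ex, 200, "login page"); return; }
            ex.getResponseHeaders().add("Location", "http://localhost" + target);   // port omitted, as reported
            reply(ex, 302, "redirect");
        });
        s.start();
        return s;
    }

    static HttpURLConnection open(String url, String cookie, String form) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false);               // the raw 302 is the success signal
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        if (form != null) {
            c.setRequestMethod("POST");
            c.setDoOutput(true);
            try (OutputStream os = c.getOutputStream()) { os.write(form.getBytes(StandardCharsets.UTF_8)); }
        }
        return c;
    }

    // Returns the authenticated session cookie, or throws if the login was not confirmed.
    static String login(String ctx, String restricted, String user, String pw) throws IOException {
        // 1. Request a restricted resource so the container saves it and issues a session.
        String issued = open(ctx + restricted, null, null).getHeaderField("Set-Cookie");
        String cookie = Objects.requireNonNull(issued, "no session issued").split(";", 2)[0];
        // 2. Post the credentials on that session.
        HttpURLConnection post = open(ctx + "/j_security_check", cookie, "j_username="
                + URLEncoder.encode(user, "UTF-8") + "&j_password=" + URLEncoder.encode(pw, "UTF-8"));
        // 3. Confirm: a 302 whose Location path is the saved resource (host and port ignored).
        String loc = post.getHeaderField("Location");
        if (post.getResponseCode() != 302 || loc == null
                || !URI.create(loc).getPath().equals(URI.create(ctx + restricted).getPath())) {
            throw new IllegalStateException("login not confirmed: HTTP " + post.getResponseCode());
        }
        String rotated = post.getHeaderField("Set-Cookie");   // a container may issue a new id at login
        return rotated != null ? rotated.split(";", 2)[0] : cookie;
    }

    public static void main(String[] args) throws IOException {
        HttpServer s = startStub();
        String ctx = "http://localhost:" + s.getAddress().getPort() + "/app";
        System.out.println("session: " + login(ctx, "/secure/ServletRedirector", "tester", "example-pw"));
        System.out.println("direct POST: HTTP " + open(ctx + "/j_security_check", null, "").getResponseCode());
        s.stop(0);
    }
}
```

Comparing only the path is a deliberate relaxation for the port-less Location seen in the thread; a stricter client would also check that the host matches. Reading Set-Cookie from the login response matters on containers that replace the session id at authentication as a session-fixation defence, where the id cached before login stops being valid.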
