Thanks for your explanations!

As I am not at all familiar with any packet capture tool,
I need some help from my colleagues. We'll try this in the late afternoon ...

Do you think it is the right place to change the implementation of the
method
      getSecureSessionIdCookie()
in FormAuthentication to include step 3) and step 4) if no cookie is found in
step 2)?

Regards,

Toni Grimm

---------------------------------------------------------------
Anton Grimm
MAN Nutzfahrzeuge AG
IDP - Software Produktionsumgebungen
Dachauerstr.667
D - 80995 München

Fon:       +49-89-1580-1054
Fax:       +49-89-1580-4550
mailto:    [EMAIL PROTECTED]
Internet: http://www.man-trucks.com
---------------------------------------------------------------




From:     Kazuhito SUGURI <[EMAIL PROTECTED].ntt.co.jp>
Date:     06/08/2004 10:34 AM
Reply to: "Cactus Users List"
To:       [EMAIL PROTECTED]
Cc:
Subject:  Re: Security (using FormAuthentication) not working against WebSphere 5.1




Hi,

In article
<[EMAIL PROTECTED]>,
Tue, 8 Jun 2004 09:35:31 +0200,
[EMAIL PROTECTED] wrote:
Anton_Grimm> When I run our suite against WebSphere 5.1.0.4 the tests using
Anton_Grimm> FormAuthentication fail reporting
Anton_Grimm>
Anton_Grimm>       "Failed to authenticate the principal."
[snip]
Anton_Grimm> ### WebSphere ###
Anton_Grimm>
Anton_Grimm> getCookie(theConnection, theTarget) - Header: null:HTTP/1.1 302 Found
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Date:Tue, 08 Jun 2004 06:24:12 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Server:IBM_HTTP_Server/2.0.47-PQ84017 Apache/2.0.47 (Unix) DAV/2
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Set-Cookie:WASReqURL=http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/ServletRedirectorSecure?;Path=/
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Cache-Control:no-cache="set-cookie,set-cookie2"
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Expires:Thu, 01 Dec 1994 16:00:00 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Location: http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/jsp/LoginForm.jsp
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Length:0
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Type:text/html; charset=ISO-8859-1
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Language:en-US
[snip]
Anton_Grimm> Anyway, when I request the Url (against WebSphere)
Anton_Grimm>       http://hostname:port/context/ServletRedirectoSecure?
Anton_Grimm> I get forwarded to the login-page.
Anton_Grimm>
Anton_Grimm> Before submitting the Login-Page I request
Anton_Grimm>       javascript:alert(document.cookie)
Anton_Grimm> and I get two cookies (WASReqURL and JSESSIONID).

WebSphere may set a Set-Cookie header for JSESSIONID in the response
for the login-page, which will not be accessed by the FormAuthentication
implementation.


Could you trace the HTTP messages for the following sequence
by using a packet capture tool?
(1) C->S request the URL
http://hostname:port/context/ServletRedirectoSecure?
(2) S->C 302 response
(3) C->S request the login-page
(4) S->C 200 response with login-page
(5) C->S request j_security_check with username, password and JSESSIONID


The current implementation of the FormAuthentication class assumes that
a Set-Cookie header for JSESSIONID exists in the response at (2).
Then the FormAuthentication class does not perform (3)-(4),
but performs (5) immediately.

However, it's possible for the AP server to start session tracking from
the first login-page request (3), and in that case
the AP server may send the Set-Cookie header for JSESSIONID at (4).


Regards,
----
Kazuhito SUGURI
mailto:[EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
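The five-step exchange above, as an added Python simulation that is not Cactus code and not from either poster: a small server behaves like the WebSphere trace (only WASReqURL on the 302 at (2), JSESSIONID only with the login page at (4)), and the client runs once the old way, taking cookies from the 302 only, and once performing (3)-(4) before posting to j_security_check at (5). Paths, the cookie value and the credentials are constructed.

```python
import http.client, http.cookies, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed paths and session id; the real application's names differ.
PROTECTED, LOGIN, CHECK = "/ctx/ServletRedirectorSecure", "/ctx/jsp/LoginForm.jsp", "/ctx/j_security_check"
SID = "JSESSIONID=0000deadbeef"

class WebSphereLike(BaseHTTPRequestHandler):
    """Session tracking starts at the login page: JSESSIONID is set at (4), never at (2)."""
    def do_GET(self):
        if self.path.startswith(PROTECTED):                        # (2): 302 to the form
            self.send_response(302)
            self.send_header("Set-Cookie", "WASReqURL=%s;Path=/" % self.path)
            self.send_header("Location", LOGIN)
        else:                                                      # (4): form + session cookie
            self.send_response(200)
            self.send_header("Set-Cookie", SID + ";Path=/")
        self.send_header("Content-Length", "0"); self.end_headers()
    def do_POST(self):                                             # (5): accepted only with the session
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(302 if SID in self.headers.get("Cookie", "") else 403)
        self.send_header("Content-Length", "0"); self.end_headers()
    def log_message(self, *_): pass

def exchange(port, method, path, jar, body=None):
    """One request; merge every Set-Cookie of the response into jar, return (status, Location)."""
    hdrs = {"Cookie": "; ".join("%s=%s" % kv for kv in jar.items())} if jar else {}
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=hdrs)
    resp = conn.getresponse(); resp.read(); conn.close()
    for raw in resp.headers.get_all("Set-Cookie") or []:
        jar.update((k, m.value) for k, m in http.cookies.SimpleCookie(raw).items())
    return resp.status, resp.getheader("Location")

def form_login(port, follow_login_page):
    """follow_login_page=False is the behaviour the thread describes: cookies read at (2) only."""
    jar = {}
    status, location = exchange(port, "GET", PROTECTED + "?", jar)   # (1)/(2)
    if follow_login_page and status == 302:
        exchange(port, "GET", location, jar)                         # (3)/(4)
    creds = urllib.parse.urlencode({"j_username": "u", "j_password": "p"})
    status, _ = exchange(port, "POST", CHECK, jar, body=creds)        # (5)
    return sorted(jar), status

def run_demo():
    """Returns ((cookies, status) without (3)-(4), (cookies, status) with them)."""
    srv = HTTPServer(("127.0.0.1", 0), WebSphereLike)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return form_login(srv.server_port, False), form_login(srv.server_port, True)
    finally:
        srv.shutdown(); srv.server_close()

if __name__ == "__main__":
    print(run_demo())
```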






