Re: Form-based security

2005-01-19 Thread Omar Adobati
What happens if you load your error page using the address bar? Can you
see it? Isn't it a path matter?

regards,
  Omar




-- 
Adobati Omar
[EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Form-based security

2005-01-19 Thread Venkat Radha Venkataramanan
Omar!
Aha! Even the autherr.html page seems to be protected by the form-based
security. When I try to open autherr.html by the url,
http://127.0.0.1:8080/MyFirst/autherr.html, I get the login page!

How would I unprotect it?

Thanks.




Form-based security

2005-01-18 Thread Venkat Radha Venkataramanan
Hello:

I just wrote my first form-based security control. It works fine if I sign
with a user id that plays the permitted role.

But when I enter a user id that does not play the permitted role, instead of
getting my customized error page, autherr.html, I get a generic 403 error.

Can somebody tell me what I am doing wrong?

Thanks.

Venkat

Web.xml section:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>MyFirst</web-resource-name>
    <description> accessible by authenticated users of the
    tomcat role</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These roles are allowed access</description>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyFirst Protected Area</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/autherr.html</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>Only 'tomcat' role is allowed to access this web
  application</description>
  <role-name>tomcat</role-name>
</security-role>







URL encoding/decoding bug in form-based security?

2004-02-06 Thread Bill Haake
I have been working on tracking down a problem with special characters in
URLs that shows up when using form-based authentication in a security
constraint. I have just about reached the limit of my ability to find the
problem and am hoping that someone more familiar with the details of
authentication can nail it down.

My setups (same problem in each)

windows 2000
IIS 5.0
isapi_redirector2.dll binary from apache
j2sdk 1.4.2_03
tomcat 5.0.18

and

redhat 9 linux
apache 2.0.40
mod_jk
j2sdk 1.4.2_02
tomcat 5.0.16

The problem is in files that have special characters in the name that
require encoding. I discovered it with a file that has a '#' in the name.
For example turtle#2.jpg. This is encoded to turtle%232.jpg.

I have set up several files to show the problem on my linux server:
Using the redirector:
http://www.oatka.com/test/turtle.jpg no special characters, no security
http://www.oatka.com/test/turtle%232.jpg encoded '#', no security
http://www.oatka.com/test/protected/turtle.jpg no special characters,
secured with form-based security, user: test, pw:test
http://www.oatka.com/test/protected/turtle%232.jpg encoded '#', security.
Close your browser before trying this one to cause the form to display.
After putting in the user and password (you enter them twice for some
reason), it tries to load turtle#2.jpg which fails because # is the special
char for an anchor. It thinks the file is turtle with an anchor of 2.jpg

If you go direct to tomcat, they all work.
http://www.oatka.com:8080/test/turtle.jpg
http://www.oatka.com:8080/test/turtle%232.jpg
http://www.oatka.com:8080/test/protected/turtle.jpg
http://www.oatka.com:8080/test/protected/turtle%232.jpg

The failure only occurs when the file containing the special char is the
first thing loaded from the protected site, so exit the browser or otherwise
invalidate the session to get it to occur. I haven't tested with other
characters to see if they cause problems. My security settings were copied
from the ones for jsp-examples/security that comes with 5.0.18











RE: URL encoding/decoding bug in form-based security?

2004-02-06 Thread Yansheng Lin
Hey, check out the following section on URI/URL Standard Specification (RFC
2396).
http://www.w3.org/Addressing/


2.4.3. Excluded US-ASCII Characters

   Although they are disallowed within the URI syntax, we include here a
   description of those US-ASCII characters that have been excluded and
   the reasons for their exclusion.

   The control characters in the US-ASCII coded character set are not
   used within a URI, both because they are non-printable and because
   they are likely to be misinterpreted by some control mechanisms.

   control = US-ASCII coded characters 00-1F and 7F hexadecimal

   The space character is excluded because significant spaces may
   disappear and insignificant spaces may be introduced when URI are
   transcribed or typeset or subjected to the treatment of word-
   processing programs.  Whitespace is also used to delimit URI in many
   contexts.

   space   = US-ASCII coded character 20 hexadecimal

   The angle-bracket "<" and ">" and double-quote (") characters are
   excluded because they are often used as the delimiters around URI in
   text documents and protocol fields.  The character "#" is excluded
   because it is used to delimit a URI from a fragment identifier in URI
   references (Section 4). The percent character "%" is excluded because
   it is used for the encoding of escaped characters.

   delims  = "<" | ">" | "#" | "%" | <">
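
The failure described in this thread, where the post-login redirect names turtle#2.jpg instead of turtle%232.jpg, reproduced with java.net.URI as an added example (not code from Tomcat, mod_jk or the posters). It goes beyond the one character tested in the thread to '?', '%' and space; the class name, host and file names are constructed for the illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (hypothetical class): what a client makes of a redirect when
 * the saved path is written into Location decoded versus re-encoded.
 */
public class RedirectEncoding {

    /** Decoded path pasted straight into the redirect target. */
    static String rawLocation(String host, String decodedPath) {
        return "http://" + host + decodedPath;
    }

    /**
     * Path re-encoded: the multi-argument URI constructor quotes every
     * character that is not legal in a path. Pass the DECODED path; '%' is
     * always quoted, so an already-encoded path would be encoded twice.
     */
    static String encodedLocation(String host, String decodedPath) {
        try {
            return new URI("http", host, decodedPath, null).toASCIIString();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** How a URI parser splits the Location value, i.e. which file is requested. */
    static String clientView(String location) {
        try {
            URI u = new URI(location);
            return "path=" + u.getPath()
                    + (u.getQuery() != null ? " query=" + u.getQuery() : "")
                    + (u.getFragment() != null ? " fragment=" + u.getFragment() : "");
        } catch (URISyntaxException e) {
            return "rejected: " + e.getReason();
        }
    }

    public static void main(String[] args) {
        String host = "www.example.com";          // constructed host
        String[] decodedPaths = {                  // constructed file names
            "/test/protected/turtle.jpg",
            "/test/protected/turtle#2.jpg",        // the case from the thread
            "/test/protected/what?.jpg",
            "/test/protected/100%.jpg",
            "/test/protected/two words.jpg",
        };
        for (String p : decodedPaths) {
            String raw = rawLocation(host, p);
            String enc = encodedLocation(host, p);
            System.out.println(p);
            System.out.println("  raw     " + raw + " -> " + clientView(raw));
            System.out.println("  encoded " + enc + " -> " + clientView(enc));
        }
    }
}
```

For turtle#2.jpg the raw form parses as path /test/protected/turtle with fragment 2.jpg, which is the "turtle with an anchor of 2.jpg" symptom; the encoded form round-trips to the original file name.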






RE: Form based security and Remember Me

2003-02-21 Thread Raible, Matt
Here's how I've done it -

First of all, I don't use j_security_check as my action, but rather
auth/ which maps to a LoginServlet.  That servlet does some other things,
but here's the relevant code.  The StringUtil.encodeString(password) method
changes the cookie to be base64 encrypted.  Not a very good encryption, but
better than nothing.

LoginServlet.java
=================

String username = request.getParameter("j_username").toLowerCase();
String password = request.getParameter("j_password");

if (request.getParameter("rememberMe") != null) {
    response =
        RequestUtil.setCookie(response, "rememberMe", "true", false);
    response =
        RequestUtil.setCookie(response, "password",
                              StringUtil.encodeString(password),
                              false);
}

String req =
    "j_security_check?j_username=" + RequestUtils.encodeURL(username)
    + "&j_password=" + RequestUtils.encodeURL(password);

response.sendRedirect(response.encodeRedirectURL(req));


Then I have a filter mapped to /* and it has the following code:

Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
Cookie passCookie = RequestUtil.getCookie(request, "password");
String password =
    (passCookie != null)
    ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

// <form-error-page>/login.jsp?error=true</form-error-page>
boolean authFailed =
    StringUtils.equals(request.getParameter("error"), "true");

// check to see if the user is logging out, if so, remove the
// rememberMe cookie and password Cookie
if ((request.getRequestURL().indexOf("logout") != -1) || authFailed) {
    if (log.isDebugEnabled()) {
        log.debug("deleting rememberMe-related cookies");
    }

    response =
        RequestUtil.deleteCookie(response,
                                 RequestUtil.getCookie(request,
                                                       "rememberMe"));
    response = RequestUtil.deleteCookie(response, passCookie);
}

if ((request.getRequestURL().indexOf("login") != -1) && !authFailed) {
    // Check to see if we should automatically login the user
    // container is routing user to login page, check for remember me cookie
    Cookie userCookie = RequestUtil.getCookie(request, "username");
    // null check is on userCookie, the cookie that is dereferenced here
    String username =
        (userCookie != null)
        ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

    if ((rememberMe != null) && (password != null)) {
        // authenticate user without displaying login page
        String route =
            "j_security_check?j_username=" + username
            + "&j_password=" + StringUtil.decodeString(password);

        if (log.isDebugEnabled()) {
            log.debug("I remember you '" + username
                      + "', attempting authentication...");
        }

        response.sendRedirect(response.encodeRedirectURL(route));

        return;
    }
}

chain.doFilter(req, resp);

This has been working great for me, but I've only tested it on Tomcat.

HTH,

Matt
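
A variant of the cookie half of this scheme that keeps the password out of the browser and out of redirect URLs, shown as an added example that is not code from the post above: the cookie carries the user name and an expiry time under an HMAC-SHA256 tag. The class name, cookie layout and sample values are assumptions made for the illustration, it needs Java 8 or later for java.util.Base64, and turning the verified name into a container login is left out because that step is container-specific.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (hypothetical class): a remember-me cookie that holds a
 * signed, expiring user name instead of the password.
 * Value layout: base64url(username) "." expiryEpochSeconds "." base64url(HMAC)
 */
public class RememberMeToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    public RememberMeToken(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, ALG);
    }

    /** Issues a cookie value after a successful login with "remember me" ticked. */
    public String issue(String username, long expiresAtEpochSec) {
        String payload = ENC.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + "." + expiresAtEpochSec;
        return payload + "." + ENC.encodeToString(sign(payload));
    }

    /** Returns the user name if the value is authentic and unexpired, otherwise null. */
    public String verify(String cookieValue, long nowEpochSec) {
        if (cookieValue == null) {
            return null;
        }
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 3) {
            return null;
        }
        try {
            byte[] presented = DEC.decode(parts[2]);
            // Constant-time comparison; check the tag before trusting any field.
            if (!MessageDigest.isEqual(sign(parts[0] + "." + parts[1]), presented)) {
                return null;
            }
            if (nowEpochSec >= Long.parseLong(parts[1])) {
                return null; // expired
            }
            return new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) { // bad base64 or bad number
            return null;
        }
    }

    /** Set-Cookie header value; the attributes keep the token away from scripts and plain HTTP. */
    public static String setCookieHeader(String name, String value, long maxAgeSec) {
        return name + "=" + value + "; Max-Age=" + maxAgeSec
                + "; Path=/; Secure; HttpOnly; SameSite=Lax";
    }

    private byte[] sign(String payload) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(key);
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];           // constructed demo key; a deployment
        new SecureRandom().nextBytes(secret);   // loads a persistent server-side secret
        RememberMeToken tokens = new RememberMeToken(secret);

        long now = 1_000_000L;                  // constructed clock value (epoch seconds)
        long twoWeeks = 14L * 24 * 3600;
        String cookie = tokens.issue("alice", now + twoWeeks);  // constructed user name
        System.out.println(setCookieHeader("rememberMe", cookie, twoWeeks));

        System.out.println("valid:    " + tokens.verify(cookie, now + 60));
        System.out.println("expired:  " + tokens.verify(cookie, now + twoWeeks + 1));
        // A different user name under the old tag fails verification.
        String tampered = ENC.encodeToString("bob".getBytes(StandardCharsets.UTF_8))
                + cookie.substring(cookie.indexOf('.'));
        System.out.println("tampered: " + tokens.verify(tampered, now + 60));
    }
}
```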






Form based security and Remember Me

2003-02-20 Thread John Trollinger
I searched the archive and only saw one message pertaining to this.

Is anyone doing this at all?  And if so how?

Thanks,

John






RE: Form based security and Remember Me

2003-02-20 Thread Shapira, Yoav

Howdy,
I'm not doing this, and I'm one of those people who cleans their cache
every time their browser is closed (12Ghosts auto wash is among the
greatest tools I've ever seen for any computing purpose, ever), so
Remember Me functionality doesn't typically work for me, but...

> Is anyone doing this at all?  And if so how?

Assuming remember me is a checkbox, e.g.
<input type="checkbox" name="rememberUser">Remember Me</input>

Then something like:
String rememberUserString = request.getParameter("rememberUser");
if ((rememberUserString != null) &&
    rememberUserString.equalsIgnoreCase("true")) {
  //  Create cookie
  Cookie userInfoCookie = new Cookie(...);
  response.addCookie(userInfoCookie);
}

Then other pages in the app attempt to retrieve the cookie (using
request.getCookies() and iterating through the cookies).  You can
retrieve the information in a fairly cross-browser, server-independent
way.

You can also set attributes in the session
(HttpSession.setAttribute("myUserName", username) or whatever) or do it
in many other ways.

Yoav Shapira
Millennium ChemInformatics








RE: Form based security and Remember Me

2003-02-20 Thread John Trollinger
But does this work with Form based authentication and realms... How do
you let the realm know that the user remembered so the login can be
bypassed?

John





Re: Form based security and Remember Me

2003-02-20 Thread Will Hartung
> From: John Trollinger [EMAIL PROTECTED]
> Sent: Thursday, February 20, 2003 12:31 PM
> Subject: RE: Form based security and Remember Me
>
>
> But does this work with Form based authentication and realms... How do
> you let the realm know that the user remembered so the login can be
> bypassed?

This was touched on before, but the basic problem is that a Servlet does not
have a portable way of actually setting the authentication details necessary
for you to do what you want to do.

What you want to do, essentially, is have a servlet do your authentication
before in order to bypass the container's inherent authentication mechanism.
But, the API doesn't let you do this.

Which means you have to implement all of your own security some other way.

Which is a drag.

Regards,

Will Hartung
([EMAIL PROTECTED])








RE: Form based security and Remember Me

2003-02-20 Thread Bill Lunnon
A thought (just started following the thread).

I can see a problem, in that the cookies may never get initialised because
of the use of the checkbox. If the checkbox hasn't been selected, you'll
always receive null from the form.

Would suggest using a radio button instead, where the parameter will always
return a value (null is definitely an error).

Hope this is relevant to the thread

Bill





Re: Form based security

2003-02-14 Thread Sean Dockery
Redirecting all 400 errors to your index page is a questionable practice
because not all 400 (SC_BAD_REQUEST) errors are "Invalid direct reference
..." errors.  I wish that there was a legitimate configuration change to
enable you to bookmark a login.jsp page--such as a j_success_url parameter
which instructs Tomcat where to send users if not doing an automated login
process.

PS:  Check the font size defined in the blog stylesheets.  They were huge in
IE6.

----- Original Message -----
From: Raible, Matt [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 08:48
Subject: RE: Form based security


> Here's how I solved your issue:
>
> http://tinyurl.com/5s4e
>
> HTH,
>
> Matt
>
> > -----Original Message-----
> > From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 8:32 AM
> > To: Tomcat Users List
> > Subject: Re: Form based security
> >
> >
> > Ok,  I figured most of the things out.
> >
> > My next question (along the same lines) is this:
> >
> > I have a link to the login.jsp which is now in a
> > security-constraint area.
> > When they use the login.jsp successfully it complains about:
> > Invalid direct reference to form login page
> >
> > How do I use the login page and define a page for a successful login?
> >
> > Thanks!
> >
> > --
> > Sloan
> >
> > ----- Original Message -----
> > From: Sloan Seaman [EMAIL PROTECTED]
> > To: Tomcat Users List [EMAIL PROTECTED]
> > Sent: Thursday, February 13, 2003 10:01 AM
> > Subject: Re: Form based security
> >
> >
> > > I have a filter set up so that if they don't go to the index.jsp or
> > > login.jsp it will redirect them to the login.jsp.
> > > (is that the best way?)
> > >
> > > So basically they either go to the index.jsp or login.jsp page.
> > > How do I list a page as secure?
> > >
> > > Do I have to write code for the j_security_check or is this
> > > something within tomcat?
  




Re: Form based security

2003-02-14 Thread Steven J. Owens
On Fri, Feb 14, 2003 at 03:42:21PM -0700, Sean Dockery wrote:
> Redirecting all 400 errors to your index page is a questionable practice
> because not all 400 (SC_BAD_REQUEST) errors are "Invalid direct reference
> ..." errors.  I wish that there was a legitimate configuration change to
> enable you to bookmark a login.jsp page--such as a j_success_url parameter
> which instructs Tomcat where to send users if not doing an automated login
> process.

 One thought I had, which I have yet to follow up on, is to insert
some sort of filter, either before the redirect-to-login-form or after
the login (but before the invalid direct reference error gets
thrown) that redirects the user to the welcome page.

Steven J. Owens
[EMAIL PROTECTED]

I'm going to make broad, sweeping generalizations and strong,
 declarative statements, because otherwise I'll be here all night and
 this document will be four times longer and much less fun to read.
 Take it all with a grain of salt. - Me at http://darksleep.com






Re: Form based security

2003-02-14 Thread Sean Dockery
I could not see an easy way to determine if you were authenticated, however,
using the struts tag libraries.  The request tag library in the commons
project does provide a means for creating a request bean, which you could
then logic:test remoteUser against , but that's not exactly obvious when
you want to do a simple...

<logic:...>
Welcome, <bean:write ... property="remoteUser"/>!
</logic:...>
<logic:...>
Welcome, Guest!
</logic:...>

:-)

----- Original Message -----
From: Raible, Matt [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 08:56
Subject: RE: Form based security


> Struts can hook into container-managed security - it has support for roles
> in its <logic:present ...> tag, in a roles attribute on its action
> mappings, and also in Tiles for displaying different pages based on roles.
> It really does nothing special - just hooks into what's already there.  If
> you're using form-based authentication - Struts will play nicely with it.
>
> HTH,
>
> Matt
>
> > -----Original Message-----
> > From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 8:52 AM
> > To: Tomcat Users List
> > Subject: Re: Form based security
> >
> >
> > Ok, I've got it now...
> >
> > Thanks for the information.
> >
> > Now my manager is saying he wanted it all done in Struts and that
> > Struts has a security model that I should be using.  Is he wrong?  I
> > thought struts was just tag libs and an MVC for hitting business logic.
> >
> > Time for me to learn struts now I guess...
> >
> > --
> > Sloan
> >
> > ----- Original Message -----
> > From: Barney Hamish [EMAIL PROTECTED]
> > To: 'Tomcat Users List' [EMAIL PROTECTED]
> > Sent: Thursday, February 13, 2003 10:33 AM
> > Subject: RE: Form based security
> >
> >
> > > I think you've got the wrong idea about how the form-based security
> > > works. It is counter-intuitive I agree but anyway...
> > >
> > > Firstly the login form should not be in the secure area.
> > > Define as the default page something in the secure area.
> > > When the user tries to go to this default page tomcat will redirect
> > > them to the login page.
> > > After they've logged in successfully Tomcat will redirect them to the
> > > page they originally asked for (i.e. the default page).
> > >
> > > You don't need a filter to do this. Tomcat does it automatically for
> > > you.
> > >
> > > Hamish
  
Form based security

2003-02-13 Thread Sloan Seaman
I'm attempting to do form based security and I keep getting a 404 error when
I click the submit button.

I'm guessing I'm missing some type of configuration in the server.xml.

The form I am using is:
<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Submit">
</form>


And I have the following in my web.xml
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

Can anyone help me out here?

--
Sloan






RE: Form based security

2003-02-13 Thread Barney Hamish
Are you going directly to the login page? If so then you need to go to a
page that's listed as being secure. You will then be forwarded to the
login page. When you've logged in successfully then you will be forwarded to
the page you originally requested.
Hamish





Re: Form based security

2003-02-13 Thread Sloan Seaman
I have a filter set up so that if they don't go to the index.jsp or
login.jsp it will redirect them to the login.jsp.
(is that the best way?)

So basically they either go to the index.jsp or login.jsp page. How do I
list a page as secure?

Do I have to write code for the j_security_check or is this something within
Tomcat?





Re: Form based security

2003-02-13 Thread Sloan Seaman
Ok, I figured most of the things out.

My next question (along the same lines) is this:

I have a link to the login.jsp which is now in a security-constraint area.
When they use the login.jsp successfully it complains about:
Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?

Thanks!

--
Sloan





RE: Form based security

2003-02-13 Thread Barney Hamish
I think you've got the wrong idea about how the form-based security works.
It is counter-intuitive I agree but anyway...

Firstly the login form should not be in the secure area.
Define as the default page something in the secure area.
When the user tries to go to this default page Tomcat will redirect them to
the login page.
After they've logged in successfully Tomcat will redirect them to the page
they originally asked for (i.e. the default page).

You don't need a filter to do this. Tomcat does it automatically for you.

Hamish

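The layout described in the reply above, written out as a web.xml. This is an added example, not configuration posted in the thread; the /secure/ prefix, the resource name and the role name "member" are assumptions.

```xml
<!-- File: WEB-INF/web.xml (constructed example, not from the thread).
     Assumed layout and names:
       /login.jsp, /login-error.jsp   outside every security-constraint
       /secure/...                    protected pages; links point here
       role "member"                  placeholder role name -->
<web-app>
  <!-- DOCTYPE / namespace declaration omitted: use the one that matches
       your container's Servlet version. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <!-- Only /secure/* is protected. A pattern of /* would put
           /login.jsp and /login-error.jsp inside the protected area too. -->
      <url-pattern>/secure/*</url-pattern>
      <!-- No http-method elements: the constraint then applies to every
           HTTP method rather than only to the ones listed. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Members area</realm-name>
    <form-login-config>
      <!-- Context-relative paths starting with "/", both outside /secure/*.
           The form on /login.jsp posts to j_security_check, which the
           container handles itself: no servlet, filter or mapping is
           written for it. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>
</web-app>
```

With this layout, application links and bookmarks point at a protected URL such as /secure/index.jsp and never at /login.jsp itself, so the container always has an original request to return to after a successful login.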




Re: Form based security

2003-02-13 Thread Sloan Seaman
Ok, I've got it now...

Thanks for the information.

Now my manager is saying he wanted it all done in Struts and that Struts
has a security model that I should be using.  Is he wrong?  I thought Struts
was just tag libs and an MVC for hitting business logic.

Time for me to learn struts now I guess...

--
Sloan





RE: Form based security

2003-02-13 Thread Raible, Matt
Here's how I solved your issue:

http://tinyurl.com/5s4e

HTH,

Matt





RE: Form based security

2003-02-13 Thread Barney Hamish
No, Struts doesn't have a security model of its own, but it does make it
considerably easier to build your own if that's the path you want to go down.


RE: Form based security

2003-02-13 Thread Raible, Matt
Struts can hook into container-managed security - it has support for roles
in its <logic:present ...> tag, in a roles attribute on its action
mappings, and also in Tiles for displaying different pages based on roles.
It really does nothing special - just hooks into what's already there.  If
you're using form-based authentication - Struts will play nicely with it.

HTH,

Matt


Re: Form based security

2003-02-13 Thread Sloan Seaman
Here is what I'm thinking:

I'm going to configure a realm that uses a db to store the user information
(I'll prob. end up posting questions about that one :) ).

I'll use the taglib-request tags to provide security down to the 'within
html' level.

That along with the logic-present tags and tiles should get me where I
need to go correct?

I'll use the web.xml configuration to handle all the rest of the security.

Thanks for all the help on that one.

Here is another question for you:

I have a servlet that I preload that loads all of my configuration info for
my app.  I want it to use the common-logging api to do the logging and
actually use log4j.

The issue I am having is that even though my log4j-conf.xml gets read in, all
my logging output goes to Tomcat's logs and not the ones I have specified.

So, two questions:
Should I be preloading the servlet that way or is there some way in Struts to
do it?
How do I get my code to use its own log4j configuration?

Again, thanks for all the help so far.


Re: Form based security

2003-02-13 Thread Sloan Seaman
Back to the validation stuff.

Ok, it validates my user based on the user info in tomcat-users.xml but it
doesn't seem to be putting them in their roles.

When I use the request taglibs isUserInRole tag to check on things the role
is always empty.  Am I missing a step or do I manually have to put the user
in the role?

If so, How?

Thanks again!

--
Sloan

- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:54 AM
Subject: RE: Form based security


 No struts doesn't have a security model of its own but it does make it
 considerably easier to build your own if that's the path you want to go
down

  -Original Message-
  From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 13, 2003 4:52 PM
  To: Tomcat Users List
  Subject: Re: Form based security
 
 
  Ok, I've got it now...
 
  Thanks for the information.
 
  Now my manager is saying he wanted it all done in Struts and that Struts
  has a security model that I should be using.  Is he wrong?  I thought Struts
  was just tag libs and an MVC for hitting business logic.
 
  Time for me to learn struts now I guess...
 
  --
  Sloan
 
  - Original Message -
  From: Barney Hamish [EMAIL PROTECTED]
  To: 'Tomcat Users List' [EMAIL PROTECTED]
  Sent: Thursday, February 13, 2003 10:33 AM
  Subject: RE: Form based security
 
 
   I think you've got the wrong idea about how the form-based security works.
   It is counter-intuitive I agree but anyway...

   Firstly the login form should not be in the secure area.
   Define as the default page something in the secure area.
   When the user tries to go to this default page tomcat will redirect them
   to the login page.
   After they've logged in successfully Tomcat will redirect them to the page
   they originally asked for (i.e. the default page).

   You don't need a filter to do this. Tomcat does it automatically for you.
  
   Hamish
  
-Original Message-
From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 4:32 PM
To: Tomcat Users List
Subject: Re: Form based security
   
   
Ok,  I figured most of the things out.
   
My next question (along the same lines) is this:
   
I have a link to the login.jsp which is now in a security-constraint area.
When they use the login.jsp successfully it complains about:
Invalid direct reference to form login page

How do I use the login page and define a page for a successful login?
   
Thanks!
   
--
Sloan
   
- Original Message -
From: Sloan Seaman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 13, 2003 10:01 AM
Subject: Re: Form based security
   
   
 I have a filter set up so that if they don't go to the index.jsp or
 login.jsp it will redirect them to the login.jsp.
 (is that the best way?)

 So basically they either go to the index.jsp or login.jsp page. How do I
 list a page as secure?

 Do I have to write code for the j_security_check or is this something
 within tomcat?

 - Original Message -
 From: Barney Hamish [EMAIL PROTECTED]
 To: 'Tomcat Users List' [EMAIL PROTECTED]
 Sent: Thursday, February 13, 2003 9:50 AM
 Subject: RE: Form based security


  Are you going directly to the login page? If so then you need to go to a
  page that's listed as being secure. You will then be forwarded to the
  login page. When you've logged in successfully then you will be forwarded
  to the page you originally requested.
  Hamish
 
   -Original Message-
   From: Sloan Seaman [mailto:[EMAIL PROTECTED]]
   Sent: Thursday, February 13, 2003 3:48 PM
   To: [EMAIL PROTECTED]
   Subject: Form based security
  
  
   I'm attempting to do form based security and I keep getting a
   404 error when I click the submit button.

   I'm guessing I'm missing some type of configuration in the
   server.xml.

   The form I am using is:
   <form method="POST" action="j_security_check">
     <input type="text" name="j_username"/>
     <input type="password" name="j_password"/>
     <input type="submit" value="Submit"/>
   </form>


   And I have the following in my web.xml
   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/login-error.jsp</form-error-page>
     </form-login-config>
   </login-config>
  
   Can anyone help me out here?
  
   --
   Sloan
  
  
  
   

Saving Userid under Form-based Security

2002-04-03 Thread @Basebeans.com

Subject: Saving Userid under Form-based Security
From: Dave Butler [EMAIL PROTECTED]
 ===
For convenience, I wish to save the userid in a cookie when the form-based
login.jsp is processed. I have tried a few different approaches, without
success. My current effort is to use a Filter, which includes the following
methods:

(The environment is Tomcat 4.0.2 running on AIX 4.3.3. The browser is IE 6.0
under Windows 2000)

//-----------------------------------------------------------------------
   public void doFilter(ServletRequest request, ServletResponse response,
                        FilterChain chain)
         throws IOException, ServletException {

      if (filterConfig == null)
         return;

      // Let the rest of the chain (and the target resource) run first
      chain.doFilter(request, response);

      // Save the userid once per session
      HttpSession session = ((HttpServletRequest)request).getSession();
      if (session.getAttribute("savedUserid") == null) {
         saveUserid(request, response);
         session.setAttribute("savedUserid", Boolean.TRUE);
      }
   }

   public void init(FilterConfig filterConfig) {
      this.filterConfig = filterConfig;
   }

   public void destroy() {}

   private void saveUserid(ServletRequest request, ServletResponse response) {
      String userid = ((HttpServletRequest)request).getRemoteUser();
      System.out.println("In Filter, saving userid (" + userid + ")");

      if ((userid != null) && (userid.length() != 0)) {
         Cookie frswebCookie = new LongLivedCookie(userid, userid);
         ((HttpServletResponse)response).addCookie(frswebCookie);
      }

   }
//-----------------------------------------------------------------------

My Catalina.out log shows In Filter, saving userid (name), but it does not
seem to be working. I find no evidence of a cookie being created. A couple
of questions:

1) Is this the best approach for what I am trying to accomplish?
2) Why does this approach not work? Any debugging suggestions?

Thanks,

Dave Butler



--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
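
An added example for the debugging question in the post above (not Dave Butler's code and not from the Tomcat project): the Servlet API ignores headers added after the response has been committed, so this variant queues the cookie before chain.doFilter() and logs when the response is already committed. The class name, the fixed cookie name, the plain javax.servlet.http.Cookie used in place of LongLivedCookie, and the mapping of the filter to a protected URL are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the poster's code. Class name and cookie name are hypothetical.
public class RememberUseridFilter implements Filter {
    private static final String COOKIE_NAME = "savedUserid";  // assumed fixed cookie name
    private static final String SESSION_FLAG = "savedUserid"; // same flag the post uses
    private static final int ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;

    public void init(FilterConfig filterConfig) {}

    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Assumption: the filter is mapped to a protected URL, so the container
        // has authenticated the request and getRemoteUser() is non-null here.
        String userid = req.getRemoteUser();
        if (userid != null && userid.length() != 0
                && req.getSession().getAttribute(SESSION_FLAG) == null) {
            if (res.isCommitted()) {
                // Headers can no longer change; addCookie() would be ignored.
                System.out.println("Response already committed, cookie not sent");
            } else {
                // Store only the identifier, never the password. The cookie is
                // client-controlled: use it to prefill the form, not as identity.
                Cookie cookie = new Cookie(COOKIE_NAME, userid);
                cookie.setMaxAge(ONE_YEAR_SECONDS);
                cookie.setPath(req.getContextPath() + "/");
                res.addCookie(cookie);
                req.getSession().setAttribute(SESSION_FLAG, Boolean.TRUE);
            }
        }
        // Set-Cookie is queued before any downstream code can write the body.
        chain.doFilter(request, response);
    }
}
```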




timeout on form based security

2001-03-28 Thread simone cecchini

dear colleagues,
i have noted that, when using form based security (tomcat 3.2.1), a kind of expiration 
is on: if i connect to a secured page (actually a servlet) and stay inactive for a 
while (not sure about the lapse) when i reload the page or try to connect to another 
resource, i have to re insert username and password.
am i right? which parameter have i to change to prevent tomcat to do this?
thanks,
simone



RE: timeout on form based security

2001-03-28 Thread Michael Wentzel

 i have noted that, when using form based security (tomcat 
 3.2.1), a kind of expiration is on: if i connect to a secured 
 page (actually a servlet) and stay inactive for a while (not 
 sure about the lapse) when i reload the page or try to 
 connect to another resource, i have to re insert username and 
 password.
 am i right? which parameter have i to change to prevent 
 tomcat to do this?

Set your session timeout in your web.xml.  Or you can set the session
timeout in your jsp as well.


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]

- Punisher of those who cannot spell dumb!



RE: timeout on form based security

2001-03-28 Thread simone cecchini

At 09:05 3/28/01 -0500, you wrote:
 i have noted that, when using form based security (tomcat 
 3.2.1), a kind of expiration is on: if i connect to a secured 
 page (actually a servlet) and stay inactive for a while (not 
 sure about the lapse) when i reload the page or try to 
 connect to another resource, i have to re insert username and 
 password.
 am i right? which parameter have i to change to prevent 
 tomcat to do this?

Set your session timeout in your web.xml.  Or you can set the session
timeout in your jsp as well.


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]

- Punisher of those who cannot spell dumb!

thanks for your reply, but i am not using sessions any way. either this does not 
happen when i use simple basic authentication.
it seems that session management is turned on some way, when i use form based sec.
any hint?
simone



Re: timeout on form based security

2001-03-28 Thread Andrew Robson

Hi,
  One possibility: you can set a session timeout value in the web.xml for your
application

<!--  session timeout -->
  <session-config>
    <session-timeout>30</session-timeout><!-- 30 minutes -->
  </session-config>

Don't know what default is if you don't

andrew 

On Wed, 28 Mar 2001, you wrote:
 dear colleagues,
 i have noted that, when using form based security (tomcat 3.2.1), a kind of 
expiration is on: if i connect to a secured page (actually a servlet) and stay 
inactive for a while (not sure about the lapse) when i reload the page or try to 
connect to another resource, i have to re insert username and password.
 am i right? which parameter have i to change to prevent tomcat to do this?
 thanks,
 simone





RE: timeout on form based security

2001-03-28 Thread Michael Wentzel

 thanks for your reply, but i am not using sessions any way. 
 either this does not happen when i use simple basic authentication.
 it seems that session management is turned on some way, when 
 i use form based sec.
 any hint?

Not sure I understand what you mean by not using sessions?  You mean
you never access any instances of HttpSession?  Did you do something
like get rid of(from server.xml):

<RequestInterceptor
className="org.apache.tomcat.session.StandardSessionInterceptor" />

To the best of my knowledge Tomcat does session management despite
whatever type of authentication you are using(correct me if I'm wrong
anyone...).  I believe your servlet would work fine, as long as you
don't get an instance of HttpSession, if you removed the RequestInterceptor
for the Session Manager; but jsp pages will still have a problem.

Of course, this is all to the best of my knowledge...
Anyone else have comments on this?


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]

- Punisher of those who cannot spell dumb!



RE: timeout on form based security

2001-03-28 Thread simone cecchini

At 09:35 3/28/01 -0500, you wrote:
 thanks for your reply, but i am not using sessions any way. 
 either this does not happen when i use simple basic authentication.
 it seems that session management is turned on some way, when 
 i use form based sec.
 any hint?

Not sure I understand what you mean by not using sessions? You mean
you never access any instances of HttpSession?

yes, this is what i mean.

  Did you do something
like get rid of(from server.xml):

<RequestInterceptor
className="org.apache.tomcat.session.StandardSessionInterceptor" />

no, i haven't dared ;-)

To the best of my knowledge Tomcat does session management despite
whatever type of authentication you are using(correct me if I'm wrong
anyone...).

this is the answer i was looking for: by default, sessions are working under the hood.
the basic authorization is likely to be a bit more slack dealing with timeout, since 
the client just has to send correct authorization headers.

  I believe your servlet would work fine, as long as you
don't get an instance of HttpSession, if you removed the RequestInterceptor
for the Session Manager; but jsp pages will still have a problem.

Of course, this is all to the best of my knowledge...

thanks again for your answer.
btw: servlet specs  v2.2 do not describe the authentication scheme used by form based 
auth. where can i find a tomcat-based description of it?
simone
Anyone else have comments on this?


---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]

- Punisher of those who cannot spell dumb!