RE: Form Based Authentication

2005-10-11 Thread Frank W. Zammetti
Although we are working in a Websphere/LDAP environment, we had the same
requirement as you, and we managed to solve it.

What we did (and I'm going from fairly distant memories, so hopefully I'm
at least close to right) is this... user logs on.  We have a filter that
checks for password expired/reset (both a forced PW change) via flags set
in a previous filter (values taken from LDAP) and redirects to the change
screen if applicable.  This all of course happens only after a
"successful" logon, i.e., user entered valid credentials, including
expired password already.  We destroy the session before leaving that
filter.  Password is changed, all without creating a new session along the
way.  Once it is changed, we redirect back through the logon process as
before.  We decided that it was *better* to make the user log on again
because it proves they remember the password they entered 2 seconds ago :)

I suppose if I had to allow that automatic authentication, I would NOT
destroy the session and instead just redirect to the first protected
resource of the app from the change PW screen.  Since the user was let in
the first time around, they are really authenticated already.  In essence,
the filter that catches that forced PW change flag is acting like the
container, intercepting all protected requests and redirecting to a change
PW screen.  If you did it smartly you should be able to grab what resource
was requested when the filter fired so as to not have to hardcode where to
go to after that forced PW screen is finished.

Frank


-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
MSN: [EMAIL PROTECTED]

On Tue, October 11, 2005 12:24 pm, Peter Bright said:
>
>> -Original Message-
>> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
>> Sent: 11 October 2005 17:23
>> To: Tomcat Users List
>> Subject: RE: Form Based Authentication
>>
>> > From: Peter Bright [mailto:[EMAIL PROTECTED]
>> > Subject: RE: Form Based Authentication
>> >
>> > > >
>> > > > It's point (c) that's proving problematic; there's no way to
>> > > > reauthenticate that I can see.
>> > >
>> > > What happens if you just invalidate the existing session?
>> >
>> > The user gets logged out.
>>
>> Exactly - and they then must reauthenticate with the updated password.
>> Isn't that what you want?
>>
> No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the
> new credentials /automatically/.  Without making them have to
> reauthenticate /by hand/.
>
> ***
> The information contained in this electronic message may be confidential
> and/or privileged. Any unauthorized use, dissemination, distribution, or
> reproduction is strictly prohibited. If you have received this
> communication in error, please contact the sender by reply email and
> destroy all copies of the original message.
> ***
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
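
The forced-password-change gate described in this message, sketched as a servlet filter. This is an added example, not code from the thread: the session attribute names and the /changePassword path are assumptions, and changeSessionId() needs Servlet 3.1 or later.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example. Map this filter to the protected URL patterns so it only
 * runs once the container has accepted the (possibly expired) credentials.
 */
public class ForcedPasswordChangeFilter implements Filter {

    // Hypothetical names, not taken from the thread.
    static final String FLAG = "pwChangeRequired";   // set by the earlier filter from LDAP
    static final String TARGET = "pwChange.target";  // resource requested when the gate fired
    static final String CHANGE_PATH = "/changePassword";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);

        boolean mustChange = session != null
                && Boolean.TRUE.equals(session.getAttribute(FLAG));
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());

        if (!mustChange || CHANGE_PATH.equals(path)) {
            chain.doFilter(rq, rs);   // nothing pending, or this is the change screen itself
            return;
        }
        // Remember the first blocked GET so the destination is not hardcoded.
        // The value is the container-resolved, context-relative path, never a
        // request parameter supplied by the client.
        if ("GET".equals(req.getMethod()) && session.getAttribute(TARGET) == null) {
            session.setAttribute(TARGET, path);
        }
        res.sendRedirect(req.getContextPath() + CHANGE_PATH);
    }

    /**
     * Call from the change-password handler after the directory update has
     * succeeded. Returns the URL to redirect to.
     *
     * requireRelogin = true  : first variant in the message (destroy the
     *                          session, user logs on again with the new password).
     * requireRelogin = false : second variant (keep the authenticated session
     *                          and continue to the resource originally requested).
     */
    public static String afterPasswordChanged(HttpServletRequest req, boolean requireRelogin) {
        HttpSession session = req.getSession(false);
        String home = req.getContextPath() + "/";
        if (session == null) {
            return home;
        }
        if (requireRelogin) {
            session.invalidate();      // next protected request triggers the login form
            return home;
        }
        Object target = session.getAttribute(TARGET);
        session.removeAttribute(TARGET);
        session.removeAttribute(FLAG); // the gate stays closed until this point
        req.changeSessionId();         // new session id once the credential has changed
        return (target instanceof String) ? req.getContextPath() + target : home;
    }
}
```

Any stylesheet or image the change screen loads must sit outside the filter mapping, otherwise those requests are redirected to the change screen as well.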



RE: Form Based Authentication

2005-10-11 Thread Peter Bright

> -Original Message-
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] 
> Sent: 11 October 2005 17:23
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
> 
> > From: Peter Bright [mailto:[EMAIL PROTECTED]
> > Subject: RE: Form Based Authentication
> > 
> > > >  
> > > > It's point (c) that's proving problematic; there's no way to 
> > > > reauthenticate that I can see.
> > > 
> > > What happens if you just invalidate the existing session?
> > 
> > The user gets logged out.
> 
> Exactly - and they then must reauthenticate with the updated password.
> Isn't that what you want?
> 
No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the
new credentials /automatically/.  Without making them have to
reauthenticate /by hand/.




RE: Form Based Authentication

2005-10-11 Thread Caldarale, Charles R
> From: Peter Bright [mailto:[EMAIL PROTECTED] 
> Subject: RE: Form Based Authentication
> 
> > >  
> > > It's point (c) that's proving problematic; there's no way to 
> > > reauthenticate that I can see.
> > 
> > What happens if you just invalidate the existing session?
> 
> The user gets logged out.

Exactly - and they then must reauthenticate with the updated password.
Isn't that what you want?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




RE: Form Based Authentication

2005-10-11 Thread Peter Bright

> -Original Message-
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED] 
> Sent: 11 October 2005 17:18
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
> 
> > From: Peter Bright [mailto:[EMAIL PROTECTED]
> > Subject: Form Based Authentication
> >  
> > It's point (c) that's proving problematic; there's no way to 
> > reauthenticate that I can see.
> 
> What happens if you just invalidate the existing session?
> 

The user gets logged out.




RE: Form Based Authentication

2005-10-11 Thread Caldarale, Charles R
> From: Peter Bright [mailto:[EMAIL PROTECTED] 
> Subject: Form Based Authentication
>  
> It's point (c) that's proving problematic; there's no way to
> reauthenticate that I can see.

What happens if you just invalidate the existing session?

 - Chuck





RE: Form Based Authentication

2005-05-12 Thread David B. Saul
Never Mind - It was permissions on the tomcat-users.xml file. Duh!




-Original Message-
From: David B. Saul [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 12, 2005 7:37 PM
To: 'Tomcat Users List'
Subject: Form Based Authentication


Having a problem being challenged on Linux.

Form based using the tomcat-users.xml file works under windows.

However, when same code is deployed to Linux the page is never challenged.

I checked server.xml on both platforms as well as the specific webapp. Even
built a Hello World example to eliminate other stuff.

Any suggestions/ideas?

thanks
Dave





RE : Form Based Authentication

2005-05-11 Thread LERBSCHER Jean-Pierre

If the authentication is realized by the container (the realm), you can't
access the request before the authentication takes over. If you really want
to do it, don't define the security constraint in your web.xml, and make
your own application security mechanism (use filter, and forward or redirect
on login page).

-Original Message-
From: Wade Chandler [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 11, 2005 07:10
To: Tomcat Users List
Subject: Re: Form Based Authentication

Wade Chandler wrote:
> I have form based authentication working.  But, I need the login form to 
> be a little more dynamic.  For instance, I want to use different forms 
> for different areas and not always use the same form.  Is this possible? 
>  For instance, under one site I want to limit URLs to different logins. 
>  I realize I should just have a login and have a userid and a password, 
> but my customer wants to simply have an access code to certain pages or 
> directories.  I would like to use form based authentication then I can 
> have the userid as a hidden variable, and then have a password entered 
> by the user, but for some admin screens I need the user to actually 
> enter the userid and password both
> 
> I hope that makes sense.  I can't figure out how to setup a security 
> constraint which can force a particular login form to be used if the 
> user is not logged in yet.
> 
> Thanks,
> 
> Wade
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

Ok,

So I think I should be able to do this with a filter, but I need some 
help.  Basically it looks like I should be able to use a filter to 
somehow get the original target before the authentication form is 
displayed... is this correct?  Basically I need to somehow know when a 
particular URL pattern is being displayed or is attempted to be 
accessed...before the login form is displayed.  When it is displayed 
I'll set an attribute in the request in the filter's doFilter method. 
However, now I need to know how I can access the Request before the 
authentication mechanism takes over I suppose because from my login form 
accessing the getPathInfo() method is returning the login form 
information when I really need to know the actual path the user was 
attempting to access.  So, can I use a filter to do this, and if so how 
do I make sure my filter is called in time to give me the information I 
need?

Thanks,

Wade




Re: Form Based Authentication

2005-05-10 Thread Wade Chandler
Wade Chandler wrote:
I have form based authentication working.  But, I need the login form to 
be a little more dynamic.  For instance, I want to use different forms 
for different areas and not always use the same form.  Is this possible? 
 For instance, under one site I want to limit URLs to different logins. 
 I realize I should just have a login and have a userid and a password, 
but my customer wants to simply have an access code to certain pages or 
directories.  I would like to use form based authentication then I can 
have the userid as a hidden variable, and then have a password entered 
by the user, but for some admin screens I need the user to actually 
enter the userid and password both

I hope that makes sense.  I can't figure out how to setup a security 
constraint which can force a particular login form to be used if the 
user is not logged in yet.

Thanks,
Wade

Ok,
So I think I should be able to do this with a filter, but I need some 
help.  Basically it looks like I should be able to use a filter to 
somehow get the original target before the authentication form is 
displayed... is this correct?  Basically I need to somehow know when a 
particular URL pattern is being displayed or is attempted to be 
accessed...before the login form is displayed.  When it is displayed 
I'll set an attribute in the request in the filter's doFilter method. 
However, now I need to know how I can access the Request before the 
authentication mechanism takes over I suppose because from my login form 
accessing the getPathInfo() method is returning the login form 
information when I really need to know the actual path the user was 
attempting to access.  So, can I use a filter to do this, and if so how 
do I make sure my filter is called in time to give me the information I 
need?

Thanks,
Wade


Re: FORM based authentication config

2004-12-21 Thread Viorel C.
On Tue, 2004-12-21 at 16:15, Chris Chappell wrote:
> Hi I'm having trouble getting form based authentication to work. Any help 
> much appreciated.
> I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4) 
> 
> I am using a JDBC Realm which works fine with BASIC auth.
> 
> After changing to FORM and try 
> http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get:
> The requested resource (/MyApp/security/protected/login.jsp) is not available.
>  
> To set this up I copied the files from the JSP examples - login.jsp, 
> error.jsp in folders \security\protected to \MyApp\security\protected\
> I copied web.xml parts:
> 
>   
> 
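> <servlet>
>   <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
>   <servlet-class>org.apache.jsp.security.protected_.error_jsp</servlet-class>
> </servlet>
> <servlet>
>   <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
>   <servlet-class>org.apache.jsp.security.protected_.index_jsp</servlet-class>
> </servlet>
> <servlet>
>   <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
>   <servlet-class>org.apache.jsp.security.protected_.login_jsp</servlet-class>
> </servlet>
> 
>   and mappings
> 
> <servlet-mapping>
>   <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
>   <url-pattern>/security/protected/error.jsp</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
>   <url-pattern>/security/protected/index.jsp</url-pattern>
> </servlet-mapping>
> <servlet-mapping>
>   <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
>   <url-pattern>/security/protected/login.jsp</url-pattern>
> </servlet-mapping>
> 
> with 
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Calendar</web-resource-name>
>     <url-pattern>/Calendar</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>     <role-name>admin</role-name>
>     <role-name>sysadmin</role-name>
>   </auth-constraint>
> </security-constraint>
> 
> and configured 
> 
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>MyApp</realm-name>
>   <form-login-config>
>     <form-login-page>/security/protected/login.jsp</form-login-page>
>     <form-error-page>/security/protected/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>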
>   
> 
> 
> 
> Chris
Try to use static resources for the form-login-page and form-error-page.
It works for me. And skip servlet mapping

Viorel





Re: FORM based authentication config

2004-12-21 Thread Chris Chappell
Thanks for that - but what it describes is what I have done, I think.

The problem is:

If you have the servlet definitions and mappings, the page isn't found -
Since they are JSPs above web-inf in the context folder I think they don't
need them.
If you don't have the mappings then you get:

"HTTP Status 400 - Invalid direct reference to form login page" - with a
correct pw/un
org.apache.catalina.authenticator.FormAuthenticator authenticate

WARNING: Unexpected error forwarding to error page

java.lang.NullPointerException

with incorrect un/pw

i.e. FormAuthenticator cannot forward to say the error page

Chris

- Original Message -
From: "Goel, Manish Kumar" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, December 21, 2004 2:26 PM
Subject: RE: FORM based authentication config


Hi,
see this this might help you
http://www.webservertalk.com/message633890.html


cheers
Manish


-Original Message-
From: Chris Chappell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 7:45 PM
To: Tomcat Users List
Subject: FORM based authentication config


Hi I'm having trouble getting form based authentication to work. Any help
much appreciated.
I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4)

I am using a JDBC Realm which works fine with BASIC auth.

After changing to FORM and try
http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get:
The requested resource (/MyApp/security/protected/login.jsp) is not
available.

To set this up I copied the files from the JSP examples - login.jsp,
error.jsp in folders \security\protected to \MyApp\security\protected\
I copied web.xml parts:

  

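<servlet>
  <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
  <servlet-class>org.apache.jsp.security.protected_.error_jsp</servlet-class>
</servlet>
<servlet>
  <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
  <servlet-class>org.apache.jsp.security.protected_.index_jsp</servlet-class>
</servlet>
<servlet>
  <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
  <servlet-class>org.apache.jsp.security.protected_.login_jsp</servlet-class>
</servlet>

  and mappings

<servlet-mapping>
  <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
  <url-pattern>/security/protected/error.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
  <url-pattern>/security/protected/index.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
  <url-pattern>/security/protected/login.jsp</url-pattern>
</servlet-mapping>

with

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Calendar</web-resource-name>
    <url-pattern>/Calendar</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
    <role-name>sysadmin</role-name>
  </auth-constraint>
</security-constraint>

and configured

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyApp</realm-name>
  <form-login-config>
    <form-login-page>/security/protected/login.jsp</form-login-page>
    <form-error-page>/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>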
  



Chris

***
Information contained in this email message is intended only for use of the
individual or entity named above. If the reader of this message is not the
intended recipient, or the employee or agent responsible to deliver it to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you
have received this communication in error, please immediately notify the
[EMAIL PROTECTED] and destroy the original message.

**




RE: FORM based authentication config

2004-12-21 Thread Goel, Manish Kumar
Hi,
see this this might help you
http://www.webservertalk.com/message633890.html


cheers
Manish


-Original Message-
From: Chris Chappell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 7:45 PM
To: Tomcat Users List
Subject: FORM based authentication config


Hi I'm having trouble getting form based authentication to work. Any help much 
appreciated.
I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4)

I am using a JDBC Realm which works fine with BASIC auth.

After changing to FORM and try 
http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get:
The requested resource (/MyApp/security/protected/login.jsp) is not available.

To set this up I copied the files from the JSP examples - login.jsp, error.jsp 
in folders \security\protected to \MyApp\security\protected\
I copied web.xml parts:

  

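<servlet>
  <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
  <servlet-class>org.apache.jsp.security.protected_.error_jsp</servlet-class>
</servlet>
<servlet>
  <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
  <servlet-class>org.apache.jsp.security.protected_.index_jsp</servlet-class>
</servlet>
<servlet>
  <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
  <servlet-class>org.apache.jsp.security.protected_.login_jsp</servlet-class>
</servlet>

  and mappings

<servlet-mapping>
  <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
  <url-pattern>/security/protected/error.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
  <url-pattern>/security/protected/index.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
  <url-pattern>/security/protected/login.jsp</url-pattern>
</servlet-mapping>

with

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Calendar</web-resource-name>
    <url-pattern>/Calendar</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
    <role-name>sysadmin</role-name>
  </auth-constraint>
</security-constraint>

and configured

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyApp</realm-name>
  <form-login-config>
    <form-login-page>/security/protected/login.jsp</form-login-page>
    <form-error-page>/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>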
  



Chris



RE: Form Based Authentication with Cookies?

2004-10-12 Thread Chris Ward
Chris,

For what it's worth, I spent ages trying to get a remember-me
login thing going "out of the box" but never managed it.

In the end I implemented my own user/role setup and use a 
Filter to ensure the user is logged in when accessing servlets/
JSPs with specific URL paths.  The login page sets cookies to
do the "remembering".

If you get yours going (I'm now on Tomcat 5.0.28, maybe there's
something new) I'd be interested in the details.

Good luck.

Best regards
Chris

-- 

Chris Ward, Horizon Asset Limited

Tel +44 (20) 7367 7028, Fax 7367 7029

-- 


THIS E-MAIL MAY CONTAIN CONFIDENTIAL AND/OR PRIVILEGED INFORMATION.
IF YOU ARE NOT THE INTENDED RECIPIENT (OR HAVE RECEIVED THIS E-MAIL
IN ERROR) PLEASE NOTIFY THE SENDER IMMEDIATELY AND DESTROY THIS E-
MAIL.  ANY UNAUTHORISED COPYING, DISCLOSURE OR DISTRIBUTION OF THE
MATERIAL IN THIS E-MAIL IS STRICTLY FORBIDDEN.

 HORIZON ASSET LIMITED IS AUTHORISED AND REGULATED
BY THE FINANCIAL SERVICES AUTHORITY.



> -Original Message-
> From: Chris Forbis [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 12, 2004 7:45 PM
> To: [EMAIL PROTECTED]
> Subject: Form Based Authentication with Cookies?
> 
> 
> I have been looking for a way within tomcat using a 
> JDBCRealm to do form based authentication and allow users to 
> set some sort of "Remember Me" cookie, so they do not need to 
> log into my application more than once a month or so.
> 
> It looks like to me that FormAuthenticator is sort of 
> hardcoded into tomcat without a way to allow for a context to 
> allow for a CustomFormAuthenticator that would allow for this.
> 
> Am I missing something, or is there no easy way to do this?
> 
> Thanks!
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 




Re: Form based authentication - "last login"

2004-09-03 Thread QM
On Fri, Sep 03, 2004 at 10:08:59AM +0200, [EMAIL PROTECTED] wrote:
: IMHO the best solution would be to intercept the authentication process (I'm 
working with Tomcat 4.x), to smuggle some custom code there that updates the 
appropriate column in the database. The question is.. how can I do this?? Or maybe 
someone has a better idea how to do this??

There are several ways to do this, I'm sure.  My preferred method:

map a Filter to the protected area(s) that checks for the presence of
some session object.  If the object isn't there, the person has just
logged in, so you record the timestamp and store the object.  Otherwise,
the person's already logged in and the filter can pass the
request/response down the chain.

The marker object needn't be anything special: a simple Boolean will do,
if you don't store any other objects for users who are logged in.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com





RE: form-based authentication question

2004-03-23 Thread Koes, Derrick


It may be good for someone to answer this, but I figured out my problem.  I
accidentally used the login page name where the welcome page name should
have been in the servlet configuration.

Cockpit error.



-Original Message-
From: Koes, Derrick 
Sent: Tuesday, March 23, 2004 2:49 PM
To: '[EMAIL PROTECTED]'
Subject: form-based authentication question

Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to
form-based.  I'm having difficulty in one area.  After creating the new form
and posting to j_security_check, I wish to GET my "welcome" page.  It
appears to be doing this from the URL in the address bar, but the page looks
exactly like my login page.  That is, it seems to have posted to itself.
What's the appropriate way to forward to the "welcome" page?

A working example login page, welcome page, and deployment descriptor would
be appreciated.

 

Thanks,

Derrick

 

 

This electronic transmission is strictly confidential to Smith & Nephew
and
intended solely for the addressee.  It may contain information which is
covered by legal, professional or other privilege.  If you are not the
intended addressee, or someone authorized by the intended addressee to
receive transmissions on behalf of the addressee, you must not retain,
disclose in any form, copy or take any action in reliance on this
transmission.  If you have received this transmission in error, please
notify the sender as soon as possible and destroy this message.



Re: Form Based Authentication - Registration

2004-02-14 Thread Adam Hardy
On 02/14/2004 10:31 AM Alexander F. Hartner wrote:
> Now we want to add registration and have the following happen
>
> 1.) Customer requests access to a realm
> 2.) Redirect to login page
> 3.) Customer doesn't have an account yet and accesses registration page
> 4.) Customer registers
> 5.) On successful registration the customer is redirected to the 
> original request
>
> Now to get this working we need the following, both of which we are not 
> sure are currently provided by the authentication framework.
>
> -Ability to access the original (SavedRequest) from a JSP / Servlet
>
> -Ability to "auto/fake" login from within the webapplication

You cannot access the original request if the url is protected by a 
security-constraint and the user has not logged in. Tomcat will always 
jump in first with the CMS login.

To fake it and keep CMS, reduce your real realm to a security constraint 
on one URL and set up a filter to check for the user's status. If not 
logged in, save the parts of the request you need in the session, and 
redirect the user to the protected page to trigger the container login.

Then after the login succeeds and the user gets through to that 
protected URL, check the session for the info and redirect them to their 
original destination.

You can put a link on the login page to the registration URL - I'm not 
sure about the redirection logic but it should be possible to redirect 
them after registration back to the login page to login, and then on to 
their original destination.

HTH
Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


RE: FORM based authentication referer

2004-01-21 Thread Guy Rouillier
Ricardo García wrote:
> Here's some starting context for my question 
> 
> I have a war file that has been configured to use FORM based
> authentication. I have set the  in the
> web.xml of the war file to point to a jsp file in my war
> file.  When a user invokes any jsp without being logged
> in the login jsp is displayed.  The user enters the
> userid/password submits the page to j_security_check, is
> validated and redirected to the requested page.
> 
> My question is ...
> 
> Has anyone ever tried discovering the page that the user is
> trying to access from within the jsp page referenced as the
> ?  I have tried checking the HTTP headers
> and session, but have not discovered it being saved anywhere.
>  Usually when a page invokes another page the HTTP header
> REFERER exists with the URL to the previous page.  I have
> noticed that once the user posts the login form on my
> login.jsp to j_security_check and is authenticated they are
> redirected to the correct location .. correct location being
> back to the page they wanted to access originally.  This
> would mean that it has to be somewhere, but where??

We do this manually instead of using the  mechanism.  In the header 
included at the top of every page for authentication, we capture

session.setAttribute("login.target", request.getRequestURI() );

before redirecting to the login page.  If you wait until you get to the page that is 
processing your login request, you've already lost the original request.
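
One way to implement the capture described in this message, combined with the flow from Adam Hardy's reply earlier on this page (save the target in the session, send the user to a single protected URL to trigger the container login, then redirect). This is an added example, not the poster's code: only the "login.target" attribute name comes from the message, the /secure/enter path is an assumption.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example. Map to the application URLs that are NOT under a security-constraint. */
public class LoginTargetFilter implements Filter {

    static final String TARGET = "login.target";          // attribute name from the message
    static final String LOGIN_TRIGGER = "/secure/enter";  // hypothetical: the one constrained URL

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());

        if (req.getRemoteUser() != null || LOGIN_TRIGGER.equals(path)) {
            chain.doFilter(rq, rs);   // already logged in, or the container handles this URL
            return;
        }
        // Capture the target BEFORE redirecting: once the login page is being
        // processed the original request is gone. Only GETs are replayable.
        if ("GET".equals(req.getMethod())) {
            String query = req.getQueryString();
            req.getSession().setAttribute(TARGET, query == null ? path : path + "?" + query);
        }
        res.sendRedirect(req.getContextPath() + LOGIN_TRIGGER);
    }

    /**
     * Call from the servlet or JSP behind LOGIN_TRIGGER, which only runs after
     * the container login succeeded, e.g.
     *   response.sendRedirect(LoginTargetFilter.resolveTarget(request, "/index.jsp"));
     */
    public static String resolveTarget(HttpServletRequest req, String fallbackPath) {
        HttpSession session = req.getSession(false);
        Object saved = null;
        if (session != null) {
            saved = session.getAttribute(TARGET);
            session.removeAttribute(TARGET);   // one-shot
        }
        String target = (saved instanceof String && isLocalPath((String) saved))
                ? (String) saved : fallbackPath;
        return req.getContextPath() + target;
    }

    /**
     * Accept only a context-relative path. A stored value such as
     * "//other.example/x" (what a raw request URI can look like) would be
     * treated by browsers as a redirect to another host.
     */
    static boolean isLocalPath(String p) {
        if (p == null || !p.startsWith("/") || p.startsWith("//")) {
            return false;
        }
        for (int i = 0; i < p.length(); i++) {
            char ch = p.charAt(i);
            if (ch == '\\' || ch < 0x20 || ch == 0x7f) {
                return false;   // backslashes and control characters (CR/LF) are rejected
            }
        }
        return true;
    }
}
```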




RE: Form based authentication

2003-11-28 Thread Patrick Willart
Hello Atreya,

Your stylesheet is returned after authentication because it is access
restricted. If you make your stylesheet freely accessible it will work.

grts,

Patrick

-Original Message-
From: Atreya Basu [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2003 8:01 AM
To: Tomcat Users List
Subject: Form based authentication


Hi all,

I thought I would share some of my experiences with JDBCRealm
authentication.

First what I wanted to do was see if JDBCRealm based authentication even
worked.  All I got was Tomcat quitting.  My first problem was that my
web.xml file wasn't in the right order.  I went to BEA's website and
used their web.xml file explanation page to get all of the spelling and
order of the elements right.
But Tomcat still wasn't running.  It turned out my second problem was
that for some reason the MySQL JDBC driver wasn't being found, even
though I had placed it in the common\lib directory.  So I edited the
catalina file manually and added in the jar file.

Next whenever I would authenticate I would get a stylesheet instead of
my intended destination.  Then one time I authenticated and accidentally
hit the login page.  It showed me a different styled login page.

That happened because my stylesheet was kept inside the context
directory it wasn't being retrieved till I authenticated.  So instead of
pulling up index.html after I authenticate it pulled up the stylesheet
because my browser was waiting to load that file.  Solution of course
was to place the stylesheet in an unsecure directory.

I hope that someone finds this useful.

Cheers,

--
_
Atreya Basu
Developer,
Greenfield Research Inc.
e-mail: atreya (at) greenfieldresearch (dot) ca







Re: FORM based authentication pages

2003-11-12 Thread Christopher Schultz
Ricardo,

> Is there a way to put those two pages in a location that is
> accessible by any context? If there is, how do I setup my web.xml
> file?

You want the login pages for every webapp to look the same?

If that's what you really want to do, I think you'll have to use
symbolic links on the filesystem. You're much better off duplicating the
files. That has the advantage of allowing you to customize the login
screens for each application.
-chris



Re: FORM based authentication pages

2003-11-12 Thread Tim Funk
Sorry, tomcat doesn't provide that functionality. A "simple" workaround is to 
keep those pages in a shared area then on site build (I hope you're using 
ant), copy those files into your webapp.

-Tim

Ricardo García wrote:

I have setup Tomcat 4.1 to use FORM based auth, but I've found myself replicating login and error pages in every context I want to protect. The problem is that the path that point to the pages in the  tag in the web.xml file of the context is relative to the context.

   
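<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/auth/login.html</form-login-page>
    <form-error-page>/auth/error.html</form-error-page>
  </form-login-config>
</login-config>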


Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file?





Re: form-based authentication & session.invalidate

2003-10-12 Thread Adam Hardy
Although I've no real idea what an internal tomcat SessionEvent is, it 
sounds like it's a bug. Give me the word and I'll enter it in bugzilla.

Adam

On 10/12/2003 01:57 AM Tim Funk wrote:
Hmm. I always thought that when using the SSO valve, logging out of one 
webapp automatically logs you out of all webapps.

The 5 code looks broken based on *very quick* inspection compared to 4.1 
based on lines 304-308.

if ( event.getData() != null
     && "logout".equals( event.getData().toString() )) {
    // logout of all applications
    deregister(ssoId);
} else {
    // invalidate just one session
    deregister(ssoId, session);
}
I haven't been able to locate how logout can be a value in a SessionEvent.

-Tim

Adam Hardy wrote:

I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%=request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, 
when I invalidate the session, I immediately get a login request. 
Strange.

This is not correct behaviour for tomcat, is it?

Adam


--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: form-based authentication & session.invalidate

2003-10-11 Thread Tim Funk
Hmm. I always thought that when using the SSO valve, logging out of one 
webapp automatically logs you out of all webapps.

The 5 code looks broken based on *very quick* inspection compared to 4.1 
based on lines 304-308.

if ( event.getData() != null
     && "logout".equals( event.getData().toString() )) {
    // logout of all applications
    deregister(ssoId);
} else {
    // invalidate just one session
    deregister(ssoId, session);
}
I haven't been able to locate how logout can be a value in a SessionEvent.

-Tim

Adam Hardy wrote:
I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%=request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when 
I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?

Adam





Re: form-based authentication & session.invalidate

2003-10-11 Thread Adam Hardy
I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%=request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when 
I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?

Adam

On 10/11/2003 06:04 PM Tim Funk wrote:
Authentication information is somewhat stored in the session for form 
based authentication. (I can't remember the specifics) So using 
session.invalidate should log the user out. This works since the session 
id which is a cookie or URL rewriting scheme is what the browser keys in 
on. By invalidating that id on the server, the browser is now sending an 
invalid credential and thus logged out.

In BASIC authentication, the credentials are stored in the web browser 
and sent when/if requested. So the only way to get rid of those stored 
credentials is by closing the web browser.

[Of course, when the web server is restarted or web app restarted - I 
can't recall what happens to the authentication information. ]

-Tim

Adam Hardy wrote:

I am using session.invalidate() to try to cause the user to receive 
another login request, using CMS form-based authentication.

I saw the same issue in bugzilla but for basic authentication:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147

where the tomcat developer/bugzilla person resolved the issue saying 
that CMS basic authentication cannot be manipulated in this way since 
the browser sends the login info with every request, requiring the 
user to close the browser before seeing another login request.

Is this the same for form-based authentication?

I thought that in tomcat4 I was getting new login request for the 
users just by invalidating their sessions. Am I deluding myself?


--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: form-based authentication & session.invalidate

2003-10-11 Thread Tim Funk
Authentication information is somewhat stored in the session for form based 
authentication. (I can't remember the specifics) So using session.invalidate 
should log the user out. This works since the session id which is a cookie or 
URL rewriting scheme is what the browser keys in on. By invalidating that id 
on the server, the browser is now sending an invalid credential and thus 
logged out.

In BASIC authentication, the credentials are stored in the web browser and 
sent when/if requested. So the only way to get rid of those stored 
credentials is by closing the web browser.

[Of course, when the web server is restarted or web app restarted - I can't 
recall what happens to the authentication information. ]

-Tim

Adam Hardy wrote:
I am using session.invalidate() to try to cause the user to receive 
another login request, using CMS form-based authentication.

I saw the same issue in bugzilla but for basic authentication:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147

where the tomcat developer/bugzilla person resolved the issue saying 
that CMS basic authentication cannot be manipulated in this way since 
the browser sends the login info with every request, requiring the user 
to close the browser before seeing another login request.

Is this the same for form-based authentication?

I thought that in tomcat4 I was getting new login request for the users 
just by invalidating their sessions. Am I deluding myself?





RE: form based authentication problem

2003-02-04 Thread Raible, Matt
If you map the filter to the same url-pattern as your protected resource, it
will be called immediately after someone authenticates.

HTH,

Matt

> -Original Message-
> From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 04, 2003 6:59 AM
> To: Tomcat Users List
> Subject: Re: form based authentication problem
> 
> 
> thanks, that's exactly the solution i discussed right now 
> with some other
> developers of my company.
> the question with the filter is whether it is called when the 
> container
> forwards or redirects to the
> claimed resource after the authentication is done? 
> theoretically i'd say yes
> but who knows?
> try and error i guess!
> ralf
> 
> 
> - Original Message -
> From: "Barney Hamish" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Tuesday, February 04, 2003 1:35 PM
> Subject: RE: form based authentication problem
> 
> 
> > I did something like that using struts. I wrote a base 
> action class which
> > all my other action classes extended. The base class performs any
> > initialization (initializing objects in the session etc) as 
> required.
> >
> > If you don't want to use struts you might consider using a filter.
> > Hamish
> >
> > > -Original Message-
> > > From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, February 04, 2003 1:13 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: form based authentication problem
> > >
> > >
> > > guess that was to much of description last time! next try
> > >
> > > can anybody tell me how to do some action, say put an object
> > > in the session
> > > or/and update a list in the servlet context directly after a
> > > user was logged
> > > in successfully via form-based authentication (context) with
> > > a jdbc-realm?
> > >
> > > ralf
> > >
> > >
> > >
> > > 
> 
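
One way to apply the advice above, as an added example that is not code from this thread: a filter mapped to the protected url-pattern that performs the one-time initialisation Ralf asks about (an object in the session, a list in the servlet context). The class name, attribute names and the `/secure/*` pattern are assumptions; the code uses the `javax.servlet` API (`jakarta.servlet` on Tomcat 10 and later).

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// web.xml: give the filter the same url-pattern as the security-constraint
// (the pattern below is a placeholder):
//
//   <filter>
//     <filter-name>postLoginInit</filter-name>
//     <filter-class>PostLoginInitFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>postLoginInit</filter-name>
//     <url-pattern>/secure/*</url-pattern>
//   </filter-mapping>
public class PostLoginInitFilter implements Filter {
    static final String MARKER = "postLoginInit.marker";        // session attribute (assumed name)
    static final String ACTIVE = "postLoginInit.activeLogins";  // context attribute (assumed name)

    // session id -> user name, published through the servlet context
    private final Map<String, String> activeLogins = new ConcurrentHashMap<String, String>();
    private final Object initLock = new Object();

    public void init(FilterConfig config) throws ServletException {
        config.getServletContext().setAttribute(ACTIVE, activeLogins);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            // Non-null only after the container has authenticated the caller.
            String user = request.getRemoteUser();
            if (user != null) {
                HttpSession session = request.getSession();
                if (session.getAttribute(MARKER) == null) {
                    // Two parallel first requests must not both bind a marker.
                    synchronized (initLock) {
                        if (session.getAttribute(MARKER) == null) {
                            session.setAttribute(MARKER,
                                    new LoginMarker(user, session.getId(), activeLogins));
                        }
                    }
                }
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        activeLogins.clear();
    }

    // Bound to the session once per login; the container calls valueUnbound()
    // when the session is invalidated or times out, which removes the entry.
    static final class LoginMarker implements HttpSessionBindingListener, Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        final String sessionId;
        private final transient Map<String, String> registry; // null after deserialisation

        LoginMarker(String user, String sessionId, Map<String, String> registry) {
            this.user = user;
            this.sessionId = sessionId;
            this.registry = registry;
        }

        public void valueBound(HttpSessionBindingEvent event) {
            if (registry != null) {
                registry.put(sessionId, user);
            }
        }

        public void valueUnbound(HttpSessionBindingEvent event) {
            if (registry != null) {
                registry.remove(sessionId);
            }
        }
    }
}
```

Only the user name is kept; the password never reaches the filter, because the container consumes the `j_security_check` POST itself.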






Re: form based authentication problem

2003-02-04 Thread Ralf Lorenz
thanks, that's exactly the solution i discussed right now with some other
developers of my company.
the question with the filter is whether it is called when the container
forwards or redirects to the
claimed resource after the authentication is done? theoretically i'd say yes
but who knows?
try and error i guess!
ralf


- Original Message -
From: "Barney Hamish" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, February 04, 2003 1:35 PM
Subject: RE: form based authentication problem


> I did something like that using struts. I wrote a base action class which
> all my other action classes extended. The base class performs any
> initialization (initializing objects in the session etc) as required.
>
> If you don't want to use struts you might consider using a filter.
> Hamish
>
> > -Original Message-
> > From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 04, 2003 1:13 PM
> > To: [EMAIL PROTECTED]
> > Subject: form based authentication problem
> >
> >
> > guess that was to much of description last time! next try
> >
> > can anybody tell me how to do some action, say put an object
> > in the session
> > or/and update a list in the servlet context directly after a
> > user was logged
> > in successfully via form-based authentication (context) with
> > a jdbc-realm?
> >
> > ralf
> >
> >
> >




RE: form based authentication problem

2003-02-04 Thread Barney Hamish
I did something like that using struts. I wrote a base action class which
all my other action classes extended. The base class performs any
initialization (initializing objects in the session etc) as required.

If you don't want to use struts you might consider using a filter.
Hamish

> -Original Message-
> From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 04, 2003 1:13 PM
> To: [EMAIL PROTECTED]
> Subject: form based authentication problem
> 
> 
> guess that was to much of description last time! next try
> 
> can anybody tell me how to do some action, say put an object 
> in the session
> or/and update a list in the servlet context directly after a 
> user was logged
> in successfully via form-based authentication (context) with 
> a jdbc-realm?
> 
> ralf
> 
> 
> 




Re: Form-based authentication - can I get original URL?

2002-11-25 Thread Craig R. McClanahan


On Mon, 25 Nov 2002, Matt Raible wrote:

> Date: Mon, 25 Nov 2002 17:02:21 -0700
> From: Matt Raible <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: 'Tomcat Users List' <[EMAIL PROTECTED]>
> Subject: Form-based authentication - can I get original URL?
>
> On Tomcat 4/5, I am able to use the following configuration in my
> web.xml:
>
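> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/login.jsp?error=true</form-error-page>
>   </form-login-config>
> </login-config>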
>
>
> However, I know that there are app servers out there that do not support
> this - the form-error-page MUST be a different JSP.  So I'm wondering,
> is there a value I can grab in my login.jsp that tells me the URL of the
> protected resource the user is trying to get to?
>
> I tried <%=request.getRequestURL()%>, but that gives me .../login.jsp -
> and I want mainMenu.do.
>
> I know iPlanet used to set a cookie and I could use that as specified
> at:
>
> http://husted.com/struts/resources/fb-auth.htm

There is no portable mechanism to acquire the request URL that was
originally requested, nor any guarantee that this is even possible.  All
you know is that the container has detected that a protected URL was
requested, and that there was no currently authenticated user.

>
> Thanks,
>
> Matt
>

Craig






Re: Form-based authentication

2002-10-09 Thread Padhu Vinirs

Shouldn't the url format be http://url?user=xxx&password=xxx ? Also, if 
you do this, you could encrypt the password before calling 
sendRedirect and decrypt it at the url cgi.

-- padhu


Rajesh Kanderi wrote:

>how do you access a webpage which has a form-based
>authentication setup using java.
>
>i am able to do it using an href
>http://:@url...
>but the problem is it shows the password. 
>
>I tried to construct the above url in a servlet and
>then doing a sendRedirect. but the sendRedirect
>doesn't seem to like the format of the
>url,specifically having the user:password.
>
>Is there a way to do it using java classes
>URLConnection or HttpURLConnection
>
>
>




Re: Form Based Authentication, getting login and password

2002-10-05 Thread Nikola Milutinovic

Externo wrote:

> Sorry by my English.
> 
> How I can guess login and password strings of an user, from error page (JSP)
> using "Form Based Authentication of Tomcat"?
> 
> I need know it to lock the count each 3 error tries (if login is ok but
> password is bad, instead).


Something like enhanced security mode in some OSes?


> Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of
> HttpServletRequest interface have this result: If no user has been
> authenticated, returns null, false and null respectively. For this reason, they
> aren't utils for me.
> 
> If I don't know login what user wrote, I can't lock his/her count.
> 
> Exist solution for this? Thanks

Only to write your own authentication module. That shouldn't be too hard.

Nix.
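
As an added illustration of the counting such an authentication module has to do (not code from this thread or from Tomcat): because `getRemoteUser()` is null on the error page, failures are counted at the point where the submitted user name and password are checked. `LockoutGuard`, `CredentialChecker` and the demo account are hypothetical names.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/** Locks a user name after a number of consecutive failed logins. */
public class LockoutGuard {
    /** Hypothetical stand-in for the real credential check (JDBC, LDAP, ...). */
    public interface CredentialChecker {
        boolean check(String username, String password);
    }

    public enum Result { OK, BAD_CREDENTIALS, LOCKED }

    private static final class Attempts {
        int failures;
        long lockedUntil;
    }

    private final CredentialChecker checker;
    private final int maxFailures;
    private final long lockMillis;
    private final Map<String, Attempts> attempts;

    public LockoutGuard(CredentialChecker checker, int maxFailures,
                        long lockMillis, final int maxTracked) {
        this.checker = checker;
        this.maxFailures = maxFailures;
        this.lockMillis = lockMillis;
        // Bounded LRU map so a flood of made-up names cannot exhaust memory.
        // Size it well above the number of real accounts, because an evicted
        // entry loses its lock.
        this.attempts = new LinkedHashMap<String, Attempts>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Attempts> eldest) {
                return size() > maxTracked;
            }
        };
    }

    /** The clock is passed in (milliseconds) so the logic can be tested. */
    public synchronized Result authenticate(String username, String password, long now) {
        String key = username == null ? "" : username.trim().toLowerCase(Locale.ROOT);
        Attempts a = attempts.get(key);
        if (a != null && now < a.lockedUntil) {
            // While locked the password is not even tested, so a correct
            // guess during the lock period is not revealed.
            return Result.LOCKED;
        }
        if (checker.check(username, password)) {
            attempts.remove(key);               // success resets the counter
            return Result.OK;
        }
        // Failures are counted for every submitted name, existing or not,
        // so the response does not show which logins exist.
        if (a == null) {
            a = new Attempts();
            attempts.put(key, a);
        }
        a.failures++;
        if (a.failures >= maxFailures) {
            a.lockedUntil = now + lockMillis;
            a.failures = 0;                     // fresh tries once the lock expires
        }
        return Result.BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        // Constructed account, three tries, 15 minute lock.
        long lock = 15 * 60 * 1000L;
        LockoutGuard guard = new LockoutGuard(
                (u, p) -> "externo".equals(u) && "s3cret".equals(p), 3, lock, 10000);
        long t = 0;
        System.out.println(guard.authenticate("externo", "guess1", t));
        System.out.println(guard.authenticate("externo", "guess2", t));
        System.out.println(guard.authenticate("externo", "guess3", t));
        System.out.println(guard.authenticate("externo", "s3cret", t + 1000));
        System.out.println(guard.authenticate("externo", "s3cret", t + lock));
    }
}
```

A fixed lock lets anyone who knows a login name keep that account locked, so the lock period and any unlock procedure need to be chosen with that in mind.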






Re: form based authentication and remote user

2002-06-05 Thread anette mysel

PLEASE REMOVE ME FROM YOUR MAILING LIST. I  DO NOT KNOW YOU. THANK YOU...
- Original Message -
From: "Miguel Angel Medina Lopez" <[EMAIL PROTECTED]>
To: "Tomcat Users" <[EMAIL PROTECTED]>
Sent: Wednesday, June 05, 2002 8:30 AM
Subject: form based authentication and remote user


> Hi all:
>
> I'm using form-based authentication with tomcat 3.2.3. I have a form to
> register the users and I want to set the remote user and role when they
> register to they can access private zones that are protected with the form
> based authentication at this moment. How can I do that?
>
> Thank you all
>
> MAML
>
>




RE: Form-Based-Authentication with Tomcat 4.0.1

2002-04-10 Thread John Gregg

Hello all.

I'm a little surprised how uncommon this problem seems to be on the list.
Anyway, I'll tell you what I know and what to do about it.

Until now we've been using a protected index.html page as the entrypoint for
our app.  However, we've had the same problem Frank had.  Upon starting the
browser, the first login will show the page just fine (the server returned
status 200.)  Subsequent logins using a different browser instance/session
would produce only a blank page where index.html should have been, even
though the login was successful.  In this case the server returned 304.

The problem is that the browser (both Netscape 6.2 and IE 6) caches
index.html the first time it sees it.  However, the second attempt to access
the protected index.html page causes the server to send a 302 (redirect) to
the browser indicating that the browser should load the login form.  For
some reason that I don't understand, both Netscape and IE delete the cached
index.html in response to the 302.  Upon login, then the server responds
with a redirect to index.html and finally a 304.  Netscape then creates an
empty cache file for index.html.  IE doesn't even do that.  Both display a
page with no content.  Choosing refresh in both browsers loads the page
correctly.

Our workaround was to make index.html a jsp by simply changing the
extension.  This seems to have solved our problem.  The browser behavior
here seems to be the problem but since both Netscape and IE do the same
thing, maybe they're just following something in the HTTP spec.

john


-Original Message-
From: Eichfelder, Frank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 4:43 AM
To: [EMAIL PROTECTED]
Subject: Form-Based-Authentication with Tomcat 4.0.1


Hi,

I have a problem with the form-based-authentication with Tomcat 4.0.1.

The problem is:
If I access a protected page for the first time, I am redirected to the
login-page and asked for username and password. If my input is correct, I am
redirected to the desired page.

Now I close the browser (IE 5.5 - cookies are accepted) and restart it.
Now I try the same procedure, reenter my username and password, and get as
result an empty page. In the browser I can see that the correct URL was
demanded, and if I press the Reload-Button, then I see the desired page.
But this behaviour is not what I want, it should work automatically.

Can I do this via server.xml or web.xml settings? Or do I have to rewrite my
html-pages?
I have already added

to the html-pages, without any effect.

To see the difference between first login and second login, I add an extract
of the access-logfile:

First login:
27.0.0.1 - - [31/Oct/2001:11:07:30 1000] "GET /logintest/ HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:30 1000] "GET /logintest/index.html
HTTP/1.1" 304 -
127.0.0.1 - - [31/Oct/2001:11:07:32 1000] "GET
/logintest/secure/securepage.html HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:33 1000] "GET /logintest/LoginForm.html
HTTP/1.1" 200 679
127.0.0.1 - - [31/Oct/2001:11:07:38 1000] "POST /logintest/j_security_check
HTTP/1.1" 302 654
127.0.0.1 - tomcat [31/Oct/2001:11:07:38 1000] "GET
/logintest/secure/securepage.html HTTP/1.1" 200 402

Second login:
127.0.0.1 - - [31/Oct/2001:11:07:50 1000] "GET /logintest/ HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:50 1000] "GET /logintest/index.html
HTTP/1.1" 304 -
127.0.0.1 - - [31/Oct/2001:11:07:51 1000] "GET
/logintest/secure/securepage.html HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:53 1000] "GET /logintest/LoginForm.html
HTTP/1.1" 200 679
127.0.0.1 - - [31/Oct/2001:11:07:58 1000] "POST /logintest/j_security_check
HTTP/1.1" 302 654
127.0.0.1 - tomcat [31/Oct/2001:11:07:58 1000] "GET
/logintest/secure/securepage.html HTTP/1.1" 304 -

As you can see, the difference is in the last line of each section:
In the first time, tomcat returns HTTP-Code 200 (OK), the second time it
returns 304 (Not Modified).

It would be great if anybody would have any suggestions how I can change
this behaviour.

Thanks,

Frank

--
Frank Eichfelder, Dipl.-Inf.
T-Systems Nova GmbH
Entwicklungszentrum Darmstadt
Bereich EP 1 - Bamberg
Memmelsdorfer Straße 209a, 96052 Bamberg
Germany
MailTo:[EMAIL PROTECTED]
--







RE: Form based authentication

2002-01-29 Thread Suchi Somasekar


Hi

I have been using Tomcat 3.2.3 with form based authentication. It works
great.

However, I have an additional requirement now. We need to have another home
page with the username and password boxes on the home page directly which
when submitted must access a protected resource. I understand that setting
the form action to "j_security_check"  here will not work because the login
page will not be triggered and the URL path is not stored.
One way I thought of doing this was to set the action to the protected URL
to trigger the login page and try to retrieve the username and password
instead of getting it from the user at this point. Just like tomcat stores
the URL path does it also store other parameters from the request that
triggered the login page? If so, how do I retrieve it? Is there any other
way I can do this?

Thanks in advance for the help.
Suchi








RE: Form based Authentication / j_security_check not found

2001-12-18 Thread Larry Isaacs

I would recommend to first try sending all "/DSCservlet"
requests to Tomcat and make sure everything works correctly
that way.  Once that is done, then try allowing Apache to serve
some of the content.  That way you will know if problems
appear, they are configuration issues instead of web
application problems.

To map all requests to Tomcat, use:

  JkMount /DSCservlet ajp13
  JkMount /DSCservlet/* ajp13

This is what would be included in the default generated
conf/auto/mod_jk.conf.  When you are ready to try Apache
serving some of the content, add:

forwardAll="false"

to the  element in the server.xml.  This
will write a conf/auto/mod_jk.conf more suitable for this
case.  It will include any servlet mappings you have specified
in your web.xml plus some extras, like for "j_security_check".

Hope this helps,

Cheers,
Larry

> -Original Message-
> From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 18, 2001 10:37 AM
> To: [EMAIL PROTECTED]
> Subject: Form based Authentication / j_security_check not found
> 
> 
> Hi everybody again.
> I'm getting mad on configuring tomcat for my application.
> My be I do not know enough about java, but I have to "Learn 
> it by doing", so please be friendly.
> 
> I'm using form-based authentication and everything works 
> until I submit my login-ID
> If I put LoginForm.html in the servlet-dir, it pops-up, but 
> after entering my login-infos I get 
> "The requested URL /DSCservlet/j_security_check was not found 
> on this server".
> I know, LoginForm.html should be outside the protected area.
> But in my special example, something seems wrong with alias 
> in mod_jk.conf and/or some path in my config-files.
> I searched the mailing-list, but I do not understand the stuff.
> Please help before I'm getting mad
> 
> Thanks Sabine
> 
> my apps-DSC.xml:
> 
>  docBase="/webapps/SSL_apps/dsc/servlet"
> debug="0"
> crossContext="false"
> reloadable="true" >
> 
> 
> 
> 
> my mod_jk.conf
> ...
> Alias /DSCservlet "/webapps/SSL_apps/dsc/servlet"
> 
> Options Indexes FollowSymLinks
> 
> JkMount /DSCservlet/servlet/* ajp13
> JkMount /DSCservlet/*.jsp ajp13
> 
> AllowOverride None
> deny from all
> 
> 
> AllowOverride None
> deny from all
> 
> 
> /webapps/SSL_apps is HTTPS-protected by apache and document-root
> 
> /webapps/SSL_apps/dsc/upload.htm is my page for selecting 
> files for upload. After that, a login-screen should appear (it does).
> This page calls a servlet with 
>  enctype="MULTIPART/FORM-DATA" method="post" name ="EnterFiles">
> 
> Also in this directory "dsc" are the following files
> 
> ResultPageFooter.htm
> ResultPageHeader.htm
> servlet
> servlet/LoginError.html
> servlet/LoginForm.html
> servlet/META-INF
> servlet/META-INF/MANIFEST.MF
> servlet/WEB-INF
> servlet/WEB-INF/web.xml
> servlet/WEB-INF/classes
> servlet/WEB-INF/classes/FileUpload
> servlet/WEB-INF/classes/FileUpload/FileUploader.class
> servlet/WEB-INF/classes/FileUpload/FileUploadException.class
> servlet/WEB-INF/classes/FileUpload/Message.class
> servlet/WEB-INF/classes/FileUpload/UploadServlet.class
> servlet/WEB-INF/classes/properties
> servlet/WEB-INF/classes/properties/FileUpload.properties
> servlet/WEB-INF/classes/properties/FileUploadMessages.properties
> servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties
> 
> my web.xml:
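> <!DOCTYPE web-app
>   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
>   "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
> <web-app>
>   <servlet>
>     <servlet-name>UploadServlet</servlet-name>
>     <servlet-class>FileUpload.UploadServlet</servlet-class>
>   </servlet>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>DSC</web-resource-name>
>       <url-pattern>/*</url-pattern>
>       <http-method>POST</http-method>
>       <http-method>GET</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>er_kunden</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Eingangsregistratur DSC</realm-name>
>     <form-login-config>
>       <form-login-page>/LoginForm.html</form-login-page>
>       <form-error-page>/LoginError.html</form-error-page>
>     </form-login-config>
>   </login-config>
> </web-app>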
> 




RE: Form based Authentication / j_security_check not found

2001-12-18 Thread Bongiorno.Christian

There is a jsp based form login example in the "examples" directory. Copy that whole 
directory over to your servlet directory,
change the login-config to use form based login (look at the example in 
~/webapps/examples/WEB-INF/web.xml) This is a copy and paste trick -- nothing else.

so...

mkdir ~/webapps//jsp

// this is all you need
cp -r ~/webapps/examples/jsp/security ~/webapps//jsp

hack this into the appropriate portion of !/webapps//WEB-INF/web.xml


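<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form based login</realm-name>
  <form-login-config>
    <form-login-page>/jsp/protected/login.jsp</form-login-page>
    <form-error-page>/jsp/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>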



//and comment out the BASIC login-config using 

restart!

easy as pie!

This even does session caching for you!

Chris

-Original Message-
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found


Hi everybody again.
I'm getting mad on configuring tomcat for my application.
My be I do not know enough about java, but I have to "Learn it by doing", so please be 
friendly.

I'm using form-based authentication and everything works until I submit my login-ID
If I put LoginForm.html in the servlet-dir, it pops-up, but after entering my 
login-infos I get 
"The requested URL /DSCservlet/j_security_check was not found on this server".
I know, LoginForm.html should be outside the protected area.
But in my special example, something seems wrong with alias in mod_jk.conf and/or some 
path in my config-files.
I searched the mailing-list, but I do not understand the stuff.
Please help before I'm getting mad

Thanks Sabine

my apps-DSC.xml:






my mod_jk.conf
...
Alias /DSCservlet "/webapps/SSL_apps/dsc/servlet"

Options Indexes FollowSymLinks

JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13

AllowOverride None
deny from all


AllowOverride None
deny from all


/webapps/SSL_apps is HTTPS-protected by apache and document-root

/webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload. After 
that, a login-screen should appear (it does).
This page calls a servlet with 


Also in this directory "dsc" are the following files

ResultPageFooter.htm
ResultPageHeader.htm
servlet
servlet/LoginError.html
servlet/LoginForm.html
servlet/META-INF
servlet/META-INF/MANIFEST.MF
servlet/WEB-INF
servlet/WEB-INF/web.xml
servlet/WEB-INF/classes
servlet/WEB-INF/classes/FileUpload
servlet/WEB-INF/classes/FileUpload/FileUploader.class
servlet/WEB-INF/classes/FileUpload/FileUploadException.class
servlet/WEB-INF/classes/FileUpload/Message.class
servlet/WEB-INF/classes/FileUpload/UploadServlet.class
servlet/WEB-INF/classes/properties
servlet/WEB-INF/classes/properties/FileUpload.properties
servlet/WEB-INF/classes/properties/FileUploadMessages.properties
servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties

my web.xml:

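<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>FileUpload.UploadServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DSC</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>er_kunden</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Eingangsregistratur DSC</realm-name>
    <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>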












RE: Form based Authentication / j_security_check not found

2001-12-18 Thread Guido Medina

Wait, go back to the beginning and try very slow, I passed the same, the
problem with servlet is only in the web.xml file in your app, it is
transparent to Apache Web server, look at the standard examples that comes
with the Tomcat installation, first try as exercise to install the tomcat
from the beginning and run the standard applications, when you get it, try
applying changes and changes, DO NOT JUMP TOO HIGH FROM THE BEGINNING, my
preferred app server is the tomcat but in the beginning is a headache, I can
tell. You are right, if you want to learn you have to teach you yourself,
start slow, with the standard and after apply few changes and so on.

Regards,

Guido.

P.S: The final exercise for you is to configure it with Virtual Host &
Servlet mapping.

-Original Message-
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found


Hi everybody again.
I'm getting mad on configuring tomcat for my application.
My be I do not know enough about java, but I have to "Learn it by doing", so
please be friendly.

I'm using form-based authentication and everything works until I submit my
login-ID
If I put LoginForm.html in the servlet-dir, it pops-up, but after entering
my login-infos I get 
"The requested URL /DSCservlet/j_security_check was not found on this
server".
I know, LoginForm.html should be outside the protected area.
But in my special example, something seems wrong with alias in mod_jk.conf
and/or some path in my config-files.
I searched the mailing-list, but I do not understand the stuff.
Please help before I'm getting mad

Thanks Sabine

my apps-DSC.xml:






my mod_jk.conf
...
Alias /DSCservlet "/webapps/SSL_apps/dsc/servlet"

Options Indexes FollowSymLinks

JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13

AllowOverride None
deny from all


AllowOverride None
deny from all


/webapps/SSL_apps is HTTPS-protected by apache and document-root

/webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload.
After that, a login-screen should appear (it does).
This page calls a servlet with 


Also in this directory "dsc" are the following files

ResultPageFooter.htm
ResultPageHeader.htm
servlet
servlet/LoginError.html
servlet/LoginForm.html
servlet/META-INF
servlet/META-INF/MANIFEST.MF
servlet/WEB-INF
servlet/WEB-INF/web.xml
servlet/WEB-INF/classes
servlet/WEB-INF/classes/FileUpload
servlet/WEB-INF/classes/FileUpload/FileUploader.class
servlet/WEB-INF/classes/FileUpload/FileUploadException.class
servlet/WEB-INF/classes/FileUpload/Message.class
servlet/WEB-INF/classes/FileUpload/UploadServlet.class
servlet/WEB-INF/classes/properties
servlet/WEB-INF/classes/properties/FileUpload.properties
servlet/WEB-INF/classes/properties/FileUploadMessages.properties
servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties

my web.xml:

http://java.sun.com/j2ee/dtds/web-app_2_2.dtd";>


UploadServlet
FileUpload.UploadServlet



DSC
/*
POST
GET


er_kunden


 CONFIDENTIAL



FORM
Eingangsregistratur DSC

/LoginForm.html
/LoginError.html











Re: Form Based authentication problem

2001-09-27 Thread Miguel Angel Medina Lopez

Hi:

Thanks Kaneda but the parameter autoReconnect doesn't work in Postgres.
I have found the error in the server.xml file and now I can't authenticate
fine. Now the problem is that I need the user name in different contexts.
How can I do that? How can I keep client state in different contexts?

Miguel Ángel Medina López


- Original Message -
From: "Kaneda K" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 27, 2001 10:01 AM
Subject: Re: Form Based authentication problem


> This might be (I had a problem that looks the same with Mysql)
> so this might be that it needs to be autoReconnect=true:
>
>   connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"
>
> became :
>
>   connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users?autoReconnect=true"
>
> Try and give me your feed back, please.
>
> At 09:32 27/09/2001 +0200, you wrote:
> >Hi all:
> >
> >I'm working with Tomcat 3.2.3 and postgres 7.0. I want to use form-based
> >authentication and I have included the next lines in the server.xml file:
> >  > className="org.apache.tomcat.request.JDBCRealm"
> > debug="0"
> > driverName="org.postgresql.Driver"
> > connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"
> > connectionName="tomcat"
> > connectionPassword="tomcat"
> > userTable="usuarios"
> > userNameCol="login"
> > userCredCol="password"
> > userRoleTable="usuarios"
> > roleNameCol="role" />
> >
> >The connection to the db is opened successfully but when I put a valid
> >username and password the query doesn't work. The error in the tomcat.log
> >file is:
> > JDBCRealm: The database connection is null or was found to be closed.
> >Trying to re-open it.
> >
> >and the user isn't authenticated.
> >
> >Thank you all
> >
> >-
> >Miguel Ángel Medina López
> >Logic Factory: www.logic-factory.com
> >Granada - España




Re: Form Based authentication problem

2001-09-27 Thread Kaneda K

This might be (I had a problem that looks the same with Mysql)
so this might be that it needs to be autoReconnect=true:

  connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"

became :
  connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users?autoReconnect=true"

Try and give me your feed back, please.

At 09:32 27/09/2001 +0200, you wrote:
>Hi all:
>
>I'm working with Tomcat 3.2.3 and postgres 7.0. I want to use form-based
>authentication and I have included the next lines in the server.xml file:
>  className="org.apache.tomcat.request.JDBCRealm"
> debug="0"
> driverName="org.postgresql.Driver"
> connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"
> connectionName="tomcat"
> connectionPassword="tomcat"
> userTable="usuarios"
> userNameCol="login"
> userCredCol="password"
> userRoleTable="usuarios"
> roleNameCol="role" />
>
>The connection to the db is opened successfully but when I put a valid
>username and password the query doesn't work. The error in the tomcat.log
>file is:
> JDBCRealm: The database connection is null or was found to be closed.
>Trying to re-open it.
>
>and the user isn't authenticated.
>
>Thank you all
>
>-
>Miguel Ángel Medina López
>Logic Factory: www.logic-factory.com
>Granada - España




Re: FORM-based authentication question

2001-09-07 Thread Craig R. McClanahan



On Fri, 7 Sep 2001, Kevin HaleBoyes wrote:

> Date: Fri, 7 Sep 2001 16:48:01 +0100 (BST)
> From: Kevin HaleBoyes <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: FORM-based authentication question
>
> I'm successfully using FORM-based logins in my application but I have
> a few questions.  When a user logs in, I want to attach certain information
> to the session.  Currently I use a filter that checks to see if the
> request.getRemoteUser is set (or has changed) and if so, I do a database
> call to get the User information, instantiate a UserClass and set it into
> the session.  It works fine but...
>
> The filter gets called for every request but only acts when a user logs in.
> Sure the test (to see if anything needs to be done) is simple and fairly
> quick, but it is done for _every_ request.
>
> Is there a better way?
>
> I'm thinking something similar in style to the HttpSessionListener
> interface. Maybe an AuthenticationListener.  Tomcat 4 (or any Servlet
> 2.3 container :) "knows" when a user has been authenticated (or, for
> that matter, when the authentication/session times out) but I don't
> see any way to hook into that event.  The timed out session
> information can be had using the
> HttpSessionListener.sessionDestroyed() method and my application knows
> if, in the very rare case :-) that a user actually logs out.  But
> notification of an authentication seems to be missing (from the
> spec).
>
> The HttpSessionListener.sessionCreated() method doesn't do what I want since
> a session is created even when a user is not authenticated.
>
> How do others attach information to the session once a user has been
> authenticated?
>

You can use HttpSessionListener to detect when the session is created or
destroyed, but there are no servlet API mechanisms that let you hook in to
the "user was authenticated" event.  You could write a Tomcat-specific
mechanism to do that, but for a portable application the filter approach
seems to me to be the best.

> Thanks,
> Kevin HaleBoyes
>

Craig
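
The filter approach discussed in this exchange, as an added example (not code from either poster): the filter does one cheap comparison per request and reloads the profile only when the authenticated name appears or changes. The class name, the session attribute name, the `UserProfile` type and `loadProfile` are hypothetical, and the `javax.servlet` package names of the Servlet 2.3 era are assumed.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Attaches a user profile to the session once the container reports an authenticated user. */
public class UserProfileFilter implements Filter {

    /** Hypothetical session attribute name. */
    static final String PROFILE_ATTR = "example.userProfile";

    /** Hypothetical stand-in for the application's own user class. */
    public static final class UserProfile implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String login;
        UserProfile(String login) { this.login = login; }
        public String getLogin() { return login; }
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // null until the container has authenticated the caller
            String remoteUser = http.getRemoteUser();
            // never create a session just to run the check
            HttpSession session = http.getSession(false);
            if (session != null) {
                UserProfile cached = (UserProfile) session.getAttribute(PROFILE_ATTR);
                if (remoteUser == null) {
                    // not (or no longer) authenticated: do not leave a stale profile behind
                    if (cached != null) {
                        session.removeAttribute(PROFILE_ATTR);
                    }
                } else if (cached == null || !remoteUser.equals(cached.getLogin())) {
                    // first authenticated request, or the identity changed mid-session
                    session.setAttribute(PROFILE_ATTR, loadProfile(remoteUser));
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Placeholder for the database lookup described in the question. */
    protected UserProfile loadProfile(String login) {
        return new UserProfile(login);
    }
}
```

Keying the cached profile on the authenticated name means application code never reads a profile that belongs to a different login than the one the container currently reports.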




Re: form-based authentication tomcat->apache

2001-05-27 Thread Michael Jennings

It worked!
Thanks!
-Mike

- Original Message -
From: "Andrew Robson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 26, 2001 8:14 PM
Subject: Re: form-based authentication tomcat->apache


> Try putting
> JkMount  /examples/jsp/security/login/j_security_check ajp13
> into httpd.conf
>
> andrew
>
> On Sun, 27 May 2001, you wrote:
> > Hi everyone,
> >
> > Has anyone been able to get the form-based authentication example to work
> > with tomcat? I can get it to work if I connect to tomcat's own http-server
> > on port 8080
> > but when I connect to the same example via apache (via mod_jk to tomcat)
> > after I log in I get
> > http://localhost/examples/jsp/security/login/j_security_check
> >
> > with a message saying "the page cannot be found".
> > Is this a known bug in tomcat? Is there some subtle configuration thing
> > I've missed?
> >
> > -Mike Jennings
> >
> > __
> > Mike Jennings
> > Southgate  Software Ltd.
> > 250-382-6851 (ph)
> > 250-382-6800 (fax)
> > [EMAIL PROTECTED]
> -




Re: form-based authentication tomcat->apache

2001-05-26 Thread Andrew Robson

Try putting
JkMount  /examples/jsp/security/login/j_security_check ajp13
into httpd.conf

andrew

On Sun, 27 May 2001, you wrote:
> Hi everyone,
> 
> Has anyone been able to get the form-based authentication example to work
> with tomcat? I can get it to work if I connect to tomcat's own http-server
> on port 8080
> but when I connect to the same example via apache (via mod_jk to tomcat)
> after I log in I get
> http://localhost/examples/jsp/security/login/j_security_check
> 
> with a message saying "the page cannot be found".
> Is this a known bug in tomcat? Is there some subtle configuration thing
> I've missed?
> 
> -Mike Jennings
> 
> __
> Mike Jennings
> Southgate  Software Ltd.
> 250-382-6851 (ph)
> 250-382-6800 (fax)
> [EMAIL PROTECTED]
-
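
Why the login POST gets a 404 from Apache, as an added example that is not part of the original posts: only URLs matched by a `JkMount` pattern reach Tomcat, and `j_security_check` matches neither a `/servlet/*` nor a `*.jsp` rule. The matcher is a simplified model of three pattern shapes (exact, `/prefix/*`, `/prefix/*.ext`), not mod_jk's own code, and the "before" configuration for the examples webapp is constructed.

```java
import java.util.ArrayList;
import java.util.List;

/** Checks whether a URL would be handed to Tomcat under a set of JkMount rules. */
public class JkMountCheck {

    /** Collects the URL pattern of every "JkMount <pattern> <worker>" directive. */
    static List<String> parseMounts(String conf) {
        List<String> patterns = new ArrayList<>();
        for (String line : conf.split("\\R")) {
            String[] tok = line.trim().split("\\s+");
            if (tok.length == 3 && tok[0].equalsIgnoreCase("JkMount")) {
                patterns.add(tok[1]);
            }
        }
        return patterns;
    }

    /** Simplified matching: no '*' means exact, otherwise prefix before '*' and suffix after it. */
    static boolean matches(String pattern, String uri) {
        int star = pattern.indexOf('*');
        if (star < 0) {
            return pattern.equals(uri);
        }
        String prefix = pattern.substring(0, star);
        String suffix = pattern.substring(star + 1);
        return uri.length() >= prefix.length() + suffix.length()
                && uri.startsWith(prefix)
                && uri.endsWith(suffix);
    }

    /** True when at least one mount pattern covers the URI. */
    static boolean forwarded(List<String> mounts, String uri) {
        for (String pattern : mounts) {
            if (matches(pattern, uri)) {
                return true;
            }
        }
        return false;
    }

    static void report(String label, String conf, String uri) {
        boolean ok = forwarded(parseMounts(conf), uri);
        System.out.println(label + ": " + uri
                + (ok ? " -> forwarded to Tomcat" : " -> stays in Apache (not found)"));
    }

    public static void main(String[] args) {
        // Constructed "before" configuration for the examples webapp (not from the posts).
        String before = "JkMount /examples/servlet/* ajp13\n"
                      + "JkMount /examples/*.jsp ajp13\n";
        // The same configuration plus the directive suggested in the reply above.
        String after = before
                + "JkMount  /examples/jsp/security/login/j_security_check ajp13\n";
        String loginPost = "/examples/jsp/security/login/j_security_check";

        // The two JkMount lines quoted in the 2001-12-18 question on this page.
        String dsc = "JkMount /DSCservlet/servlet/* ajp13\n"
                   + "JkMount /DSCservlet/*.jsp ajp13\n";

        report("before", before, loginPost);
        report("after ", after, loginPost);
        report("DSC   ", dsc, "/DSCservlet/j_security_check");
    }
}
```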



Re: Form Based Authentication with Encryption

2001-03-07 Thread Andrew Robson

Hi Amit,
  Firstly I'm assuming you're comfortable with java (rather than just jsp)
programming.
  Also you are going to need a source distribution of tomcat.
If you have that then in TOMCAT_HOME/src/org/apache/tomcat/request
you will be able to see the source code for the authentication modules
provided. To create your own in 3.2 you create a subclass of BaseInterceptor.
( in tomcat 4.0 I believe the class hierarchy has changed and you need to subclass
  org.apache.catalina.realm.RealmBase ). As I said the easiest way to do this
is just copy whichever Realm best fits your needs - I think SimpleRealm for you
- and create your own class by amending the source and adding the functionality
you need.
Now you are going to need to compile this class (with your encryption
mechanism) and add it to tomcat. You can't just use javac to compile your
class because you need to include the other tomcat packages. I rather
simplemindedly added all the jar files in TOMCAT_HOME/lib into
my CLASSPATH, then used javac and then added the class to webserver.jar
using jar. However I believe there is a better way - there is a build
script somewhere which you can run to create a fresh copy of tomcat
which will have your new authentication module. However I can't find it in
my distribution.  As I said once you have added your custom functionality
into Tomcat then you need to edit server.xml to pick up your Realm class rather
than the default.
Sorry don't know of any documentation to help in any of this.
As an aside if you are using the xml file you are going to have to be careful
to deal with concurrency issues in the coding of your new Realm class and
your user registration servlet (assuming this is what you are doing).

Andrew

On Wed, 07 Mar 2001, you wrote:
> 
> Thanks Andrew,
> 
> But,I'm using XML to store my whole data (this is requirement of the product)
> We are not at all using any database.
> 
> So with this regard, would u like to comment something more ?
> Also can u suggest some resource for : creating my own customized "authentication module" ?
> 
> Thanks in advance.
> 
> Regards,
> -Amit.
> 
> - Original Message - 
>   From: Andrew Robson 
>   To: [EMAIL PROTECTED] 
>   Sent: Wednesday, March 07, 2001 3:37 PM
>   Subject: Re: Form Based Authentication with Encryption
> 
> 
> 
> 
>   Hi Amit,
> I'm using 3.2 so details may vary.
>   What you want to do is write your own authentication module.
>   Easier than it sounds. Just take a copy of the authentication module you
>   are using (SimpleRealm?) to use as a base for your own code. Add in
>   the functionality you want, compile and include in 
>   TOMCAT_HOME/lib/webserver.jar
>   Edit server.xml to use your custom authentication module.
>   Also, I'd recommend you look at JDBCRealm so that you can store usernames
>   and passwords in a database. Quite apart from the other advantages you may
>   then be able to take advantage of the db's encryption facilities (e.g. MySql's
>   Password function) and save yourself the bother of writing your own.
> 
>   Hope this helps
>   Andrew
> 
>   On Wed, 07 Mar 2001, you wrote:
>   >
>   > Hi All,
>   >
>   > I'm using tomcat 4.0 Beta1.
>   > I successfully tested out the form based authentication provided with tomcat.
>   >
>   > But , the main problem with it is : It uses plain text to store users,roles and passwords
>   > in the "tomcat-users.xml"   file placed  in TOMCAT_HOME\conf.
>   >
>   > Is there any plugin for tomcat to encrypt the passwords stored in this file ?
>   > or is there any round-about to do so.
>   >
>   > Thanking you in advance.
>   >
>   > With Regards,
>   > -Amit
>   > E-Mail:[EMAIL PROTECTED]
>   > Sansui Software Pvt. Ltd.,Pune
> 
> 




-- 
===
Andrew Robson 
2/1 
723 Pollockshaws Road
Glasgow G44 2AA
 
Tel: (0141) 424 0607
Mobile:  07759 430234 






Re: Form Based Authentication with Encryption

2001-03-07 Thread amit



Thanks Andrew,
 
But,I'm using XML to store my whole data (this is requirement of the product)
We are not at all using any database.
 
So with this regard, would u like to comment something more ?
Also can u suggest some resource for : creating my own customized "authentication module" ?
 
Thanks in advance.
 
Regards,
-Amit.
 
- Original Message -
  From: Andrew Robson
  To: [EMAIL PROTECTED]
  Sent: Wednesday, March 07, 2001 3:37 PM
  Subject: Re: Form Based Authentication with Encryption

  Hi Amit,
    I'm using 3.2 so details may vary.
  What you want to do is write your own authentication module.
  Easier than it sounds. Just take a copy of the authentication module you
  are using (SimpleRealm?) to use as a base for your own code. Add in
  the functionality you want, compile and include in
  TOMCAT_HOME/lib/webserver.jar
  Edit server.xml to use your custom authentication module.
  Also, I'd recommend you look at JDBCRealm so that you can store usernames
  and passwords in a database. Quite apart from the other advantages you may
  then be able to take advantage of the db's encryption facilities (e.g.
  MySql's Password function) and save yourself the bother of writing your own.

  Hope this helps
  Andrew

  On Wed, 07 Mar 2001, you wrote:
  >
  > Hi All,
  >
  > I'm using tomcat 4.0 Beta1.
  > I successfully tested out the form based authentication provided with tomcat.
  >
  > But , the main problem with it is : It uses plain text to store users,roles and passwords
  > in the "tomcat-users.xml"   file placed  in TOMCAT_HOME\conf.
  >
  > Is there any plugin for tomcat to encrypt the passwords stored in this file ?
  > or is there any round-about to do so.
  >
  > Thanking you in advance.
  >
  > With Regards,
  > -Amit
  > E-Mail:[EMAIL PROTECTED]
  > Sansui Software Pvt. Ltd.,Pune


Re: Form Based Authentication with Encryption

2001-03-07 Thread Andrew Robson

Hi Amit,
  I'm using 3.2 so details may vary.
What you want to do is write your own authentication module. 
Easier than it sounds. Just take a copy of the authentication module you 
are using (SimpleRealm?) to use as a base for your own code. Add in
the functionality you want, compile and include in TOMCAT_HOME/lib/webserver.jar
Edit server.xml to use your custom authentication module. 
Also, I'd recommend you look at JDBCRealm so that you can store usernames
and passwords in a database. Quite apart from the other advantages you may 
then be able to take advantage of the db's encryption facilities (e.g. MySql's
Password function) and save yourself the bother of writing your own.

Hope this helps
Andrew

On Wed, 07 Mar 2001, you wrote:
> 
> Hi All,
> 
> I'm using tomcat 4.0 Beta1.
> I successfully tested out the form based authentication provided with tomcat.
> 
> But , the main problem with it is : It uses plain text to store users,roles and passwords
> in the "tomcat-users.xml"   file placed  in TOMCAT_HOME\conf.
> 
> Is there any plugin for tomcat to encrypt the passwords stored in this file ?
> or is there any round-about to do so.
> 
> Thanking you in advance.
> 
> With Regards,
> -Amit
> E-Mail:[EMAIL PROTECTED]
> Sansui Software Pvt. Ltd.,Pune
> 






RE: Form based authentication

2001-02-09 Thread Dilip Dalton

This problem was solved. It was a problem with configuration.
The contexts were not set up properly. This was due to
introducing aliases.

Tomcat by default creates its own context by reading directories
in the webapps directory. If you have aliases it creates contexts
for them too, depending on their properties in the workers.properties
file.
-Dilip


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 08, 2001 4:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Form based authentication




I've run into the same problem.  I created an industrial strength bandaid for
this problem by writing a simple servlet, mapped to /null, that redirects them
where I want to go (which is defined in the web.xml).  I've been too lazy to
investigate what is actually throwing this so if anyone has any insight, please
speak up.  If you need the bandaid code, let me know.

/bill



Dilip Dalton <[EMAIL PROTECTED]> on 02/08/2001 12:36:27 PM



Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Bill Fellows/MO/americancentury)
Subject:  Form based authentication



Hi,

  I am running tomcat 3.2.1, and I have started to use form based
authentication for my application.

  The 'examples' form based authentication works fine. But when I use it
from my application I get the following:

Not Found (404)

Original request: /hyseq/jsp/null

Not found request: /hyseq/jsp/null

  Could anybody shed some light on this,

Thank you,
Dilip.






Re: Form based authentication

2001-02-08 Thread Bill_Fellows/MO/americancentury



I've run into the same problem.  I created an industrial strength bandaid for
this problem by writing a simple servlet, mapped to /null, that redirects them
where I want to go (which is defined in the web.xml).  I've been too lazy to
investigate what is actually throwing this so if anyone has any insight, please
speak up.  If you need the bandaid code, let me know.

/bill



Dilip Dalton <[EMAIL PROTECTED]> on 02/08/2001 12:36:27 PM



Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Bill Fellows/MO/americancentury)
Subject:  Form based authentication



Hi,

  I am running tomcat 3.2.1, and I have started to use form based
authentication for my application.

  The 'examples' form based authentication works fine. But when I use it
from my application I get the following:

Not Found (404)

Original request: /hyseq/jsp/null

Not found request: /hyseq/jsp/null

  Could anybody shed some light on this,

Thank you,
Dilip.






RE: Form based authentication and JDBC Realm with Interbase

2001-01-23 Thread Nigel Stirzaker

Thanks
I've posted it onto the list. Here is a copy as well



   

thanks

Nigel Stirzaker
Software Consultant
SSA Softwright
(01753) 811833 Ext 265
[EMAIL PROTECTED]
www.Softwright.co.uk


-Original Message-
From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 23 January 2001 12:07
To: '[EMAIL PROTECTED]'
Subject: RE: Form based authentication and JDBC Realm with Interbase


Please post your server.xml JDBCRealm config, to have a look at it..

Saludos ,
Ignacio J. Ortega


> -Mensaje original-
> De: Nigel Stirzaker [mailto:[EMAIL PROTECTED]]
> Enviado el: martes 23 de enero de 2001 12:41
> Para: '[EMAIL PROTECTED]'
> Asunto: Form based authentication and JDBC Realm with Interbase
> 
> 
> Hi
> I am trying to get form based authentication working with jBoss/Tomcat and
> interbase 5.6 but I am getting the following error. Interbase is working
> fine for the CMP
> and code and general setup works fine with mySQL (our other trial database).
> It looks to me like the param being setup for the query by
> PreparedStatement.setString
> is Null and hence the error
>
> Version used
> Interclient 1.6
> jBoss 2.0 Final
> Tomcat 3.2
> Win 2000
>
>
> 2001-01-23 10:23:17 - ContextManager: JDBCRealm: JDBCRealm.authenticate:
> SELECT USER_PASS FROM USERS WHERE USER_NAME = ?
>
> 2001-01-23 10:23:18 - Ctx( /war ): Exception in: R( /war + /member/test.jsp
> + null) - java.lang.NullPointerException
>     at interbase.interclient.PreparedStatement.setString(Unknown Source)
>     at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)
>     at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:480)
>     at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java, Compiled Code)
>     at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
>     at org.apache.tomcat.request.JDBCRealm.authorize(JDBCRealm.java:501)
>     at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java, Compiled Code)
>     at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:789)
>     at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
>     at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
>     at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java, Compiled Code)
>     at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java, Compiled Code)
>     at java.lang.Thread.run(Thread.java:479)
> 
> Anybody got any ideas
> Thanks in advance
> 
> Nigel
> 
> Nigel Stirzaker
> Software Consultant
> SSA Softwright
> (01753) 811833 Ext 265
> [EMAIL PROTECTED]
> www.Softwright.co.uk
> 
> 




RE: Form based authentication and JDBC Realm with Interbase

2001-01-23 Thread Ignacio J. Ortega

Please post your server.xml JDBCRealm config, to have a look at it..

Saludos ,
Ignacio J. Ortega


> -Mensaje original-
> De: Nigel Stirzaker [mailto:[EMAIL PROTECTED]]
> Enviado el: martes 23 de enero de 2001 12:41
> Para: '[EMAIL PROTECTED]'
> Asunto: Form based authentication and JDBC Realm with Interbase
> 
> 
> Hi
> I am trying to get form based authentication working with jBoss/Tomcat and
> interbase 5.6 but I am getting the following error. Interbase is working
> fine for the CMP
> and code and general setup works fine with mySQL (our other trial database).
> It looks to me like the param being setup for the query by
> PreparedStatement.setString
> is Null and hence the error
>
> Version used
> Interclient 1.6
> jBoss 2.0 Final
> Tomcat 3.2
> Win 2000
>
>
> 2001-01-23 10:23:17 - ContextManager: JDBCRealm: JDBCRealm.authenticate:
> SELECT USER_PASS FROM USERS WHERE USER_NAME = ?
>
> 2001-01-23 10:23:18 - Ctx( /war ): Exception in: R( /war + /member/test.jsp
> + null) - java.lang.NullPointerException
>     at interbase.interclient.PreparedStatement.setString(Unknown Source)
>     at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)
>     at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:480)
>     at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java, Compiled Code)
>     at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
>     at org.apache.tomcat.request.JDBCRealm.authorize(JDBCRealm.java:501)
>     at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java, Compiled Code)
>     at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:789)
>     at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
>     at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
>     at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java, Compiled Code)
>     at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java, Compiled Code)
>     at java.lang.Thread.run(Thread.java:479)
> 
> Anybody got any ideas
> Thanks in advance
> 
> Nigel
> 
> Nigel Stirzaker
> Software Consultant
> SSA Softwright
> (01753) 811833 Ext 265
> [EMAIL PROTECTED]
> www.Softwright.co.uk
> 
> 




RE: FORM BASED AUTHENTICATION...

2001-01-16 Thread BBueckers

I was using 3.1 and then I found the following post
http://mikal.org/interests/java/tomcat_users/msg02828.html in which they
were having the same types of problems I was experiencing. So I installed ver
3.2.1 and everything works as originally anticipated. All the form based
logins work.

Bob


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: FORM BASED AUTHENTICATION...


Has anyone successfully setup form-based security authentication? Have you
gotten the error page to display when the wrong username/password was
entered? What do you recommend for implementing form-based security?

Thanks in advance,

Bob





RE: FORM based Authentication and JDBC Realm

2001-01-05 Thread Nacho

please send the excerpt of your server.xml file with the
requestinterceptor

Thanks

Saludos ,
Ignacio J. Ortega

-Mensaje original-
De: Vincent Harcq [mailto:[EMAIL PROTECTED]]
Enviado el: viernes 5 de enero de 2001 17:45
Para: [EMAIL PROTECTED]
Asunto: FORM based Authentication and JDBC Realm


Hi!
Tomcat 3.2.1 Interbase 6 Database.
I have setup JDBCRealm and I am trying to use the
/examples/jsp/security/protected/index.jsp that is provided with Tomcat
to validate it.
So I only change server.xml, I use the original web.xml from the example
application.

When I go to the 
I receive Exception
2001-01-05 05:27:31 - ContextManager: JDBCRealm: JDBCRealm.authenticate:
SELECT user_pass FROM j2eeusers WHERE user_name= ?
2001-01-05 05:27:31 - Ctx( /vmi ): Exception in: R( /vmi +
/jsp/protected/index.html + null) - java.lang.NullPointerException
 at interbase.interclient.PreparedStatement.setString(PreparedStatement.java:973)
 at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)

When I first go to the login.jsp, I can log in and then go on the
protected resources.

Strange.

Any ideas ?

Vincent HARCQ




