RE: formbased security

2000-12-07 Thread John de la Garza

I am answering my own question...if anyone cares...

What I realized is that j_username and j_password are just strings on the
session...


-Original Message-
From: John de la Garza [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 07, 2000 1:17 PM
To: Tomcat-Users (E-mail)
Subject: formbased security


I am using formbased security as my main security for the site I'm working
on...


I have an option on the menu that lets users change their info...
The problem happens when they change their password.  As soon as the
password is updated in the database the user is no longer logged in...

I am using the JDBC Realm...

any suggestions?


I was thinking of having the servlet that does the jdbc stuff post to
j_security_check...this probably won't work though...
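For readers who want to see the j_security_check contract John is referring to, here is a minimal login page. It is an added illustration, not code from John's site or from Tomcat; it assumes FORM authentication is configured in web.xml with this page registered as the form-login-page. The action j_security_check and the field names j_username and j_password are fixed by the servlet 2.2 specification; everything else on the page is an assumption.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- /login.jsp, written as XHTML so the container serves it unchanged.
     The form is shown only when the container intercepts a request for a
     protected resource; on success the container replays that request. -->
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Log in</title>
  </head>
  <body>
    <!-- The action must be exactly j_security_check (relative to the
         application) and the field names must be j_username / j_password;
         the container, not a servlet of your own, consumes this POST. -->
    <form method="POST" action="j_security_check">
      <p>Username: <input type="text" name="j_username" /></p>
      <p>Password: <input type="password" name="j_password" /></p>
      <p><input type="submit" value="Log in" /></p>
    </form>
  </body>
</html>
```

The container validates the pair against the realm it was configured with (tomcat-users.xml or a JDBC realm), then either redirects to the originally requested page or to the form-error-page. It processes j_security_check only as the completion of a login it started itself, which is why having your own servlet post to it, as John considers above, is not a dependable way to establish a container login. Note also that the password travels in the POST body in the clear unless the site is served over SSL.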






Re: formbased security

2000-12-05 Thread Craig R. McClanahan

John de la Garza wrote:

 Can someone tell me what the difference is between remote user and principal
 name?

 For example at: http://127.0.0.1/examples/jsp/security/protected/index.jsp

 I see:

 You are logged in as remote user johnd

 Your user principal name is johnd

It depends on how your servlet container implements security.  For Tomcat, the
following rules apply:

* For BASIC, DIGEST, or FORM-BASED authentication,
  using the default SimpleRealm (i.e. the names and roles
  in the tomcat-users.xml file), Tomcat constructs a very
  simple java.security.Principal implementation, using the
  authenticated username as the name, and returns it
  to you.

* For CLIENT-CERT authentication (Tomcat 4.0 only), this
  will be the java.security.Principal object from the first
  certificate in the client certificate chain that was submitted
  by the client.

* If you define your own custom authenticator Realm
  implementation, the returned Principal can be some
  environment-specific object (implements java.security.Principal)
  containing other security related information relevant to your
  environment.

Craig McClanahan





Re: formbased security

2000-12-05 Thread Craig R. McClanahan

"Edara, Indira" wrote:

 I am using tomcat as a standalone webserver. When I send a simple GET request I
 am always getting HTTP 1.0 request back. How do I get an HTTP 1.1 response?
 I am using Tomcat 3.1, I placed the jsptest.jsp file under /tomcat/ROOT folder
 and am requesting this file using telnet.
 Thank you


(NOTE:  You will get better response if you create a new message instead of
replying to one, and you change the message subject to something relevant).

Tomcat 3.1 (and 3.2) do not support HTTP/1.1 in standalone mode, although Tomcat
4.0 does.  To get an HTTP/1.1 response from 3.1 or 3.2, you will need to run it
behind a web server like Apache that supports this.

Craig McClanahan





RE: formbased security

2000-12-04 Thread John de la Garza

Can I manually stick the username/passwd into the server container? So the
user is not asked?  for example they log into my app...then they can browse
around without being asked to 'login' again...

Also can I keep the user/passwd list in a database instead of the
tomcatusers.xml file?







Re: formbased security

2000-12-04 Thread Craig R. McClanahan

John de la Garza wrote:

 Can I manually stick the username/passwd into the server container? So the
 user is not asked?  for example they log into my app...then they can browse
 around without being asked to 'login' again...


Well, that is what actually happens.  Once you log on, your identity is
recognized until you exit your browser (or the server is restarted).


 Also can I keep the user/passwd list in a database instead of the
 tomcatusers.xml file?


There are comments in the "conf/server.xml" file illustrating how you can
replace the SimpleRealm interceptor (that processes "conf/tomcat-users.xml")
with one that uses JDBC to access a database.  Examples of configuration for
several different databases are included.

Craig McClanahan
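As an added illustration of the replacement Craig describes (this is not his text and not the shipped server.xml), here is the shape of a JDBC-backed realm entry for Tomcat 3.2. The interceptor class and attribute names are as I recall them from the server.xml comments he points to, so check them against your own file; the table and column names, the MySQL driver and the connection details are constructed for the example.

```xml
<!-- Goes inside <ContextManager> in conf/server.xml in place of the
     SimpleRealm interceptor that reads conf/tomcat-users.xml.
     Attribute names: verify against the comments in your own server.xml. -->
<RequestInterceptor className="org.apache.tomcat.request.JDBCRealm"
    debug="0"
    driverName="org.gjt.mm.mysql.Driver"
    connectionURL="jdbc:mysql://localhost/authority"
    connectionName="tomcat"
    connectionPassword="CHANGE-ME"
    userTable="users"
    userNameCol="user_name"
    userCredCol="user_pass"
    userRoleTable="user_roles"
    roleNameCol="role_name" />

<!-- Schema the attributes above describe (constructed for this example):
       users(user_name, user_pass)          one row per account
       user_roles(user_name, role_name)     one row per role held
     userNameCol is used as the join column in both tables, and role_name
     values are what <role-name> entries in web.xml are matched against. -->
```

The realm compares the submitted j_password with the user_pass column for the given user_name. Two things a practitioner would want in place: the database account named in connectionName needs nothing beyond read access to these two tables, and server.xml now contains a database password, so its file permissions matter. Whether user_pass can hold a digest instead of a cleartext password depends on the Tomcat version (Tomcat 4.0's JDBCRealm has a digest attribute for this); where it is cleartext, the users table itself becomes the thing to protect.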





Re: formbased security

2000-12-04 Thread Craig R. McClanahan

John de la Garza wrote:

 What I meant was how can I never have them see the tomcat login...I want to
 validate them manually from my own code?

 I have a web based app that the user must log into...I want to log the user in
 to tomcat once they are logged into the application.

 What I meant about being asked twice was that they would be asked to login
 to my app...then asked once to log into tomcat's thing..


If you want the user to experience a single login, you need to choose one
approach or the other -- either have your application do it all, or have Tomcat
do it all.

In the former case, your application would need to do its own checking (on
every request) that the user is still logged in, and redirect them to the login
page if needed.  You would not have a security-constraint or login-config
entries in your web.xml file.

For Tomcat-managed security, you would install such directives, and set up your
users and roles appropriately (by default in the "conf/tomcat-users.xml" file).
You can customize the look and feel of the login page if you choose form-based
authentication.  See the servlet specification
http://java.sun.com/products/servlet/download.html for more information on
this.

Craig McClanahan
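To make the second, Tomcat-managed approach concrete, here is a web.xml for form-based login. It is an added example, not Craig's text or a file from Tomcat. The element names and their order follow the servlet 2.2 DTD; the URL pattern /account/*, the role name member and the two page names are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Everything under /account/ requires an authenticated user holding
       the "member" role.  No <http-method> is listed on purpose: the
       constraint then covers every method, not just GET and POST. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Ask the container to require SSL for these URLs, so the password
         posted to j_security_check is not sent in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM instead of BASIC: the container shows /login.jsp (which posts
       j_username / j_password to j_security_check) on the first request
       for a protected page, and /login-error.jsp on a failed attempt. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role used above so the container can map it to the
       roles the realm (tomcat-users.xml or a JDBC realm) hands back. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

With this in place the application does no password checking of its own; it only reads request.getRemoteUser() or request.getUserPrincipal() and asks request.isUserInRole("member") where it needs a finer decision, which is exactly the split Craig describes. The two details worth checking are the ones commented in the file: listing only GET and POST under the resource collection would leave the other methods unconstrained, and without the CONFIDENTIAL guarantee the login form is no better protected on the wire than BASIC authentication.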





RE: formbased security

2000-12-04 Thread Edara, Indira

I am using tomcat as a standalone webserver. When I send a simple GET request I
am always getting HTTP 1.0 request back. How do I get an HTTP 1.1 response?
I am using Tomcat 3.1, I placed the jsptest.jsp file under /tomcat/ROOT folder
and am requesting this file using telnet.
Thank you

-Original Message-
From: John de la Garza [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 04, 2000 1:45 PM
To: [EMAIL PROTECTED]
Subject: RE: formbased security


Thanks!

You've been super helpful, just wanted to let you know I really appreciate
it and have got a lot out of your quick responses!  I normally don't get
support this good, even when it is billed at $100 a question.






Re: formbased security

2000-11-30 Thread Craig R. McClanahan

John de la Garza wrote:

 where can I get complete documentation on formbased security?  The servlet
 2.2 spec is sufficient.

http://java.sun.com/products/servlet/download.html

Craig



Re: formbased security

2000-11-30 Thread Craig R. McClanahan

John de la Garza wrote:

 arg!

 I meant insufficient...sorry


I wondered if that's what you really meant :-)


 Is there more than the servlet 2.2 spec?


You might look into some of the new books and articles coming out that talk
about servlet 2.2.  Or, you could ask specific questions on issues that are not
clear.

Form based login started making sense for me after I understood the basic
philosophy.  Have you ever accessed a web site that uses BASIC security to pop
up a username/password dialog box?  And then, after you were successfully
authenticated, the server gave you the requested page?

Form based login should feel very much like that from the user's perspective.
The first time he or she tries to access a protected page, the login page will
be shown first -- once they log on successfully, the originally requested page
will be shown.

It's not any more or less secure than BASIC authentication -- but form based
login lets you customize the look and feel of the login page, where BASIC
authentication does not.

Craig McClanahan