Re: Form Auth + xml users database

2005-02-06 Thread Omar Adobati
>But did you "connect" the UserDatabase
> with the web-application by specifying a realm in your context?
> (context.xml or server.xml)

How can I set the Realm in my Context to specify an xml database?
(maybe this is the main problem because it actually does not exist)

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Form Auth + xml users database

2005-02-06 Thread Mario Winterer
You are right! I'm sorry for any confusion!
I thought  is just for environment variables (similar 
to env-entry). I should have read the docu to its end... ;-)

Nevertheless, I think this resource reference is not required for 
servlet-security.

 Tex
sven morales wrote:
Hi,
  It is not wrong to have that resource-env-ref
within his web.xml.  Look at the
manager/WEB_INF/web.xml for a working application
("manager") and you will see exact elements.
aka_sergio
--- Mario Winterer <[EMAIL PROTECTED]> wrote:
 

Hi again!
I've noticed one thing in your configuration - but I
do not know if this 
is the reason for your problem:
Remove the  entries from
web.xml. You do not need 
a JNDI-reference to your user database here! (Apart
from that this is 
wrong - it should be a -element
instead.)

Apart from that: You've specified a UserDatabase
that holds your 
login-data. You've specified which resources of your
web-application 
should be accessible by whom. But did you "connect"
the UserDatabase 
with the web-application by specifying a realm in
your context? 
(context.xml or server.xml)

Best regards,
 Tex
Omar Adobati wrote:
Good Morning,
I'm trying to set up an authentication task using the form method
and an xml files to store the users and their roles.
Now, I've add this to the web.xml file:
==
[...]
PhotoUsers
org.apache.catalina.UserDatabase
Photoalbum Security Constraints
Photoalbum
/controlPanel.jsp
/photoUpload.jsp
/login.jsp
DELETE
GET
POST
PUT
photoalbum
admin
FORM
PhotoUsers
/login.jsp
/error.jsp
photoalbum
admin
[...]
==
then I've added the following lines to the between the context tag of
the webapplication:
==
docBase="." relodable="true" privileged="true">
className="org.apache.catalina.valves.AccessLogValve"
directory="logs/photoalbum/" fileDateFormat="-MM-dd"
prefix="photoalbum_access_log." suffix=".txt"/>
type="java.lang.Integer" name="simpleValue"/>
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
auth="Container" name="PhotoUsers"/>
factory
org.apache.catalina.users.MemoryUserDatabaseFactory
pathname
/photoalbum-users.xml
==
and I have put the file photoalbum-users.xml in the same folder as
the previous file.
Now, this seems to not work... can anyone help me?
Omar


Re: Form Auth + xml users database

2005-02-06 Thread Mario Winterer
Hi!
So when you try to access one of the protected resources via browser, 
are these resources protected (I mean can you access them, or does 
tomcat redirect you to your login-page, or do you get an "access denied" 
page?)

 Tex
Omar Adobati wrote:
I'm very sorry,
"don't seems to work" mean that I can use the authentication
procedure with the names I have stored in my xml database... this is
what I mean saying that it's not works
hope this should be more helpfully
On Sun, 06 Feb 2005 18:43:45 +0100, Mario Winterer
<[EMAIL PROTECTED]> wrote:
 

Hi!
What does "Now, this seems to not work..." mean???
Please go more into detai! We cannot tell you how to fix it if you do
not tell us WHAT is going wrong! (e.g.: Tomcat can't start; Tomcat
starts but web-app. can't start; Tomcat starts, webapp starts but you
get exceptions each time you request your web-app; Everything fine but
the specified resource is not secured; Everything fine and the specified
resource is secured but even when I enter the correct username/password
I can't access it; ...).
Best regards,
Tex
Omar Adobati wrote:
   

Good Morning,
I'm trying to set up an authentication task using the form method
and an xml files to store the users and their roles.
Now, I've add this to the web.xml file:
==
[...]

  PhotoUsers
  
org.apache.catalina.UserDatabase


  Photoalbum Security Constraints
  
Photoalbum
/controlPanel.jsp
/photoUpload.jsp
/login.jsp
DELETE
GET
POST
PUT
  
  
photoalbum
admin
  


FORM
PhotoUsers

  /login.jsp
  /error.jsp

  

  photoalbum


  admin

[...]
==
then I've added the following lines to the between the context tag of
the webapplication:
==




  
  
  

  factory
  org.apache.catalina.users.MemoryUserDatabaseFactory


  pathname
  /photoalbum-users.xml

  



==
and I have putted the file photoalbum-users.xml in the same folder as
the previous file.
Now, this seems to not work... does' anyone can help me?
Omar


Re: Form Auth + xml users database

2005-02-06 Thread sven morales
Hi,
   It is not wrong to have that resource-env-ref
within his web.xml.  Look at the
manager/WEB_INF/web.xml for a working application
("manager") and you will see exact elements.

aka_sergio

--- Mario Winterer <[EMAIL PROTECTED]> wrote:

> Hi again!
> 
> I've noticed one thing in your configuration - but I
> do not know if this 
> is the reason for your problem:
> Remove the  entries from
> web.xml. You do not need 
> a JNDI-reference to your user database here! (Apart
> from that this is 
> wrong - it should be a -element
> instead.)
> 
> Apart from that: You've specified a UserDatabase
> that holds your 
> login-data. You've specified which resources of your
> web-application 
> should be accessible by whom. But did you "connect"
> the UserDatabase 
> with the web-application by specifying a realm in
> your context? 
> (context.xml or server.xml)
> 
> Best regards,
>   Tex
> 
> Omar Adobati wrote:
> 
> >Good Morning,
> >
> >  I'm trying to set up an authentication task using
> the form method
> >and an xml files to store the users and their
> roles.
> >Now, I've add this to the web.xml file:
> >
> >==
> >[...]
> >
> >   
>
PhotoUsers
> >   
>
org.apache.catalina.UserDatabase
> >  
> >  
> >Photoalbum Security
> Constraints
> >
> > 
> Photoalbum
> >  /controlPanel.jsp
> >  /photoUpload.jsp
> >  /login.jsp  
> >  DELETE
> >  GET
> >  POST
> >  PUT
> >
> >
> >  photoalbum
> >  admin
> >
> >  
> >  
> >  FORM   
> >  PhotoUsers   
> >  
> >   
> /login.jsp
> >   
> /error.jsp   
> 
> >  
> >
> >  
> >photoalbum
> >  
> >  
> >admin
> >  
> >[...]
> >==
> >
> >then I've added the following lines to the between
> the context tag of
> >the webapplication:
> >
> >==
> >
> > docBase="." relodable="true"
> >privileged="true">
> >  
className="org.apache.catalina.valves.AccessLogValve"
> >directory="logs/photoalbum/"
> fileDateFormat="-MM-dd"
> >prefix="photoalbum_access_log." suffix=".txt"/>
> >  
> > type="java.lang.Integer" name="simpleValue"/>
> > type="org.apache.catalina.UserDatabase"
> >description="User database that can be updated and
> saved"
> >auth="Container" name="PhotoUsers"/>
> >
> >  
> >factory
> >   
>
org.apache.catalina.users.MemoryUserDatabaseFactory
> >  
> >  
> >pathname
> >/photoalbum-users.xml
> >  
> >
> >  
> >   >type="org.apache.catalina.UserDatabase"/>
> >
> >==
> >
> >and I have putted the file photoalbum-users.xml in
> the same folder as
> >the previous file.
> >
> >Now, this seems to not work... does' anyone can
> help me?
> >
> >Omar
> >



Re: Form Auth + xml users database

2005-02-06 Thread Omar Adobati
I'm very sorry,
 "don't seems to work" means that I can use the authentication
procedure with the names I have stored in my xml database... this is
what I mean by saying that it does not work

hope this should be more helpful


On Sun, 06 Feb 2005 18:43:45 +0100, Mario Winterer
<[EMAIL PROTECTED]> wrote:
> Hi!
> 
> What does "Now, this seems to not work..." mean???
> Please go more into detai! We cannot tell you how to fix it if you do
> not tell us WHAT is going wrong! (e.g.: Tomcat can't start; Tomcat
> starts but web-app. can't start; Tomcat starts, webapp starts but you
> get exceptions each time you request your web-app; Everything fine but
> the specified resource is not secured; Everything fine and the specified
> resource is secured but even when I enter the correct username/password
> I can't access it; ...).
> 
> Best regards,
>  Tex
> 
> Omar Adobati wrote:
> 
> >Good Morning,
> >
> >  I'm trying to set up an authentication task using the form method
> >and an xml files to store the users and their roles.
> >Now, I've add this to the web.xml file:
> >
> >==
> >[...]
> >
> >PhotoUsers
> >
> > org.apache.catalina.UserDatabase
> >  
> >  
> >Photoalbum Security Constraints
> >
> >  Photoalbum
> >  /controlPanel.jsp
> >  /photoUpload.jsp
> >  /login.jsp
> >  DELETE
> >  GET
> >  POST
> >  PUT
> >
> >
> >  photoalbum
> >  admin
> >
> >  
> >  
> >  FORM
> >  PhotoUsers
> >  
> >/login.jsp
> >/error.jsp
> >  
> >
> >  
> >photoalbum
> >  
> >  
> >admin
> >  
> >[...]
> >==
> >
> >then I've added the following lines to the between the context tag of
> >the webapplication:
> >
> >==
> >
> > >privileged="true">
> >   >directory="logs/photoalbum/" fileDateFormat="-MM-dd"
> >prefix="photoalbum_access_log." suffix=".txt"/>
> >  
> >
> > >description="User database that can be updated and saved"
> >auth="Container" name="PhotoUsers"/>
> >
> >  
> >factory
> >org.apache.catalina.users.MemoryUserDatabaseFactory
> >  
> >  
> >pathname
> >/photoalbum-users.xml
> >  
> >
> >  
> >   >type="org.apache.catalina.UserDatabase"/>
> >
> >==
> >
> >and I have putted the file photoalbum-users.xml in the same folder as
> >the previous file.
> >
> >Now, this seems to not work... does' anyone can help me?
> >
> >Omar
> >
> 


-- 
Adobati Omar
[EMAIL PROTECTED]




Re: Form Auth + xml users database

2005-02-06 Thread Mario Winterer
Hi again!
I've noticed one thing in your configuration - but I do not know if this 
is the reason for your problem:
Remove the  entries from web.xml. You do not need 
a JNDI-reference to your user database here! (Apart from that this is 
wrong - it should be a -element instead.)

Apart from that: You've specified a UserDatabase that holds your 
login-data. You've specified which resources of your web-application 
should be accessible by whom. But did you "connect" the UserDatabase 
with the web-application by specifying a realm in your context? 
(context.xml or server.xml)

Best regards,
 Tex
Omar Adobati wrote:
Good Morning,
 I'm trying to set up an authentication task using the form method
and an xml files to store the users and their roles.
Now, I've add this to the web.xml file:
==
[...]

   PhotoUsers
   org.apache.catalina.UserDatabase
 
 
   Photoalbum Security Constraints
   
 Photoalbum
 /controlPanel.jsp
 /photoUpload.jsp
 /login.jsp  
 DELETE
 GET
 POST
 PUT
   
   
 photoalbum
 admin
   
 
 
 FORM   
 PhotoUsers   
 
   /login.jsp
   /error.jsp
 
   
 
   photoalbum
 
 
   admin
 
[...]
==

then I've added the following lines to the between the context tag of
the webapplication:
==


 
 
   
   
   
 
   factory
   org.apache.catalina.users.MemoryUserDatabaseFactory
 
 
   pathname
   /photoalbum-users.xml
 
   
 
 

==
and I have putted the file photoalbum-users.xml in the same folder as
the previous file.
Now, this seems to not work... does' anyone can help me?
Omar
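
The gaps this reply asks about can be checked mechanically. The script below is an added example, not code from the thread or from Tomcat: it audits a web.xml plus Tomcat container config for a missing or mis-named UserDatabaseRealm and for two constraint pitfalls in the posted descriptor. The XML samples are constructed from the values quoted above using standard Servlet descriptor element names, and the finding codes are made up for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the values quoted in the thread, placed in standard
# Servlet deployment-descriptor elements (the archive stripped the tags).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Photoalbum</web-resource-name>
      <url-pattern>/controlPanel.jsp</url-pattern>
      <url-pattern>/photoUpload.jsp</url-pattern>
      <url-pattern>/login.jsp</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>photoalbum</role-name><role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>PhotoUsers</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>photoalbum</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed: a Context that declares the user database but no Realm.
CONTEXT_XML = """<Context docBase=".">
  <Resource name="PhotoUsers" auth="Container"
            type="org.apache.catalina.UserDatabase"/>
</Context>"""

# Constructed, trimmed server.xml: the database is a global resource and a
# UserDatabaseRealm inside the Context names it.
WIRED_XML = """<Server><GlobalNamingResources>
  <Resource name="PhotoUsers" auth="Container"
            type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources><Service><Engine><Host><Context docBase=".">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="PhotoUsers"/>
</Context></Host></Engine></Service></Server>"""

def _parse(text):
    """Parse XML and drop namespaces so namespaced descriptors match too."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def _texts(node, path):
    return [(e.text or "").strip() for e in node.findall(path)]

def _covers(pattern, path):
    """Servlet url-pattern match: exact, '/dir/*', '*.ext', or catch-all."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def audit(web_xml, container_xml):
    """Return (code, detail) findings for a web.xml and its Tomcat config."""
    web, conf = _parse(web_xml), _parse(container_xml)
    findings = []
    declared = set(_texts(web, "security-role/role-name"))
    pages = _texts(web, "login-config/form-login-config/*")
    for sc in web.findall("security-constraint"):
        roles = _texts(sc, "auth-constraint/role-name")
        findings += [("undeclared-role", r) for r in roles
                     if r != "*" and r not in declared]
        for wrc in sc.findall("web-resource-collection"):
            methods = _texts(wrc, "http-method")
            if methods:  # methods not listed are left unconstrained
                findings.append(("method-gap", ",".join(sorted(methods))))
            patterns = _texts(wrc, "url-pattern")
            findings += [("login-page-protected", p) for p in pages
                         if roles and any(_covers(u, p) for u in patterns)]
    if web.find("login-config") is not None:
        realms = [r for c in conf.iter("Context") for r in c.findall("Realm")]
        if not realms:  # the enclosing Host/Engine realm is used instead
            findings.append(("no-realm-in-context", ""))
        dbs = {r.get("name") for r in conf.iter("Resource")
               if r.get("type") == "org.apache.catalina.UserDatabase"}
        for realm in realms:
            if (realm.get("className", "").endswith("UserDatabaseRealm")
                    and realm.get("resourceName") not in dbs):
                findings.append(("realm-resource-missing",
                                 realm.get("resourceName") or ""))
    return findings

if __name__ == "__main__":
    for code, detail in audit(WEB_XML, CONTEXT_XML):
        print(code, detail)
```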


Re: Form Auth + xml users database

2005-02-06 Thread sven morales
Hi,
   At first glance your config seems to be okay. 
However, confirm that  can be a
sub-element within .   I suspect it is not. 
Consult this link:

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/context.html

aka_sergio
--- Omar Adobati <[EMAIL PROTECTED]> wrote:

> Good Morning,
> 
>   I'm trying to set up an authentication task using
> the form method
> and an xml files to store the users and their roles.
> Now, I've add this to the web.xml file:
> 
> ==
> [...]
> 
>
>
PhotoUsers
>
>
org.apache.catalina.UserDatabase
>   
>   
> Photoalbum Security
> Constraints
> 
>  
> Photoalbum
>   /controlPanel.jsp
>   /photoUpload.jsp
>   /login.jsp  
>   DELETE
>   GET
>   POST
>   PUT
> 
> 
>   photoalbum
>   admin
> 
>   
>   
>   FORM   
>   PhotoUsers   
>   
>
> /login.jsp
>
> /error.jsp   
> 
>   
> 
>   
> photoalbum
>   
>   
> admin
>   
> [...]
> ==
> 
> then I've added the following lines to the between
> the context tag of
> the webapplication:
> 
> ==
> 
>  docBase="." relodable="true"
> privileged="true">
>   
className="org.apache.catalina.valves.AccessLogValve"
> directory="logs/photoalbum/"
> fileDateFormat="-MM-dd"
> prefix="photoalbum_access_log." suffix=".txt"/>
>   
>  name="simpleValue"/>
>  type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and
> saved"
> auth="Container" name="PhotoUsers"/>
> 
>   
> factory
>
>
org.apache.catalina.users.MemoryUserDatabaseFactory
>   
>   
> pathname
> /photoalbum-users.xml
>   
> 
>   
>type="org.apache.catalina.UserDatabase"/>
> 
> ==
> 
> and I have putted the file photoalbum-users.xml in
> the same folder as
> the previous file.
> 
> Now, this seems to not work... does' anyone can help
> me?
> 
> Omar
> 



Re: Form Auth + xml users database

2005-02-06 Thread Mario Winterer
Hi!
What does "Now, this seems to not work..." mean???
Please go more into detail! We cannot tell you how to fix it if you do 
not tell us WHAT is going wrong! (e.g.: Tomcat can't start; Tomcat 
starts but web-app. can't start; Tomcat starts, webapp starts but you 
get exceptions each time you request your web-app; Everything fine but 
the specified resource is not secured; Everything fine and the specified 
resource is secured but even when I enter the correct username/password 
I can't access it; ...).

Best regards,
 Tex
Omar Adobati wrote:
Good Morning,
 I'm trying to set up an authentication task using the form method
and an xml files to store the users and their roles.
Now, I've add this to the web.xml file:
==
[...]

   PhotoUsers
   org.apache.catalina.UserDatabase
 
 
   Photoalbum Security Constraints
   
 Photoalbum
 /controlPanel.jsp
 /photoUpload.jsp
 /login.jsp  
 DELETE
 GET
 POST
 PUT
   
   
 photoalbum
 admin
   
 
 
 FORM   
 PhotoUsers   
 
   /login.jsp
   /error.jsp
 
   
 
   photoalbum
 
 
   admin
 
[...]
==

then I've added the following lines to the between the context tag of
the webapplication:
==


 
 
   
   
   
 
   factory
   org.apache.catalina.users.MemoryUserDatabaseFactory
 
 
   pathname
   /photoalbum-users.xml
 
   
 
 

==
and I have putted the file photoalbum-users.xml in the same folder as
the previous file.
Now, this seems to not work... does' anyone can help me?
Omar


Re: Form Auth

2003-04-01 Thread Michael D. Kirkpatrick
Thanks.  I will look into it.

Paul Yunusov wrote:

> On Tuesday 01 April 2003 10:05 am, Michael D. Kirkpatrick wrote:
> > I am not quite sure if this question is suitable for this mailing list.  If
> > not, please forgive me.
> >
> > I am using the form authentication for adding security to one of my apps.
> > Since this app will be in use with several web sites, I am forced to pass
> > something like "?site=somesite" in my url.
> > The problem that I am running into is that on the actual login form, I do
> > not have access to the original query string.
> > The login page has 2 links: Create account and Recover Password.
> > I need that original query string so I can reference the proper web site's
> > information.
> > What I have access to is the query string of
> > "/some_app/login.jsp?name=value" for displaying the login screen.
> > That query is what I have placed in web.xml.
> >
> > So here is my question.  How can I capture the original query string or
> > make the query string in web.xml dynamic?
>
> I have a gut feeling you want to know how to keep a parameter across requests.
> There is an abstraction called "session" for storing data across multiple
> servlet requests from the same client. Check the
> javax.servlet.http.HttpSession interface and, in particular, its setAttribute
> and getAttribute methods.
>
> Paul
>



Re: Form Auth

2003-04-01 Thread Paul Yunusov
On Tuesday 01 April 2003 10:05 am, Michael D. Kirkpatrick wrote:
> I am not quite sure if this question is suitable for this mailing list.  If
> not, please forgive me.
>
> I am using the form authentication for adding security to one of my apps.
> Since this app will be in use with several web sites, I am forced to pass
> something like "?site=somesite" in my url.
> The problem that I am running into is that on the actual login form, I do
> not have access to the original query string.
> The login page has 2 links: Create account and Recover Password.
> I need that original query string so I can reference the proper web site's
> information.
> What I have access to is the query string of
> "/some_app/login.jsp?name=value" for displaying the login screen.
> That query is what I have placed in web.xml.
>
> So here is my question.  How can I capture the original query string or
> make the query string in web.xml dynamic?

I have a gut feeling you want to know how to keep a parameter across requests. 
There is an abstraction called "session" for storing data across multiple 
servlet requests from the same client. Check the 
javax.servlet.http.HttpSession interface and, in particular, its setAttribute 
and getAttribute methods.

Paul




Re: Form Auth

2003-04-01 Thread Michael D. Kirkpatrick
Same thing...

Jeff Tulley wrote:

> It is done through server.xml.  I don't know what web server connector
> you were using, but if it was Apache and mod_jk, you can still use it.
>
> On Tomcat's side, comment out the Coyote connector, which looks like:
> port="8009" minProcessors="5" maxProcessors="75"
>enableLookups="true" redirectPort="8443"
>acceptCount="10" debug="0" connectionTimeout="0"
>useURIValidationHack="false"
>
> protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
>
> Instead, use:
> port="8009" minProcessors="5" maxProcessors="75"
>acceptCount="10" debug="0"/>
>
> The problem is that this connector is deprecated and probably will give
> you an MBean exception.
>
> If you want to just verify the problem, you can try it out on an older
> but still functional HTTP connector.  Comment out the connector that
> looks like:
> port="8080" minProcessors="5" maxProcessors="75"
>enableLookups="true" redirectPort="8443"
>acceptCount="100" debug="0" connectionTimeout="2"
>useURIValidationHack="false" disableUploadTimeout="true"
> />
>
> And uncomment the one that looks like:
>
>  className="org.apache.catalina.connector.http.HttpConnector"
>port="8083" minProcessors="5" maxProcessors="75"
>enableLookups="true" redirectPort="8443"
>acceptCount="10" debug="0" />
>
> You might want to change the port to 8080 and/or change some of the
> tuning parameters, max and minProcessors to be the same as they were on
> your other connector.
>
> If your form parameters are preserved, then you know that it is the same
> issue.
>
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> [EMAIL PROTECTED] 4/1/03 9:59:07 AM >>>
> Ok.
>
> For configuration and some implementation, I am still a newbie here.  How
> do you change the connector to a non-Coyote one?  Which one would you
> recommend? Where can I find it?
>
> Jeff Tulley wrote:
>
> > I just found out that this is a known problem with the Coyote
> > connectors, both the HTTP connector and the JkHandler connector.
> > There is some code not implemented or something, and there is already
> a
> > bug report in bugzilla.
> >
> > To verify if we are talking about the same thing, go back to using
> an
> > old non-Coyote connector and see if your form parameters
> > are preserved across the login.
> >
> > This really needs to be fixed.  You can vote on the bug, it is
> #10229
> >
> > Jeff Tulley  ([EMAIL PROTECTED])
> > (801)861-5322
> > Novell, Inc., The Leading Provider of Net Business Solutions
> > http://www.novell.com
> >
> > >>> [EMAIL PROTECTED] 4/1/03 8:40:36 AM >>>
> > It returns "null".
> >
> > I noticed that it places all the POST/GET information into a session
> to
> > be
> > re-submitted to the actual page after successful login.  Know of a
> way
> > that I can
> > access the session information to extract a specific string in it?
> >
> > Henning Heil wrote:
> >
> > > Hi Michael,
> > >
> > >  Michael D. Kirkpatrick wrote on 01.04.2003 17:05 
> > >
> > > >I am not quite sure if this question is suitable for this mailing
> > list.  If
> > > >not, please forgive me.
> > > >
> > > >[snip]
> > > >
> > > >So here is my question.  How can I capture the original query
> string
> > or make
> > > >the query string in web.xml dynamic?
> > > >
> > > in general I would not recommend to set the string in the web.xml.
> > > first part of your question: you can read out any parameter of a
> post
> > or
> > > get string by request.getParameter(String parametername);
> > > second part: there are multiple ways to manipulate the request
> > > parameters: java -> request.setAttribute(String attributename,
> > String
> > > value); or by hidden fields in html forms or with select-fields
> > which
> > > are submitted . . .
> > >
> > > I would suggest:
> > >
> > > read out the site the user is coming from with
> > >
> > > String mysite = request.getParameter("site");
> > >
> > > (of course you have to add this to the string somewhere on the
> > original
> > > page)
> > >
> > > write it to newly generated links:
> > >
> > > out.println("passwordsubmitter.jsp?site=" + mysite);
> > >
> > > or sth like this . . .
> > >
> > > >I am also looking for mailing lists for the following:
> > > >Struts Questions
> > > >
> > > there's one on the apache.org site I think -> struts  . . .
> > >
> > > >General Java Questions
> > > >J2EE Questions
> > > >
> > > no mailing but extremely cool & helpful people there and also
> > mailing
> > > mechanisms to keep track of your threads:
> > > http://forums.java.sun.com/
> > >
> > > >If anyone can point me in the right direction, it would be
> greatly
> > > >appreciated.
> > > >
> > > >Thanks in advance.
> > > >
> >

Re: Form Auth

2003-04-01 Thread Jeff Tulley
It is done through server.xml.  I don't know what web server connector
you were using, but if it was Apache and mod_jk, you can still use it.

On Tomcat's side, comment out the Coyote connector, which looks like:


Instead, use:


The problem is that this connector is deprecated and probably will give
you an MBean exception.

If you want to just verify the problem, you can try it out on an older
but still functional HTTP connector.  Comment out the connector that
looks like:


And uncomment the one that looks like:



You might want to change the port to 8080 and/or change some of the
tuning parameters, max and minProcessors to be the same as they were on
your other connector.

If your form parameters are preserved, then you know that it is the same
issue.

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 4/1/03 9:59:07 AM >>>
Ok.

For configuration and some implementation, I am still a newbie here.  How
do you change the connector to a non-Coyote one?  Which one would you
recommend? Where can I find it?

Jeff Tulley wrote:

> I just found out that this is a known problem with the Coyote
> connectors, both the HTTP connector and the JkHandler connector.
> There is some code not implemented or something, and there is already a
> bug report in bugzilla.
>
> To verify if we are talking about the same thing, go back to using an
> old non-Coyote connector and see if your form parameters
> are preserved across the login.
>
> This really needs to be fixed.  You can vote on the bug, it is #10229
>
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com 
>
> >>> [EMAIL PROTECTED] 4/1/03 8:40:36 AM >>>
> It returns "null".
>
> I noticed that it places all the POST/GET information into a session
to
> be
> re-submitted to the actual page after successful login.  Know of a
way
> that I can
> access the session information to extract a specific string in it?
>
> Henning Heil wrote:
>
> > Hi Michael,
> >
> >  Michael D. Kirkpatrick wrote on 01.04.2003 17:05 
> >
> > >I am not quite sure if this question is suitable for this mailing
> list.  If
> > >not, please forgive me.
> > >
> > >[snip]
> > >
> > >So here is my question.  How can I capture the original query
string
> or make
> > >the query string in web.xml dynamic?
> > >
> > in general I would not recommend to set the string in the web.xml.
> > first part of your question: you can read out any parameter of a
post
> or
> > get string by request.getParameter(String parametername);
> > second part: there are multiple ways to manipulate the request
> > parameters: java -> request.setAttribute(String attributename,
> String
> > value); or by hidden fields in html forms or with select-fields
> which
> > are submitted . . .
> >
> > I would suggest:
> >
> > read out the site the user is coming from with
> >
> > String mysite = request.getParameter("site");
> >
> > (of course you have to add this to the string somewhere on the
> original
> > page)
> >
> > write it to newly generated links:
> >
> > out.println("passwordsubmitter.jsp?site=" + mysite);
> >
> > or sth like this . . .
> >
> > >I am also looking for mailing lists for the following:
> > >Struts Questions
> > >
> > there's one on the apache.org site I think -> struts  . . .
> >
> > >General Java Questions
> > >J2EE Questions
> > >
> > no mailing but extremely cool & helpful people there and also
> mailing
> > mechanisms to keep track of your threads:
> > http://forums.java.sun.com/ 
> >
> > >If anyone can point me in the right direction, it would be
greatly
> > >appreciated.
> > >
> > >Thanks in advance.
> > >
> > >
> > Have fun,
> >
> > Henning
> >
> >



Re: Form Auth

2003-04-01 Thread Michael D. Kirkpatrick
Ok.

For configuration and some implementation, I am still a newbie here.  How
do you change the connector to a non-Coyote one?  Which one would you
recommend? Where can I find it?

Jeff Tulley wrote:

> I just found out that this is a known problem with the Coyote
> connectors, both the HTTP connector and the JkHandler connector.
> There is some code not implemented or something, and there is already a
> bug report in bugzilla.
>
> To verify if we are talking about the same thing, go back to using an
> old non-Coyote connector and see if your form parameters
> are preserved across the login.
>
> This really needs to be fixed.  You can vote on the bug, it is #10229
>
> Jeff Tulley  ([EMAIL PROTECTED])
> (801)861-5322
> Novell, Inc., The Leading Provider of Net Business Solutions
> http://www.novell.com
>
> >>> [EMAIL PROTECTED] 4/1/03 8:40:36 AM >>>
> It returns "null".
>
> I noticed that it places all the POST/GET information into a session to
> be
> re-submitted to the actual page after successful login.  Know of a way
> that I can
> access the session information to extract a specific string in it?
>
> Henning Heil wrote:
>
> > Hi Michael,
> >
> >  Michael D. Kirkpatrick wrote on 01.04.2003 17:05 
> >
> > >I am not quite sure if this question is suitable for this mailing
> list.  If
> > >not, please forgive me.
> > >
> > >[snip]
> > >
> > >So here is my question.  How can I capture the original query string
> or make
> > >the query string in web.xml dynamic?
> > >
> > in general I would not recommend to set the string in the web.xml.
> > first part of your question: you can read out any parameter of a post
> or
> > get string by request.getParameter(String parametername);
> > second part: there are multiple ways to manipulate the request
> > parameters: java -> request.setAttribute(String attributename,
> String
> > value); or by hidden fields in html forms or with select-fields
> which
> > are submitted . . .
> >
> > I would suggest:
> >
> > read out the site the user is coming from with
> >
> > String mysite = request.getParameter("site");
> >
> > (of course you have to add this to the string somewhere on the
> original
> > page)
> >
> > write it to newly generated links:
> >
> > out.println("passwordsubmitter.jsp?site=" + mysite);
> >
> > or sth like this . . .
> >
> > >I am also looking for mailing lists for the following:
> > >Struts Questions
> > >
> > there's one on the apache.org site I think -> struts  . . .
> >
> > >General Java Questions
> > >J2EE Questions
> > >
> > no mailing but extremely cool & helpful people there and also
> mailing
> > mechanisms to keep track of your threads:
> > http://forums.java.sun.com/
> >
> > >If anyone can point me in the right direction, it would be greatly
> > >appreciated.
> > >
> > >Thanks in advance.
> > >
> > >
> > Have fun,
> >
> > Henning
> >
> >



Re: Form Auth

2003-04-01 Thread Jeff Tulley
I just found out that this is a known problem with the Coyote
connectors, both the HTTP connector and the JkHandler connector.
There is some code not implemented or something, and there is already a
bug report in bugzilla.

To verify if we are talking about the same thing, go back to using an
old non-Coyote connector and see if your form parameters
are preserved across the login.

This really needs to be fixed.  You can vote on the bug, it is #10229

Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> [EMAIL PROTECTED] 4/1/03 8:40:36 AM >>>
It returns "null".

I noticed that it places all the POST/GET information into a session to be
re-submitted to the actual page after successful login.  Know of a way that I can
access the session information to extract a specific string in it?



Henning Heil wrote:

> Hi Michael,
>
>  Michael D. Kirkpatrick wrote on 01.04.2003 17:05 
>
> >I am not quite sure if this question is suitable for this mailing list.  If
> >not, please forgive me.
> >
> >[snip]
> >
> >So here is my question.  How can I capture the original query string or make
> >the query string in web.xml dynamic?
> >
> in general I would not recommend to set the string in the web.xml.
> first part of your question: you can read out any parameter of a post or
> get string by request.getParameter(String parametername);
> second part: there are multiple ways to manipulate the request
> parameters: java -> request.setAttribute(String attributename, String
> value); or by hidden fields in html forms or with select-fields which
> are submitted . . .
>
> I would suggest:
>
> read out the site the user is coming from with
>
> String mysite = request.getParameter("site");
>
> (of course you have to add this to the string somewhere on the original
> page)
>
> write it to newly generated links:
>
> out.println("passwordsubmitter.jsp?site=" + mysite);
>
> or sth like this . . .
>
> >I am also looking for mailing lists for the following:
> >Struts Questions
> >
> there's one on the apache.org site I think -> struts  . . .
>
> >General Java Questions
> >J2EE Questions
> >
> no mailing but extremely cool & helpful people there and also mailing
> mechanisms to keep track of your threads:
> http://forums.java.sun.com/ 
>
> >If anyone can point me in the right direction, it would be greatly
> >appreciated.
> >
> >Thanks in advance.
> >
> >
> Have fun,
>
> Henning
>
>



Re: Form Auth

2003-04-01 Thread Michael D. Kirkpatrick
Search for mod_jk

It is rather easy to set up.  You run your apache web server on port 80
(default).
You run Tomcat on port 8080 (default).
You use mod_jk to define *.do and *.jsp to be served with Tomcat.
Note: Tomcat's home directory is different than Apache's.  You will have
to play with some settings or create aliases.

Nelson Brito wrote:

> Hi,
> I'm very new with tomcat and perhaps this question is a bit too
> dumb... but i'd like to know if i can still use apache as my web
> server, and load some sort of a tomcat module to serve my jsp??
> like i do with php...
> i can't find any doc about this on the manual :-(
>
> Thank you very much,
> nb
>
> Nelson de Brito
> Dept. de Quimica  |
> Fac. de Ciencias do Porto | tel. +351226082841
> R. do Campo Alegre| fax. +351226082959
> 4169-007 Porto|
>



Re: Form Auth

2003-04-01 Thread Nelson Brito
Hi,
I'm very new with tomcat and perhaps this question is a bit too
dumb... but i'd like to know if i can still use apache as my web
server, and load some sort of a tomcat module to serve my jsp??
like i do with php...
i can't find any doc about this on the manual :-(

Thank you very much,
nb

Nelson de Brito
Dept. de Quimica  |
Fac. de Ciencias do Porto | tel. +351226082841
R. do Campo Alegre| fax. +351226082959
4169-007 Porto|





Re: Form Auth

2003-04-01 Thread Michael D. Kirkpatrick
It returns "null".

I noticed that it places all the POST/GET information into a session to be
re-submitted to the actual page after successful login.  Know of a way that I can
access the session information to extract a specific string in it?



Henning Heil wrote:

> Hi Michael,
>
>  Michael D. Kirkpatrick wrote on 01.04.2003 17:05 
>
> >I am not quite sure if this question is suitable for this mailing list.  If
> >not, please forgive me.
> >
> >[snip]
> >
> >So here is my question.  How can I capture the original query string or make
> >the query string in web.xml dynamic?
> >
> in general I would not recommend to set the string in the web.xml.
> first part of your question: you can read out any parameter of a post or
> get string by request.getParameter(String parametername);
> second part: there are multiple ways to manipulate the request
> parameters: java -> request.setAttribute(String attributename, String
> value); or by hidden fields in html forms or with select-fields which
> are submitted . . .
>
> I would suggest:
>
> read out the site the user is coming from with
>
> String mysite = request.getParameter("site");
>
> (of course you have to add this to the string somewhere on the original
> page)
>
> write it to newly generated links:
>
> out.println("passwordsubmitter.jsp?site=" + mysite);
>
> or sth like this . . .
>
> >I am also looking for mailing lists for the following:
> >Struts Questions
> >
> there's one on the apache.org site I think -> struts  . . .
>
> >General Java Questions
> >J2EE Questions
> >
> no mailing but extremely cool & helpful people there and also mailing
> mechanisms to keep track of your threads:
> http://forums.java.sun.com/
>
> >If anyone can point me in the right direction, it would be greatly
> >appreciated.
> >
> >Thanks in advance.
> >
> >
> Have fun,
>
> Henning
>



Re: Form Auth

2003-04-01 Thread Henning Heil
Hi Michael,

 Michael D. Kirkpatrick wrote on 01.04.2003 17:05 

> I am not quite sure if this question is suitable for this mailing list.  If
> not, please forgive me.
>
> [snip]
>
> So here is my question.  How can I capture the original query string or make
> the query string in web.xml dynamic?

in general I would not recommend to set the string in the web.xml.
first part of your question: you can read out any parameter of a post or 
get string by request.getParameter(String parametername);
second part: there are multiple ways to manipulate the request 
parameters: java -> request.setAttribute(String attributename, String 
value); or by hidden fields in html forms or with select-fields which 
are submitted . . .

I would suggest:

read out the site the user is coming from with

String mysite = request.getParameter("site");

(of course you have to add this to the string somewhere on the original 
page)

write it to newly generated links:

out.println("passwordsubmitter.jsp?site=" + mysite);

or sth like this . . .

> I am also looking for mailing lists for the following:
> Struts Questions

there's one on the apache.org site I think -> struts  . . .

> General Java Questions
> J2EE Questions

no mailing but extremely cool & helpful people there and also mailing
mechanisms to keep track of your threads:
http://forums.java.sun.com/

> If anyone can point me in the right direction, it would be greatly
> appreciated.
>
> Thanks in advance.
 

Have fun,

Henning

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
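
The message above writes the `site` request parameter straight into a generated link. As an added example that is not part of the original post, here is the same link built so that the value cannot break out of the URL or the surrounding HTML; the class name, method names and allowlist entries are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the thread): builds the
 * "passwordsubmitter.jsp?site=..." link without trusting the "site" parameter.
 * The class, its methods and the allowlist entries are hypothetical.
 */
public class SafeSiteLink {

    // Assumption: the pages a user can legitimately arrive from.
    private static final Set<String> KNOWN_SITES =
            new HashSet<String>(Arrays.asList("home", "reports", "admin"));
    private static final String DEFAULT_SITE = "home";

    /** Accepts only a known site name; anything else falls back to the default. */
    static String validateSite(String raw) {
        return (raw != null && KNOWN_SITES.contains(raw)) ? raw : DEFAULT_SITE;
    }

    /** Percent-encodes a value so it stays a single query-string parameter. */
    static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is required by every JVM", e);
        }
    }

    /** Escapes the characters that have meaning in HTML text and attribute values. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The link a JSP would emit for request.getParameter("site"), allowlisted. */
    static String buildLoginLink(String rawSiteParam) {
        String site = validateSite(rawSiteParam);
        String href = "passwordsubmitter.jsp?site=" + urlEncode(site);
        return "<a href=\"" + htmlEscape(href) + "\">Log in</a>";
    }

    /** Same link when the value has to stay free-form: encoding keeps it inert. */
    static String buildLoginLinkFreeForm(String rawSiteParam) {
        String value = rawSiteParam == null ? "" : rawSiteParam;
        String href = "passwordsubmitter.jsp?site=" + urlEncode(value);
        return "<a href=\"" + htmlEscape(href) + "\">Log in</a>";
    }

    public static void main(String[] args) {
        // Constructed sample values for the "site" parameter.
        String[] samples = {
            "reports",               // expected value
            null,                    // parameter missing, getParameter returns null
            "x\"><b>injected</b>",   // tries to close the attribute and add markup
            "home&role=admin"        // tries to smuggle a second parameter
        };
        for (String s : samples) {
            System.out.println("input     : " + s);
            System.out.println("allowlist : " + buildLoginLink(s));
            System.out.println("free-form : " + buildLoginLinkFreeForm(s));
        }
    }
}
```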


Re: Form auth

2002-11-02 Thread Jan Agermose
well yes, this is actually the way I do it now - let's call this self
implemented security. I was just looking into using Java's security features,
like the principal object and so on. Using a std. implementation instead of
my own. Right now, if someone logs in, I look up a user object in the
database and if present I put it in the session. Then when a user tries to
access some page or a page needs to know if it should render one part of the
page or another it looks for this user object in the session. If present
then it's ok, if not, redirect to a dedicated loginpage/errorpage.

But as stated. I would like to use a std. implementation and Java's built-in
security features.

But it looks like http://securityfilter.sourceforge.net/ has something to
offer... haven't had a chance to look closer at this implementation yet ...

Jan


- Original Message -
From: "Jose Alfonso Martinez" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Saturday, November 02, 2002 4:38 AM
Subject: Re: Form auth


> Jan, I guess I cannot understand your problem. The way I do it on my site
> is very simple:
>
> A loginform on the front page.
> When the user logs in, get the user permissions from the database and
> store them in the session.
> Then, JSPs are rendered accordingly depending on those permissions.
>
> I guess most sites use this approach. I think you could do it the same way
> too. Couldn't you?? Simply:
>
> if the user has some permissions -> render the page some way
> if the user does not have permissions -> render it some other way
> if the user has not logged in at all -> render it some other way...
>
> Jose Alfonso
>
> On Nov 01, 2002 at 10:18:17AM +0100, Jan Agermose wrote:
> > I'm used to work in a different way - not using declarative security. Might
> > be the real problem :-) It seems that this declarative security thing is
> > good for resources that are always protected or not. My pages are mostly
> > partly secured in that all users can access some page but some items on the
> > page are displayed only if the user is logged in. Or a page that is
> > displayed in a context. In one context it is OK to see the page and
> > depending on some parameter (the context) it might not be ok. Runtime
> > checked security. I really need to have the user login at will not forced -
> > but also forced of course. This idea of a button and a fake-secured-page
> > that forces a login prompt. I really want a loginform on the frontpage. I
> > don't want the user to have to click a button only to get to the loginscreen
> > af submit that one. I cannot change a design just because of a "design flaw"
> > in the backend code ;-) It really should be possible to submit login
> > information on free will.
> >
> > Also what You described below seems to be exactly what is already
> > implemented in formauth method?
> >
> > Jan
> >
> >
> > - Original Message -
> > From: "Alfonso Martinez" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Friday, November 01, 2002 6:00 AM
> > Subject: Re: Form auth
> >
> >
> > > One way to do this is to create a filter for the protected resources. When
> > > accessing them, the filter gets invoked. It checks on the session whether the
> > > user has already logged in or not. If not, it redirects to the login page
> > > which in turn redirects to the protected resource. What do you guys think
> > > about this approach???
> > >
> > > Jose Alfonso
> > >
> > > On Thu, Oct 31, 2002 at 10:19:16AM -0800, Craig R. McClanahan wrote:
> > > >
> > > >
> > > > On Thu, 31 Oct 2002, Jan Agermose wrote:
> > > >
> > > > > Date: Thu, 31 Oct 2002 17:15:08 +0100
> > > > > From: Jan Agermose <[EMAIL PROTECTED]>
> > > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > > To: 'Tomcat Users tomcat <[EMAIL PROTECTED]>
> > > > > Subject: Form auth
> > > > >
> > > > > I would like to use formbased auth for my application, but it seems
> > > > > that it is based on
> > > > > 1. user trying to access some resource
> > > > > 2. if not logged in - prompt
> > > >
> > > > That's correct.  From the user point of view, it operates exactly like
> > > > BASIC authentication does (where the browser pops up the login dialog the
> > > > first time you ask for a protected resource).
> > > >
> > > > >
> > > > > This 

Re: Form auth

2002-11-01 Thread Jose Alfonso Martinez
Jan, I guess I cannot understand your problem. The way I do it on my site is very 
simple:

A loginform on the front page. 
When the user logs in, get the user permissions from the database and store them in 
the session.
Then, JSPs are rendered accordingly depending on those permissions. 

I guess most sites use this approach. I think you could do it the same way too. 
Couldn't you?? Simply:

if the user has some permissions -> render the page some way
if the user does not have permissions -> render it some other way
if the user has not logged in at all -> render it some other way...

Jose Alfonso

On Nov 01, 2002 at 10:18:17AM +0100, Jan Agermose wrote:
> I'm used to work in a different way - not using declarative security. Might
> be the real problem :-) It seems that this declarative security thing is
> good for resources that are always protected or not. My pages are mostly
> partly secured in that all users can access some page but some items on the
> page are displayed only if the user is logged in. Or a page that is
> displayed in a context. In one context it is OK to see the page and
> depending on some parameter (the context) it might not be ok. Runtime
> checked security. I really need to have the user login at will not forced -
> but also forced of course. This idea of a button and a fake-secured-page
> that forces a login prompt. I really want a loginform on the frontpage. I
> don't want the user to have to click a button only to get to the loginscreen
> af submit that one. I cannot change a design just because of a "design flaw"
> in the backend code ;-) It really should be possible to submit login
> information on free will.
>
> Also what You described below seems to be exactly what is already
> implemented in formauth method?
> 
> Jan
> 
> 
> - Original Message -
> From: "Alfonso Martinez" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Friday, November 01, 2002 6:00 AM
> Subject: Re: Form auth
> 
> 
> > One way to do this is to create a filter for the protected resources. When
> > accessing them, the filter gets invoked. It checks on the session whether the
> > user has already logged in or not. If not, it redirects to the login page
> > which in turn redirects to the protected resource. What do you guys think
> > about this approach???
> >
> > Jose Alfonso
> >
> > On Thu, Oct 31, 2002 at 10:19:16AM -0800, Craig R. McClanahan wrote:
> > >
> > >
> > > On Thu, 31 Oct 2002, Jan Agermose wrote:
> > >
> > > > Date: Thu, 31 Oct 2002 17:15:08 +0100
> > > > From: Jan Agermose <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: 'Tomcat Users tomcat <[EMAIL PROTECTED]>
> > > > Subject: Form auth
> > > >
> > > > I would like to use formbased auth for my application, but it seems
> > > > that it is based on
> > > > 1. user trying to access some resource
> > > > 2. if not logged in - prompt
> > >
> > > That's correct.  From the user point of view, it operates exactly like
> > > BASIC authentication does (where the browser pops up the login dialog the
> > > first time you ask for a protected resource).
> > >
> > > >
> > > > This is of course good. But usually you have a webpage that has a
> > > > login-form somewhere on the page to allow the user to log in at will.
> > > > Log in -before- a secured page is requested. How can I implement this? I
> > > > find only methods to getRemoteUser and isInRole and... no setRemoteUser
> > > > or the like...
> > > >
> > >
> > > You won't be able to have the login form itself on the unsecured page, but
> > > you can easily provide a "Log In" button (say, on your home page) like
> > > this:
> > >
> > > * Make the log in button link to a resource in a protected directory
> > >
> > > * Make that resource just do a redirect back to the home page
> > >
> > > When the user clicks the log in button, the form based login page gets
> > > displayed (because the resource is protected).  After login is complete,
> > > Tomcat then executes the protected resource, which redirects back to the
> > > home page with the user being logged on already.
> > >
> > > > Am I making sense :-)
> > > >
> > > > Jan
> > >
> > > Craig
> > >
> > >
> > >




Re: Re: Form auth

2002-11-01 Thread Aniket B Sutaria
Jan,

Seems u have the same mentality as I have!

To solve your problem, download the "SECURITY FILTER" project 
from
http://securityfilter.sourceforge.net/

This project implements a security filter and allows the user to 
log in at his/her will.

Also mail me if u are using JDBC realm for authentication.

Aniket

On Fri, 01 Nov 2002 Jan Agermose wrote :
I'm used to work in a different way - not using declarative security. Might
be the real problem :-) It seems that this declarative security thing is
good for resources that are always protected or not. My pages are mostly
partly secured in that all users can access some page but some items on the
page are displayed only if the user is logged in. Or a page that is
displayed in a context. In one context it is OK to see the page and
depending on some parameter (the context) it might not be ok. Runtime
checked security. I really need to have the user login at will not forced -
but also forced of course. This idea of a button and a fake-secured-page
that forces a login prompt. I really want a loginform on the frontpage. I
don't want the user to have to click a button only to get to the loginscreen
af submit that one. I cannot change a design just because of a "design flaw"
in the backend code ;-) It really should be possible to submit login
information on free will.

Also what You described below seems to be exactly what is already
implemented in formauth method?

Jan


- Original Message -
From: "Alfonso Martinez" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, November 01, 2002 6:00 AM
Subject: Re: Form auth


> One way to do this is to create a filter for the protected resources. When
> accessing them, the filter gets invoked. It checks on the session whether the
> user has already logged in or not. If not, it redirects to the login page
> which in turn redirects to the protected resource. What do you guys think
> about this approach???
>
> Jose Alfonso
>
> On Thu, Oct 31, 2002 at 10:19:16AM -0800, Craig R. McClanahan wrote:
> >
> >
> > On Thu, 31 Oct 2002, Jan Agermose wrote:
> >
> > > Date: Thu, 31 Oct 2002 17:15:08 +0100
> > > From: Jan Agermose <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: 'Tomcat Users tomcat <[EMAIL PROTECTED]>
> > > Subject: Form auth
> > >
> > > I would like to use formbased auth for my application, but it seems
> > > that it is based on
> > > 1. user trying to access some resource
> > > 2. if not logged in - prompt
> >
> > That's correct.  From the user point of view, it operates exactly like
> > BASIC authentication does (where the browser pops up the login dialog the
> > first time you ask for a protected resource).
> >
> > >
> > > This is of course good. But usually you have a webpage that has a
> > > login-form somewhere on the page to allow the user to log in at will.
> > > Log in -before- a secured page is requested. How can I implement this? I
> > > find only methods to getRemoteUser and isInRole and... no setRemoteUser
> > > or the like...
> > >
> >
> > You won't be able to have the login form itself on the unsecured page, but
> > you can easily provide a "Log In" button (say, on your home page) like
> > this:
> >
> > * Make the log in button link to a resource in a protected directory
> >
> > * Make that resource just do a redirect back to the home page
> >
> > When the user clicks the log in button, the form based login page gets
> > displayed (because the resource is protected).  After login is complete,
> > Tomcat then executes the protected resource, which redirects back to the
> > home page with the user being logged on already.
> >
> > > Am I making sense :-)
> > >
> > > Jan
> >
> > Craig
> >
> >
> >


Aniket Sutaria
Developer
Fortune Infotech Ltd





Re: Form auth

2002-11-01 Thread Jan Agermose
I'm used to work in a different way - not using declarative security. Might
be the real problem :-) It seems that this declarative security thing is
good for resources that are always protected or not. My pages are mostly
partly secured in that all users can access some page but some items on the
page are displayed only if the user is logged in. Or a page that is
displayed in a context. In one context it is OK to see the page and
depending on some parameter (the context) it might not be ok. Runtime
checked security. I really need to have the user login at will not forced -
but also forced of course. This idea of a button and a fake-secured-page
that forces a login prompt. I really want a loginform on the frontpage. I
don't want the user to have to click a button only to get to the loginscreen
af submit that one. I cannot change a design just because of a "design flaw"
in the backend code ;-) It really should be possible to submit login
information on free will.

Also what You described below seems to be exactly what is already
implemented in formauth method?

Jan


- Original Message -
From: "Alfonso Martinez" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, November 01, 2002 6:00 AM
Subject: Re: Form auth


> One way to do this is to create a filter for the protected resources. When
> accessing them, the filter gets invoked. It checks on the session whether the
> user has already logged in or not. If not, it redirects to the login page
> which in turn redirects to the protected resource. What do you guys think
> about this approach???
>
> Jose Alfonso
>
> On Thu, Oct 31, 2002 at 10:19:16AM -0800, Craig R. McClanahan wrote:
> >
> >
> > On Thu, 31 Oct 2002, Jan Agermose wrote:
> >
> > > Date: Thu, 31 Oct 2002 17:15:08 +0100
> > > From: Jan Agermose <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: 'Tomcat Users tomcat <[EMAIL PROTECTED]>
> > > Subject: Form auth
> > >
> > > I would like to use formbased auth for my application, but it seems
> > > that it is based on
> > > 1. user trying to access some resource
> > > 2. if not logged in - prompt
> >
> > That's correct.  From the user point of view, it operates exactly like
> > BASIC authentication does (where the browser pops up the login dialog the
> > first time you ask for a protected resource).
> >
> > >
> > > This is of course good. But usually you have a webpage that has a
> > > login-form somewhere on the page to allow the user to log in at will.
> > > Log in -before- a secured page is requested. How can I implement this? I
> > > find only methods to getRemoteUser and isInRole and... no setRemoteUser
> > > or the like...
> > >
> >
> > You won't be able to have the login form itself on the unsecured page, but
> > you can easily provide a "Log In" button (say, on your home page) like
> > this:
> >
> > * Make the log in button link to a resource in a protected directory
> >
> > * Make that resource just do a redirect back to the home page
> >
> > When the user clicks the log in button, the form based login page gets
> > displayed (because the resource is protected).  After login is complete,
> > Tomcat then executes the protected resource, which redirects back to the
> > home page with the user being logged on already.
> >
> > > Am I making sense :-)
> > >
> > > Jan
> >
> > Craig
> >
> >
> >




Re: Form auth

2002-10-31 Thread Alfonso Martinez
One way to do this is to create a filter for the protected resources. When accessing
them, the filter gets invoked. It checks on the session whether the user has already
logged in or not. If not, it redirects to the login page which in turn redirects to
the protected resource. What do you guys think about this approach???

Jose Alfonso

On Thu, Oct 31, 2002 at 10:19:16AM -0800, Craig R. McClanahan wrote:
> 
> 
> On Thu, 31 Oct 2002, Jan Agermose wrote:
> 
> > Date: Thu, 31 Oct 2002 17:15:08 +0100
> > From: Jan Agermose <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: 'Tomcat Users tomcat <[EMAIL PROTECTED]>
> > Subject: Form auth
> >
> > I would like to use formbased auth for my application, but it seems that it is
> > based on
> > 1. user trying to access some resource
> > 2. if not logged in - prompt
> 
> That's correct.  From the user point of view, it operates exactly like
> BASIC authentication does (where the browser pops up the login dialog the
> first time you ask for a protected resource).
> 
> >
> > This is of course good. But usually you have a webpage that has a
> > login-form somewhere on the page to allow the user to log in at will.
> > Log in -before- a secured page is requested. How can I implement this? I
> > find only methods to getRemoteUser and isInRole and... no setRemoteUser
> > or the like...
> >
> 
> You won't be able to have the login form itself on the unsecured page, but
> you can easily provide a "Log In" button (say, on your home page) like
> this:
> 
> * Make the log in button link to a resource in a protected directory
> 
> * Make that resource just do a redirect back to the home page
> 
> When the user clicks the log in button, the form based login page gets
> displayed (because the resource is protected).  After login is complete,
> Tomcat then executes the protected resource, which redirects back to the
> home page with the user being logged on already.
> 
> > Am I making sense :-)
> >
> > Jan
> 
> Craig
> 
> 
> 

--
To unsubscribe, e-mail:   
For additional commands, e-mail: 
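
The filter approach proposed in the message above, as an added example that is not part of the original post and is not Tomcat's or SecurityFilter's own code. The session attribute name `user`, the login page `/login.jsp`, the `returnTo` parameter and the class name are assumptions; the `javax.servlet` package matches the Tomcat generation discussed in the thread.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: sends unauthenticated requests for protected resources to the
 * login page and remembers where the user was going.
 * Assumption: web.xml maps this filter only to the protected URL pattern, so
 * the login page itself is never filtered.
 */
public class LoginRequiredFilter implements Filter {

    static final String USER_ATTR = "user";          // hypothetical session key
    static final String LOGIN_PAGE = "/login.jsp";   // hypothetical login page
    static final String RETURN_PARAM = "returnTo";   // hypothetical parameter

    public void init(FilterConfig config) throws ServletException {
        // no configuration needed
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): do not create a session just to find out nobody is logged in
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Context-relative path plus the original query string, so the
        // parameters of the first request survive the login round trip.
        String target = request.getRequestURI()
                .substring(request.getContextPath().length());
        if (request.getQueryString() != null) {
            target += "?" + request.getQueryString();
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PAGE
                + "?" + RETURN_PARAM + "=" + URLEncoder.encode(target, "UTF-8"));
    }

    public void destroy() {
        // nothing to release
    }

    /**
     * Called by the login handler after the credentials were accepted.
     * The returnTo value comes back from the browser, so it is accepted only
     * if it is a local, context-relative path; anything else becomes "/".
     */
    static String redirectAfterLogin(HttpServletRequest request) {
        return request.getContextPath()
                + safeReturnTarget(request.getParameter(RETURN_PARAM), "/");
    }

    static String safeReturnTarget(String returnTo, String fallback) {
        if (returnTo == null || !returnTo.startsWith("/")
                || returnTo.startsWith("//")          // scheme-relative URL
                || returnTo.indexOf('\\') >= 0) {     // browsers treat "\" like "/"
            return fallback;
        }
        for (int i = 0; i < returnTo.length(); i++) {
            char c = returnTo.charAt(i);
            if (c < 0x20 || c == 0x7f) {              // CR/LF and other control characters
                return fallback;
            }
        }
        return returnTo;
    }
}
```

The login handler that stores the user object should also replace the pre-login session (invalidate it and create a new one) before setting the attribute, so that a session id known before login is not carried into the authenticated session.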




Re: Form auth

2002-10-31 Thread Jan Agermose
>
> You won't be able to have the login form itself on the unsecured page, but
> you can easily provide a "Log In" button (say, on your home page) like
> this:
>
> * Make the log in button link to a resource in a protected directory
>
> * Make that resource just do a redirect back to the home page
>
> When the user clicks the log in button, the form based login page gets
> displayed (because the resource is protected).  After login is complete,
> Tomcat then executes the protected resource, which redirects back to the
> home page with the user being logged on already.

Could I lookup the form action value somehow and insert it into my own form?
That way I could fake it - I think :-)






Re: Form auth

2002-10-31 Thread Craig R. McClanahan


On Thu, 31 Oct 2002, Jan Agermose wrote:

> Date: Thu, 31 Oct 2002 17:15:08 +0100
> From: Jan Agermose <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: 'Tomcat Users tomcat <[EMAIL PROTECTED]>
> Subject: Form auth
>
> I would like to use formbased auth for my application, but it seems that it is
> based on
> 1. user trying to access some resource
> 2. if not logged in - prompt

That's correct.  From the user point of view, it operates exactly like
BASIC authentication does (where the browser pops up the login dialog the
first time you ask for a protected resource).

>
> This is of course good. But usually you have a webpage that has a
> login-form somewhere on the page to allow the user to log in at will.
> Log in -before- a secured page is requested. How can I implement this? I
> find only methods to getRemoteUser and isInRole and... no setRemoteUser
> or the like...
>

You won't be able to have the login form itself on the unsecured page, but
you can easily provide a "Log In" button (say, on your home page) like
this:

* Make the log in button link to a resource in a protected directory

* Make that resource just do a redirect back to the home page

When the user clicks the log in button, the form based login page gets
displayed (because the resource is protected).  After login is complete,
Tomcat then executes the protected resource, which redirects back to the
home page with the user being logged on already.

> Am I making sense :-)
>
> Jan

Craig







Re: Form auth

2002-10-31 Thread Michael Nicholson
You could just have a button with a link to whatever your initial secured
resource is (it'll prompt them to log in when they follow the link), or
there might be some way to put the authorization information
(username/password) in the header by using a form on a page with the action
attribute mapped to a servlet that puts the fields in their appropriate
header place and then forwards to a secured resource.  But I haven't ever
used form based authentication.  Maybe check your headers when you've been
authenticated and it'll help?

Sorry, not a very 'coherent' response.  I think I'd just have a button w/ a
link to a secured resource, and let the form-based authentication take place
there

Mike
- Original Message -
From: "Jan Agermose" <[EMAIL PROTECTED]>
To: "'Tomcat Users tomcat" <[EMAIL PROTECTED]>
Sent: Thursday, October 31, 2002 11:15 AM
Subject: Form auth


I would like to use form-based auth for my application, but it seems that it
is based on
1. user trying to access some resource
2. if not logged in - prompt

This is of course good. But usually you have a webpage that has a login-form
somewhere on the page to allow the user to log in at will. Log in -before- a
secured page is requested. How can I implement this? I find only methods to
getRemoteUser and isInRole and... no setRemoteUser or the like...

Am I making sense :-)

Jan






RE: form auth: how to get user name if login was incorrect

2001-08-14 Thread Craig R. McClanahan



On Tue, 14 Aug 2001, Randy Layman wrote:

> 
>   I believe that it's in the session.getAttribute("j_username").  I
> might be wrong about that (I have modified my local copy of that code.  The
> code now does this, but I believe that it originally did this.)
> 

That's specific to the way that one particular version of Tomcat does
it.  There is no portable way (through the servlet API) to retrieve the
username and password on a failed form-based login.

>   Randy
> 

Craig




RE: form auth: how to get user name if login was incorrect

2001-08-14 Thread Randy Layman



> -Original Message-
> From: Rob S. [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 14, 2001 9:32 AM
> To: [EMAIL PROTECTED]
> Subject: Re: form auth: how to get user name if login was incorrect
> 
> 
> 
> 
> On Tue, 14 Aug 2001 14:00:46 +0200 
> [EMAIL PROTECTED] wrote:
> > > > How to get a user name (and password) with form authentication,
> > > > if authentication was not successful and user was sent to error
> > > > page. Is this information lost at this moment or can I get it
> > > > somehow?
> > 
> > > From: Randy Layman>
> > > I believe that it's in the session.getAttribute("j_username").
> > > I might be wrong about that (I have modified my local copy of that
> > > code.
> > 
> > If I call session.getAttribute("j_username") on an error page, the
> > result is null.
> > 
> > What modifications did you do?
> 
> If you have to modify Tomcat to do it, that means your web app will only
> ever run on your modified copy of Tomcat.  If you move to JRun, ServletExec,
> or any other commercial container, you will not be able to modify the source
> code.  The servlet specification exists for a reason =)
> 

But if you need to do things that Tomcat can't allow you to do (have three
criteria for login), then you don't have much of a choice - at least you can
modify the source instead of complaining to Tech support and not having any
other options.

Randy



RE: form auth: how to get user name if login was incorrect

2001-08-14 Thread Randy Layman



> -Original Message-
> From: Taavi Tiirik [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 14, 2001 8:01 AM
> To: [EMAIL PROTECTED]
> Subject: RE: form auth: how to get user name if login was incorrect
> 
> 
> > > How to get a user name (and password) with form authentication,
> > > if authentication was not successful and user was sent to error
> > > page. Is this information lost at this moment or can I get it
> > > somehow?
> 
> > From: Randy Layman>
> > I believe that it's in the session.getAttribute("j_username").
> > I might be wrong about that (I have modified my local copy of that
> > code.
> 
> If I call session.getAttribute("j_username") on an error page, the
> result is null.
> 
> What modifications did you do?
> 

In src\org\apache\tomcat\request\AccessInterceptor there is a class named
FormSecurityCheckHandler.  The doService method is where Tomcat moves the
values from the request to the session.  Here you could move the username to
the session. Also in that same file is a class FormAuthHandler.  Its
doService method is where Tomcat removes j_username from the session if the
user has an invalid login.  I've modified a lot of this code (I need to have
three things to identify a user, not just two) and am not sure which one was
the least intrusive change to allow me to get the username for an invalid
login.

Randy



Re: form auth: how to get user name if login was incorrect

2001-08-14 Thread Rob S.



On Tue, 14 Aug 2001 14:00:46 +0200 [EMAIL PROTECTED] wrote:
> > > How to get a user name (and password) with form authentication,
> > > if authentication was not successful and user was sent to error
> > > page. Is this information lost at this moment or can I get it
> > > somehow?
> 
> > From: Randy Layman>
> > I believe that it's in the session.getAttribute("j_username").
> > I might be wrong about that (I have modified my local copy of that
> > code.
> 
> If I call session.getAttribute("j_username") on an error page, the
> result is null.
> 
> What modifications did you do?

If you have to modify Tomcat to do it, that means your web app will only
ever run on your modified copy of Tomcat.  If you move to JRun, ServletExec,
or any other commercial container, you will not be able to modify the source
code.  The servlet specification exists for a reason =)

- r




RE: form auth: how to get user name if login was incorrect

2001-08-14 Thread Taavi Tiirik

> > How to get a user name (and password) with form authentication,
> > if authentication was not successful and user was sent to error
> > page. Is this information lost at this moment or can I get it
> > somehow?

> From: Randy Layman>
> I believe that it's in the session.getAttribute("j_username").
> I might be wrong about that (I have modified my local copy of that
> code.

If I call session.getAttribute("j_username") on an error page, the
result is null.

What modifications did you do?

with best wishes,
Taavi





RE: form auth: how to get user name if login was incorrect

2001-08-14 Thread Randy Layman


I believe that it's in the session.getAttribute("j_username").  I
might be wrong about that (I have modified my local copy of that code.  The
code now does this, but I believe that it originally did this.)

Randy

> -Original Message-
> From: Taavi Tiirik [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 14, 2001 4:21 AM
> To: [EMAIL PROTECTED]
> Subject: form auth: how to get user name if login was incorrect
> 
> 
> Hullo,
> 
> How to get a user name (and password) with form authentication,
> if authentication was not successful and user was sent to error
> page. Is this information lost at this moment or can I get it
> somehow?
> 
> I am using tomcat 3.2.3 at the moment...
> 
> thanks,
> Taavi
> 
>