AW: User login logging (JDBC authentication)
Hi, yeah this is more or less OK. For my application i have a servlet acting as a controller (like a portal) - all functions are accessed thru the controller, which dispatches the request to the correct JSP (in your case), for my part i'm using Velocity and templates. This controller servlet initializes - initialize the user session - the logging system - messages - Database pools - The events the application can handle For every request to a protected resource (JSP), the controller checks if the user is identified. If not, the request is dispatched to the login event. After a successfull login, the login event redirects to the protected resources (which was saved from the controller before redirecting to the login JSP. I'm using a login object in the session context which knows about - the username - the language - preferences - . Hope this helps Reto -Ursprüngliche Nachricht- Von: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]] Gesendet: Freitag, 6. Juli 2001 07:20 An: '[EMAIL PROTECTED]' Betreff: RE: User login logging (JDBC authentication) Hi Reto, Could you please explain it more clearly And from your words i got one idea... please tell me whether it is right way or not... when ever a user access any JSP or Servlet other that LoginServlet(which is controller servlet).. I will check the session for some username if it is null then i redirect the request Login.jsp... Before this i will create a session in LogonServlet and set the username in the session whenever user is authenticated... is this OK -raj- -Original Message- From: Reto Badertscher [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 7:53 PM To: [EMAIL PROTECTED] Subject: AW: User login logging (JDBC authentication) Hello, If you have a controller servlet it can check for authenticated user and if a user is not logged in you can redirect to your login screen, and after a successfull login, redirect back to the protected target. For security reason (accessing a JSP directly without going thru the controller servlet), every protected resource can check if a user is logged in. Reto -Ursprüngliche Nachricht- Von: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]] Gesendet: Donnerstag, 5. Juli 2001 15:33 An: '[EMAIL PROTECTED]' Betreff: RE: User login logging (JDBC authentication) Hi randy, I would appreciate your patience... I am coming from first... This is my prblem I have 10 JSPs under myCon/jsp folder in Tomcat.. One of them is Login.jsp...which does authentication of user... i check the username and password against data which lies in SQLServer 7.0... Once the user is authenticated only...I want to give access to remaining JSPs.. But he/she should not access any JSP unless authenticated by Login.jsp... This is my problem... what is your best possible solution Is it anyway related to Java or Tomcat security? If yes, how can i achieve it? Or is there any other way around to achieve it... Thanks for listening... -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 6:18 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) From IIS you can only set the access to Tomcat as a whole, not individually. Tomcat controls access to the individual resources (IIS doesn't know what they are). You can view (and modify) the username and password in the session, I think the session field names are j_security_username and j_security_password, but don't remember right now - you can get a session object back for a secured user and then iterate over the fields. Randy -Original Message- From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 9:11 AM To: '[EMAIL PROTECTED]' Subject: RE: User login logging (JDBC authentication) Hi Randy and all, if that is the case where can i set username and password And one more thing, i am using tomcat with IIS ...can i restrict resources(JSPs and Servlets) on tomcat from IIS... Any help would be appreciated -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 5:32 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again. Randy -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 8:33 AM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Raj and all I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page
Re: User login logging (JDBC authentication)
Raj and all I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help. Mark - Original Message - From: Rajehswar V. Rao [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 05, 2001 12:21 PM Subject: RE: User login logging (JDBC authentication) Hi Mark and all, I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I dont want to give access to the users to these JSPs once they have been authnticated... One of the JSPs authenticate the user please do help... -raj- -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 04, 2001 1:59 PM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Sorry! - found it now (in tomcat_modules.jar). Mark - Original Message - From: Mark Muffett [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED] Sent: Wednesday, July 04, 2001 8:37 AM Subject: Re: User login logging (JDBC authentication) Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
RE: User login logging (JDBC authentication)
What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again. Randy -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 8:33 AM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Raj and all I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help. Mark - Original Message - From: Rajehswar V. Rao [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 05, 2001 12:21 PM Subject: RE: User login logging (JDBC authentication) Hi Mark and all, I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I dont want to give access to the users to these JSPs once they have been authnticated... One of the JSPs authenticate the user please do help... -raj- -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 04, 2001 1:59 PM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Sorry! - found it now (in tomcat_modules.jar). Mark - Original Message - From: Mark Muffett [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED] Sent: Wednesday, July 04, 2001 8:37 AM Subject: Re: User login logging (JDBC authentication) Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
RE: User login logging (JDBC authentication)
Hi Randy and all, if that is the case where can i set username and password And one more thing, i am using tomcat with IIS ...can i restrict resources(JSPs and Servlets) on tomcat from IIS... Any help would be appreciated -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 5:32 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again. Randy -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 8:33 AM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Raj and all I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help. Mark - Original Message - From: Rajehswar V. Rao [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 05, 2001 12:21 PM Subject: RE: User login logging (JDBC authentication) Hi Mark and all, I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I dont want to give access to the users to these JSPs once they have been authnticated... One of the JSPs authenticate the user please do help... -raj- -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 04, 2001 1:59 PM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Sorry! - found it now (in tomcat_modules.jar). Mark - Original Message - From: Mark Muffett [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED] Sent: Wednesday, July 04, 2001 8:37 AM Subject: Re: User login logging (JDBC authentication) Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
RE: User login logging (JDBC authentication)
Hi randy, I would appreciate your patience... I am coming from first... This is my prblem I have 10 JSPs under myCon/jsp folder in Tomcat.. One of them is Login.jsp...which does authentication of user... i check the username and password against data which lies in SQLServer 7.0... Once the user is authenticated only...I want to give access to remaining JSPs.. But he/she should not access any JSP unless authenticated by Login.jsp... This is my problem... what is your best possible solution Is it anyway related to Java or Tomcat security? If yes, how can i achieve it? Or is there any other way around to achieve it... Thanks for listening... -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 6:18 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) From IIS you can only set the access to Tomcat as a whole, not individually. Tomcat controls access to the individual resources (IIS doesn't know what they are). You can view (and modify) the username and password in the session, I think the session field names are j_security_username and j_security_password, but don't remember right now - you can get a session object back for a secured user and then iterate over the fields. Randy -Original Message- From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 9:11 AM To: '[EMAIL PROTECTED]' Subject: RE: User login logging (JDBC authentication) Hi Randy and all, if that is the case where can i set username and password And one more thing, i am using tomcat with IIS ...can i restrict resources(JSPs and Servlets) on tomcat from IIS... Any help would be appreciated -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 5:32 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again. Randy -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 8:33 AM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Raj and all I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help. Mark - Original Message - From: Rajehswar V. Rao [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 05, 2001 12:21 PM Subject: RE: User login logging (JDBC authentication) Hi Mark and all, I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I dont want to give access to the users to these JSPs once they have been authnticated... One of the JSPs authenticate the user please do help... -raj- -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 04, 2001 1:59 PM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Sorry! - found it now (in tomcat_modules.jar). Mark - Original Message - From: Mark Muffett [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED] Sent: Wednesday, July 04, 2001 8:37 AM Subject: Re: User login logging (JDBC authentication) Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
RE: User login logging (JDBC authentication)
You can use the Realms security infrastructure of Tomcat to achieve what you are trying to do - you will need to modify your web.xml file, but its pretty easy. http://jakarta.apache.org/cvsweb/index.cgi/jakarta-tomcat/src/doc/ is the documentation for Tomcat in the CVS repository. A quick glance there shows a howto for the JDBCRealm (authenticating against a database). Randy -Original Message- From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 9:33 AM To: '[EMAIL PROTECTED]' Subject: RE: User login logging (JDBC authentication) Hi randy, I would appreciate your patience... I am coming from first... This is my prblem I have 10 JSPs under myCon/jsp folder in Tomcat.. One of them is Login.jsp...which does authentication of user... i check the username and password against data which lies in SQLServer 7.0... Once the user is authenticated only...I want to give access to remaining JSPs.. But he/she should not access any JSP unless authenticated by Login.jsp... This is my problem... what is your best possible solution Is it anyway related to Java or Tomcat security? If yes, how can i achieve it? Or is there any other way around to achieve it... Thanks for listening... -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 6:18 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) From IIS you can only set the access to Tomcat as a whole, not individually. Tomcat controls access to the individual resources (IIS doesn't know what they are). You can view (and modify) the username and password in the session, I think the session field names are j_security_username and j_security_password, but don't remember right now - you can get a session object back for a secured user and then iterate over the fields. Randy -Original Message- From: Rajehswar V. Rao [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 9:11 AM To: '[EMAIL PROTECTED]' Subject: RE: User login logging (JDBC authentication) Hi Randy and all, if that is the case where can i set username and password And one more thing, i am using tomcat with IIS ...can i restrict resources(JSPs and Servlets) on tomcat from IIS... Any help would be appreciated -raj- -Original Message- From: Randy Layman [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 5:32 PM To: [EMAIL PROTECTED] Subject: RE: User login logging (JDBC authentication) What is happening is that Tomcat is using the user's credentials (username/password) in the Session to authenticate. If they are not there or invalid, then the user is prompted to log in again. Randy -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 8:33 AM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Raj and all I've managed to make the changes (very easy), but of course it doesn't work exactly as I wanted it (isn't life always like that...) I've got a database which is filling up fast since a new log gets written to it every time a user accesses a new page (probably about 100 times each session). Tomcat clearly knows what a session is (since it doesn't ask the user to log in again for each page) - any idea where it does this? Thanks for any help. Mark - Original Message - From: Rajehswar V. Rao [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, July 05, 2001 12:21 PM Subject: RE: User login logging (JDBC authentication) Hi Mark and all, I think my situation is also almost same I have set of JSPs under my \myContext\jsp... I dont want to give access to the users to these JSPs once they have been authnticated... One of the JSPs authenticate the user please do help... -raj- -Original Message- From: Mark Muffett [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 04, 2001 1:59 PM To: [EMAIL PROTECTED] Subject: Re: User login logging (JDBC authentication) Sorry! - found it now (in tomcat_modules.jar). Mark - Original Message - From: Mark Muffett [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED] Sent: Wednesday, July 04, 2001 8:37 AM Subject: Re: User login logging (JDBC authentication) Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message
Re: User login logging (JDBC authentication)
Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
Re: User login logging (JDBC authentication)
Sorry! - found it now (in tomcat_modules.jar). Mark - Original Message - From: Mark Muffett [EMAIL PROTECTED] To: [EMAIL PROTECTED]; Antony Bowesman [EMAIL PROTECTED] Sent: Wednesday, July 04, 2001 8:37 AM Subject: Re: User login logging (JDBC authentication) Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Thanks Mark - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony
Re: User login logging (JDBC authentication)
Mark, Antony Many thanks for the suggestion, but where can I find this - I've looked through the jar files in the common and container directories of $TOMCAT_HOME/lib, but nothing stands out. Maybe I've missed it? Any help appreciated. Perhaps I should have elucidated a little more... I'm assuming you have configured JDBCRealm as your interceptor in conf/server.xml and we are talking about tomcat 3.x. The JDBCRealm is part of webserver.jar. You can either modify the source of JDBCRealm.java which is (org.apache.tomcat.request.JDBCRealm) to implement your own specific logging or set the debug level of the JDBCRealm to 2 or greater. At least the existing JDBCRealm with tomcat 3.2.2 supports logging success and failures by setting the debug level to 2 or greater. If you want to implement your own then modify the source, rebuild the class and add it to the $TOMCAT_HOME/classes HTH. Antony - Original Message - From: Antony Bowesman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, June 28, 2001 4:58 PM Subject: Re: User login logging (JDBC authentication) Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony -- Antony Bowesman Teamware Group [EMAIL PROTECTED] tel: +358 9 5128 2562 fax: +358 9 5128 2705
User login logging (JDBC authentication)
Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Any help would be appreciated Mark Muffett
RE: User login logging (JDBC authentication)
If you store the login information in the session object you could simply check that object on each of your pages (or you could include a page at the top of your pages which does this check) and redirect them back to the login page if the check fails -Original Message-From: Mark Muffett [mailto:[EMAIL PROTECTED]]Sent: Thursday, June 28, 2001 5:54 AMTo: [EMAIL PROTECTED]Subject: User login logging (JDBC authentication) Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Any help would be appreciated Mark Muffett
Re: User login logging (JDBC authentication)
Mark Muffett wrote: Any ideas how best to log succesful (or unsuccesful) logins via JDBC authentication. The big problem is that the user may have bookmarked any one of a number of protected pages, and it isn't practical to put code on each of them. Just change the JDBC realm authenticate() method to log the result of the authentication. Antony