Re: Authentication and authorization questions
Below... I hope it helps

Glenn Mc

- Original Message -
From: lightbulb432 [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 2:33 PM
Subject: Authentication and authorization questions

I have several questions about authentication and authorization in Tomcat below, so answer only what you can :) Thanks.

Where does Tomcat authentication fit into the request processing lifecycle? Does it happen before even the very first filter gets called? What happens just before and just after authentication? Where does the role-based authorization fit into this process?

When you login using form-based authentication, where invalid login attempts redirect to the form-error-page, how do you add a custom message to that page saying "Login Failed"? I ask because common practice is to send the user to the same login page rather than a different page.

These forms can be JSPs so I guess you can include whatever logic you like in them. I haven't tried, but you could theoretically put something like a retry count which forwards to a different failure page when the limit is reached.

Is it configuration whether Tomcat uses redirects or forwards after successful or unsuccessful attempts? What's the default for both?

How can you use JDBCRealm or DataSourceRealm with foreign keys from the roles table to the user table, rather than requiring the roles table to duplicate whatever field (e.g. username, email address) will actually be entered into the login screen? I ask because using simple text-matching rather than using the primary key of the user table seems a bit inefficient, but more importantly it may be disallowed by data standards in some organizations.

I'm not sure what you are asking here. The JDBC realms assume the user ID is a primary key (PK). This makes sense as a PK must be unique. Since user IDs should also be unique, they would make sense as a natural primary key. I'm not sure I understand what the problem is that you are trying to solve here.
If you are concerned about join performance to the roles table on a varchar, I don't think that would be your major concern. First off, most databases hash data values to a code (typically a 32, 64, 128 bit value or even larger) that is used to locate records on disk. So if you define a secondary index on the roles table, access to it via the SI should be fairly efficient via the user ID irrespective of its data type. Second of all, of the database interactions you are going to perform, how many are going to be logons? I suspect that the rest of your application would put more of a load on the database than the query that determines the roles the user ID is associated with. Third, consider I/O performance (i.e. reading a data block from disk) compared to the time it is going to take to compare a 64 character value. I suspect that most modern processors would be able to perform billions of such comparisons in the time it takes to read one data block!

It sounds like you are looking for a surrogate key (i.e. another value - presumably system generated - to act as a substitute for the user id). If you did this, I doubt you would be saving anything as you would still require the database to retrieve user details by the id entered by the user. So I can't see how you will be saving anything. So once again, I tried to imagine what your concern is, but just can't pick it!

Still, if you wished to pursue this course of action I think you have two options. 1) Hide the surrogate relationships behind views and/or B) develop your own authentication scheme via JAAS. There is of course a third option: #) Just go with the flow a.k.a. if it ain't broke, don't try to fix it :-)

Thanks.

--
View this message in context: http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.html#a12380709
Sent from the Tomcat - User mailing list archive at Nabble.com.
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Java servlets
In a nutshell, once you forward you should ensure nothing else is sent to the output. Similarly, once you start outputting a page, don't change your mind and forward. Thus your code should look something like this:

    if (errorMessage != null) {
        response.sendRedirect(request.getContextPath() + "/someotherpage.jsp");
        return;
    }
    out.println("<html>");
    ...

Not like this:

    if (errorMessage != null) {
        response.sendRedirect(request.getContextPath() + "/someotherpage.jsp");
    }
    out.println("<html>");
    ...

This is a common mistake. I suspect that you are doing the reverse with the exception you are getting. That is, you are doing this:

    out.println("<html>");
    ...
    if (somethingBadHasHappened) {
        errorMessage = "Uh Oh, something bad has happened.";
    }
    ...
    if (errorMessage != null) {
        response.sendRedirect(request.getContextPath() + "/someotherpage.jsp");
    }

As for documentation, there are a great many titles on Servlets at the local book store. Also try searching the web; there are plenty of tutorials and samples out there.

I hope this helps

Glenn Mc

- Original Message -
From: Deepa Paranjpe [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, August 30, 2007 10:01 AM
Subject: Java servlets

Hi all,

This is not a question specific to tomcat but more about servlets. I am using a dispatcher forward to invoke another servlet. Why do I get an exception -- java.lang.IllegalStateException: Cannot forward after response has been committed

For some reason I am unable to find good documentation to do complicated servlet invocations. Does anyone know?

Ole Ersoy [EMAIL PROTECTED] wrote:

Incidentally - since we are talking about pooling - should the executor configuration be a tip? It allows the connectors to share a single thread pool, rather than each connector having its own. This seems like a memory and performance slurpee to me.

Cheers,
- Ole
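The rule in the reply above (decide to forward or redirect before anything is written, then return) as a complete servlet. This is an added example, not code from the original thread; the resource name "/error.jsp", the "name" parameter and the validate() logic are assumptions for illustration. It also shows the isCommitted() check for code paths where output may already have started, which is the one case where a forward can no longer be made to work.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: a servlet that decides whether to forward BEFORE it writes any
 * body, and returns immediately after the forward so nothing else is written to
 * the (now committed) response. Paths and parameter names are assumptions.
 */
public class CommitSafeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // 1. Do everything that can fail first; do not touch the output yet.
        String errorMessage = validate(request);

        // 2. Hand off and STOP. forward() (like sendRedirect()) commits the
        //    response; any write after it throws IllegalStateException.
        if (errorMessage != null) {
            request.setAttribute("errorMessage", errorMessage);
            request.getRequestDispatcher("/error.jsp").forward(request, response);
            return;   // the missing 'return' is the usual bug
        }

        // 3. Only now start producing the page.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>Hello, " + escape(request.getParameter("name")) + "</p>");
        out.println("</body></html>");
    }

    /**
     * For code paths where output may already have started: forward only if the
     * response is not yet committed (the container clears buffered, uncommitted
     * output itself); otherwise report failure instead of throwing.
     */
    static boolean forwardIfPossible(HttpServletRequest request,
                                     HttpServletResponse response, String path)
            throws ServletException, IOException {
        if (response.isCommitted()) {
            return false;   // too late: headers and part of the body are on the wire
        }
        request.getRequestDispatcher(path).forward(request, response);
        return true;
    }

    /** Assumed validation: the "name" parameter must be present and non-blank. */
    private static String validate(HttpServletRequest request) {
        String name = request.getParameter("name");
        if (name == null || name.trim().length() == 0) {
            return "Parameter 'name' is required.";
        }
        return null;
    }

    /** Minimal HTML escaping so the echoed parameter cannot inject markup. */
    static String escape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Map the servlet in web.xml as usual. The same ordering applies to sendRedirect(): it sets headers and commits, so nothing may be written after it either, and a redirect after output has begun fails with the same exception.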
digest ignored in Data source realm
I have a problem where the digest element is seemingly being ignored when I move my web app from development to production. The application uses form based security and works just fine in development. Here are the details.

Dev - tomcat 5.5.17 in Netbeans 5.5.1
Prod - tomcat 5.5.15 - this is the only difference I can see at this point. But there doesn't seem to be anything in changelogs indicating a problem relating to digested passwords being fixed.

Here is my context.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context path="/TDAssetRegister">
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/TeraJDBC"
             digest="SHA"
             localDataSource="true"
             roleNameCol="Role_ID"
             userCredCol="User_Pwd"
             userNameCol="User_ID"
             userRoleTable="user_roles"
             userTable="valid_users"/>
      <Resource name="jdbc/TeraJDBC"
                auth="Container"
                type="javax.sql.DataSource"
                maxActive="100"
                maxIdle="30"
                maxWait="1"
                username="assetRegister"
                password="pass"
                driverClassName="com.ncr.teradata.TeraDriver"
                url="jdbc:teradata://dbc/database=AssetRegisterDB"/>
    </Context>

As mentioned this works in dev. I've tried messing with the case of the digest element and value (e.g. sha, Sha, SHA etc) and also tried MD5. I've also tried placing the digest in different parts of the Realm.

So how do I know it is being ignored as opposed to simply not working? I tried pasting a SHA digested password into the password field and successfully logged in. Then I tried changing the content of my valid_users table so that the password was simply set to pass then entered pass as my password - lo and behold, successful login.

The production system 5.5.15 is a default implementation. The one exception is a change to process *.jspf files as jsp's. I plan to update the prodn server to 5.5.17 to see if this will solve the problem. Unfortunately, I can not do this for a few days as the system is being used for some demo's. I was hoping someone would say, yes I had that problem and upgrading fixed it, or what you need to do is ...!

TIA
glennm
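To tell from the stored value alone whether a realm is digesting, it helps to reproduce the comparison the realm makes. Tomcat's RealmBase digests the password bytes with the named MessageDigest and compares the lowercase hex string against the credential column ("SHA" is the JDK alias for SHA-1); the shipped bin/digest.sh prints that value. The standalone program below is an added example, not code from the post or from Tomcat: it computes the same hex digest and shows the two outcomes the poster observed. Passwords are assumed to be ASCII (Tomcat uses the JVM default encoding unless configured otherwise, which makes no difference for ASCII), and the sample rows are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example: reproduces a Tomcat realm's credential check with and without
 * the digest attribute. digest() mirrors RealmBase.Digest (hex of the
 * MessageDigest over the password bytes); the sample stored values are constructed.
 */
public class RealmDigestCheck {

    /** Lowercase hex of MessageDigest(algorithm) over the password, as Tomcat stores it. */
    static String digest(String password, String algorithm) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            byte[] out = md.digest(password.getBytes(StandardCharsets.US_ASCII));
            StringBuilder hex = new StringBuilder(out.length * 2);
            for (byte b : out) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unknown digest algorithm: " + algorithm, e);
        }
    }

    /** What a realm with digest="SHA" (or "MD5") compares: stored hex vs. digest of input. */
    static boolean authenticateDigested(String storedCredential, String entered, String algorithm) {
        return constantTimeEquals(storedCredential, digest(entered, algorithm));
    }

    /** What a realm with no digest attribute compares: stored plaintext vs. input. */
    static boolean authenticatePlain(String storedCredential, String entered) {
        return constantTimeEquals(storedCredential, entered);
    }

    /** Length-independent comparison so the check does not leak matching prefixes. */
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }

    public static void main(String[] args) {
        // Constructed rows: what valid_users.User_Pwd holds in each scenario.
        String digestedRow  = digest("pass", "SHA");   // 40 hex chars, what the column should hold
        String plaintextRow = "pass";

        System.out.println("SHA digest of 'pass': " + digestedRow);

        // With digest="SHA" honoured, only the digested row can log in.
        System.out.println("digested row, digest on:  " + authenticateDigested(digestedRow, "pass", "SHA"));
        System.out.println("plaintext row, digest on: " + authenticateDigested(plaintextRow, "pass", "SHA"));

        // If both the digested row AND the plaintext row log in (the symptom in the post),
        // the realm is effectively doing one of these comparisons per row instead.
        System.out.println("plaintext row, digest off: " + authenticatePlain(plaintextRow, "pass"));
        System.out.println("digested row as password:  " + authenticatePlain(digestedRow, digestedRow));
    }
}
```

Compare the printed SHA value with `$CATALINA_HOME/bin/digest.sh -a SHA pass` on each server; if the two servers print different values, the difference is in the JVM or encoding, not the Realm element. Note also that the context.xml above carries a plaintext database password with broad connection-pool limits; that is unrelated to the symptom, but it is the kind of detail to strip before pasting a config into a public list.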
Enable file downloads outside the application tree
Hi

I have a bulletin board scenario (i.e. people can download files that others have uploaded).

The easiest solution is to simply save the uploaded files within my application's directory tree (e.g. .../webapps/myapp/files or similar). The problem with this is that if I deploy a new version of the web app, any previously uploaded files are nuked with the rest of the old version as my new version is being deployed.

My preferred solution is (at this point) to map the path /myapp/files to another directory. To do this, I'm looking for a mapping entry to put into my web.xml that would map the /myapp/files path to a directory outside my tomcat server (e.g. /myapp/files - /downloads or similar). Unfortunately I just can't seem to find anything that would allow this other than writing a servlet or creating a whole new application (I can specify this alternate directory in the context ... element via the docBase attribute) but it would be a whole new application and cause me problems elsewhere.

Can I achieve this with a mapping entry in my web.xml (or context.xml)? And if so, how? Ideally this would return the correct real path for a call to ServletContext.GetRealPath (myapp/files).

Thanks
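The "writing a servlet" option the poster mentions is the one that keeps uploads out of the deployment tree without a second Context, and it is also where the security work lives: user-supplied names must not be able to reach files outside the directory. The servlet below is an added example, not code from the post; the base directory /downloads, the init-param name "baseDir" and the url-pattern /files/* are assumptions. The essential check is resolving the canonical path and refusing anything that does not stay under the canonical base, which covers "..", encoded separators (already decoded by the container into getPathInfo()) and symlinks.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: serves files from a directory outside the webapp, mapped in
 * web.xml to /files/* (assumed). Every request path is canonicalised and checked
 * against the canonical base directory before any file is opened.
 */
public class ExternalFileServlet extends HttpServlet {

    private File baseDir;

    @Override
    public void init() throws ServletException {
        String dir = getInitParameter("baseDir");   // assumed init-param
        if (dir == null) dir = "/downloads";        // assumed default location
        try {
            baseDir = new File(dir).getCanonicalFile();
        } catch (IOException e) {
            throw new ServletException("cannot resolve baseDir " + dir, e);
        }
        if (!baseDir.isDirectory()) {
            throw new ServletException("baseDir is not a directory: " + baseDir);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        File target = resolve(baseDir, req.getPathInfo());
        if (target == null) {
            // Same answer for "outside the base" and "does not exist": no probing oracle.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(target.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setHeader("Content-Length", String.valueOf(target.length()));
        // Uploaded content is untrusted: force download so HTML/SVG never renders in this origin.
        resp.setHeader("Content-Disposition",
                "attachment; filename=\"" + safeName(target.getName()) + "\"");
        resp.setHeader("X-Content-Type-Options", "nosniff");

        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }

    /**
     * Returns the regular file that pathInfo names inside base, or null when
     * pathInfo is missing, contains NUL, escapes base, or is not a readable file.
     */
    static File resolve(File base, String pathInfo) throws IOException {
        if (pathInfo == null || pathInfo.indexOf('\0') >= 0) return null;
        File candidate = new File(base, pathInfo).getCanonicalFile();
        // getCanonicalFile() collapses ".." and follows symlinks, so a prefix test on
        // the canonical path suffices; the trailing separator stops /downloads2 matching.
        String basePrefix = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) return null;
        if (!candidate.isFile() || !candidate.canRead()) return null;
        return candidate;
    }

    /** Keep the download filename to a safe character set for the header. */
    static String safeName(String name) {
        return name.replaceAll("[^A-Za-z0-9._-]", "_");
    }
}
```

Declare it in web.xml with a `<servlet-mapping>` whose `<url-pattern>` is `/files/*`, and pass the directory as an `<init-param>` named `baseDir`. Two caveats: this does not change what `ServletContext.getRealPath("/files")` returns, which still points into the webapp (only a separate Context with its own docBase would do that), and the upload side needs the same canonical-path check when it chooses where to write.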