Re: Form-based Container Security with SSL

2009-05-11 Thread Guojun Zhu
Dear Chris,

Thank you very much.  What we really want is for the login
username/password to be communicated encrypted.  Everything else can be in
clear text.  (We also need the log-out, so I cannot use digest
authentication.)


 Showing a non-secure login page isn't a problem, is it? You just need to
 make sure that the login form's action is HTTPS and you will get a
 secure login.
But if this login page is reached by http, will the login
username/password be sent out in clear text?  Or should I specify
the action j_security_check as https?  Then after the authentication,
change back to http.  (By changing the secured cookie into an unsecured
one?  Where?  In every page, as tomcat has redirected the link away from
the login?)


Thank you very much.

Sincerely
Zhu, Guojun

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Form-based Container Security with SSL

2009-05-08 Thread Guojun Zhu
Dear Chris,

I am sorry, but I am not sure that I understand what you mean.  All
your solutions modify the login.jsp.  But we have already reached
there by http, insecurely, whenever I try to access any restricted
pages.  I have set things up like this with the form authentication as in my
last post.  Am I doing the right thing?  Or should I change it to
CONFIDENTIAL?

<security-constraint>
  <display-name>normal</display-name>
  <web-resource-collection>
    <web-resource-name>INFORM project</web-resource-name>
    <description/>
    <url-pattern>*.do</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>HEAD</http-method>
    <http-method>PUT</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>user for all pages except the admin and home</description>
    <role-name>inform</role-name>
  </auth-constraint>
</security-constraint>

What do you mean by "You want to ensure a session is created in
non-secure mode BEFORE the user submits their credentials"?

Furthermore, in your solution, which cookie should I get?  Is there any
special one?

I am sorry for my naivety.  I am also very much willing to
learn a bit more about all this stuff.  If there is too much to
explain, could you please point me to some place to start reading and
understand my problem?  Thank you and have a great weekend!

Sincerely
Zhu, Guojun

On Fri, May 8, 2009 at 9:48 AM, Christopher Schultz
ch...@christopherschultz.net wrote:

 Guojun,

 On 5/8/2009 12:22 AM, Guojun Zhu wrote:
 Thank you very much.  I can get the link redirect.  But the tomcat's
 container security seems to happen before it.

 The container's security mechanism will always execute before your code.
 Keep that in mind when designing solutions.

 Here is the stuff in
 the web.xml.  When I type
 http://localhost:8080/InformProject/pages/login.jsp, it will redirect
 to https://localhost:8443/.  The browser will alert me because it
 is self-certified.  But when I go to other pages, which should bring this
 login page up, it just brings up the plain http version and bypasses this
 redirection.

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>login page</web-resource-name>
     <url-pattern>/pages/login.jsp</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 You don't want your login.jsp page to be set to CONFIDENTIAL. You want
 to ensure a session is created in non-secure mode BEFORE the user
 submits their credentials. There are a couple of ways to do this:

 1. Have login.jsp redirect to a bounce page in HTTP mode if the session
   cookie is secure (something like:

    // javax.servlet.http.Cookie exposes getSecure(), not isSecure()
    if (sessionIdCookie.getSecure()) {
      session.invalidate();
      response.sendRedirect(BOUNCE); // use HTTP, not HTTPS
      return;
    }

 Then your bounce page does this:
    request.getSession(true);
    response.sendRedirect("/login.jsp");

 2. You could also try, in your login.jsp:

     if (sessionIdCookie.getSecure()) {
       sessionIdCookie.setSecure(false);
       response.addCookie(sessionIdCookie);
     }

 I only just found the Cookie.setSecure method... I'm not sure how
 browsers deal with a cookie changing secure-ness: you'll have to check.

 3. Have login.jsp check for a (currently) secure request and redirect
   to itself in non-secure mode (after adjusting/deleting the cookie).
   Once in non-secure mode, create a new cookie/session and make sure
   your login form submits to an HTTPS URL.

 I would start with #2 and see if that works.

 -chris




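The mechanics behind Chris's suggestions in this thread (serve the login page over http but post the credentials to https; make sure the session cookie is not created in secure mode before the login; accept the session-hijacking trade-off), modelled as an added example. This is Python written for this page, not code from the thread or from Tomcat. It assumes the Tomcat behaviour the thread relies on, namely that a JSESSIONID cookie issued on an https request carries the Secure attribute; the login-page HTML, the URLs under /InformProject and the Set-Cookie headers below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect each <form> action and whether the form carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [action, has_password_field] per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = [a.get("action", ""), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def password_forms_post_over_tls(html, page_url):
    """Chris's rule: the login page may itself arrive over plain http; the
    credential is protected iff the form's action resolves to an https URL."""
    scanner = _FormScanner()
    scanner.feed(html)
    return all(urlparse(urljoin(page_url, action)).scheme == "https"
               for action, has_password in scanner.forms if has_password)


def parse_set_cookie(header):
    """Minimal Set-Cookie parser: name, value and the Secure attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return {"name": name, "value": value,
            "secure": any(p.lower() == "secure" for p in parts[1:])}


def browser_sends_cookie(cookie, request_url):
    """Browser rule: a Secure cookie is attached to https requests only."""
    return (not cookie["secure"]) or urlparse(request_url).scheme == "https"


def session_survives_http_fallback(login_set_cookie, next_url):
    """After an https login, does the session cookie reach a plain-http page?
    If not, Tomcat sees no session there and the user appears logged out."""
    return browser_sends_cookie(parse_set_cookie(login_set_cookie), next_url)


# Constructed samples (assumed layout, not captured from the poster's site).
LOGIN_PAGE_URL = "http://localhost:8080/InformProject/pages/login.jsp"
HOME_URL = "http://localhost:8080/InformProject/pages/home.do"
LOGIN_RELATIVE_ACTION = """
<form method="post" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>"""
LOGIN_HTTPS_ACTION = """
<form method="post" action="https://localhost:8443/InformProject/j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>"""
SESSION_FROM_HTTPS = "JSESSIONID=0123456789ABCDEF; Path=/InformProject; Secure"
SESSION_FROM_HTTP = "JSESSIONID=0123456789ABCDEF; Path=/InformProject"

if __name__ == "__main__":
    print("relative action leaves the password on http:",
          not password_forms_post_over_tls(LOGIN_RELATIVE_ACTION, LOGIN_PAGE_URL))
    print("absolute https action protects it:",
          password_forms_post_over_tls(LOGIN_HTTPS_ACTION, LOGIN_PAGE_URL))
    print("session created over https survives fallback to http:",
          session_survives_http_fallback(SESSION_FROM_HTTPS, HOME_URL))
    print("session created over http survives fallback to http:",
          session_survives_http_fallback(SESSION_FROM_HTTP, HOME_URL))
```

Two caveats a practitioner would want here. The browser never echoes the Secure attribute back, so a request cookie read on the server always reports getSecure() as false; the reliable server-side test is request.isSecure(), which is what Chris's third option checks. And the non-secure JSESSIONID that the bounce trick aims for then travels in the clear on every http request, which is exactly the session-hijacking exposure Chris asks about at the start of the thread.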


Re: Form-based Container Security with SSL

2009-05-07 Thread Guojun Zhu
Dear Chris,

Thank you very much.  I can get the link redirect.  But the tomcat's
container security seems to happen before it.  Here is the stuff in
the web.xml.  When I type
http://localhost:8080/InformProject/pages/login.jsp, it will redirect
to https://localhost:8443/.  The browser will alert me because it
is self-certified.  But when I go to other pages, which should bring this
login page up, it just brings up the plain http version and bypasses this
redirection.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>login page</web-resource-name>
    <url-pattern>/pages/login.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/pages/login.jsp</form-login-page>
    <form-error-page>/pages/error.jsp</form-error-page>
  </form-login-config>
</login-config>

Sincerely yours
Zhu, Guojun


On Wed, May 6, 2009 at 8:54 PM, Christopher Schultz
ch...@christopherschultz.net wrote:

 Guojun,

 On 5/6/2009 3:05 PM, Guojun Zhu wrote:
 We had a small web application on tomcat 5.5.  We use tomcat realm
 (MD5 digest)  with the form-based login.  I have a few questions on
 this.

 1.  When we use http, does the form-based login page send the username
 and password plainly or in the digested form?

 Your web browser will send the credentials in cleartext. The only
 digest being used here is the one used to hash the password before it
 is checked against your database (all on the server side).

 If you want the password sent securely, you'll need to either use HTTPS
 or use DIGEST authentication, which uses HTTP Auth instead of forms. I
 prefer HTTPS + form over DIGEST, FWIW.

 2.  We set up SSL on port 8443.  All links in our application are
 relative links without a specified scheme.  So currently all the
 links (including the login page) go either through normal http or
 encrypted https.  Is there any way to limit SSL to the login
 page alone and make sure the login page always goes through SSL?  The rest of the pages
 are really fairly low-risk stuff and we do not worry about leaks on
 them.

 Are you comfortable with the possibility of session hijacking? If so,
 there is a way to do this that I outlined a few weeks ago. Hmm... I
 can't seem to find it in the archives; I'll give you the short-short
 version. Try something like this:

 web.xml:
 <form-login-page>/login.jsp</form-login-page>
 ...
 <security-constraint>
   <web-resource-collection>
     <url-pattern>/login.jsp</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 login.jsp:
 <%
   Cookie mySessionCookie = ...;
   // javax.servlet.http.Cookie exposes getSecure(), not isSecure()
   if (mySessionCookie.getSecure())
   {
      // We don't want a secure session cookie. Kill it,
      // redirect to non-secure page and bounce back.

      session.invalidate();

      response.sendRedirect(response.encodeRedirectURL(BOUNCE_PAGE));
      return; // stop rendering the rest of the page after the redirect
   }
 %>

 Your bounce page should simply create a session and redirect to
 https://yourhost/login.jsp.

 You should probably create a filter that watches every URL except your
 login page and drives everything back to HTTP if it finds HTTPS in use.

 This may interfere with the container's ability to store and re-play
 requests for protected resources /after/ a successful login. YMMV. If
 you can't get it working using this suggestion, feel free to hire me to
 do it for you ;)

 -chris






Form-based Container Security with SSL

2009-05-06 Thread Guojun Zhu
Hi,

We had a small web application on tomcat 5.5.  We use tomcat realm
(MD5 digest)  with the form-based login.  I have a few questions on
this.

1.  When we use http, does the form-based login page send the username
and password plainly or in the digested form?

2.  We set up SSL on port 8443.  All links in our application are
relative links without a specified scheme.  So currently all the
links (including the login page) go either through normal http or
encrypted https.  Is there any way to limit SSL to the login
page alone and make sure the login page always goes through SSL?  The rest of the pages
are really fairly low-risk stuff and we do not worry about leaks on
them.

Our site (http://sulfite.lis.illinois.edu:8080/InformProjectDev,
https://sulfite.lis.illinois.edu:8443/InformProjectDev)

Thanks.

Sincerely
Zhu, Guojun




Path (file)InputStream for an independent module in tomcat?

2008-10-28 Thread Guojun Zhu
Hi,

I am using Tomcat 5.5 in a Linux/Windows mixed environment.  The deploy
target is both.  I have a DAO module for which I would like to put some
configuration into a separate file for easy access and modification.
However, I have some difficulty figuring out how to put the path in
the FileInputStream, where I need to use JDBC configuration parameters
such as driver name, server, user, password.  According to some pages
I have read, the only reliable way is to use
servletContext.getResourceAsStream().  So I need to pass the server
object into the DAO to get the resource.  However, my DAO module is
almost independent of the other parts of the web application and I would
also like to use it for other non-web applications.  So I would much
prefer not to pass any servlet into this module and to package the
configuration XML or property file with this module separately.  How
should I get those?  Thank you very much.

Sincerely
Zhu, Guojun




Re: Path (file)InputStream for an independent module in tomcat?

2008-10-28 Thread Guojun Zhu
Thank you.  That seems a good way out.

Sincerely
Zhu, Guojun

On Tue, Oct 28, 2008 at 2:08 PM, David Smith [EMAIL PROTECTED] wrote:
 You could put together a constructor or method for your DAO that accepts
 an input stream to read.  That would at least maintain its independence
 from the servlet container.  Just need to have whatever creates an
 instance of your DAO call servletContext.getResourceAsStream() and pass
 the resulting input stream to your DAO instance.  That might be easily
 doable in a ServletContextListener.

 --David







Re: Isn't there a PDF style document for v6?

2008-09-12 Thread Guojun Zhu
Here is the official link: http://tomcat.apache.org/tomcat-6.0-doc/index.html
But if you know nothing about tomcat before, a book might be a better place
to start.  Such as this one
http://www.amazon.com/Tomcat-Definitive-Guide-Jason-Brittain/dp/0596101066/ref=pd_bbs_sr_1?ie=UTF8s=booksqid=1221237237sr=1-1

Guojun

On Fri, Sep 12, 2008 at 3:21 AM, 叶双明 [EMAIL PROTECTED] wrote:

 Hi all!


 Can i download a PDF style document from somewhere, or other style?

 Please show me the url. Thanks!

 --
 Sorry for my english!! 明
 Please help me to correct my english expression and error in syntax



Re: What can url-pattern accept?

2008-08-20 Thread Guojun Zhu
I ended up with something interesting with tomcat.

I basically have two security-constraints; in the first one I put
<url-pattern>*.do</url-pattern> and in the second one I put
<url-pattern>/admin/*</url-pattern>.  Tomcat just did what I want: a user
with the role matching the first constraint does not have access to anything
under /admin/*.  It works in both Tomcat 5.5 and 6.0.  It is probably not the
specification-compliant solution, but good enough for me now.



On Sun, Aug 17, 2008 at 6:27 PM, Bill Barker [EMAIL PROTECTED] wrote:


 André Warnier [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
  Guojun Zhu wrote:
  [...]
 
 
  Unfortunately, it seems that the servlet API allows only this in
  url-pattern specs :
  - A string beginning with a / character and ending with a /* suffix is
  used for path mapping.
  - A string beginning with a *. prefix is used as an extension mapping.
  - A string containing only the / character indicates the default
 servlet
  of the application. In this case the servlet path is the request URI
 minus
  the context path and the path info is null.

 Actually, I don't think that Tomcat supports <url-pattern>/</url-pattern>
 (although it clearly should under the very brain-dead wording of the spec
 here).  There seem to be other spec violations in Tomcat here, since if you
 have one security-constraint for *.do, and another one for /admin/*, then
 Tomcat considers both of them for a request to /myapp/admin/foo.do.
 However, the spec (at least for v2.5) says that only the /admin/*
 constraint should be considered.  And this is where the brain-dead part
 kicks in :(, since Tomcat's implementation makes more sense than the spec.
 Hopefully someone will fix this in the Servlet 3.0 spec.

  - All other strings are used for exact matches only.
 
  In other words, /admin/*.do is not a valid way to match what you want,
  since it will match only /admin/*.do, literally.
 
  For 20 years at least, there have been 2 widely-used pattern-matching
  variations in existence :
  - the file glob kind of pattern, where * anywhere matches any number
  of characters and ? anywhere matches one character
  - regular expressions
  Why the designers of the servlet API found it useful or necessary to
  invent yet their own different way of matching wildcards, and a rather
  brain-dead one at that, is beyond me.
  But so it seems to be.
 
  This being said, it seems that there exists a servlet filter which
  allows much more flexibility.  I have not tried it myself yet, but I have
  seen a lot of nice things written about it.
  Check out : http://tuckey.org/urlrewrite/
 
  André
 
 
 







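The four url-pattern forms André lists above, and the two ways of choosing constraints that Bill contrasts (Tomcat applying every matching constraint versus the spec's single best match), as an added Python example. This is not code from the thread or from Tomcat; the patterns and request paths it tries are constructed from the poster's layout (Struts actions under the root, an admin area under /admin/).

```python
def pattern_kind(pattern):
    """Classify a url-pattern using the four forms the servlet spec allows:
    '/foo/*' path mapping, '*.ext' extension mapping, '/' default, else exact."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"      # '/admin/*.do' lands here: it only matches itself, literally


def pattern_matches(pattern, path):
    """Does one url-pattern match a context-relative request path?"""
    kind = pattern_kind(pattern)
    if kind == "default":
        return True
    if kind == "path":
        prefix = pattern[:-2]                         # '/admin/*' -> '/admin'
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])     # '*.do' -> '.do'
    return path == pattern


def all_matching(path, patterns):
    """Every pattern that matches: the 'both constraints apply' behaviour
    Bill attributes to Tomcat for /admin/foo.do."""
    return [p for p in patterns if pattern_matches(p, path)]


def best_matching(path, patterns):
    """The spec's best-match selection Bill says should govern instead:
    exact match, then the longest path prefix, then extension, then default."""
    matched = all_matching(path, patterns)
    for kind in ("exact", "path", "extension", "default"):
        candidates = [p for p in matched if pattern_kind(p) == kind]
        if candidates:
            if kind == "path":
                longest = max(len(p) for p in candidates)
                candidates = [p for p in candidates if len(p) == longest]
            return candidates
    return []


# Constructed patterns mirroring the poster's two security-constraints.
PATTERNS = ["*.do", "/admin/*"]

if __name__ == "__main__":
    for path in ("/doAction1.do", "/admin/user.do", "/admin", "/index.jsp"):
        print(path, "all:", all_matching(path, PATTERNS),
              "best:", best_matching(path, PATTERNS))
```

Running it shows why the poster's setup works on Tomcat even though it is not what the spec describes: for /admin/user.do both constraints match, but the best-match rule keeps only /admin/*, so an "inform"-only user is denied either way; the rejected /admin/*.do form is an exact match that no real request path will hit.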

What can url-pattern accept?

2008-08-17 Thread Guojun Zhu
Hi,

I am using Tomcat 5.5.26 and trying to set up some container security with
it.  I am using Struts 1.2.9 for my project.  Basically I have three types of
links:

1.  open to everyone, like the welcome pages.

2.  restricted to one type of user role, say A

3.  admin part, more restrictive, so for role B

I set a normal user to only have role A, while an administrator user has both
role A and role B.  However, I have some difficulty setting up the
url-pattern for security-constraint in web.xml.  Both part 2 and 3 are
realized by Struts; part 2 takes the root address, such as /doAction1.do,
etc.; part 3 takes the admin subdirectory, such as /admin/user.do.  I tried
to set part 2 to <url-pattern>/*.do</url-pattern> and part 3 to
<url-pattern>/admin/*.do</url-pattern>.  Tomcat refuses to parse it.  I know
url-pattern can do things like /admin/* for path or *.do for the
extension match.  Any other finer things?

One ugly solution I can think of is to change all of part 2 into a path like
/normal and then put that part as /normal/*.  But I would prefer not to do that
since that involves lots of changes in struts-config.xml.  Any other
solution?

Thanks in advance!

Sincerely
Zhu, Guojun


Re: How to change Default URL to point to my application index.html page

2008-08-17 Thread Guojun Zhu
you can change the $Catalina.home/conf/Catalina/(your host)/ROOT.xml file to
direct to your webapp path instead of the ROOT.

On Sun, Aug 17, 2008 at 1:36 PM, flytoarun [EMAIL PROTECTED] wrote:

 Hi All,

 I am using tomcat 5 version and my application's default page is
 www.domain.com\myDir\index.html which works fine when i enter full path
 however when i enter www.domain.com then the tomcat default server page
 opens. I want to change this default page by my application index.html
 (Default page).

 Can some one help me.

 I have tried few things but didn't work. Like adding entries in server.xml
 and web.xml

 Thanks in advance.








Re: How to change Default URL to point to my application index.html page

2008-08-17 Thread Guojun Zhu
I am sorry.  If there is no ROOT.xml, Tomcat will use the default and you
just need to do as Ken said.  Or you can create the ROOT.xml in
$Catalina.home/conf/Catalina/(your host)/ROOT.xml.  Put
<Context path="" docBase="${catalina.home}/webapps/(your application path)"/>
in the file.


On Sun, Aug 17, 2008 at 2:12 PM, flytoarun [EMAIL PROTECTED] wrote:

 Hi Guojun,

 I have 2 files under path
 /apache-tomcat-5.5.25/conf/Catalina/localhost
 host-manager.xml
 manager.xml

 i don't have ROOT.xml.












Re: where to place context configuration

2008-08-14 Thread Guojun Zhu
I am not sure about the second case.  But I don't have context.xml in the
war (META-INF/ directory)  and the application works fine for me.

On Thu, Aug 14, 2008 at 1:30 PM, Angus Mezick [EMAIL PROTECTED]
 wrote:

 Am I the only one that is REALLY disturbed by the idea of REQUIRING
 two identical files to run an app?  One in the war file and one in the
 conf directory?  If the one in the conf directory takes priority, why is
 the one in the war file needed at all?  I am just hoping this isn't in
 tomcat 6.0.  The idea of relying on the server to use the correct
 version of possibly different files in a production server makes me VERY
 nervous.

 --Angus Mezick

 -Original Message-
 From: Robert Dietrick [mailto:[EMAIL PROTECTED]
 Sent: Thursday, August 14, 2008 2:22 PM
 To: Tomcat Users List
 Subject: Re: where to place context configuration

 I would very much prefer to use only the one in
 mywebapp/META-INF/context.xml, as this is much less invasive (does not
 require changing/adding anything to tomcat's global config
 directories).  But this doesn't seem to work.

 I can leave it as is (and am becoming resigned to the fact that this
 is my only option), but this is sort of a maintenance nightmare since
 the two files need to be kept in sync.  Plus, it just seems idiotic to
 need to declare the context and its resources in two locations.

 Does either of these files need a 'docBase' or 'path' parameter?  It
 doesn't seem to make a difference either way.

 -rob

 On Thu, Aug 14, 2008 at 11:00 AM, Mark Thomas [EMAIL PROTECTED] wrote:
  Robert Dietrick wrote:
  Hi,
 
  I just noticed that I had a Context definition in both
  $CATALINA_HOME/conf/Catalina/localhost/mywebapp.xml and in
  $CATALINA_HOME/webapps/mywebapp.war/META-INF/context.xml.  In both of
  these context definitions, I define a JNDI database connection pool
  with the same name and identical parameters.  This was working fine,
  but it is confusing, redundant, and runs contrary to the
  recommendations in the official documentation.
 
  However, if i remove either one of these files, I get the dreaded
  Cannot create JDBC driver of class '' for connect URL 'null' error.
  Can anyone offer any advice?
 
  Just leave it as is?
 
  The one in conf will take priority.
 
  Mark
 
 
 
 







Find out Who-I-Am for Realm User

2008-07-30 Thread Guojun Zhu
Hi,

I am using a realm for the authorization of my web application.  I would like
to include an administration section for things like modifying the user
profile or password.  I have several different user names associated with
two different roles.  Both roles give access to the web pages.  I am
wondering whether I can find out who the logged-in user is in the realm, so I do
not need the user to provide it again to enter the admin part.  I am
using Tomcat 5.5 on a Linux box.  Thanks.

Sincerely
Zhu, Guojun


Re: Find out Who-I-Am for Realm User

2008-07-30 Thread Guojun Zhu
Thank you.  I am using basic authentication, like the manager package of
Tomcat.  Something like this in the web.xml:

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat INFORM Application</realm-name>
</login-config>

I only know how to use the realm in the web.xml and server.xml.  But I
would really like to learn about this j_security.  Honestly, I do not fully
understand what you say in the second part.  I know basic Java stuff and
know basic things about writing JSP web applications and a little servlet.
Where should I start to learn these?  Thanks.

Sincerely
Zhu, Guojun

On Wed, Jul 30, 2008 at 5:08 PM, Alessandro Ferrucci 
[EMAIL PROTECTED] wrote:

 What authentication method are you using?  I'll take a wild guess at form.
 This thread provides a few workaround solutions for this:

 http://www.theserverside.com/discussions/thread.tss?thread_id=32033

 I suggest looking into writing your own filter and placing it above
 SecurityFilter in the stack and intercepting the redirect made by the
 security filter by subclassing HttpServletResponseWrapper.


 On Wed, Jul 30, 2008 at 3:58 PM, Guojun Zhu [EMAIL PROTECTED] wrote:

  Hi,
 
  I am using realm for the authorization of my web application.  I would
 like
  to include a administration section for things like modifying the user
  profile or password.   I have several different user names associated
 with
  two different roles.  Both roles give the pass to the web pages.  I am
  wondering whether I can find out who is the login user in realm?  So I do
  not need the user to provide it again to entering the admin part.  I am
  using Tomcat 5.5 on a linux box.  Thanks.
 
  Sincerely
  Zhu, Guojun
 



 --
 Signed,
 Alessandro Ferrucci :)



Re: Configure authentication across an entire host...

2008-07-23 Thread Guojun Zhu
This might be what you want.  Single Sign on,
http://tomcat.apache.org/tomcat-5.5-doc/config/host.html.   It can let the
different webapp share the same realm authentication.

Guojun

On Tue, Jul 22, 2008 at 11:00 PM, Nathan Wilhelmi [EMAIL PROTECTED] wrote:

 Hello - Is there any way to setup digest or basic authentication to cover
 an entire host.? Basically I would like to create a blanket authorization
 setup for a host without having to modify individual applications. So
 anything deployed in that host would require some simple level of
 authentication.

 Thanks!

 -Nate





How to Set up Role in Tomcat

2008-07-15 Thread Guojun Zhu
Hi,

We are using Tomcat 5.5 on a Linux box, and I am trying to set up the realm
security for our webapp.  I only want a password and username challenge for
this webapp only.  So I guess I need to set up a role corresponding to it
directly.  I looked around and did not find much information about how to do
this.  I found a section in the servlet spec, but it is quite general with
no specific details.  Can anyone give me more specific information on this,
please?  I do not mind spending a couple of days reading.  I can program in
Java and know the basic things about the language, not as advanced as the
architecture level.  But I am very much willing to learn it.  Thanks.

Sincerely
zhu, Guojun