Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

2018-05-04 Thread Dirk Ooms
Thanks for fixing this. Happy to help.

On 3 May 2018 at 21:31, Mark Thomas <ma...@apache.org> wrote:

> On 03/05/18 20:17, Mark Thomas wrote:
> > On 02/05/18 16:08, Dirk Ooms wrote:
> >> Mark,
> >>
> >> you can reproduce it using the FormAuthentication example in the
> >> examples (http://localhost:8080/examples/jsp/security/protected/)
> >>
> >> edit index.jsp
> >> 1. add the line "RequestURI: <%= request.getRequestURI() %>" in
> >> begin of body
> >> 2. change the method of the form from GET to POST
> >>
> >> scenario:
> >> 1. go to http://localhost:8080/examples/jsp/security/protected/
> >> 2. log in
> >> 3. open second tab/window to same url
> >> 4. log out in second tab/window
> >> 5. go to initial window and submit form
> >> 6. log in again
> >> 7. observe the malformed requestURI
> >
> > Thanks for the reproduction steps. They were a huge help.
> >
> > This was introduced in 8.5.x with some refactoring that reduced copying
> > between I/O buffers during request processing. Essentially, the saved
> > request body was over-writing the cached bytes for the URI.
>
> Correction. It affects 8.0.x and earlier as well.
>
> I'll back port the fix for 8.0.x and 7.0.x.
>
> Mark
>
>
> >
> > I'll be committing a fix shortly which will be available in 9.0.9 and
> > 8.5.32 onwards.
> >
> > Mark
> >
> >
> >>
> >> see also attached screenshots (if they make it to the mailing list).
> >>
> >> dirk
> >>
> >>
> >> On 1 May 2018 at 16:20, Dirk Ooms <dir...@gmail.com> wrote:
> >>
> >> apologies for the incomplete info. it is tomcat 9.0.6
> >>
> >> i will try to set up a test case and get back to you.
> >>
> >> dirk
> >>
> >>
> >> On 1 May 2018 at 16:07, Mark Thomas <ma...@apache.org> wrote:
> >>
> >> On 01/05/18 14:36, Dirk Ooms wrote:
> >> > Hello,
> >> >
> >> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using
> >> > j_security_check.
> >> >
> >> > in tomcat5.5 when a user was not logged in and he/she requested a url,
> >> > the login page was returned and after logging in the user was given the
> >> > requested resource. when i requested request.getRequestURI() in my code
> >> > the returned uri was correct for both GET and POST.
> >> >
> >> > in tomcat9 this is not the case anymore for POST (for GET still ok).
> >> > when i call request.getRequestURI() after the user is logged in, it
> >> > returns "chString" in my case, which is a part of the name of the first
> >> > form field ("searchString") of the original POST.
> >> >
> >> > any idea? am i missing something?
> >>
> >> The exact Tomcat 9 version.
> >>
> >> A test case that demonstrates the issue.
> >>
> >> Mark


Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

2018-05-02 Thread Dirk Ooms
Mark,

you can reproduce it using the FormAuthentication example in the examples
(http://localhost:8080/examples/jsp/security/protected/)

edit index.jsp
1. add the line "RequestURI: <%= request.getRequestURI() %>" in
begin of body
2. change the method of the form from GET to POST

scenario:
1. go to http://localhost:8080/examples/jsp/security/protected/
2. log in
3. open second tab/window to same url
4. log out in second tab/window
5. go to initial window and submit form
6. log in again
7. observe the malformed requestURI

see also attached screenshots (if they make it to the mailing list).

dirk


On 1 May 2018 at 16:20, Dirk Ooms <dir...@gmail.com> wrote:

> apologies for the incomplete info. it is tomcat 9.0.6
>
> i will try to set up a test case and get back to you.
>
> dirk
>
>
> On 1 May 2018 at 16:07, Mark Thomas <ma...@apache.org> wrote:
>
>> On 01/05/18 14:36, Dirk Ooms wrote:
>> > Hello,
>> >
>> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using
>> > j_security_check.
>> >
>> > in tomcat5.5 when a user was not logged in and he/she requested a url,
>> > the login page was returned and after logging in the user was given the
>> > requested resource. when i requested request.getRequestURI() in my code
>> > the returned uri was correct for both GET and POST.
>> >
>> > in tomcat9 this is not the case anymore for POST (for GET still ok).
>> > when i call request.getRequestURI() after the user is logged in, it
>> > returns "chString" in my case, which is a part of the name of the first
>> > form field ("searchString") of the original POST.
>> >
>> > any idea? am i missing something?
>>
>> The exact Tomcat 9 version.
>>
>> A test case that demonstrates the issue.
>>
>> Mark
>>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

2018-05-01 Thread Dirk Ooms
apologies for the incomplete info. it is tomcat 9.0.6

i will try to set up a test case and get back to you.

dirk


On 1 May 2018 at 16:07, Mark Thomas <ma...@apache.org> wrote:

> On 01/05/18 14:36, Dirk Ooms wrote:
> > Hello,
> >
> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using
> > j_security_check.
> >
> > in tomcat5.5 when a user was not logged in and he/she requested a url,
> > the login page was returned and after logging in the user was given the
> > requested resource. when i requested request.getRequestURI() in my code
> > the returned uri was correct for both GET and POST.
> >
> > in tomcat9 this is not the case anymore for POST (for GET still ok).
> > when i call request.getRequestURI() after the user is logged in, it
> > returns "chString" in my case, which is a part of the name of the first
> > form field ("searchString") of the original POST.
> >
> > any idea? am i missing something?
>
> The exact Tomcat 9 version.
>
> A test case that demonstrates the issue.
>
> Mark
>


tomcat9 j_security_check request.getRequestURI() incorrect after POST

2018-05-01 Thread Dirk Ooms
Hello,

i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.

in tomcat5.5 when a user was not logged in and he/she requested a url, the
login page was returned and after logging in the user was given the
requested resource. when i requested request.getRequestURI() in my code the
returned uri was correct for both GET and POST.

in tomcat9 this is not the case anymore for POST (for GET still ok). when i
call request.getRequestURI() after the user is logged in, it returns
"chString" in my case, which is a part of the name of the first form field
("searchString") of the original POST.

any idea? am i missing something?

thanks,
dirk


Re: user switching or application interacting with container based authentication

2012-05-24 Thread dirk ooms
Andre,

thanks for your thoughts on this. i agree that this issue brings me to
'a loop of increasing contradictions'.  it's probably good to go one
step back and explain the real-life requirement:

we have an application that is used by many small companies, each
company has its own data and can have multiple users (typically 1 to 5).
within a company there is a requirement to switch users in a fast way
(e.g. using a badge or a fingerprint). think of a restaurant having 1
computer and several waiters. we want to trace what is done by which
waiter and there is also an incentive for the waiter to switch users
because his fee will be based on his logged activities.

my reasoning was: i'll keep the standard proven AAA mechanism for the
initial log in, but allow fast user switching within a company where
there is more trust between users (which is security-wise probably a
weak statement). still there is a need for some type of authentication
because the users can have different roles. but this indeed leads to
conflicts between the standard and the proprietary
authentication/authorization mechanism.

my current reasoning is: i need to keep a standard proven AAA mechanism
also for fast user switching. correct? but how do i tackle this given
that we now have form/container-based authentication. do i need a
parallel standard container-based mechanism? what mechanism exists that
allows to authenticate by scanning a barcode (i.e. a single (possibly
long) string)? any pointer/suggestion will be much appreciated.

dirk


 
 Without going into the technique itself, from your description above it looks
 to me as if this is a scenario so different from what a standard AAA mechanism
 is designed to achieve, that you are going to find yourself getting into a
 loop of increasing contradictions, if you try to fit this into the standard
 authentication mechanisms.
 (In other words : you are going to be using code that has been carefully
 designed and perfected to do things well in one scenario, and try to do
 something else with it.  I would expect all kinds of side-effects, and an
 endless series of patches upon patches to avoid them).
 
 Maybe the first question to ask : why do you need the user to be
 authenticated /to the servlet container/ in the first place ? when, and for
 what, do you use the return values of getUserPrincipal() and/or
 isUserInRole() ? (I mean really, deep down)
 
 If you rethink the above, imagining that the user-id is just a request
 parameter like any other form parameter (*), and that Tomcat itself has no
 knowledge of an authenticated user, what breaks down ?
 
 (*) which according to your own explanation above, you are going to have to
 do at some point anyway.
 



Re: user switching or application interacting with container based authentication

2012-05-24 Thread dirk ooms
Chris, Andre,

thanks for sharing your thoughts, it helped me to see things more clearly.

changing a user object in the session is something i already did. the
problem with this (and what triggered my initial question) is that a
new user could have access rights to more functionality than the first
user, but access to this functionality is blocked by the container
because of the role-based security constraints i have defined in
web.xml (the container does not know that there is a new user with
other roles, so it is still applying the access rules of the first user).

anyway to move forward i decided to use the container-managed
authentication just as yes/no to obtain access to the complete
application and to move authorization to the application itself.

thanks,
dirk

On Thu, 2012-05-24 at 10:37 -0400, Christopher Schultz wrote:
 Dirk,
 
 On 5/23/12 7:01 PM, dirk ooms wrote:
  any hint on fast-user-switching or 
  applications-interacting-with-container-based-authentication are
  very welcome.
 
 We use securityfilter for AAA and the user is stored in the session:
 you can just replace the user object and boom: you are a new user. We
 support user impersonation in this way and allows administrators to
 masquerade as another user and then go back to their original login.
 
 Switching to securityfilter may not be a great plan for you, though
 it's not terribly hard to do. But, its a possibility.
 
 - -chris






Re: user switching or application interacting with container based authentication

2012-05-24 Thread dirk ooms

  
 
 How about your barcode (or card or whatever) idea, to allow users to switch
 id on-the-fly ? I am curious as to how you implement that.

after some user has logged in in a 'normal/standard' way (using e.g.
form-based, container-managed), there is a text input field in the
header of the secured web page. if another user scans his personal
barcode which could be e.g. a hash of his username and his hashed
password into this field, there will be a switch to this new user (just
by setting its 'user object' in the session). to validate this hash, the
application just loops over the limited number of users of that specific
(small) company to find a match. the container is no longer involved in
authorization, the existing session is reused by the new user. this
method has the advantage that one can only switch between users of the
same 'company/shop' and that someone of that company must have logged in
in a standard way before any user switching becomes possible.

dirk


 
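The switch described in the message above, written out as an added example for this page (it is not dirk's application code). A servlet or filter calls `switchUser()` when the badge field is submitted. Assumptions that are not in the thread: a hypothetical `User` record, the session attribute name `app.currentUser` for the application-level user, a per-company user directory supplied by the application, and a Servlet 3.1 container for `changeSessionId()`. The server keeps only a SHA-256 of whatever string is printed on the badge (so the user table never holds the badge value itself), compares it in constant time against every user of the same company, refuses the switch unless the container login has already happened, and rotates the session id when the user changes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Application-managed user switching inside a container-authenticated session. */
public final class UserSwitch {

    /** Hypothetical user record; the thread does not define one. */
    public static final class User {
        final String name;
        final String company;
        final byte[] badgeHash;   // SHA-256 of the string printed on the badge, never the string itself
        final List<String> roles;

        User(String name, String company, byte[] badgeHash, List<String> roles) {
            this.name = name;
            this.company = company;
            this.badgeHash = badgeHash;
            this.roles = roles;
        }
    }

    /** Session attribute holding the application-level user (hypothetical name). */
    public static final String CURRENT_USER = "app.currentUser";

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }

    /**
     * Switches the session to the colleague whose badge matches {@code scanned}.
     * usersByCompany is the application's own user directory, keyed by company.
     * Returns the new user, or empty when nothing changed.
     */
    public static Optional<User> switchUser(HttpServletRequest request, String scanned,
                                            Map<String, List<User>> usersByCompany) {
        HttpSession session = request.getSession(false);
        // The badge field only works inside a session that went through the container login.
        if (session == null || request.getUserPrincipal() == null) {
            return Optional.empty();
        }
        User current = (User) session.getAttribute(CURRENT_USER);
        if (current == null) {
            return Optional.empty();
        }

        byte[] candidate = sha256(scanned);
        User match = null;
        // Only the same company's (few) users are candidates. Every one is compared,
        // in constant time, so the response time does not reveal which badges exist.
        for (User u : usersByCompany.getOrDefault(current.company, Collections.<User>emptyList())) {
            if (MessageDigest.isEqual(u.badgeHash, candidate)) {
                match = u;
            }
        }
        if (match == null) {
            return Optional.empty();
        }

        // Privilege level changes with the user, so rotate the session id (Servlet 3.1+)
        // while keeping the session's contents; the container's principal stays the first login.
        request.changeSessionId();
        session.setAttribute(CURRENT_USER, match);
        return Optional.of(match);
    }

    /** Application-level check that replaces request.isUserInRole() after the switch. */
    public static boolean hasRole(HttpSession session, String role) {
        User u = (User) session.getAttribute(CURRENT_USER);
        return u != null && u.roles.contains(role);
    }
}
```

Right after the container login succeeds, the application looks up its own `User` for `request.getUserPrincipal().getName()` and stores it under `CURRENT_USER`; from then on `hasRole()` is the authorization check, which is the "container as yes/no, authorization in the application" split dirk settles on elsewhere in this thread. Whatever the badge carries, it is a static secret that grants a login, so it should be handled like a password: kept out of access logs and request parameters that end up in URLs, and replaceable per user when a badge is lost.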



user switching or application interacting with container based authentication

2012-05-23 Thread dirk ooms
Hello,

we are running a web application with form based authentication. we now
have a requirement to switch between users (for subsets of users) with a
minimum of user interaction (log out and log in providing username and
password is way too much work for the user). so i was thinking of
providing each user with a badge with a unique barcode (a hash of
username and password?) which they can scan into a dedicated field in the
webpage and which will trigger the user switch. note that this barcode
field will only be available once a person has logged in in the normal
way (form based), so the user switch request is received within an
authenticated session.

the difficult part of the story is how can i tell the 'container based
authentication' that the current session is transferred to another user
with possibly other roles OR how can i create a new session for the new
user (so applying the correct authorization and providing a
HttpServletRequest returning the correct values of getUserPrincipal()
and isUserInRole()). the application is able to retrieve the user and
its roles, but how can the application inform the container about this.

i've been googling and reading for hours now and i'm a bit lost
(understatement) on how to proceed with this. it could also be the case
that there are much better scenario's than the one i have in mind.

any hint on fast-user-switching or
applications-interacting-with-container-based-authentication are very
welcome.

cheers,
dirk





Re: Tomcat does not stay on as a windows service

2007-12-14 Thread dirk ooms
there is another process that already uses port 8005. check whether there are 
other servers (apache?) or instances of tomcat running on your machine.

dirk

On Friday 14 December 2007 12:31, Ljuba Veselinova wrote:
 I am trying to get Tomcat going on a windows machine. There are
 running and working installations of

 Java 2 Standard Edition Development Kit version 2, update 6, with JRE
 and Java Web Start
 Apache 2.0.58

 Tomcat seems to install fine; I have created and checked the paths of
 the system variables CATALINA_HOME and JAVA_HOME for spelling errors.

 However, Tomcat does not stay on as a service. It starts and a second
 later it is off again. I have consulted the log files and really need
 help interpreting what they say

 Thanks,
 Ljuba

 catalina-2007-12-14.log

 2007-dec-14 12:14:08 org.apache.coyote.http11.Http11AprProtocol init
 INFO: Initializing Coyote HTTP/1.1 on http-8080
 2007-dec-14 12:14:08 org.apache.coyote.ajp.AjpAprProtocol init
 INFO: Initializing Coyote AJP/1.3 on ajp-8009
 2007-dec-14 12:14:08 org.apache.catalina.startup.Catalina load
 INFO: Initialization processed in 1594 ms
 2007-dec-14 12:14:08 org.apache.catalina.core.StandardService start
 INFO: Starting service Catalina
 2007-dec-14 12:14:08 org.apache.catalina.core.StandardEngine start
 INFO: Starting Servlet Engine: Apache Tomcat/5.5.17
 2007-dec-14 12:14:09 org.apache.catalina.core.StandardHost start
 INFO: XML validation disabled
 2007-dec-14 12:14:13 org.apache.coyote.http11.Http11AprProtocol start
 INFO: Starting Coyote HTTP/1.1 on http-8080
 2007-dec-14 12:14:14 org.apache.coyote.ajp.AjpAprProtocol start
 INFO: Starting Coyote AJP/1.3 on ajp-8009
 2007-dec-14 12:14:14 org.apache.catalina.storeconfig.StoreLoader load
 INFO: Find registry server-registry.xml at classpath resource
 2007-dec-14 12:14:14 org.apache.catalina.startup.Catalina start
 INFO: Server startup in 5734 ms
 2007-dec-14 12:14:14 org.apache.catalina.core.StandardServer await
 ALLVARLIG: StandardServer.await: create[8005]:
 java.net.BindException: Address already in use: JVM_Bind
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:359)
    at java.net.ServerSocket.bind(ServerSocket.java:319)
    at java.net.ServerSocket.init(ServerSocket.java:185)
    at org.apache.catalina.core.StandardServer.await(StandardServer.java:372)
    at org.apache.catalina.startup.Catalina.await(Catalina.java:615)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:575)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
 2007-dec-14 12:14:14 org.apache.coyote.http11.Http11AprProtocol pause
 INFO: Pausing Coyote HTTP/1.1 on http-8080

 localhost-2007-12-14.log
 INFO: org.apache.webapp.balancer.BalancerFilter: init(): ruleChain:
 [org.apache.webapp.balancer.RuleChain:
 [org.apache.webapp.balancer.rules.URLStringMatchRule: Target string:
 News / Redirect URL: http://www.cnn.com],
 [org.apache.webapp.balancer.rules.RequestParameterRule: Target param
 name: paramName / Target param value: paramValue / Redirect URL:
 http://www.yahoo.com],
 [org.apache.webapp.balancer.rules.AcceptEverythingRule: Redirect URL:
 http://jakarta.apache.org]]
 2007-dec-14 12:14:12 org.apache.catalina.core.ApplicationContext log
 INFO: ContextListener: contextInitialized()
 2007-dec-14 12:14:12 org.apache.catalina.core.ApplicationContext log
 INFO: SessionListener: contextInitialized()
 2007-dec-14 12:14:13 org.apache.catalina.core.ApplicationContext log
 INFO: ContextListener: contextInitialized()
 2007-dec-14 12:14:13 org.apache.catalina.core.ApplicationContext log
 INFO: SessionListener: contextInitialized()
 2007-dec-14 12:14:15 org.apache.catalina.core.ApplicationContext log
 INFO: SessionListener: contextDestroyed()
 2007-dec-14 12:14:15 org.apache.catalina.core.ApplicationContext log
 INFO: ContextListener: contextDestroyed()
 2007-dec-14 12:14:15 org.apache.catalina.core.ApplicationContext log
 INFO: SessionListener: contextDestroyed()
 2007-dec-14 12:14:15 org.apache.catalina.core.ApplicationContext log
 INFO: ContextListener: contextDestroyed()

 jakarta_service_20071214.log
 [2007-12-14 11:53:25] [info] Service Tomcat5 name Apache Tomcat
 [2007-12-14 11:53:25] [info] Service Tomcat5 installed
 [2007-12-14 11:53:25] [info] Procrun finished.
 [2007-12-14 11:53:25] [info] Updating service...
 [2007-12-14 11:53:25] [info] Service Tomcat5 updated
 [2007-12-14 11:53:25] [info] Update service finished.
 [2007-12-14 11:53:25] [info] Procrun finished.
 [2007-12-14 11:53:36] [info] Updating service...
 

extra field in form-based authentication

2007-12-13 Thread dirk ooms
Hello,

I would like to have an extra field in my form-based login page, but I'm 
wondering how I can retrieve the value of that extra field within my 
application (request.getParameter(blabla) does not work).

I searched the web and a suggestion was to override authenticate() in 
FormAuthenticator. But I'm wondering how I tell the container to use my 
version of authenticate()?

Are there other ways? This looks like something obvious, but after searching 
for a couple of hours, I haven't found a clear answer to this issue.

Thanks in advance for any guidance,
dirk

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: extra field in form-based authentication

2007-12-13 Thread dirk ooms
interesting suggestion, but in my case the extra field is not related to the 
username. i would like to have a field where the user indicates on what type 
of device he/she works, so we can offer the appropriate stylesheet.

On Thursday 13 December 2007 13:00, David Delbecq wrote:
 Or have the username in a hidden field and have javascript build it from
 two fields.

 example:
 j_username=Domain\\user
 j_password=*

 Most pragmatic way imho. javascript disabled user could still enter the
 \\ manually :)

 En l'instant précis du 13/12/07 12:51, Tim Funk s'exprimait en ces termes:
  In form based authentication - you have no access to the processor
  other than your suggestion of overriding authenticate() in
  FormAuthenticator.
 
  Depending on the purpose of the field you could always perform a
  kludge of setting the 3rd value in a cookie and have a filter check
  for the cookie to perform any extra work you need. (Somehow - I doubt
  that will work)
 
  -Tim
 
  dirk ooms wrote:
  Hello,
 
  I would like to have an extra field in my form-based login page, but
  I'm wondering how I can retrieve the value of that extra field within
  my application (request.getParameter(blabla) does not work).
 
  I searched the web and a suggestion was to override authenticate() in
  FormAuthenticator. But I'm wondering how I tell the container to use
  my version of authenticate()?
 
  Are there other ways? This looks like something obvious, but after
  searching for a couple of hours, I haven't found a clear answer to
  this issue.
 



Re: extra field in form-based authentication

2007-12-13 Thread dirk ooms
On Thursday 13 December 2007 13:54, Tim Funk wrote:
 in that case ... wouldn't the User-Agent header do the trick?

AFAIK not, the screenwidth is the main thing i want to adapt to and i can have 
Firefox/Linux running on a webtablet with 800px screen, but also on a desktop 
with 1900px.


 -Tim

 dirk ooms wrote:
  interesting suggestion, but in my case the extra field is not related to
  the username. i would like to have a field where the user indicates on
  what type of device he/she works, so we can offer the appropriate
  stylesheet.
 
  On Thursday 13 December 2007 13:00, David Delbecq wrote:
  Or have the username in a hidden field and have javascript build it from
  two fields.
 
  example:
  j_username=Domain\\user
  j_password=*
 
  Most pragmatic way imho. javascript disabled user could still enter the
  \\ manually :)




Re: symbolic links usage

2006-07-18 Thread dirk ooms
make allowLinking="true" an attribute of Context itself

On Tuesday 18 July 2006 01:57, Phill O'Flynn wrote:
   I have a web app that needs to access
 directories outside of the context using symlinks. However these files are
 not visible to the servlet. I have looked at all the FAQ's and made the
 recommended changes but it still doesn't work. I am using Tomcat 5.0.XX

 i have a
 context.xml file setup in the webapps META-INF directory as recommended for
 tomcat 5 on the web site. This is my context.xml

 <?xml version="1.0" encoding="UTF-8"?>
 <Context path="/drawings" docBase="drawings" debug="0">
   <Resources className="org.apache.naming.resources.FileDirContext"
              allowLinking="true" />
 </Context>

 this is the
 error I get

 org.apache.jasper.JasperException: /dwgList.jsp(12,0) File
 /downloads/info.jsp not found

 (downloads is a
 symbolic link and is a sub directory of the project directory)

 and this
 is the calling code

 <%@ include file='/downloads/info.jsp' %>


 Regards
 Phill O'Flynn








Re: Tomcat Symbolic Links

2006-07-11 Thread dirk ooms
in your server.xml or context description:
<Context ... allowLinking="true">

On Tuesday 11 July 2006 21:32, Mann, Bradley wrote:
 How do I instruct Tomcat to follow symbolic links within the file
 system? For instance, I need to have index.html be a symbolic link to
 another file.

 Thanks,

 Brad Mann
 Software Engineer - Information Access Services
 HARRIS Corporation / GCSD
 (321) 984-6292




Re: only https on login form

2006-07-06 Thread dirk ooms
Mark,

Thanks for your answer. So is it common practice to keep the complete session 
encrypted even if one only desires encrypted authentication?

cheers,
dirk

On Thursday 06 July 2006 03:01, Mark Thomas wrote:
 dirk ooms wrote:
  Is there a way to do this or am i missing something?

 Not without writing some custom code. Your first security-constraint
 will be ignored unless the user directly requests the login page
 (which will give a different error).

 Mark




only https on login form

2006-07-05 Thread dirk ooms
Hi List,

I am using a form-based login in my Tomcat application. My intention was to 
use https on the login form page, but once the user is logged in, http would 
be ok for further interaction (my main concern was not to send the password 
in the clear).

I had hoped to obtain this behavior with the below web.xml excerpt, but with 
this configuration everything happens over http (note that i know how to let 
everything happen over https).

Is there a way to do this or am i missing something?

cheers,
dirk

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Subscriber</web-resource-name>
      <url-pattern>/subscriberCtrl</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>subscriber</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/errorLogin.html</form-error-page>
    </form-login-config>
  </login-config>




Re: how to implement complicated log on using container based security

2006-07-01 Thread dirk ooms
i don't have an answer to your question, but you might consider using 
[EMAIL PROTECTED] as username ...

On Saturday 01 July 2006 18:02, Andrew E. Davidson wrote:
 Hi

 I have a b2b portal. In my world, there may be multiple users with the same
 name. For example John that works for the xyz corp, and John that works for
 abc inc. The primary key is created by combining the user name and company
 name.


 Does anyone know how I can create a log on page with three fields on it and
 still use tomcat container security? We are planning to use the JDBC realm

 Name:
 Company:
 Password:

 The only way I could figure out how to do this is to play tricks with
 javascript. When the user presses the submit button, I could have run a
 function that concatenates the user and company fields together.

 Is there a better way to handle this?

 Andy










Re: Stateless Tomcat Application

2006-06-28 Thread dirk ooms
AFAIK there are 2 situations in which Tomcat creates a HttpSession (generating
JSESSIONIDs) without an explicit call to request.getSession():

- when the form-based login procedure is used
- when JSPs are compiled, a session will automatically be created by the JSP
engine (also for JSPs that have no security-constraint). if a session is not
needed, this behaviour can be changed by including the line
'<%@ page session="false" %>' in each JSP

dirk

On Wednesday 28 June 2006 10:04, Andrew Miehs wrote:
 Dear List,

 I have an simple application that I would like to have cached by a squid
 server. My question is, is it possible to disable the Tomcat generating
 JSESSIONIDs, as these requests are all stateless.


 Thanks in advance,

 Regards

 Andrew




Re: multiple instances of load-on-startup classes

2006-06-27 Thread dirk ooms
i had something similar and the reason then was that i had duplicate context 
definition files. it seems that your context definition is not in server.xml, 
so you might check whether there are duplicate context files somewhere in 
tomcat/conf/...

dirk

On Tuesday 27 June 2006 13:43, Mark Benussi wrote:
 We have a webapp running within Tomcat 5.0.28 on Linux.
 The message log indicates that any load-on-startup classes are loaded
 twice. Also, any singleton objects created by these load-on-startup classes
 are created twice. This has been confirmed by stepping through the code via
 a debugger.

 From what I have gathered from web search it looks like the webapp is being
 loaded twice - each instance of the webapp uses a separate class-loader
 which accounts for seeing multiple instances of singleton objects.

 Can anyone shed any light on what may be going on here? Is the webapp being
 loaded twice? Is there a problem with Tomcat's server.xml?

 I have included the application log, server.xml and web.xml below:

 +Application Log+

 DEBUG 10:37:29,411 CpmDigester:CpmDigester(...) - Config file name =
 '/usr/local/home/paphdv14/.cpm.xml'
 DEBUG 10:37:29,527 CpmDigester:loadResults() - About to parse config file
 DEBUG 10:37:29,682 CpmDigester:loadResults() - config file parsed
 DEBUG 10:37:30,279 Information on the connection pool 'WEBCP'...
 DEBUG 10:37:30,279   Number of active connections = 1
 DEBUG 10:37:30,279   Number of idle connections = 0
 INFO  10:37:31,369 Loading validation rules file from
 '/WEB-INF/validator-rules.xml'
 INFO  10:37:31,375 Loading validation rules file from
 '/WEB-INF/validation-web.xml'
 INFO  10:37:31,705 Tiles definition factory loaded for module '/web'.
 DEBUG 10:37:31,731 WebLoginInitialiserPlugIn:init() - START
 INFO  10:37:31,851 Tiles definition factory loaded for module '/imm'.
 INFO  10:37:31,851 Loading validation rules file from
 '/WEB-INF/validator-rules.xml'
 INFO  10:37:31,851 Loading validation rules file from
 '/WEB-INF/validation-imm.xml'
 INFO  10:37:32,039 WebApplicationInitialisation:init(...) - Web application
 initialisation starting...
 INFO  10:37:32,039 WebApplicationInitialisation:init(...) - Initialising
 context parameters.
 DEBUG 10:37:32,039 WebApplicationInitialisation:init(...) - param =
 ./web/mainPage.do

 DEBUG 10:37:33,114 CpmDigester:CpmDigester(...) - Config file name =
 '/usr/local/home/paphdv14/.cpm.xml'
 DEBUG 10:37:33,154 CpmDigester:loadResults() - About to parse config file
 DEBUG 10:37:33,279 CpmDigester:loadResults() - config file parsed
 DEBUG 10:37:33,816 Information on the connection pool 'WEBCP'...
 DEBUG 10:37:33,817   Number of active connections = 1
 DEBUG 10:37:33,817   Number of idle connections = 0
 INFO  10:37:34,473 Loading validation rules file from
 '/WEB-INF/validator-rules.xml'
 INFO  10:37:34,475 Loading validation rules file from
 '/WEB-INF/validation-web.xml'
 INFO  10:37:34,854 Tiles definition factory loaded for module '/web'.
 DEBUG 10:37:34,866 WebLoginInitialiserPlugIn:init() - START
 INFO  10:37:34,918 Tiles definition factory loaded for module '/imm'.
 INFO  10:37:34,918 Loading validation rules file from
 '/WEB-INF/validator-rules.xml'
 INFO  10:37:34,918 Loading validation rules file from
 '/WEB-INF/validation-imm.xml'
 INFO  10:37:34,982 WebApplicationInitialisation:init(...) - Web application
 initialisation starting...
 INFO  10:37:34,982 WebApplicationInitialisation:init(...) - Initialising
 context parameters.
 DEBUG 10:37:34,982 WebApplicationInitialisation:init(...) - param =
 ./web/mainPage.do

 <?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
   version="2.4">
 <description></description>
 <filter>
   <filter-name>SessionFilter</filter-name>
   <filter-class>uk.co.etc.web.session.filter.SessionFilter</filter-class>
 </filter>
 <filter-mapping>
   <filter-name>SessionFilter</filter-name>
   <url-pattern>*.do</url-pattern>
 </filter-mapping>
 <filter-mapping>
   <filter-name>SessionFilter</filter-name>
   <url-pattern>*.jsp</url-pattern>
 </filter-mapping>
 <filter-mapping>
   <filter-name>SessionFilter</filter-name>
   <url-pattern>/servlet/*</url-pattern>
 </filter-mapping>
 <servlet>
   <servlet-name>web-app-init</servlet-name>
   <servlet-class>uk.co.etc.web.session.init.WebApplicationInitialisation</servlet-class>
   <init-param>
     <param-name>mainPageUri</param-name>
     <param-value>/web/mainPage.do</param-value>
   </init-param>
 ...
   <load-on-startup>0</load-on-startup>
 </servlet>
 <servlet>
   <servlet-name>action</servlet-name>
   <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
   <init-param>
     <param-name>config</param-name>
     <param-value>/WEB-INF/struts-config-main.xml</param-value>
   </init-param>
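Dirk's diagnosis, a context defined in more than one place, is quicker to confirm with a scan of every location a Tomcat instance reads Context definitions from than by browsing conf/ by hand. The class below is an added example written for this thread, not code from either poster and not part of Tomcat; the class name is my own, it assumes Java 8+ and the standard CATALINA_BASE layout (conf/server.xml, conf/<Engine>/<Host>/<name>.xml, webapps/<name>/META-INF/context.xml), and it takes the path of a per-host file or a webapp directory from its name, as Tomcat does.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Reports context paths that are defined in more than one place under a Tomcat
 * instance: nested in conf/server.xml, as conf/<Engine>/<Host>/<name>.xml, or as
 * webapps/<name>/META-INF/context.xml. Hypothetical tool written for this thread.
 */
public final class DuplicateContextFinder {

    /** One Context definition and the file it came from. */
    public static final class ContextDef {
        public final String path, docBase;
        public final File source;
        ContextDef(String path, String docBase, File source) {
            this.path = path; this.docBase = docBase; this.source = source;
        }
        @Override public String toString() {
            return path + " (docBase=" + docBase + ") from " + source;
        }
    }

    private final DocumentBuilder parser;

    public DuplicateContextFinder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Local config files never need a DOCTYPE; refusing one also blocks external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        parser = f.newDocumentBuilder();
    }

    /** Collects every Context definition the instance can load from its three sources. */
    public List<ContextDef> collect(File catalinaBase) throws Exception {
        List<ContextDef> defs = new ArrayList<>();
        // 1. <Context path="..."> elements nested inside conf/server.xml.
        File serverXml = new File(catalinaBase, "conf/server.xml");
        if (serverXml.isFile()) {
            NodeList nodes = parser.parse(serverXml).getElementsByTagName("Context");
            for (int i = 0; i < nodes.getLength(); i++) {
                Element c = (Element) nodes.item(i);
                defs.add(new ContextDef(attr(c, "path"), attr(c, "docBase"), serverXml));
            }
        }
        // 2. conf/<Engine>/<Host>/<name>.xml: the file name, not an attribute, sets the path.
        for (File engine : listDirs(new File(catalinaBase, "conf"))) {
            for (File host : listDirs(engine)) {
                File[] files = host.listFiles((dir, name) -> name.endsWith(".xml"));
                for (File file : files == null ? new File[0] : files) {
                    Element c = parser.parse(file).getDocumentElement();
                    defs.add(new ContextDef(pathFromName(file.getName()), attr(c, "docBase"), file));
                }
            }
        }
        // 3. webapps/<name>/META-INF/context.xml: the directory name sets the path.
        for (File app : listDirs(new File(catalinaBase, "webapps"))) {
            File ctx = new File(app, "META-INF/context.xml");
            if (ctx.isFile()) {
                Element c = parser.parse(ctx).getDocumentElement();
                defs.add(new ContextDef(pathFromName(app.getName()), attr(c, "docBase"), ctx));
            }
        }
        return defs;
    }

    /** Groups definitions by context path and keeps only the paths defined more than once. */
    public static Map<String, List<ContextDef>> duplicates(List<ContextDef> defs) {
        Map<String, List<ContextDef>> byPath = new LinkedHashMap<>();
        for (ContextDef d : defs) {
            String key = d.path == null ? "(no path attribute)" : d.path;
            byPath.computeIfAbsent(key, k -> new ArrayList<>()).add(d);
        }
        byPath.values().removeIf(list -> list.size() < 2);
        return byPath;
    }

    /** "foo.xml" or "foo" becomes "/foo"; "ROOT" becomes "" (Tomcat's naming rule). */
    static String pathFromName(String name) {
        if (name.endsWith(".xml")) name = name.substring(0, name.length() - 4);
        return name.equals("ROOT") ? "" : "/" + name;
    }

    private static File[] listDirs(File dir) {
        File[] dirs = dir.listFiles(File::isDirectory);
        return dirs == null ? new File[0] : dirs;
    }

    private static String attr(Element e, String name) {
        return e.hasAttribute(name) ? e.getAttribute(name) : null;
    }
}
```

Call `duplicates(new DuplicateContextFinder().collect(new File(catalinaBase)))` and print each entry: every key is a context path with two or more definitions, and each ContextDef names the file it came from. A hit is not automatically a fault, since which combinations Tomcat deploys once and which twice depends on the version and the host's deployment settings; what the list gives you is exactly the set of files Dirk suggests comparing, including the same application being defined under two different names with the same docBase.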