Re: filters on j_security_check
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chema, On 10/16/2011 1:55 PM, Chema wrote: Frankly, if you're using Spring Security, I'd stick with it. I myself am thinking of making the switch. Yes, I tried it and like it , but I need Single Sign On support and the solutions what Spring Security offers are complicated to implement by me sf does not support SSO at all, so there's definitely no reason for you to switch. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6cRs8ACgkQ9CaO5/Lv0PCtHwCgxA1AkaSclPEsb06SHcKaLF2F T4EAoIItWnxsiIAnzh+kKW6Lji2cjjVl =gqf5 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: filters on j_security_check
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chema, On 10/15/2011 4:18 PM, Chema wrote: This is one of the reasons I switched to SecurityFilter: there is a FlexibleRealmInterface that passes-in the HttpServletRequest that was used to attempt authentication. That allows you to get nice things like the ip address of the request for logging. I'm interested on what are talking about , where I can find info about SecurityFilter ? I've used Spring Security for reasons like you but I want try another options Frankly, if you're using Spring Security, I'd stick with it. I myself am thinking of making the switch. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6bC1QACgkQ9CaO5/Lv0PCQOgCfaFI5mg1TtXUa8OK3aWQfo/S1 Cu0AnRYPLLjdLF6v/G4hlFxSQbYDfvD4 =ZyEQ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: filters on j_security_check
Frankly, if you're using Spring Security, I'd stick with it. I myself am thinking of making the switch. Yes, I tried it and like it , but I need Single Sign On support and the solutions what Spring Security offers are complicated to implement by me
Re: filters on j_security_check
On 13/10/2011 20:53, Caldarale, Charles R wrote: If you want to do programmatic security in addition to declarative security, Or use the Servlet 3.0 APIs, supported by Tomcat. p signature.asc Description: OpenPGP digital signature
Re: filters on j_security_check
This is one of the reasons I switched to SecurityFilter: there is a FlexibleRealmInterface that passes-in the HttpServletRequest that was used to attempt authentication. That allows you to get nice things like the ip address of the request for logging. I'm interested on what are talking about , where I can find info about SecurityFilter ? I've used Spring Security for reasons like you but I want try another options Thanks
RE: filters on j_security_check
From: Chema [mailto:demablo...@gmail.com] Subject: Re: filters on j_security_check where I can find info about SecurityFilter ? The first hit on Google... - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: filters on j_security_check
On 13/10/2011 15:09, Alejandro Soto wrote: Hi, my name is Alejandro, I am working with Tomcat 7.0.20 and I need to know how can I apply filters to j_security_check to verify the status of login before continue with my authentication process. You can't use Filters because the Authentication Valves act before the Filter chain. Why do you need to filter on j_security_check? p I was thinking to use valves, but I read on internet that valves will be replaced with Filters - GSOC since Tomcat 7.0.x, so, I'm not sure what to do . Please, this is very important to me and any help will be appreciated. Best Regards. signature.asc Description: OpenPGP digital signature
Re: filters on j_security_check
Hi, thanks for reply, well, what i need is to know if the authentication was successful or not, I want to get the status of that authentication, I just need to know that status and has to be before the authentication mechanism continues. I am trying to invoke j_security_check from inside another servlet. Any suggestions about how resolve my requirement? Thanks in advance. Alejandro On Thu, Oct 13, 2011 at 12:50 PM, Pid p...@pidster.com wrote: On 13/10/2011 15:09, Alejandro Soto wrote: Hi, my name is Alejandro, I am working with Tomcat 7.0.20 and I need to know how can I apply filters to j_security_check to verify the status of login before continue with my authentication process. You can't use Filters because the Authentication Valves act before the Filter chain. Why do you need to filter on j_security_check? p I was thinking to use valves, but I read on internet that valves will be replaced with Filters - GSOC since Tomcat 7.0.x, so, I'm not sure what to do . Please, this is very important to me and any help will be appreciated. Best Regards. -- Alejandro Soto M. Cel: 705-63861
RE: filters on j_security_check
From: Alejandro Soto [mailto:smalejan...@gmail.com] Subject: Re: filters on j_security_check what i need is to know if the authentication was successful or not What are you going to do with said information? I just need to know that status and has to be before the authentication mechanism continues. Why? It seems like you might actually need to write a custom Realm, not a filter. I am trying to invoke j_security_check from inside another servlet. That sounds really, really wrong. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: filters on j_security_check
Hi Chuck, call j_security_check from inside another servlet is just an idea,
why is bad idea?
If possible, I don't want a custom Realm, I want to use the authentication
mechanism of the container (JDBCRealm), use something like this:
.
Context context = (Context) host.findChild(myContext);
Realm realm = context.getRealm();
String username = request.getParameter(j_username);
String password = request.getParameter(j_password);
Principal principal = realm.authenticate(username, password);
if (principal == null)
{
// some tasks
} else {
//
}
But this give me problems with catalina.jar library inside of my .war file.
Thanks.
Alejandro
On Thu, Oct 13, 2011 at 2:11 PM, Caldarale, Charles R
chuck.caldar...@unisys.com wrote:
From: Alejandro Soto [mailto:smalejan...@gmail.com]
Subject: Re: filters on j_security_check
what i need is to know if the authentication was successful or not
What are you going to do with said information?
I just need to know that status and has to be before the authentication
mechanism continues.
Why? It seems like you might actually need to write a custom Realm, not
a filter.
I am trying to invoke j_security_check from inside another servlet.
That sounds really, really wrong.
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you received
this in error, please contact the sender and delete the e-mail and its
attachments from all computers.
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: filters on j_security_check
From: Alejandro Soto [mailto:smalejan...@gmail.com] Subject: Re: filters on j_security_check call j_security_check from inside another servlet is just an idea, why is bad idea? Because it's not supported by the spec; please read SRV.12. If you want to do programmatic security in addition to declarative security, you can use the getRemoteUser(), isUserInRole(), and getUserPrincipal() methods of the object implementing HttpServletRequest. You can, of course, completely roll your own programmatic security, but in that case you must not configure any spec-defined declarative security elements in web.xml. The field names j_username and j_password are for use by the web server to handle form-based authentication. You may customize the content of the form, but not the processing of the submitted form. Since the spec leaves the implementation undefined, Tomcat chooses to handle that with Realms. If you want to perform additional checks, either create a custom Realm, or use the methods listed above. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: filters on j_security_check
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 10/13/2011 2:11 PM, Caldarale, Charles R wrote: From: Alejandro Soto [mailto:smalejan...@gmail.com] Subject: Re: filters on j_security_check what i need is to know if the authentication was successful or not What are you going to do with said information? I just need to know that status and has to be before the authentication mechanism continues. Why? It seems like you might actually need to write a custom Realm, not a filter. Checking for authentication pass/fail can be done in a Realm, but you can't really do anything with the information other than write it to the database. And all you have is username/password (or other credential-only information) to log. This is one of the reasons I switched to SecurityFilter: there is a FlexibleRealmInterface that passes-in the HttpServletRequest that was used to attempt authentication. That allows you to get nice things like the ip address of the request for logging. I am trying to invoke j_security_check from inside another servlet. That sounds really, really wrong. Yes. Yes, it does. If you (Alejandro) want to trigger authentication manually, servlet 3.0 has added the HttpServletRequest.authenticate method to allow you to do this yourself. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk6XRM4ACgkQ9CaO5/Lv0PBgoQCcC7SCZRzkx15PLBVLRxW45198 C6EAn2Q6RjtCy2VvbWBYvzIB4tkQZzqG =Y+bH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
