Realm authentication - unconventional usage
Hello, I wish to user a JDBCRealm with the username password coming in the HTTP request as key-value pairs. Is it possible? Elaborate: - They request uri: - http://localhost/realm-test/RealmTestServetlet?username=foopassword=bar The Realm must authenticate with 'foo' 'bar'. -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realm authentication - unconventional usage
Hi The natural *post* should be http://localhost/realm-test /j_security_check?j_username=fooj_password=bar And should be OK. What are your need ? On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: Hello, I wish to user a JDBCRealm with the username password coming in the HTTP request as key-value pairs. Is it possible? Elaborate: - They request uri: - http://localhost/realm-test/RealmTestServetlet?username=foopassword=bar The Realm must authenticate with 'foo' 'bar'. -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Souviens-toi qu'au moment de ta naissance tout le monde était dans la joie et toi dans les pleurs. Vis de manière qu'au moment de ta mort, tout le monde soit dans les pleurs et toi dans la joie.
Re: Realm authentication - unconventional usage
olivier nouguier wrote: Thanks. Hi The natural *post* should be http://localhost/realm-test /j_security_check?j_username=fooj_password=bar Let me make sure I got it right. So you mean the request should be something like this: - URL: - http://localhost/realm-test?j_security_check (method=POST) message body: - j_username=fooj_password=bar So appending a 'j_' will do the job? Also, in your case 'j_security_check' is the resource. But in my case, *'RealmTestServetlet'* is the resource. And should be OK. What are your need ? Till now, my authentication code used to be in the application layer. But now, I wish to offload the task to my container (Tomcat) without any changes to the application protocol; which is to send username and password as _plain key-value pairs_ in the request URL. On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: Hello, I wish to user a JDBCRealm with the username password coming in the HTTP request as key-value pairs. Is it possible? Elaborate: - They request uri: - http://localhost/realm-test/RealmTestServetlet?username=foopassword=bar The Realm must authenticate with 'foo' 'bar'. -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realm authentication - unconventional usage
I just like to point you the usual / standard use of J2EE authentication in a web tier ! http://java.sun.com/products/servlet/download.html With restricted resources define in web.xml Login page (FORM) And a defined realm in context.xml (or server.xml) No more ... PS: I don't think it really smart to GET login password in (clear) URL ;-) On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: olivier nouguier wrote: Thanks. Hi The natural *post* should be http://localhost/realm-test /j_security_check?j_username=fooj_password=bar Let me make sure I got it right. So you mean the request should be something like this: - URL: - http://localhost/realm-test?j_security_check (method=POST) message body: - j_username=fooj_password=bar So appending a 'j_' will do the job? Also, in your case 'j_security_check' is the resource. But in my case, *'RealmTestServetlet'* is the resource. And should be OK. What are your need ? Till now, my authentication code used to be in the application layer. But now, I wish to offload the task to my container (Tomcat) without any changes to the application protocol; which is to send username and password as _plain key-value pairs_ in the request URL. On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: Hello, I wish to user a JDBCRealm with the username password coming in the HTTP request as key-value pairs. Is it possible? Elaborate: - They request uri: - http://localhost/realm-test/RealmTestServetlet?username=foopassword=bar The Realm must authenticate with 'foo' 'bar'. -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Souviens-toi qu'au moment de ta naissance tout le monde était dans la joie et toi dans les pleurs. Vis de manière qu'au moment de ta mort, tout le monde soit dans les pleurs et toi dans la joie.
Re: Realm authentication - unconventional usage
There are only 5 ways to do authentification on a servlet application: The first, FORM, use form that POST to /j_security_check the j_username and the j_password |web.xml: web-app login-config auth-methodFORM/auth-method form-login-config form-error-page/Error.html /form-error-page form-login-page/SignOn.html /form-login-page /form-login-config /login-config /web-app| |html: form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password /form| The second and third, BASIC and DIGEST, use http protocol based identification: web-app login-config auth-methodBASIC|DIGEST/auth-method realm-namejpets/realm-name /login-config /web-app The fourth use a ssl certificate client side web-app login-config auth-methodCLIENT-CERT/auth-method /login-config /web-app And the fifth is to handle yourself all the work of authentification. You lose container managed security, you must do more work to securize your application but you can gain in flexibility. In the first four ways, using container managed security, it's impossible to attempt to force a login. It's when the user tries to access a security protected url that the container redirect user to the FORM or show the http login dialog or request the client SSL certificate. PS: i agree with Olivier, don't put that damn password in the url! olivier nouguier a écrit : I just like to point you the usual / standard use of J2EE authentication in a web tier ! http://java.sun.com/products/servlet/download.html With restricted resources define in web.xml Login page (FORM) And a defined realm in context.xml (or server.xml) No more ... PS: I don't think it really smart to GET login password in (clear) URL ;-) On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: olivier nouguier wrote: Thanks. Hi The natural *post* should be http://localhost/realm-test /j_security_check?j_username=fooj_password=bar Let me make sure I got it right. So you mean the request should be something like this: - URL: - http://localhost/realm-test?j_security_check (method=POST) message body: - j_username=fooj_password=bar So appending a 'j_' will do the job? Also, in your case 'j_security_check' is the resource. But in my case, *'RealmTestServetlet'* is the resource. And should be OK. What are your need ? Till now, my authentication code used to be in the application layer. But now, I wish to offload the task to my container (Tomcat) without any changes to the application protocol; which is to send username and password as _plain key-value pairs_ in the request URL. On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: Hello, I wish to user a JDBCRealm with the username password coming in the HTTP request as key-value pairs. Is it possible? Elaborate: - They request uri: - http://localhost/realm-test/RealmTestServetlet?username=foopassword=bar The Realm must authenticate with 'foo' 'bar'. -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realm authentication - unconventional usage
David Delbecq wrote: There are only 5 ways to do authentification on a servlet application: The first, FORM, use form that POST to /j_security_check the j_username and the j_password |web.xml: web-app login-config auth-methodFORM/auth-method form-login-config form-error-page/Error.html /form-error-page form-login-page/SignOn.html /form-login-page /form-login-config /login-config /web-app| |html: form method=POST action=j_security_check input type=text name=j_username input type=password name=j_password /form| The second and third, BASIC and DIGEST, use http protocol based identification: web-app login-config auth-methodBASIC|DIGEST/auth-method realm-namejpets/realm-name /login-config /web-app The fourth use a ssl certificate client side web-app login-config auth-methodCLIENT-CERT/auth-method /login-config /web-app And the fifth is to handle yourself all the work of authentification. You lose container managed security, you must do more work to securize your application but you can gain in flexibility. In the first four ways, using container managed security, it's impossible to attempt to force a login. It's when the user tries to access a security protected url that the container redirect user to the FORM or show the http login dialog or request the client SSL certificate. Thanks you so much. That was certainly informative. PS: i agree with Olivier, don't put that damn password in the url! Yes. I agree with both Olivier and David. But that's why I called it *unconventional*. So seems like I *will* have to stick to application layer authentication, or is there a way out? olivier nouguier a écrit : I just like to point you the usual / standard use of J2EE authentication in a web tier ! http://java.sun.com/products/servlet/download.html With restricted resources define in web.xml Login page (FORM) And a defined realm in context.xml (or server.xml) No more ... PS: I don't think it really smart to GET login password in (clear) URL ;-) On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: olivier nouguier wrote: Thanks. Hi The natural *post* should be http://localhost/realm-test /j_security_check?j_username=fooj_password=bar Let me make sure I got it right. So you mean the request should be something like this: - URL: - http://localhost/realm-test?j_security_check (method=POST) message body: - j_username=fooj_password=bar So appending a 'j_' will do the job? Also, in your case 'j_security_check' is the resource. But in my case, *'RealmTestServetlet'* is the resource. And should be OK. What are your need ? Till now, my authentication code used to be in the application layer. But now, I wish to offload the task to my container (Tomcat) without any changes to the application protocol; which is to send username and password as _plain key-value pairs_ in the request URL. On 11/22/06, Santosh Puranshettiwar [EMAIL PROTECTED] wrote: Hello, I wish to user a JDBCRealm with the username password coming in the HTTP request as key-value pairs. Is it possible? Elaborate: - They request uri: - http://localhost/realm-test/RealmTestServetlet?username=foopassword=bar The Realm must authenticate with 'foo' 'bar'. -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Realm authentication - unconventional usage
From: Santosh Puranshettiwar [mailto:[EMAIL PROTECTED] Subject: Re: Realm authentication - unconventional usage So seems like I *will* have to stick to application layer authentication, or is there a way out? Why can't you use one of the standard, spec-defined, container-managed mechanisms? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realm authentication - unconventional usage
I think that will be my next attempt. There are two reasons I haven't done that. 1. The original code for this application was written with a direct-connect to the database because it was set up to run on either Oracle or MySql, and it has been working fine up until we went to Tomcat 5.5. 2. I am not an XML wizard, and the documentation for tomcat XML configuration files leaves something to be desired. So I am not exactly sure how to do that. Thanks again much, Dan Caldarale, Charles R wrote: From: Santosh Puranshettiwar [mailto:[EMAIL PROTECTED] Subject: Re: Realm authentication - unconventional usage So seems like I *will* have to stick to application layer authentication, or is there a way out? Why can't you use one of the standard, spec-defined, container-managed mechanisms? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Realm authentication - unconventional usage
Caldarale, Charles R wrote: Thanks. From: Santosh Puranshettiwar [mailto:[EMAIL PROTECTED] Subject: Re: Realm authentication - unconventional usage So seems like I *will* have to stick to application layer authentication, or is there a way out? Why can't you use one of the standard, spec-defined, container-managed mechanisms? - Chuck That's because, the client in my case is not a generic browser but a application client. If I go for any of the standard techniques, I will have to make the appropriate changes in the client too, which is not feasible right now. THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Santosh. - To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]