RE: Using multiple login pages
Ok. I think I have it now to my satisfaction, although much work remains. Thanks Chris and Charles.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 06 Oct 2011 01:45
To: Tomcat Users List
Subject: Re: Using multiple login pages
Re: Using multiple login pages
On 05/10/2011 18:51, Martin O'Shea wrote:
>     <welcome-file-list>
>         <welcome-file>/jsp/index/newjsp.jsp</welcome-file>
>     </welcome-file-list>

This is incorrect. It should contain a list of welcome-file elements which indicate which files can be used as index files when found in a directory. It shouldn't give a full path to a specific file:

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>index.html</welcome-file>
        <welcome-file>newjsp.jsp</welcome-file>
    </welcome-file-list>

p
RE: Using multiple login pages
This follows on from yesterday's discussion about whether in my application, I can have more than one page with an embedded login form or not. I've been looking over the servlet spec (V2.2) and it seems that I can't actually do this which is a shame. So I'm now looking at a more conventional log in from a login page. But can anyone explain to me why I don't see my login page when I run the application? Login.jsp contains the following:

    <form action="<c:url value='j_security_check'/>" method="post">
        <table align="center" border="0" cellspacing="0">
            <tr>
                <th align="right"><font class="label">Username</font></th>
                <td align="left"><input class="textInput" name="j_username" type="text"></td>
            </tr>
            <tr>
                <th align="right"><font class="label">Password</font></th>
                <td align="left"><input class="textInput" name="j_password" type="password"></td>
            </tr>
            <tr>
                <td></td>
                <td>
                    <input class="button" type="submit" value="Log in">
                    <input class="button" type="reset" value="Clear">
                </td>
            </tr>
        </table>
    </form>

Which corresponds to the following in web.xml:

    <welcome-file-list>
        <welcome-file>/jsp/about/concept.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>myApp</web-resource-name>
            <description/>
            <url-pattern>/aboutConcept</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
            <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>ADMIN</role-name>
    </security-role>

But when I run the application, all I get is the html of the page specified in the welcome file list? But if I then invoke a link from the welcome file, I get the login page. Surely it should be the other way around?

-----Original Message-----
From: André Warnier [mailto:a...@ice-sa.com]
Sent: 04 Oct 2011 19:56
To: Tomcat Users List
Subject: Re: Using multiple login pages

app...@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would like to accommodate MD5 verification into things. There's no sensitive or confidential info in the system either so protected page access may not be required.

I don't know what you have in mind, but there are some basic principles to avoid wasting your time:

1) In Tomcat (and other servlet engines), there are 2 different ways of doing authentication:
- declarative, as per web.xml. In that case Tomcat, /before it even calls the webapp or any filter in it/, intercepts a non-authenticated call and returns *the* login form to the browser. It then (later) intercepts the submit of that form by the browser, checks the credentials, and if they pass muster, it allows the call to proceed to the webapp which the user wanted in the first place.
- application- or filter-based authentication: in this case, Tomcat is not aware that there is an authentication taking place. It forwards the call to the webapp, and a filter /in the webapp/ intercepts the call and does whatever is needed to check the authentication, return a login form etc.
This second authentication scheme is probably more flexible for doing the kind of thing you seem to want to do (but also more complex to do).

2) There already exist a number of authentication systems on the market. Unless this is considered as an exercise, re-use an existing one instead of rolling your own. Web authentication looks deceptively simple, but is in fact quite complex and delicate, and open to many mistakes which completely defeat the purpose. (This being said, if it is an exercise, it is an interesting area).

3) Anything that your server sends to a browser should be considered open and lost. Once you send something out there, the recipient can do with it what he wants: save it, analyse it, copy it, decompile it, falsify it, re-send it to your server and whatnot. There is no practical way to avoid that. (You don't even know that it is really a browser out there).

4) The only good way to secure things if you do form authentication is to work over HTTPS. The customer is going to type
Re: Using multiple login pages
Martin,

On 10/5/2011 11:41 AM, Martin O'Shea wrote:
> This follows on from yesterday's discussion about whether in my application, I can have more than one page with an embedded login form or not. I've been looking over the servlet spec (V2.2) and it seems that I can't actually do this which is a shame.

Do what, have different login pages for different types of resources you're trying to reach? Sure you can: try reading my responses.

> So I'm now looking at a more conventional log in from a login page. But can anyone explain to me why I don't see my login page when I run the application? Login.jsp contains the following:

This isn't relevant if you're not seeing it.

> Which corresponds to the following in web.xml:
>
>     <welcome-file-list>
>         <welcome-file>/jsp/about/concept.jsp</welcome-file>
>     </welcome-file-list>
>     <security-constraint>
>         <web-resource-collection>
>             <url-pattern>/aboutConcept</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <description/>
>             <role-name>ADMIN</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <form-login-config>
>             <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
>             <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>
> But when I run the application, all I get is the html of the page specified in the welcome file list?

Is that a question or a statement?

> But if I then invoke a link from the welcome file, I get the login page. Surely it should be the other way around?

Your welcome file is not protected in any way, so you are not challenged for credentials. If you want to login to see every page on your site, you should have <url-pattern>/*</url-pattern> in your web-resource-collection.

-chris
RE: Using multiple login pages
Maybe I've misunderstood something but I'm having a lot of trouble getting the login page to display with the following:

    <welcome-file-list>
        <welcome-file>/jsp/index/newjsp.jsp</welcome-file>
    </welcome-file-list>

    <!-- Error pages. -->
    <error-page>
        <error-code>403</error-code>
        <location>/jsp/error/error403.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/jsp/error/error404.jsp</location>
    </error-page>
    <error-page>
        <error-code>408</error-code>
        <location>/jsp/error/error408.jsp</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/jsp/error/error500.jsp</location>
    </error-page>

    <!-- Accessibility. -->
    <security-constraint>
        <display-name>Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>myApp</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
            <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>ADMIN</role-name>
    </security-role>

All that newjsp.jsp in the welcome list contains is 'Hello World'. But running it in several browsers, all I get is a warning about redirection. Other applications of mine using a single log in page are fine. I can't see where this one is wrong.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 05 Oct 2011 18:39
To: Tomcat Users List
Subject: Re: Using multiple login pages
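Chris's advice to put /* in the web-resource-collection if every page should require a login, and André's point 4 that form authentication is only sound over HTTPS, can be expressed together in web.xml. The fragment below is an added example, not the poster's configuration: the /static/* path for the login page's own stylesheets and images, the /WEB-INF/login/ locations and the /login servlet URL are assumptions. It relies on the servlet spec rule (SRV.12.8.3) that the constraint on the best-matching url-pattern is the one applied, so the /static/* constraint, which carries no auth-constraint, carves those assets out of the /* constraint while still forcing them onto HTTPS.

```xml
<!-- Added example web.xml fragment (assumed paths), not the poster's file. -->

<!-- Everything requires the ADMIN role and must travel over HTTPS.
     The poster's transport-guarantee of NONE sends j_username/j_password
     in clear text; CONFIDENTIAL makes Tomcat redirect plain HTTP to HTTPS. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- /static/* is a better match than /*, so this constraint wins for the
     assets the browser fetches while showing the login form. No auth-constraint
     means no login is required for them; HTTPS is still enforced. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Login page assets</web-resource-name>
        <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Exactly one login-config per webapp. The login and error pages are reached
     by the container's own forward, so they may live under /WEB-INF where the
     browser cannot request them directly. -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ADMIN</role-name>
</security-role>
```

Two checks worth making after deploying this: requesting any page over plain http:// should answer with a redirect to https:// before any login form appears, and requesting /WEB-INF/login/error.jsp directly in the browser should give a 404, since the container only reaches it through a forward.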
RE: Using multiple login pages
I have it now. There was a redirection going on in a method called from a scriptlet in the login page. It now seems to be OK. Thanks Chris. But one thing bugs me still: you said that you can have 'different login pages for different types of resources you're trying to reach.' Can you give any pointers about this?

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 05 Oct 2011 18:39
To: Tomcat Users List
Subject: Re: Using multiple login pages
Re: Using multiple login pages
Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> I have it now. There was a redirection going on in a method called from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

> But one thing bugs me still: you said that you can have 'different login pages for different types of resources you're trying to reach.' Can you give any pointers about this?

A page is defined as whatever the server responds when you request a resource. The form-login-page you configure in your web.xml can be dynamic: you can do whatever you want in that page. It doesn't have to be a static form that always looks the same. You can include/forward/etc from that page. It doesn't even have to be a JSP. You can configure the login-form-page to be a servlet that makes decisions and forwards to some other .jsp file. Use your imagination.

-chris
RE: Using multiple login pages
Thanks for this Chris. It is food for thought. I was under the impression that form-login-page was static, because that's how I've seen it used in apps I've worked on. But I am curious to try a filter as well, something like this mapped to the login:

    import java.io.IOException;
    import java.util.Collections;
    import java.util.HashSet;
    import java.util.Set;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class RevokedUserFilter implements Filter {

        // usernames that must not be allowed to log in (populated elsewhere)
        private final Set<String> revokeList = Collections.synchronizedSet(new HashSet<String>());

        public void init(FilterConfig config) throws ServletException { }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;

            // pre login action: get username
            String username = req.getParameter("j_username");

            // if user is in revoked list send error
            if (username != null && revokeList.contains(username)) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }

            // call next filter in the chain: let j_security_check authenticate user
            chain.doFilter(request, response);

            // post login action
        }

        public void destroy() { }
    }

I wouldn't mind seeing a servlet specified as form-login-page if you know of an example.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 05 Oct 2011 22:08
To: Tomcat Users List
Subject: Re: Using multiple login pages
Re: Using multiple login pages
Martin,

On 10/5/2011 6:06 PM, Martin O'Shea wrote:
> Thanks for this Chris. It is food for thought. I was under the impression that form-login-page was static, because that's how I've seen it used in apps I've worked on. But I am curious to try a filter as well, something like this mapped to the login:

That's not going to work: the authentication stuff happens before your Filter can get its hands on the request.

-chris
RE: Using multiple login pages
That's a shame. It looked promising. I wouldn't mind seeing a servlet specified as form-login-page if you know of an example.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 05 Oct 2011 23:13
To: Tomcat Users List
Subject: Re: Using multiple login pages
RE: Using multiple login pages
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Using multiple login pages
>
> I wouldn't mind seeing a servlet specified as form-login-page if you know of an example.

Simply set the url-pattern of some servlet-mapping to that of the login page.

- Chuck
RE: Using multiple login pages
> From: Martin O'Shea [mailto:app...@dsl.pipex.com]
> Subject: RE: Using multiple login pages
>
> Do you mean the login page as specified in web.xml's login-config as below:

If you're already using a .jsp for the login, you have all the dynamic content capability you need. If instead you want the login to be handled by a servlet, just make the form-login-page setting target a previously defined url-pattern for some appropriate servlet of the webapp.

- Chuck
RE: Using multiple login pages
> From: Caldarale, Charles R
> Subject: RE: Using multiple login pages
>
> If you're already using a .jsp for the login, you have all the dynamic content capability you need. If instead you want the login to be handled by a servlet, just make the form-login-page setting target a previously defined url-pattern for some appropriate servlet of the webapp.

In the interest of full disclosure, I have to say that I haven't actually tried doing that...

- Chuck
RE: Using multiple login pages
If I understand you correctly, I think I should have this:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/login</form-login-page>
            <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

But when called I receive a page not found exception. /login maps to a servlet I've been using to test my own logging in outside of j_security_check. Should the servlet mapped to /login receive j_username and j_password?

-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: 05 Oct 2011 23:41
To: Tomcat Users List
Subject: RE: Using multiple login pages
Re: Using multiple login pages
Martin,

On 10/5/2011 6:50 PM, Martin O'Shea wrote:
> If I understand you correctly, I think I should have this:
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name>Form-Based Authentication Area</realm-name>
>         <form-login-config>
>             <form-login-page>/login</form-login-page>
>             <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
>         </form-login-config>
>     </login-config>
>
> But when called I receive a page not found exception. /login maps to a servlet I've been using to test my own logging in outside of j_security_check

It's important to understand that the form-login-page is the resource returned when the user tries to access a protected resource but is not yet authenticated. The form-login-page does *not* perform any authentication itself. It merely requests credentials from the user (i.e. it contains a form with j_username and j_password fields).

> Should the servlet mapped to /login receive j_username and j_password?

No. It should produce a page which contains a login form. Tomcat will handle the actual processing of j_username/j_password for you, and then send the user onto the originally-requested page.

-chris
Using multiple login pages
Hello

I have a realm defined as follows in my application's web.xml file:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
            <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

Which means that all users must log in from the page ...login.jsp. But is it possible with Tomcat 6.0.26 for multiple login pages to be specified? And could this be combined with specifying several welcome pages depending upon which login page I use? For example:

    loginPageA.jsp calls index.jsp
    loginPageB.jsp calls doThis.jsp
    loginPageC.jsp calls doThat.jsp

Thanks

Martin O'Shea.
RE: Using multiple login pages
> From: app...@dsl.pipex.com [mailto:app...@dsl.pipex.com]
> Subject: Using multiple login pages
>
> is it possible with Tomcat 6.0.26 for multiple login pages to be specified?

Read the servlet spec, especially section 13.2. A webapp may have only one login-config element, so there cannot be multiple login pages, if you stick with declarative security. Various frameworks (e.g., Spring) _might_ have the ability to display different login pages in a single webapp, but you'll have to look at the doc for those.

- Chuck
RE: Using multiple login pages
Before I look at the specification, maybe I should clarify my question: can I have the login form embedded in different pages? This way, there would be only one login-config element where redirection could resolve the welcome page issue once login is achieved. Each page would then be able to direct each of which calls the same login authentication, but

Quoting Caldarale, Charles R <chuck.caldar...@unisys.com>:
Re: Using multiple login pages
Martin,

On 10/4/2011 1:12 PM, app...@dsl.pipex.com wrote:
> Before I look at the specification

:(

You should read the spec all the way through IMO. It's not that long, it's well-written and readable by real humans (and not techno-lawyers), and very informative.

> maybe I should clarify my question: can I have the login form embedded in different pages?

You can put your login form wherever you want. Just be aware that the container is going to intercept any non-authenticated access attempts to protected resources and forward them to the one-and-only login page you have configured in form-login-page.

> This way, there would be only one login-config element where redirection could resolve the welcome page issue once login is achieved. Each page would then be able to direct each of which calls the same login authentication, but

But what?

Your login.jsp page can forward/include anything it wants, as long as none of the resources it tries to include/forward to are protected. So, you can sniff the original request URI and serve-up whatever flavor of login page you want. To see how to do *that*, I'm going to make you read the spec :)

-chris
Re: Using multiple login pages
Thanks Chris. I'll be reading the spec soon enough.

Quoting Christopher Schultz <ch...@christopherschultz.net>:
Re: Using multiple login pages
Christopher Schultz wrote:
> ...
(I agree with what precedes this)
> So, you can sniff the original request URI and serve-up whatever flavor of login page you want.

But with declarative security, that's kind of hard to do, no? Can't do that with a Servlet Filter.
Re: Using multiple login pages
Not sure about which version of security I will use but I would like to accommodate MD5 verification into things. There's no sensitive or confidential info in the system either so protected page access may not be required.

Thanks Andre and Chris.
Re: Using multiple login pages
André,

On 10/4/2011 2:01 PM, André Warnier wrote:
> Christopher Schultz wrote:
>> ...
> (I agree with what precedes this)
>> So, you can sniff the original request URI and serve-up whatever flavor of login page you want.
>
> But with declarative security, that's kind of hard to do, no? Can't do that with a Servlet Filter.

Something like this:

<form-login-page>/login.jsp</form-login-page>

login.jsp:

<%
  // The URI the user originally asked for: the container forwards to this page,
  // so the standard forward attribute carries it (falls back to the current URI
  // when login.jsp is opened directly). The context path is stripped so the
  // comparisons below are context-relative.
  Object fwd = request.getAttribute("javax.servlet.forward.request_uri");
  String original_uri = (fwd == null) ? request.getRequestURI() : (String) fwd;
  original_uri = original_uri.substring(request.getContextPath().length());
  if (original_uri.equals("/one_thing")) {
    request.getRequestDispatcher("/login_form_A.jsp").include(request, response);
  } else if (original_uri.equals("/another_thing")) {
    request.getRequestDispatcher("/login_form_B.jsp").include(request, response);
  } else {
    request.getRequestDispatcher("/login_form_default.jsp").include(request, response);
  }
%>

That's not terribly difficult to do. You can use whatever logic you want.

-chris
Re: Using multiple login pages
Martin,

On 10/4/2011 2:06 PM, app...@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would like to accommodate MD5 verification into things.

Note that MD5 doesn't verify anything. It's just a hashing function that can be used to fingerprint data.

I highly recommend:

a. Switching to another hash function if you can: MD5 kind of sucks
b. Limit the amount of data that can be hashed by some reasonable amount (we use a 4096-character limit on passwords)
c. Salt your hashes in case someone steals your password database (Tomcat's realms are not sufficient for this: you'll have to build your own)

Tomcat's realms are all capable of hashing credentials based upon any hashing algorithm available to the JVM.

-chris
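Points (a), (b) and (c) above carried through in one class, as an added example that is not code from the thread or from Tomcat: SHA-256 in place of MD5, the 4096-character cap, a random per-credential salt, and a constant-time comparison; the iteration count, the stored-string layout and the class name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class SaltedPasswordHasher {
    // (b) cap the input length so a huge "password" cannot tie up the hasher
    private static final int MAX_PASSWORD_CHARS = 4096;
    // iteration count is an assumption, not from the thread; raise it as hardware allows
    private static final int ITERATIONS = 20000;
    private static final SecureRandom RNG = new SecureRandom();

    // Stored form (constructed layout): base64(salt) + "$" + base64(digest)
    public static String hash(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                    // (c) fresh random salt per credential
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest(password, salt));
    }

    public static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        if (password.length() > MAX_PASSWORD_CHARS) return false;  // (b) reject, do not hash
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // constant-time comparison so response timing does not leak matching prefixes
        return MessageDigest.isEqual(expected, digest(password, salt));
    }

    private static byte[] digest(String password, byte[] salt) throws NoSuchAlgorithmException {
        if (password.length() > MAX_PASSWORD_CHARS)
            throw new IllegalArgumentException("password exceeds " + MAX_PASSWORD_CHARS + " chars");
        MessageDigest md = MessageDigest.getInstance("SHA-256");  // (a) anything but MD5
        md.update(salt);
        byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < ITERATIONS; i++) {  // stretching slows offline guessing
            md.reset();
            md.update(salt);
            out = md.digest(out);
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = hash("correct horse");
        System.out.println(verify("correct horse", stored));
        System.out.println(verify("wrong guess", stored));
    }
}
```

A realm or filter that stores the string returned by hash() and calls verify() at login gets salted, stretched credentials without any MD5 in the path.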
Re: Using multiple login pages
app...@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would like to accommodate MD5 verification into things. There's no sensitive or confidential info in the system either so protected page access may not be required.

I don't know what you have in mind, but there are some basic principles to avoid wasting your time:

1) In Tomcat (and other servlet engines), there are 2 different ways of doing authentication:

- declarative, as per web.xml. In that case Tomcat, /before it even calls the webapp or any filter in it/, intercepts a non-authenticated call and returns *the* login form to the browser. It then (later) intercepts the submit of that form by the browser, checks the credentials, and if they pass muster, it allows the call to proceed to the webapp which the user wanted in the first place.

- application- or filter-based authentication: in this case, Tomcat is not aware that there is an authentication taking place. It forwards the call to the webapp, and a filter /in the webapp/ intercepts the call and does whatever is needed to check the authentication, return a login form etc.

This second authentication scheme is probably more flexible for doing the kind of thing you seem to want to do (but also more complex to do).

2) There already exist a number of authentication systems on the market. Unless this is considered as an exercise, re-use an existing one instead of rolling your own. Web authentication looks deceptively simple, but is in fact quite complex and delicate, and open to many mistakes which completely defeat the purpose. (This being said, if it is an exercise, it is an interesting area).

3) anything that your server sends to a browser should be considered open and lost. Once you send something out there, the recipient can do with it what he wants: save it, analyse it, copy it, decompile it, falsify it, re-send it to your server and whatnot. There is no practical way to avoid that. (You don't even know that it is really a browser out there).

4) the only good way to secure things if you do form authentication, is to work over HTTPS. The customer is going to type a login-id and a password, in the form, in clear. The browser is going to send this over HTTP to the server. Anyone who can sniff this traffic is going to see what is sent. And even if he does not understand it, he can record it and replay it. But not under HTTPS.

5) users always take the easy path. That means that, if they can choose their password, they will pick the same one as the one they use already for their network login, for their email account, for their bank account, etc. So if anyone subverts /your/ login system - even if on /your/ server there is nothing vital to grab - the damage is probably not limited to your server. You don't want to be accused of facilitating the bad guy's job.

6) If you are thinking of encrypting the data in the browser, it's probably not worth the effort. For that, you will have to write some special code, and download it to the browser to run it there. Once you do that, it can be saved, analysed, replicated, falsified, disabled. So why bother?

HTH. Been there, etc.
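The filter-based scheme of point 1, which is what makes a login form per area possible, as an added example that is not code from the thread or from Tomcat: the area prefixes, the form JSP locations under WEB-INF and the "user" session attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Filter-based authentication: Tomcat sees an ordinary request; the webapp
// decides whether it is authenticated and, if not, which login form to show.
public class AreaLoginFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Pick the login form for the area the user tried to reach (paths are assumed).
    // Forms live under WEB-INF so they cannot be requested directly by a browser.
    static String loginFormFor(String servletPath) {
        if (servletPath.startsWith("/admin")) return "/WEB-INF/login_admin.jsp";
        if (servletPath.startsWith("/shop"))  return "/WEB-INF/login_shop.jsp";
        return "/WEB-INF/login_default.jsp";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession session = r.getSession(false);
        // "user" is the assumed attribute the login handler sets after a good login
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);   // authenticated: let the call reach the webapp
            return;
        }
        // Remember what was asked for so the login handler can send the user back there.
        r.setAttribute("originalUri", r.getRequestURI());
        r.getRequestDispatcher(loginFormFor(r.getServletPath())).forward(req, res);
    }
}
```

Map the filter in web.xml to the protected URL patterns only (not to the login handler's own path), and, per point 4, serve those patterns over HTTPS.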