RE: Form Based Authentication
> From: Peter Bright
> Subject: Form Based Authentication
>
> It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.

What happens if you just invalidate the existing session?

 - Chuck
RE: Form Based Authentication
-----Original Message-----
From: Caldarale, Charles R
Sent: 11 October 2005 17:18
To: Tomcat Users List
Subject: RE: Form Based Authentication

> > It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.
>
> What happens if you just invalidate the existing session?

The user gets logged out.
RE: Form Based Authentication
> From: Peter Bright
> Subject: RE: Form Based Authentication
>
> > > It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.
> >
> > What happens if you just invalidate the existing session?
>
> The user gets logged out.

Exactly - and they then must reauthenticate with the updated password. Isn't that what you want?

 - Chuck
RE: Form Based Authentication
-----Original Message-----
From: Caldarale, Charles R
Sent: 11 October 2005 17:23
To: Tomcat Users List
Subject: RE: Form Based Authentication

> > > > It's point (c) that's proving problematic; there's no way to reauthenticate that I can see.
> > >
> > > What happens if you just invalidate the existing session?
> >
> > The user gets logged out.
>
> Exactly - and they then must reauthenticate with the updated password. Isn't that what you want?

No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the new credentials /automatically/. Without making them have to reauthenticate /by hand/.
RE: Form Based Authentication
Although we are working in a Websphere/LDAP environment, we had the same requirement as you, and we managed to solve it.

What we did (and I'm going from fairly distant memories, so hopefully I'm at least close to right) is this...

User logs on. We have a filter that checks for password expired/reset (both a forced PW change) via flags set in a previous filter (values taken from LDAP) and redirects to the change screen if applicable. This all of course happens only after a successful logon, i.e., user entered valid credentials, including expired password already. We destroy the session before leaving that filter. Password is changed, all without creating a new session along the way. Once it is changed, we redirect back through the logon process as before. We decided that it was *better* to make the user log on again because it proves they remember the password they entered 2 seconds ago :)

I suppose if I had to allow that automatic authentication, I would NOT destroy the session and instead just redirect to the first protected resource of the app from the change PW screen. Since the user was let in the first time around, they are really authenticated already.

In essence, the filter that catches that forced PW change flag is acting like the container, intercepting all protected requests and redirecting to a change PW screen. If you did it smartly you should be able to grab what resource was requested when the filter fired so as to not have to hardcode where to go to after that forced PW screen is finished.

Frank

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
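
One way to arrange the filter Frank describes, as an added example that is not code from the thread. It keeps the session until the change completes, then either invalidates it (the fresh logon his team chose) or clears the flag (the automatic variant he sketches). The attribute names, the /changePassword path, the passwordChanged helper and the javax.servlet API level are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example. Map this filter to the protected area in web.xml. It assumes an
 * earlier filter has set MUST_CHANGE in the session from the directory's
 * expired/reset flags after a successful container login.
 */
public class ForcedPasswordChangeFilter implements Filter {

    // Hypothetical names, not from the thread.
    static final String MUST_CHANGE = "pw.mustChange";
    static final String SAVED_TARGET = "pw.savedTarget";
    static final String CHANGE_PATH = "/changePassword";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);

        boolean mustChange = session != null
                && Boolean.TRUE.equals(session.getAttribute(MUST_CHANGE));

        // Match on the container-normalized path; let the change screen itself
        // through, otherwise the redirect below would loop.
        if (!mustChange || CHANGE_PATH.equals(pathWithinApp(req))) {
            chain.doFilter(rq, rs);
            return;
        }

        // Remember the first resource asked for so nothing has to be hardcoded.
        // Only a GET can be replayed as a redirect.
        if ("GET".equals(req.getMethod()) && session.getAttribute(SAVED_TARGET) == null) {
            String uri = req.getRequestURI().substring(req.getContextPath().length());
            String query = req.getQueryString();
            session.setAttribute(SAVED_TARGET, query == null ? uri : uri + "?" + query);
        }
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + CHANGE_PATH));
    }

    /**
     * Call from the change-password handler once the new password is stored.
     * requireFreshLogin=true drops the session, so the redirect to the protected
     * target brings up the container's login form again.
     */
    static void passwordChanged(HttpServletRequest req, HttpServletResponse res,
                                boolean requireFreshLogin) throws IOException {
        String target = "/";
        HttpSession session = req.getSession(false);
        if (session != null) {
            Object saved = session.getAttribute(SAVED_TARGET);
            if (saved instanceof String && isLocalPath((String) saved)) {
                target = (String) saved;
            }
            if (requireFreshLogin) {
                session.invalidate();
            } else {
                session.removeAttribute(MUST_CHANGE);
                session.removeAttribute(SAVED_TARGET);
            }
        }
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + target));
    }

    // A saved target must stay inside this application: with an empty context
    // path, "//host" or "/\host" would send the browser to another site.
    static boolean isLocalPath(String p) {
        return p.startsWith("/") && !p.startsWith("//") && p.indexOf('\\') < 0;
    }

    static String pathWithinApp(HttpServletRequest req) {
        String info = req.getPathInfo();
        return info == null ? req.getServletPath() : req.getServletPath() + info;
    }
}
```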
RE: Form Based Authentication
Never Mind - It was permissions on the tomcat-users.xml file. Duh!

-----Original Message-----
From: David B. Saul
Sent: Thursday, May 12, 2005 7:37 PM
To: 'Tomcat Users List'
Subject: Form Based Authentication

Having a problem being challenged on Linux. Form based using the tomcat-users.xml file works under Windows. However, when same code is deployed to Linux the page is never challenged. I checked server.xml on both platforms as well as the specific webapp. Even built a Hello World example to eliminate other stuff.

Any suggestions/ideas?

thanks
Dave
RE : Form Based Authentication
If the authentication is realized by the container (the realm), you can't access the request before the authentication takes over. If you really want to do it, don't define the security constraint in your web.xml, and make your own application security mechanism (use a filter, and forward or redirect to the login page).

-----Original Message-----
From: Wade Chandler
Sent: Wednesday, 11 May 2005 07:10
To: Tomcat Users List
Subject: Re: Form Based Authentication

Wade Chandler wrote:
> I have form based authentication working. But, I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible? For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form based authentication then I can have the userid as a hidden variable, and then have a password entered by the user, but for some admin screens I need the user to actually enter the userid and password both. I hope that makes sense. I can't figure out how to setup a security constraint which can force a particular login form to be used if the user is not logged in yet.
>
> Thanks,
> Wade

Ok, so I think I should be able to do this with a filter, but I need some help. Basically it looks like I should be able to use a filter to somehow get the original target before the authentication form is displayed... is this correct? Basically I need to somehow know when a particular URL pattern is being displayed or is attempted to be accessed... before the login form is displayed. When it is displayed I'll set an attribute in the request in the filter's doFilter method.

However, now I need to know how I can access the Request before the authentication mechanism takes over, I suppose, because from my login form accessing the getPathInfo() method is returning the login form information when I really need to know the actual path the user was attempting to access. So, can I use a filter to do this, and if so how do I make sure my filter is called in time to give me the information I need?

Thanks,
Wade
Re: Form Based Authentication
Wade Chandler wrote:
> I have form based authentication working. But, I need the login form to be a little more dynamic. For instance, I want to use different forms for different areas and not always use the same form. Is this possible? For instance, under one site I want to limit URLs to different logins. I realize I should just have a login and have a userid and a password, but my customer wants to simply have an access code to certain pages or directories. I would like to use form based authentication then I can have the userid as a hidden variable, and then have a password entered by the user, but for some admin screens I need the user to actually enter the userid and password both. I hope that makes sense. I can't figure out how to setup a security constraint which can force a particular login form to be used if the user is not logged in yet.
>
> Thanks,
> Wade

Ok, so I think I should be able to do this with a filter, but I need some help. Basically it looks like I should be able to use a filter to somehow get the original target before the authentication form is displayed... is this correct? Basically I need to somehow know when a particular URL pattern is being displayed or is attempted to be accessed... before the login form is displayed. When it is displayed I'll set an attribute in the request in the filter's doFilter method.

However, now I need to know how I can access the Request before the authentication mechanism takes over, I suppose, because from my login form accessing the getPathInfo() method is returning the login form information when I really need to know the actual path the user was attempting to access. So, can I use a filter to do this, and if so how do I make sure my filter is called in time to give me the information I need?

Thanks,
Wade
RE: FORM based authentication config
Hi,

see this, this might help you: http://www.webservertalk.com/message633890.html

cheers
Manish

-----Original Message-----
From: Chris Chappell
Sent: Tuesday, December 21, 2004 7:45 PM
To: Tomcat Users List
Subject: FORM based authentication config

Hi

I'm having trouble getting form based authentication to work. Any help much appreciated. I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4)

I am using a JDBC Realm which works fine with BASIC auth.

After changing to FORM and try http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get:

    The requested resource (/MyApp/security/protected/login.jsp) is not available.

To set this up I copied the files from the JSP examples - login.jsp, error.jsp in folders \security\protected to \MyApp\security\protected\

I copied web.xml parts:

    <servlet>
        <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
        <servlet-class>org.apache.jsp.security.protected_.error_jsp</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
        <servlet-class>org.apache.jsp.security.protected_.index_jsp</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
        <servlet-class>org.apache.jsp.security.protected_.login_jsp</servlet-class>
    </servlet>

and mappings

    <servlet-mapping>
        <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
        <url-pattern>/security/protected/error.jsp</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
        <url-pattern>/security/protected/index.jsp</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
        <url-pattern>/security/protected/login.jsp</url-pattern>
    </servlet-mapping>

with

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Calendar</web-resource-name>
            <url-pattern>/Calendar</url-pattern>
            <!-- ...more... -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
            <role-name>admin</role-name>
            <role-name>sysadmin</role-name>
        </auth-constraint>
    </security-constraint>

and configured

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MyApp</realm-name>
        <form-login-page>/security/protected/login.jsp</form-login-page>
        <form-error-page>/security/protected/error.jsp</form-error-page>
    </login-config>

Chris
Re: FORM based authentication config
Thanks for that - but what it describes is what I have done, I think.

The problem is: If you have the servlet definitions and mappings, the page isn't found - Since they are JSPs above web-inf in the context folder I think they don't need them.

If you don't have the mappings then you get:

    HTTP Status 400 - Invalid direct reference to form login page

- with a correct pw/un

    org.apache.catalina.authenticator.FormAuthenticator authenticate
    WARNING: Unexpected error forwarding to error page
    java.lang.NullPointerException

with incorrect un/pw, i.e. FormAuthenticator cannot forward to, say, the error page

Chris
Re: FORM based authentication config
On Tue, 2004-12-21 at 16:15, Chris Chappell wrote:
> [...]

Try to use static resources for the form-login-page and form-error-page. It works for me. And skip servlet mapping.

Viorel
RE: Form Based Authentication with Cookies?
Chris,

For what it's worth, I spent ages trying to get a remember-me login thing going out of the box but never managed it. In the end I implemented my own user/role setup and use a Filter to ensure the user is logged in when accessing servlets/JSPs with specific URL paths. The login page sets cookies to do the remembering.

If you get yours going (I'm now on Tomcat 5.0.28, maybe there's something new) I'd be interested in the details.

Good luck.

Best regards
Chris

-- 
Chris Ward, Horizon Asset Limited

-----Original Message-----
From: Chris Forbis
Sent: Tuesday, October 12, 2004 7:45 PM
Subject: Form Based Authentication with Cookies?

I have been looking for a way within tomcat using a JDBCRealm to do form based authentication and allow users to set some sort of Remember Me cookie, so they do not need to log into my application more than once a month or so. It looks like to me that FormAuthenticator is sort of hardcoded into tomcat without a way to allow for a context to allow for a CustomFormAuthenticator that would allow for this.

Am I missing something, or is there no easy way to do this?

Thanks!
Re: Form based authentication - last login
On Fri, Sep 03, 2004 at 10:08:59AM +0200, [EMAIL PROTECTED] wrote:
: IMHO the best solution would be to intercept the authentication process (I'm working with Tomcat 4.x), to smuggle some custom code there that updates the appropriate column in the database. The question is.. how can I do this?? Or maybe someone has a better idea how to do this??

There are several ways to do this, I'm sure.

My preferred method: map a Filter to the protected area(s) that checks for the presence of some session object. If the object isn't there, the person has just logged in, so you record the timestamp and store the object. Otherwise, the person's already logged in and the filter can pass the request/response down the chain.

The marker object needn't be anything special: a simple Boolean will do, if you don't store any other objects for users who are logged in.

-QM
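
The marker-object filter QM describes, written out as an added example that is not code from the thread. The JNDI name, the users/user_name/last_login table and column names, and the javax.servlet API level (with Java 7 or later) are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/**
 * Added example. Map this filter to the same url-patterns as the
 * security-constraint, so it only ever runs for authenticated requests.
 */
public class LastLoginFilter implements Filter {

    // Hypothetical names, not from the thread.
    static final String MARKER = "lastLogin.recorded";
    static final String DS_NAME = "java:comp/env/jdbc/AuthDB";
    static final String UPDATE_SQL =
            "UPDATE users SET last_login = ? WHERE user_name = ?";

    private DataSource dataSource;
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        try {
            dataSource = (DataSource) new InitialContext().lookup(DS_NAME);
        } catch (NamingException e) {
            throw new ServletException("DataSource " + DS_NAME + " not found", e);
        }
    }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        String user = req.getRemoteUser();   // set by the container after login

        if (user != null) {
            HttpSession session = req.getSession();
            // No marker yet: this is the first protected request since login.
            // Two parallel first requests may both get here; the second UPDATE
            // only rewrites the same timestamp, so no locking is needed.
            if (session.getAttribute(MARKER) == null) {
                session.setAttribute(MARKER, Boolean.TRUE);
                recordLogin(user);
            }
        }
        chain.doFilter(rq, rs);
    }

    private void recordLogin(String user) {
        // Bound parameters keep the user name out of the SQL text.
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(UPDATE_SQL)) {
            ps.setTimestamp(1, new Timestamp(System.currentTimeMillis()));
            ps.setString(2, user);
            ps.executeUpdate();
        } catch (SQLException e) {
            // A failed bookkeeping write should not lock the user out.
            context.log("could not record last login", e);
        }
    }
}
```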
RE: form-based authentication question
It may be good for someone to answer this, but I figured out my problem. I accidentally used the login page name where the welcome page name should have been in the servlet configuration. Cockpit error.

-----Original Message-----
From: Koes, Derrick
Sent: Tuesday, March 23, 2004 2:49 PM
Subject: form-based authentication question

Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to form-based. I'm having difficulty in one area. After creating the new form and posting to j_security_check, I wish to GET my welcome page. It appears to be doing this from the URL in the address bar, but the page looks exactly like my login page. That is, it seems to have posted to itself. What's the appropriate way to forward to the welcome page? A working example login page, welcome page, and deployment descriptor would be appreciated.

Thanks,
Derrick
Re: Form Based Authentication - Registration
On 02/14/2004 10:31 AM Alexander F. Hartner wrote:
> Now we want to add registration and have the following happen
>
> 1.) Customer requests access to a realm
> 2.) Redirect to login page
> 3.) Customer doesn't have an account yet and accesses registration page
> 4.) Customer registers
> 5.) On successful registration the customer is redirected to the original request
>
> Now to get this working we need the following, both of which we are not sure are currently provided by the authentication framework.
>
> - Ability to access the original (SavedRequest) from a JSP / Servlet
> - Ability to auto/fake login from within the webapplication

You cannot access the original request if the url is protected by a security-constraint and the user has not logged in. Tomcat will always jump in first with the CMS login.

To fake it and keep CMS, reduce your real realm to a security constraint on one URL and set up a filter to check for the user's status. If not logged in, save the parts of the request you need in the session, and redirect the user to the protected page to trigger the container login. Then after the login succeeds and the user gets through to that protected URL, check the session for the info and redirect them to their original destination.

You can put a link on the login page to the registration URL - I'm not sure about the redirection logic but it should be possible to redirect them after registration back to the login page to login, and then on to their original destination.

HTH
Adam

-- 
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
RE: FORM based authentication referer
Ricardo García wrote:
> Here's some starting context for my question
>
> I have a war file that has been configured to use FORM based authentication. I have set the form-login-page in the web.xml of the war file to point to a jsp file in my war file. When a user invokes any jsp without being logged in the login jsp is displayed. The user enters the userid/password submits the page to j_security_check, is validated and redirected to the requested page.
>
> My question is ... Has anyone ever tried discovering the page that the user is trying to access from within the jsp page referenced as the form-login-page? I have tried checking the HTTP headers and session, but have not discovered it being saved anywhere. Usually when a page invokes another page the HTTP header REFERER exists with the URL to the previous page. I have noticed that once the user posts the login form on my login.jsp to j_security_check and is authenticated they are redirected to the correct location .. correct location being back to the page they wanted to access originally. This would mean that it has to be somewhere, but where??

We do this manually instead of using the form-login-page mechanism. In the header included at the top of every page for authentication, we capture

    session.setAttribute("login.target", request.getRequestURI());

before redirecting to the login page. If you wait until you get to the page that is processing your login request, you've already lost the original request.
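
The save-then-return pattern from the reply above, combined with the single protected "gateway" URL Adam suggests in the registration thread, as an added example that is not code from either post. Only the "login.target" attribute name comes from the page; the gateway path, the other attribute name, the default target and the javax.servlet API level are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example. Assumed web.xml wiring: this filter is mapped to /members/*
 * and to /secure/enter, and the only security-constraint covers /secure/enter,
 * so the container's FORM login runs before the filter sees that URL.
 */
public class LoginTargetFilter implements Filter {

    static final String TARGET_ATTR = "login.target";   // name used in the thread
    static final String USER_ATTR = "login.user";       // hypothetical
    static final String GATEWAY = "/secure/enter";      // hypothetical
    static final String DEFAULT_TARGET = "/members/";   // hypothetical

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String ctx = req.getContextPath();

        if (GATEWAY.equals(req.getServletPath())) {
            String user = req.getRemoteUser();
            if (user == null) {
                // The constraint is missing or wrong; refuse instead of looping.
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            HttpSession session = req.getSession();
            session.setAttribute(USER_ATTR, user);
            res.sendRedirect(res.encodeRedirectURL(ctx + takeTarget(session)));
            return;
        }

        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(rq, rs);          // already logged in
            return;
        }

        // Not logged in: capture the target now. By the time the login form
        // is being processed the original request is gone.
        if ("GET".equals(req.getMethod())) {
            String uri = req.getRequestURI().substring(ctx.length());
            String query = req.getQueryString();
            req.getSession().setAttribute(TARGET_ATTR,
                    query == null ? uri : uri + "?" + query);
        }
        res.sendRedirect(res.encodeRedirectURL(ctx + GATEWAY));
    }

    /** Reads the saved target once and falls back unless it is a local path. */
    static String takeTarget(HttpSession session) {
        Object saved = session.getAttribute(TARGET_ATTR);
        session.removeAttribute(TARGET_ATTR);
        if (saved instanceof String) {
            String t = (String) saved;
            // With an empty context path, "//host" or "/\host" would leave the site.
            if (t.startsWith("/") && !t.startsWith("//") && t.indexOf('\\') < 0) {
                return t;
            }
        }
        return DEFAULT_TARGET;
    }
}
```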
RE: Form based authentication
Hello Atreya,

Your stylesheet is returned after authentication because it is access restricted. If you make your stylesheet freely accessible it will work.

grts,
Patrick

-----Original Message-----
From: Atreya Basu
Sent: Friday, November 28, 2003 8:01 AM
To: Tomcat Users List
Subject: Form based authentication

Hi all,

I thought I would share some of my experiences with JDBCRealm authentication.

First what I wanted to do was see if JDBCRealm based authentication even worked. All I got was Tomcat quitting. My first problem was that my web.xml file wasn't in the right order. I went to BEA's website and used their web.xml file explanation page to get all of the spelling and order of the elements right. But Tomcat still wasn't running.

It turned out my second problem was that for some reason the MySQL JDBC driver wasn't being found, even though I had placed it in the common\lib directory. So I edited the catalina file manually and added in the jar file.

Next whenever I would authenticate I would get a stylesheet instead of my intended destination. Then one time I authenticated and accidentally hit the login page. It showed me a different styled login page. That happened because my stylesheet was kept inside the context directory; it wasn't being retrieved till I authenticated. So instead of pulling up index.html after I authenticate it pulled up the stylesheet because my browser was waiting to load that file. Solution of course was to place the stylesheet in an unsecure directory.

I hope that someone finds this useful.

Cheers,

-- 
Atreya Basu
Developer, Greenfield Research Inc.
e-mail: atreya (at) greenfieldresearch (dot) ca
Re: FORM based authentication pages
Sorry, tomcat doesn't provide that functionality. A simple workaround is to keep those pages in a shared area then on site build (I hope you're using ant), copy those files into your webapp.

-Tim

Ricardo García wrote:
> I have setup Tomcat 4.1 to use FORM based auth, but I've found myself replicating login and error pages in every context I want to protect. The problem is that the path that point to the pages in the login-config tag in the web.xml file of the context is relative to the context.
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <realm-name>Form-Based Authentication Area</realm-name>
>         <form-login-config>
>             <form-login-page>/auth/login.html</form-login-page>
>             <form-error-page>/auth/error.html</form-error-page>
>         </form-login-config>
>     </login-config>
>
> Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file?
Re: FORM based authentication pages
Ricardo,

> Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file?

You want the login pages for every webapp to look the same? If that's what you really want to do, I think you'll have to use symbolic links on the filesystem.

You're much better off duplicating the files. That has the advantage of allowing you to customize the login screens for each application.

-chris
Re: form-based authentication session.invalidate
Although I've no real idea what an internal tomcat SessionEvent is, it sounds like it's a bug. Give me the word and I'll enter it in bugzilla.

Adam

On 10/12/2003 01:57 AM Tim Funk wrote:
> Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out of all webapps.
>
> The 5 code looks broken based on *very quick* inspection compared to 4.1 based on lines 304-308.
>
> if ( event.getData() != null && "logout".equals( event.getData().toString() )) {
>     // logout of all applications
>     deregister(ssoId);
> } else {
>     // invalidate just one session
>     deregister(ssoId, session);
> }
>
> I haven't been able to locate how logout can be a value in a SessionEvent.
>
> -Tim
>
> Adam Hardy wrote:
>> I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on.
>>
>> I have the following JSP:
>>
>> remote user <%= request.getRemoteUser() %>
>> in session <%= session.getId() %>
>> <% session.invalidate(); %>
>>
>> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login coz of SSO.
>>
>> Now going to this page which has the stuff above, and refreshing over and over always showed the following:
>>
>> remote user adam in session EB2543D909D52551EA58C77E963CDD17
>> remote user adam in session EA33F35CCB3D1205A88226029C65939C
>> remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
>> remote user adam in session 1B7F0424190985F24A294EA2344888C5
>>
>> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request.
>>
>> Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.
>>
>> This is not correct behaviour for tomcat, is it?
>>
>> Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
Re: form-based authentication session.invalidate
Authentication information is somewhat stored in the session for form based authentication. (I can't remember the specifics) So using session.invalidate should log the user out. This works since the session id which is a cookie or URL rewriting scheme is what the browser keys in on. By invalidating that id on the server, the browser is now sending an invalid credential and thus logged out.

In BASIC authentication, the credentials are stored in the web browser and sent when/if requested. So the only way to get rid of those stored credentials is by closing the web browser. [Of course, when the web server is restarted or web app restarted - I can't recall what happens to the authentication information.]

-Tim

Adam Hardy wrote:
> I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication.
>
> I saw the same issue in bugzilla but for basic authentication:
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
>
> where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request.
>
> Is this the same for form-based authentication? I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself?
Re: form-based authentication session.invalidate
I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on.

I have the following JSP:

remote user <%= request.getRemoteUser() %>
in session <%= session.getId() %>
<% session.invalidate(); %>

and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5

I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?

Adam

On 10/11/2003 06:04 PM Tim Funk wrote:
> Authentication information is somewhat stored in the session for form based authentication. (I can't remember the specifics) So using session.invalidate should log the user out. This works since the session id which is a cookie or URL rewriting scheme is what the browser keys in on. By invalidating that id on the server, the browser is now sending an invalid credential and thus logged out.
>
> In BASIC authentication, the credentials are stored in the web browser and sent when/if requested. So the only way to get rid of those stored credentials is by closing the web browser. [Of course, when the web server is restarted or web app restarted - I can't recall what happens to the authentication information.]
>
> -Tim
>
> Adam Hardy wrote:
>> I am using session.invalidate() to try to cause the user to receive another login request, using CMS form-based authentication.
>>
>> I saw the same issue in bugzilla but for basic authentication:
>>
>> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147
>>
>> where the tomcat developer/bugzilla person resolved the issue saying that CMS basic authentication cannot be manipulated in this way since the browser sends the login info with every request, requiring the user to close the browser before seeing another login request.
>>
>> Is this the same for form-based authentication? I thought that in tomcat4 I was getting new login request for the users just by invalidating their sessions. Am I deluding myself?

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
Re: form-based authentication session.invalidate
Hmm. I always thought that when using the SSO valve, logging out of one webapp automatically logs you out of all webapps.

The 5 code looks broken based on *very quick* inspection compared to 4.1 based on lines 304-308.

if ( event.getData() != null && "logout".equals( event.getData().toString() )) {
    // logout of all applications
    deregister(ssoId);
} else {
    // invalidate just one session
    deregister(ssoId, session);
}

I haven't been able to locate how logout can be a value in a SessionEvent.

-Tim

Adam Hardy wrote:
> I have just figured out that the SSO in JSESSIONIDSSO stands for single-sign-on.
>
> I have the following JSP:
>
> remote user <%= request.getRemoteUser() %>
> in session <%= session.getId() %>
> <% session.invalidate(); %>
>
> and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO cookies. I then go to a second site on my tomcat and get a second JSESSIONID without having to do a login coz of SSO.
>
> Now going to this page which has the stuff above, and refreshing over and over always showed the following:
>
> remote user adam in session EB2543D909D52551EA58C77E963CDD17
> remote user adam in session EA33F35CCB3D1205A88226029C65939C
> remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
> remote user adam in session 1B7F0424190985F24A294EA2344888C5
>
> I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. This shouldn't be the case I'm sure. If I delete the SSO cookie in mozilla, I get a login request on my next request.
>
> Also if I only login to one site, even though I get the SSO cookie, when I invalidate the session, I immediately get a login request. Strange.
>
> This is not correct behaviour for tomcat, is it?
>
> Adam
RE: form based authentication problem
I did something like that using struts. I wrote a base action class which all my other action classes extended. The base class performs any initialization (initializing objects in the session etc) as required. If you don't want to use struts you might consider using a filter.

Hamish

-----Original Message-----
From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 1:13 PM
To: [EMAIL PROTECTED]
Subject: form based authentication problem

guess that was too much of description last time! next try

can anybody tell me how to do some action, say put an object in the session or/and update a list in the servlet context directly after a user was logged in successfully via form-based authentication (context) with a jdbc-realm?

ralf
Re: form based authentication problem
thanks,
that's exactly the solution i discussed right now with some other developers of my company. the question with the filter is whether it is called when the container forwards or redirects to the claimed resource after the authentication is done? theoretically i'd say yes but who knows? try and error i guess!

ralf

----- Original Message -----
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, February 04, 2003 1:35 PM
Subject: RE: form based authentication problem

I did something like that using struts. I wrote a base action class which all my other action classes extended. The base class performs any initialization (initializing objects in the session etc) as required. If you don't want to use struts you might consider using a filter.

Hamish

-----Original Message-----
From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 1:13 PM
To: [EMAIL PROTECTED]
Subject: form based authentication problem

guess that was too much of description last time! next try

can anybody tell me how to do some action, say put an object in the session or/and update a list in the servlet context directly after a user was logged in successfully via form-based authentication (context) with a jdbc-realm?

ralf
RE: form based authentication problem
If you map the filter to the same url-pattern as your protected resource, it will be called immediately after someone authenticates.

HTH,

Matt

-----Original Message-----
From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 6:59 AM
To: Tomcat Users List
Subject: Re: form based authentication problem

thanks,
that's exactly the solution i discussed right now with some other developers of my company. the question with the filter is whether it is called when the container forwards or redirects to the claimed resource after the authentication is done? theoretically i'd say yes but who knows? try and error i guess!

ralf

----- Original Message -----
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, February 04, 2003 1:35 PM
Subject: RE: form based authentication problem

I did something like that using struts. I wrote a base action class which all my other action classes extended. The base class performs any initialization (initializing objects in the session etc) as required. If you don't want to use struts you might consider using a filter.

Hamish

-----Original Message-----
From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 04, 2003 1:13 PM
To: [EMAIL PROTECTED]
Subject: form based authentication problem

guess that was too much of description last time! next try

can anybody tell me how to do some action, say put an object in the session or/and update a list in the servlet context directly after a user was logged in successfully via form-based authentication (context) with a jdbc-realm?

ralf
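The filter approach suggested in this thread, written out as an added example (not code from any of the posters): a filter mapped to the protected url-pattern that puts an object in the session and updates a list in the servlet context once per authenticated session. The class name, the attribute names and the `loginTime` value are hypothetical, and the `javax.servlet` API (Servlet 3.0 or later) is assumed.

```java
import java.io.IOException;
import java.io.Serializable;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Added example; class and attribute names are hypothetical.
// Declare it in web.xml with a <filter-mapping> whose <url-pattern> equals the
// <url-pattern> of the <security-constraint>, so every request it sees for a
// protected resource has already passed container authentication.
public class PostLoginInitFilter implements Filter {

    static final String USERS_ATTR = "loggedInUsers";     // list in the servlet context
    static final String MARKER_ATTR = "postLoginMarker";  // per-session "initialised" marker

    @Override
    public void init(FilterConfig config) throws ServletException {
        // One entry per authenticated session; safe under concurrent requests.
        config.getServletContext()
              .setAttribute(USERS_ATTR, new CopyOnWriteArrayList<String>());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            String user = request.getRemoteUser(); // null until container login succeeded
            if (user != null) {
                HttpSession session = request.getSession();
                Object marker = session.getAttribute(MARKER_ATTR);
                // The marker is keyed to the user name rather than a boolean, so a
                // session that ends up with a different principal is initialised again.
                // Two parallel first requests may both get here, so keep this idempotent.
                if (!(marker instanceof LoginMarker)
                        || !user.equals(((LoginMarker) marker).user)) {
                    session.setAttribute("loginTime", Long.valueOf(System.currentTimeMillis()));
                    session.setAttribute(MARKER_ATTR, new LoginMarker(user));
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    // Bound into the session on first authenticated request. The container calls
    // valueUnbound when the attribute is replaced, or when the session is
    // invalidated or times out, which keeps the context list in step with logouts.
    static final class LoginMarker implements HttpSessionBindingListener, Serializable {
        private static final long serialVersionUID = 1L;
        final String user;

        LoginMarker(String user) {
            this.user = user;
        }

        @Override
        public void valueBound(HttpSessionBindingEvent event) {
            users(event).add(user);
        }

        @Override
        public void valueUnbound(HttpSessionBindingEvent event) {
            users(event).remove(user); // removes one entry, i.e. this session's
        }

        @SuppressWarnings("unchecked")
        private static List<String> users(HttpSessionBindingEvent event) {
            return (List<String>) event.getSession().getServletContext()
                                       .getAttribute(USERS_ATTR);
        }
    }
}
```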
Re: Form-based authentication - can I get original URL?
On Mon, 25 Nov 2002, Matt Raible wrote:

> Date: Mon, 25 Nov 2002 17:02:21 -0700
> From: Matt Raible [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: 'Tomcat Users List' [EMAIL PROTECTED]
> Subject: Form-based authentication - can I get original URL?
>
> On Tomcat 4/5, I am able to use the following configuration in my web.xml:
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/login.jsp?error=true</form-error-page>
>   </form-login-config>
> </login-config>
>
> However, I know that there are app servers out there that do not support this - the form-error-page MUST be a different JSP. So I'm wondering, is there a value I can grab in my login.jsp that tells me the URL of the protected resource the user is trying to get to?
>
> I tried <%=request.getRequestURL()%>, but that gives me .../login.jsp - and I want mainMenu.do.
>
> I know iPlanet used to set a cookie and I could use that as specified at:
>
> http://husted.com/struts/resources/fb-auth.htm

There is no portable mechanism to acquire the request URL that was originally requested, nor any guarantee that this is even possible. All you know is that the container has detected that a protected URL was requested, and that there was no currently authenticated user.

> Thanks,
>
> Matt

Craig
Re: Form-based authentication
Shouldn't the url format be http://url?user=xxx&password=xxx ?

Also, if you do this, you could encrypt the password before calling sendRedirect and decrypt it at the url cgi.

-- padhu

Rajesh Kanderi wrote:
> how do you access a webpage which has a form-based authentication setup using java. i am able to do it using an href http://user:password@url... but the problem is it shows the password.
>
> I tried to construct the above url in a servlet and then doing a sendRedirect. but the sendRedirect doesn't seem to like the format of the url, specifically having the user:password.
>
> Is there a way to do it using java classes URLconnection or HttpURLConnection
Re: Form Based Authentication, getting login and password
Externo wrote:
> Sorry by my English.
>
> How I can guess login and password strings of an user, from error page (JSP) using Form Based Authentication of Tomcat? I need know it to lock the count each 3 error tries (if login is ok but password is bad, instead). Something like enhanced security mode in some OSes?
>
> Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of HttpServletRequest interface have this result: If no user has been authenticated, returns null, false and null respectively. For this reason, they aren't utils for me. If I don't know login what user wrote, I can't lock his/her count.
>
> Exist solution for this?
>
> Thanks

Only to write your own authentication module. That shouldn't be too hard.

Nix.
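The bookkeeping such a custom authentication module would need, as an added example (not Tomcat code and not from the posters): it locks a login after three failed passwords, counting only logins that exist, as asked above. All class and method names are hypothetical; the lookup of logins and the password comparison are supplied by the caller, and the user table in `main` is constructed for the demo.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;
import java.util.function.Predicate;

// Added example; all names are hypothetical. A custom realm or login servlet
// would call authenticate() instead of comparing the password directly.
public class LockoutAuthenticator {

    public enum Result { OK, REJECTED, LOCKED }

    private static final class Attempts {
        int failures;
        Instant lockedUntil;
    }

    private final Map<String, Attempts> attempts = new HashMap<>();
    private final Predicate<String> loginExists;
    private final BiPredicate<String, String> passwordMatches;
    private final int maxFailures;
    private final Duration lockTime;
    private final Clock clock;

    public LockoutAuthenticator(Predicate<String> loginExists,
                                BiPredicate<String, String> passwordMatches,
                                int maxFailures, Duration lockTime, Clock clock) {
        this.loginExists = loginExists;
        this.passwordMatches = passwordMatches;
        this.maxFailures = maxFailures;
        this.lockTime = lockTime;
        this.clock = clock;
    }

    public synchronized Result authenticate(String login, String password) {
        // Unknown logins are rejected without being tracked, so the table
        // cannot be filled with made-up names.
        if (login == null || password == null || !loginExists.test(login)) {
            return Result.REJECTED;
        }
        Instant now = clock.instant();
        Attempts a = attempts.get(login);
        if (a != null && a.lockedUntil != null) {
            if (now.isBefore(a.lockedUntil)) {
                return Result.LOCKED;   // password is not even checked while locked
            }
            attempts.remove(login);     // lock expired: start counting afresh
            a = null;
        }
        if (passwordMatches.test(login, password)) {
            attempts.remove(login);     // success clears earlier failures
            return Result.OK;
        }
        if (a == null) {
            a = new Attempts();
            attempts.put(login, a);
        }
        a.failures++;
        if (a.failures >= maxFailures) {
            // A timed lock rather than a permanent one, so that someone who only
            // knows a login name cannot shut its owner out for good.
            a.lockedUntil = now.plus(lockTime);
        }
        return Result.REJECTED;
    }

    public static void main(String[] args) {
        // Constructed demo data; a real module compares password hashes from its user store.
        Map<String, String> users = new HashMap<>();
        users.put("alice", "correct horse");

        LockoutAuthenticator auth = new LockoutAuthenticator(
                users::containsKey,
                (login, password) -> password.equals(users.get(login)),
                3, Duration.ofMinutes(15), Clock.systemUTC());

        for (int i = 1; i <= 3; i++) {
            System.out.println("bad try " + i + ": " + auth.authenticate("alice", "wrong"));
        }
        // The right password no longer helps until the lock expires.
        System.out.println("good try: " + auth.authenticate("alice", "correct horse"));
        System.out.println("unknown : " + auth.authenticate("mallory", "x"));
    }
}
```

The login error page should show the same message for REJECTED and LOCKED, otherwise the response tells a visitor which logins exist.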
Re: form based authentication and remote user
PLEASE REMOVE ME FROM YOUR MAILING LIST. I DO NOT KNOW YOU. THANK YOU...

----- Original Message -----
From: Miguel Angel Medina Lopez [EMAIL PROTECTED]
To: Tomcat Users [EMAIL PROTECTED]
Sent: Wednesday, June 05, 2002 8:30 AM
Subject: form based authentication and remote user

Hi all:

I'm using form-based authentication with tomcat 3.2.3. I have a form to register the users and I want to set the remote user and role when they register so they can access private zones that are protected with the form based authentication at this moment. How can I do that?

Thank you all

MAML
RE: Form-Based-Authentication with Tomcat 4.0.1
Hello all.

I'm a little surprised how uncommon this problem seems to be on the list. Anyway, I'll tell you what I know and what to do about it.

Until now we've been using a protected index.html page as the entrypoint for our app. However, we've had the same problem Frank had. Upon starting the browser, the first login will show the page just fine (the server returned status 200.) Subsequent logins using a different browser instance/session would produce only a blank page where index.html should have been, even though the login was successful. In this case the server returned 304.

The problem is that the browser (both Netscape 6.2 and IE 6) caches index.html the first time it sees it. However, the second attempt to access the protected index.html page causes the server to send a 302 (redirect) to the browser indicating that the browser should load the login form. For some reason that I don't understand, both Netscape and IE delete the cached index.html in response to the 302. Upon login, then the server responds with a redirect to index.html and finally a 304. Netscape then creates an empty cache file for index.html. IE doesn't even do that. Both display a page with no content. Choosing refresh in both browsers loads the page correctly.

Our workaround was to make index.html a jsp by simply changing the extension. This seems to have solved our problem.

The browser behavior here seems to be the problem but since both Netscape and IE do the same thing, maybe they're just following something in the HTTP spec.

john

-----Original Message-----
From: Eichfelder, Frank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 4:43 AM
To: [EMAIL PROTECTED]
Subject: Form-Based-Authentication with Tomcat 4.0.1

Hi,

I have a problem with the form-based-authentication with Tomcat 4.0.1.

The problem is: If I access a protected page for the first time, I am redirected to the login-page and asked for username and password. If my input is correct, I am redirected to the desired page.
Now I close the browser (IE 5.5 - cookies are accepted) and restart it. Now I try the same procedure, reenter my username and password, and get as result an empty page. In the browser I can see that the correct URL was demanded, and if I press the Reload-Button, then I see the desired page.

But this behaviour is not what I want, it should work automatically. Can I do this via server.xml or web.xml settings? Or do I have to rewrite my html-pages? I have already added <META http-equiv="expires" content="0"> to the html-pages, without any effect.

To see the difference between first login and second login, I add an extract of the access-logfile:

First login:
27.0.0.1 - - [31/Oct/2001:11:07:30 1000] GET /logintest/ HTTP/1.1 302 654
127.0.0.1 - - [31/Oct/2001:11:07:30 1000] GET /logintest/index.html HTTP/1.1 304 -
127.0.0.1 - - [31/Oct/2001:11:07:32 1000] GET /logintest/secure/securepage.html HTTP/1.1 302 654
127.0.0.1 - - [31/Oct/2001:11:07:33 1000] GET /logintest/LoginForm.html HTTP/1.1 200 679
127.0.0.1 - - [31/Oct/2001:11:07:38 1000] POST /logintest/j_security_check HTTP/1.1 302 654
127.0.0.1 - tomcat [31/Oct/2001:11:07:38 1000] GET /logintest/secure/securepage.html HTTP/1.1 200 402

Second login:
127.0.0.1 - - [31/Oct/2001:11:07:50 1000] GET /logintest/ HTTP/1.1 302 654
127.0.0.1 - - [31/Oct/2001:11:07:50 1000] GET /logintest/index.html HTTP/1.1 304 -
127.0.0.1 - - [31/Oct/2001:11:07:51 1000] GET /logintest/secure/securepage.html HTTP/1.1 302 654
127.0.0.1 - - [31/Oct/2001:11:07:53 1000] GET /logintest/LoginForm.html HTTP/1.1 200 679
127.0.0.1 - - [31/Oct/2001:11:07:58 1000] POST /logintest/j_security_check HTTP/1.1 302 654
127.0.0.1 - tomcat [31/Oct/2001:11:07:58 1000] GET /logintest/secure/securepage.html HTTP/1.1 304 -

As you can see, the difference is in the last line of each section: In the first time, tomcat returns HTTP-Code 200 (OK), the second time it returns 304 (Not Modified).
It would be great if anybody would have any suggestions how I can change this behaviour.

Thanks,
Frank

--
Frank Eichfelder, Dipl.-Inf.
T-Systems Nova GmbH
Entwicklungszentrum Darmstadt
Bereich EP 1 - Bamberg
Memmelsdorfer Straße 209a, 96052 Bamberg
Germany
MailTo:[EMAIL PROTECTED]
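An alternative to renaming the page to .jsp, as an added example that is not from the thread: a filter mapped to the protected url-pattern that marks responses as non-cacheable and hides the browser's conditional headers from the servlet, so a protected static page is answered with 200 and a body instead of 304. The class names are hypothetical, the `javax.servlet` API (Servlet 3.0 or later) is assumed, and it is an assumption that the static-file servlet bases its 304 decision on `If-Modified-Since` and `If-None-Match` as read through the request object.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Added example; class names are hypothetical. Map it in web.xml to the same
// <url-pattern> as the <security-constraint> (e.g. /secure/*).
public class NoCacheProtectedFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // no configuration needed
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) res;
            // Protected content should not be kept by the browser or by proxies;
            // with nothing stored there is also nothing to revalidate next time.
            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            response.setHeader("Pragma", "no-cache");   // HTTP/1.0 clients
            response.setDateHeader("Expires", 0L);
            // Copies cached before this filter was deployed still trigger
            // conditional requests, so hide those headers from the servlet.
            req = new UnconditionalRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    // Presents the request as if it carried no cache validators.
    static final class UnconditionalRequest extends HttpServletRequestWrapper {

        UnconditionalRequest(HttpServletRequest request) {
            super(request);
        }

        private static boolean isConditional(String name) {
            return "If-Modified-Since".equalsIgnoreCase(name)
                    || "If-None-Match".equalsIgnoreCase(name);
        }

        @Override
        public String getHeader(String name) {
            return isConditional(name) ? null : super.getHeader(name);
        }

        @Override
        public long getDateHeader(String name) {
            return isConditional(name) ? -1L : super.getDateHeader(name);
        }

        @Override
        public Enumeration<String> getHeaders(String name) {
            return isConditional(name)
                    ? Collections.<String>emptyEnumeration()
                    : super.getHeaders(name);
        }

        @Override
        public Enumeration<String> getHeaderNames() {
            List<String> names = new ArrayList<>();
            Enumeration<String> all = super.getHeaderNames();
            while (all != null && all.hasMoreElements()) {
                String name = all.nextElement();
                if (!isConditional(name)) {
                    names.add(name);
                }
            }
            return Collections.enumeration(names);
        }
    }
}
```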
RE: Form based authentication
Hi

I have been using Tomcat 3.2.3 with form based authentication. It works great. However, I have an additional requirement now. We need to have another home page with the username and password boxes on the home page directly which when submitted must access a protected resource. I understand that setting the form action to j_security_check here will not work because the login page will not be triggered and the URL path is not stored.

One way I thought of doing this was to set the action to the protected URL to trigger the login page and try to retrieve the username and password instead of getting it from the user at this point. Just like tomcat stores the URL path does it also store other parameters from the request that triggered the login page? If so, how do I retrieve it? Is there any other way I can do this?

Thanks in advance for the help.

Suchi
RE: Form based Authentication / j_security_check not found
Wait, go back to the beginning and try very slow, I passed the same, the problem with servlet is only in the web.xml file in your app, it is transparent to Apache Web server, look at the standard examples that comes with the Tomcat installation, first try as exercise to install the tomcat from the beginning and run the standard applications, when you get it, try applying changes and changes, DO NOT JUMP TOO HIGH FROM THE BEGINNING, my preferred app server is the tomcat but in the beginning is a headache, I can tell.

You are right, if you want to learn you have to teach you yourself, start slow, with the standard and after apply few changes and so on.

Regards,
Guido.

P.S: The final exercise for you is to configure it with Virtual Host Servlet mapping.

-----Original Message-----
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found

Hi everybody again.

I'm getting mad on configuring tomcat for my application. Maybe I do not know enough about java, but I have to learn it by doing, so please be friendly.

I'm using form-based authentication and everything works until I submit my login-ID. If I put LoginForm.html in the servlet-dir, it pops-up, but after entering my login-infos I get

The requested URL /DSCservlet/j_security_check was not found on this server.

I know, LoginForm.html should be outside the protected area. But in my special example, something seems wrong with alias in mod_jk.conf and/or some path in my config-files. I searched the mailing-list, but I do not understand the stuff.

Please help before I'm getting mad

Thanks
Sabine

my apps-DSC.xml:

<webapps>
  <Context path="/DSCservlet"
           docBase="/webapps/SSL_apps/dsc/servlet"
           debug="0"
           crossContext="false"
           reloadable="true">
  </Context>
</webapps>

my mod_jk.conf

...
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet
<Directory /webapps/SSL_apps/dsc/servlet>
    Options Indexes FollowSymLinks
</Directory>
JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13
<Location /DSCservlet/WEB-INF/>
    AllowOverride None
    deny from all
</Location>
<Location /DSCservlet/META-INF/>
    AllowOverride None
    deny from all
</Location>

/webapps/SSL_apps is HTTPS-protected by apache and document-root

/webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload. After that, a login-screen should appear (it does). This page calls a servlet with

<form action="/DSCservlet/servlet/FileUpload.UploadServlet" enctype="MULTIPART/FORM-DATA" method="post" name="EnterFiles">

Also in this directory dsc are the following files

ResultPageFooter.htm
ResultPageHeader.htm
servlet
servlet/LoginError.html
servlet/LoginForm.html
servlet/META-INF
servlet/META-INF/MANIFEST.MF
servlet/WEB-INF
servlet/WEB-INF/web.xml
servlet/WEB-INF/classes
servlet/WEB-INF/classes/FileUpload
servlet/WEB-INF/classes/FileUpload/FileUploader.class
servlet/WEB-INF/classes/FileUpload/FileUploadException.class
servlet/WEB-INF/classes/FileUpload/Message.class
servlet/WEB-INF/classes/FileUpload/UploadServlet.class
servlet/WEB-INF/classes/properties
servlet/WEB-INF/classes/properties/FileUpload.properties
servlet/WEB-INF/classes/properties/FileUploadMessages.properties
servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties

my web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>FileUpload.UploadServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DSC</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>er_kunden</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Eingangsregistratur DSC</realm-name>
    <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
RE: Form based Authentication / j_security_check not found
There is a jsp based form login example in the examples directory. That whole directory over to your servlet directory, change the login-config to use form based login (look at the example in ~/webapps/examples/WEB-INF/web.xml)

This is a copy and paste trick -- nothing else.

so...

mkdir ~/webapps/myservlet-home/jsp
// this is all you need
cp -r ~/webapps/examples/jsp/security ~/webapps/myservlet-home/jsp

hack this into the appropriate portion of ~/webapps/myservlet-home/WEB-INF/web.xml

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form based login</realm-name>
  <form-login-config>
    <form-login-page>/jsp/protected/login.jsp</form-login-page>
    <form-error-page>/jsp/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>

// and comment out the BASIC login-config using <!-- -->

restart!

easy as pie! This even does session caching for you!

Chris

-----Original Message-----
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found

Hi everybody again.

I'm getting mad on configuring tomcat for my application. Maybe I do not know enough about java, but I have to learn it by doing, so please be friendly.

I'm using form-based authentication and everything works until I submit my login-ID. If I put LoginForm.html in the servlet-dir, it pops-up, but after entering my login-infos I get

The requested URL /DSCservlet/j_security_check was not found on this server.

I know, LoginForm.html should be outside the protected area. But in my special example, something seems wrong with alias in mod_jk.conf and/or some path in my config-files. I searched the mailing-list, but I do not understand the stuff.

Please help before I'm getting mad

Thanks
Sabine

my apps-DSC.xml:

<webapps>
  <Context path="/DSCservlet"
           docBase="/webapps/SSL_apps/dsc/servlet"
           debug="0"
           crossContext="false"
           reloadable="true">
  </Context>
</webapps>

my mod_jk.conf

...
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet
<Directory /webapps/SSL_apps/dsc/servlet>
    Options Indexes FollowSymLinks
</Directory>
JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13
<Location /DSCservlet/WEB-INF/>
    AllowOverride None
    deny from all
</Location>
<Location /DSCservlet/META-INF/>
    AllowOverride None
    deny from all
</Location>

/webapps/SSL_apps is HTTPS-protected by apache and document-root

/webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload. After that, a login-screen should appear (it does). This page calls a servlet with

<form action="/DSCservlet/servlet/FileUpload.UploadServlet" enctype="MULTIPART/FORM-DATA" method="post" name="EnterFiles">

Also in this directory dsc are the following files

ResultPageFooter.htm
ResultPageHeader.htm
servlet
servlet/LoginError.html
servlet/LoginForm.html
servlet/META-INF
servlet/META-INF/MANIFEST.MF
servlet/WEB-INF
servlet/WEB-INF/web.xml
servlet/WEB-INF/classes
servlet/WEB-INF/classes/FileUpload
servlet/WEB-INF/classes/FileUpload/FileUploader.class
servlet/WEB-INF/classes/FileUpload/FileUploadException.class
servlet/WEB-INF/classes/FileUpload/Message.class
servlet/WEB-INF/classes/FileUpload/UploadServlet.class
servlet/WEB-INF/classes/properties
servlet/WEB-INF/classes/properties/FileUpload.properties
servlet/WEB-INF/classes/properties/FileUploadMessages.properties
servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties

my web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <servlet>
    <servlet-name>UploadServlet</servlet-name>
    <servlet-class>FileUpload.UploadServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DSC</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>er_kunden</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Eingangsregistratur DSC</realm-name>
    <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
RE: Form based Authentication / j_security_check not found
I would recommend to first try sending all /DSCservlet requests to Tomcat and make sure everything works correctly that way. Once that is done, then try allowing Apache to serve some of the content. That way you will know if problems appear, they are configuration issues instead of web application problems.

To map all requests to Tomcat, use:

JkMount /DSCservlet ajp13
JkMount /DSCservlet/* ajp13

This is what would be included in the default generated conf/auto/mod_jk.conf.

When you are ready to try Apache serving some of the content, add:

forwardAll="false"

to the <ApacheConfig ... /> element in the server.xml. This will write a conf/auto/mod_jk.conf more suitable for this case. It will include any servlet mappings you have specified in your web.xml plus some extras, like for j_security_check.

Hope this helps,

Cheers,
Larry

-----Original Message-----
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found

Hi everybody again.

I'm getting mad on configuring tomcat for my application. Maybe I do not know enough about java, but I have to learn it by doing, so please be friendly.

I'm using form-based authentication and everything works until I submit my login-ID. If I put LoginForm.html in the servlet-dir, it pops-up, but after entering my login-infos I get

The requested URL /DSCservlet/j_security_check was not found on this server.

I know, LoginForm.html should be outside the protected area. But in my special example, something seems wrong with alias in mod_jk.conf and/or some path in my config-files. I searched the mailing-list, but I do not understand the stuff.

Please help before I'm getting mad

Thanks
Sabine

my apps-DSC.xml:

<webapps>
  <Context path="/DSCservlet"
           docBase="/webapps/SSL_apps/dsc/servlet"
           debug="0"
           crossContext="false"
           reloadable="true">
  </Context>
</webapps>

my mod_jk.conf

...
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet Directory /webapps/SSL_apps/dsc/servlet Options Indexes FollowSymLinks /Directory JkMount /DSCservlet/servlet/* ajp13 JkMount /DSCservlet/*.jsp ajp13 Location /DSCservlet/WEB-INF/ AllowOverride None deny from all /Location Location /DSCservlet/META-INF/ AllowOverride None deny from all /Location /webapps/SSL_apps is HTTPS-protected by apache and document-root /webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload. After that, a login-screen should appear (it does). This page calls a servlet with form action=/DSCservlet/servlet/FileUpload.UploadServlet enctype=MULTIPART/FORM-DATA method=post name =EnterFiles Also in this directory dsc are the following files ResultPageFooter.htm ResultPageHeader.htm servlet servlet/LoginError.html servlet/LoginForm.html servlet/META-INF servlet/META-INF/MANIFEST.MF servlet/WEB-INF servlet/WEB-INF/web.xml servlet/WEB-INF/classes servlet/WEB-INF/classes/FileUpload servlet/WEB-INF/classes/FileUpload/FileUploader.class servlet/WEB-INF/classes/FileUpload/FileUploadException.class servlet/WEB-INF/classes/FileUpload/Message.class servlet/WEB-INF/classes/FileUpload/UploadServlet.class servlet/WEB-INF/classes/properties servlet/WEB-INF/classes/properties/FileUpload.properties servlet/WEB-INF/classes/properties/FileUploadMessages.properties servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties my web.xml: ?xml version=1.0 encoding=ISO-8859-1? 
!DOCTYPE web-app PUBLIC -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN http://java.sun.com/j2ee/dtds/web-app_2_2.dtd; web-app servlet servlet-nameUploadServlet/servlet-name servlet-classFileUpload.UploadServlet/servlet-class /servlet security-constraint web-resource-collection web-resource-nameDSC/web-resource-name url-pattern/*/url-pattern http-methodPOST/http-method http-methodGET/http-method /web-resource-collection auth-constraint role-nameer_kunden/role-name /auth-constraint user-data-constraint transport-guaranteeCONFIDENTIAL/transport-guarantee /user-data-constraint /security-constraint login-config auth-methodFORM/auth-method realm-nameEingangsregistratur DSC/realm-name form-login-config form-login-page/LoginForm.html/form-login-page form-error-page/LoginError.html/form-error-page /form-login-config /login-config /web-app -- To unsubscribe: mailto:[EMAIL
Re: Form Based authentication problem
This might be (I had a problem that looks the same with MySQL) so this might be that it needs to be autoReconnect=true:

    connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"

became:

    connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users?autoReconnect=true"

Try and give me your feedback, please.

At 09:32 27/09/2001 +0200, you wrote:

> Hi all:
>
> I'm working with Tomcat 3.2.3 and postgres 7.0. I want to use form-based authentication and I have included the next lines in the server.xml file:
>
>     <RequestInterceptor
>         className="org.apache.tomcat.request.JDBCRealm"
>         debug="0"
>         driverName="org.postgresql.Driver"
>         connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"
>         connectionName="tomcat"
>         connectionPassword="tomcat"
>         userTable="usuarios"
>         userNameCol="login"
>         userCredCol="password"
>         userRoleTable="usuarios"
>         roleNameCol="role" />
>
> The connection to the db is opened successfully but when I put a valid username and password the query doesn't work. The error in the tomcat.log file is:
>
>     JDBCRealm: The database connection is null or was found to be closed. Trying to re-open it.
>
> and the user isn't authenticated.
>
> Thank you all
>
> Miguel Ángel Medina López
> Logic Factory: www.logic-factory.com
> Granada - España

Re: Form Based authentication problem
Hi:

Thanks Kaneda, but the parameter autoReconnect doesn't work in Postgres. I have found the error in the server.xml file and now I can't authenticate fine.

Now the problem is that I need the user name in different contexts. How can I do that? How can I keep client state in different contexts?

Miguel Ángel Medina López

----- Original Message -----
From: Kaneda K [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 27, 2001 10:01 AM
Subject: Re: Form Based authentication problem

This might be (I had a problem that looks the same with MySQL) so this might be that it needs to be autoReconnect=true:

    connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"

became:

    connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users?autoReconnect=true"

Try and give me your feedback, please.

At 09:32 27/09/2001 +0200, you wrote:

> Hi all:
>
> I'm working with Tomcat 3.2.3 and postgres 7.0. I want to use form-based authentication and I have included the next lines in the server.xml file:
>
>     <RequestInterceptor
>         className="org.apache.tomcat.request.JDBCRealm"
>         debug="0"
>         driverName="org.postgresql.Driver"
>         connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"
>         connectionName="tomcat"
>         connectionPassword="tomcat"
>         userTable="usuarios"
>         userNameCol="login"
>         userCredCol="password"
>         userRoleTable="usuarios"
>         roleNameCol="role" />
>
> The connection to the db is opened successfully but when I put a valid username and password the query doesn't work. The error in the tomcat.log file is:
>
>     JDBCRealm: The database connection is null or was found to be closed. Trying to re-open it.
>
> and the user isn't authenticated.
>
> Thank you all
>
> Miguel Ángel Medina López
> Logic Factory: www.logic-factory.com
> Granada - España

Re: FORM-based authentication question
On Fri, 7 Sep 2001, Kevin HaleBoyes wrote:

> Date: Fri, 7 Sep 2001 16:48:01 +0100 (BST)
> From: Kevin HaleBoyes [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: FORM-based authentication question
>
> I'm successfully using FORM-based logins in my application but I have a few questions.
>
> When a user logs in, I want to attach certain information to the session. Currently I use a filter that checks to see if the request.getRemoteUser is set (or has changed) and if so, I do a database call to get the User information, instantiate a UserClass and set it into the session. It works fine but...
>
> The filter gets called for every request but only acts when a user logs in. Sure the test (to see if anything needs to be done) is simple and fairly quick, but it is done for _every_ request.
>
> Is there a better way? I'm thinking something similar in style to the HttpSessionListener interface. Maybe an AuthenticationListener. Tomcat 4 (or any Servlet 2.3 container :) knows when a user has been authenticated (or, for that matter, when the authentication/session times out) but I don't see any way to hook into that event.
>
> The timed out session information can be had using the HttpSessionListener.sessionDestroyed() method and my application knows if, in the very rare case :-) that a user actually logs out. But notification of an authentication seems to be missing (from the spec). The HttpSessionListener.sessionCreated() method doesn't do what I want since a session is created even when a user is not authenticated.
>
> How do others attach information to the session once a user has been authenticated?

You can use HttpSessionListener to detect when the session is created or destroyed, but there are no servlet API mechanisms that let you hook in to the "user was authenticated" event. You could write a Tomcat-specific mechanism to do that, but for a portable application the filter approach seems to me to be the best.

> Thanks,
> Kevin HaleBoyes

Craig

Re: form-based authentication tomcat-apache
It worked! Thanks!

-Mike

----- Original Message -----
From: Andrew Robson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 26, 2001 8:14 PM
Subject: Re: form-based authentication tomcat-apache

Try putting

    JkMount /examples/jsp/security/login/j_security_check ajp13

into httpd.conf

andrew

On Sun, 27 May 2001, you wrote:

> Hi everyone,
>
> Has anyone been able to get the form-based authentication example to work with tomcat? I can get it to work if I connect to tomcat's own http-server on port 8080 but when I connect to the same example via apache (via mod_jk to tomcat) after I log in I get http://localhost/examples/jsp/security/login/j_security_check with a message saying the page cannot be found.
>
> Is this a known bug in tomcat? Is there some subtle configuration thing I've missed?
>
> -Mike Jennings
>
> __
> Mike Jennings
> Southgate Software Ltd.
> 250-382-6851 (ph)
> 250-382-6800 (fax)
> [EMAIL PROTECTED]

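Both j_security_check threads above come down to one question: does any JkMount pattern forward the context's j_security_check URL to Tomcat? The following Python script is an added example, not code from the posts or from mod_jk; its matching is a simplified model (an assumption) of the exact, /prefix/* and /prefix/*.ext JkMount forms, and all function names are hypothetical.

```python
import re

# Constructed sample: the Alias and JkMount lines from the mod_jk.conf quoted in the thread.
POSTED_CONF = """\
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet
JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13
"""

# The mapping recommended in the reply: forward the whole context to Tomcat.
FORWARD_ALL_CONF = """\
JkMount /DSCservlet ajp13
JkMount /DSCservlet/* ajp13
"""

JKMOUNT_RE = re.compile(r"JkMount\s+(\S+)\s+(\S+)$", re.IGNORECASE)


def parse_jkmounts(conf_text):
    """Return [(pattern, worker)] for every JkMount directive, ignoring comments."""
    mounts = []
    for line in conf_text.splitlines():
        match = JKMOUNT_RE.match(line.split("#", 1)[0].strip())
        if match:
            mounts.append((match.group(1), match.group(2)))
    return mounts


def pattern_matches(pattern, uri):
    """Simplified model (assumption) of three JkMount forms: prefix, suffix, exact."""
    if pattern.endswith("/*"):                      # /ctx/* -> everything below /ctx/
        return uri.startswith(pattern[:-1])
    head, sep, ext = pattern.rpartition("/*.")
    if sep:                                         # /ctx/*.jsp -> match by extension
        return uri.startswith(head + "/") and uri.endswith("." + ext)
    return uri == pattern                           # /ctx/j_security_check -> exact


def worker_for(conf_text, uri):
    """Worker that receives `uri`, or None when Apache answers the request itself."""
    for pattern, worker in parse_jkmounts(conf_text):
        if pattern_matches(pattern, uri):
            return worker
    return None


def unforwarded_login_urls(conf_text, context, pages):
    """List the FORM-login URLs of `context` that never reach Tomcat.

    j_security_check exists only inside the container, so Apache returns 404
    for it unless a JkMount covers it. The login and error pages are checked
    too: whatever Apache serves directly bypasses the web.xml constraints.
    """
    uris = [context + "/j_security_check"] + [context + page for page in pages]
    return [uri for uri in uris if worker_for(conf_text, uri) is None]


if __name__ == "__main__":
    pages = ["/LoginForm.html", "/LoginError.html"]
    for label, conf in (("as posted", POSTED_CONF), ("forward all", FORWARD_ALL_CONF)):
        missing = unforwarded_login_urls(conf, "/DSCservlet", pages)
        print(label, "->", missing or "everything is forwarded to Tomcat")
```
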
Re: Form Based Authentication with Encryption
Hi Amit,

I'm using 3.2 so details may vary.

What you want to do is write your own authentication module. Easier than it sounds. Just take a copy of the authentication module you are using (SimpleRealm?) to use as a base for your own code. Add in the functionality you want, compile and include in TOMCAT_HOME/lib/webserver.jar

Edit server.xml to use your custom authentication module.

Also, I'd recommend you look at JDBCRealm so that you can store usernames and passwords in a database. Quite apart from the other advantages you may then be able to take advantage of the db's encryption facilities (e.g. MySql's Password function) and save yourself the bother of writing your own.

Hope this helps

Andrew

On Wed, 07 Mar 2001, you wrote:

> Hi All,
>
> I'm using tomcat 4.0 Beta1. I successfully tested out the form based authentication provided with tomcat. But, the main problem with it is: It uses plain text to store users, roles and passwords in the "tomcat-users.xml" file placed in TOMCAT_HOME\conf.
>
> Is there any plugin for tomcat to encrypt the passwords stored in this file? Or is there any round-about to do so.
>
> Thanking you in advance.
>
> With Regards,
> -Amit
> E-Mail: [EMAIL PROTECTED]
> Sansui Software Pvt. Ltd., Pune

Re: Form Based Authentication with Encryption
Thanks Andrew,

But, I'm using XML to store my whole data (this is requirement of the product). We are not at all using any database. So with this regard, would you like to comment something more?

Also can you suggest some resource for: creating my own customized "authentication module"?

Thanks in advance.

Regards,
-Amit.

----- Original Message -----
From: Andrew Robson
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 3:37 PM
Subject: Re: Form Based Authentication with Encryption

Hi Amit,

I'm using 3.2 so details may vary.

What you want to do is write your own authentication module. Easier than it sounds. Just take a copy of the authentication module you are using (SimpleRealm?) to use as a base for your own code. Add in the functionality you want, compile and include in TOMCAT_HOME/lib/webserver.jar

Edit server.xml to use your custom authentication module.

Also, I'd recommend you look at JDBCRealm so that you can store usernames and passwords in a database. Quite apart from the other advantages you may then be able to take advantage of the db's encryption facilities (e.g. MySql's Password function) and save yourself the bother of writing your own.

Hope this helps

Andrew

On Wed, 07 Mar 2001, you wrote:

> Hi All,
>
> I'm using tomcat 4.0 Beta1. I successfully tested out the form based authentication provided with tomcat. But, the main problem with it is: It uses plain text to store users, roles and passwords in the "tomcat-users.xml" file placed in TOMCAT_HOME\conf.
>
> Is there any plugin for tomcat to encrypt the passwords stored in this file? Or is there any round-about to do so.
>
> Thanking you in advance.
>
> With Regards,
> -Amit
> E-Mail: [EMAIL PROTECTED]
> Sansui Software Pvt. Ltd., Pune

Re: Form based authentication
I've run into the same problem. I created an industrial strength bandaid for this problem by writing a simple servlet, mapped to /null, that redirects them where I want to go (which is defined in the web.xml). I've been too lazy to investigate what is actually throwing this so if anyone has any insight, please speak up. If you need the bandaid code, let me know.

/bill

Dilip Dalton [EMAIL PROTECTED] on 02/08/2001 12:36:27 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Bill Fellows/MO/americancentury)
Subject: Form based authentication

Hi,

I am running tomcat 3.2.1, and I have started to use form based authentication for my application. The 'examples' form based authentication works fine. But when I use it from my application I get the following:

    Not Found (404)
    Original request: /hyseq/jsp/null
    Not found request: /hyseq/jsp/null

Could anybody shed some light on this,

Thank you,
Dilip.

RE: Form based authentication and JDBC Realm with Interbase
Please post your server.xml JDBCRealm config, to have a look at it.

Regards,
Ignacio J. Ortega

-----Original Message-----
From: Nigel Stirzaker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 23 January 2001 12:41
To: '[EMAIL PROTECTED]'
Subject: Form based authentication and JDBC Realm with Interbase

Hi,

I'm trying to get form based authentication working with jBoss/Tomcat and interbase 5.6 but I'm getting the following error. Interbase is working fine for the CMP and code and general setup works fine with mySQL (our other trial database). It looks to me like the param being setup for the query by PreparedStatement.setString is Null and hence the error.

Version used:

    Interclient 1.6
    jBoss 2.0 Final
    Tomcat 3.2
    Win 2000

    2001-01-23 10:23:17 - ContextManager: JDBCRealm: JDBCRealm.authenticate: SELECT USER_PASS FROM USERS WHERE USER_NAME = ?
    2001-01-23 10:23:18 - Ctx( /war ): Exception in: R( /war + /member/test.jsp + null) - java.lang.NullPointerException
        at interbase.interclient.PreparedStatement.setString(Unknown Source)
        at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)
        at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:480)
        at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java, Compiled Code)
        at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
        at org.apache.tomcat.request.JDBCRealm.authorize(JDBCRealm.java:501)
        at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java, Compiled Code)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:789)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java, Compiled Code)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java, Compiled Code)
        at java.lang.Thread.run(Thread.java:479)

Anybody got any ideas

Thanks in advance
Nigel

Nigel Stirzaker
Software Consultant
SSA Softwright
(01753) 811833 Ext 265
[EMAIL PROTECTED]
www.Softwright.co.uk

RE: Form based authentication and JDBC Realm with Interbase
Thanks, I've posted it onto the list. Here is a copy as well:

    <RequestInterceptor
        className="org.apache.tomcat.request.JDBCRealm"
        debug="99"
        driverName="interbase.interclient.Driver"
        connectionURL="jdbc:interbase://localhost:3060/D:/Development/DBs/authority.gdb"
        connectionName="sysdba"
        connectionPassword="masterkey"
        userTable="USERS"
        userNameCol="USER_NAME"
        userCredCol="USER_PASS"
        userRoleTable="USER_ROLES"
        roleNameCol="ROLE_NAME" />
    <RequestInterceptor
        className="org.apache.tomcat.request.Jdk12Interceptor"
        debug="0" />

thanks

Nigel Stirzaker
Software Consultant
SSA Softwright
(01753) 811833 Ext 265
[EMAIL PROTECTED]
www.Softwright.co.uk

-----Original Message-----
From: Ignacio J. Ortega [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 23 January 2001 12:07
To: '[EMAIL PROTECTED]'
Subject: RE: Form based authentication and JDBC Realm with Interbase

Please post your server.xml JDBCRealm config, to have a look at it.

Regards,
Ignacio J. Ortega

-----Original Message-----
From: Nigel Stirzaker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 23 January 2001 12:41
To: '[EMAIL PROTECTED]'
Subject: Form based authentication and JDBC Realm with Interbase

Hi,

I'm trying to get form based authentication working with jBoss/Tomcat and interbase 5.6 but I'm getting the following error. Interbase is working fine for the CMP and code and general setup works fine with mySQL (our other trial database). It looks to me like the param being setup for the query by PreparedStatement.setString is Null and hence the error.

Version used:

    Interclient 1.6
    jBoss 2.0 Final
    Tomcat 3.2
    Win 2000

    2001-01-23 10:23:17 - ContextManager: JDBCRealm: JDBCRealm.authenticate: SELECT USER_PASS FROM USERS WHERE USER_NAME = ?
    2001-01-23 10:23:18 - Ctx( /war ): Exception in: R( /war + /member/test.jsp + null) - java.lang.NullPointerException
        at interbase.interclient.PreparedStatement.setString(Unknown Source)
        at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)
        at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:480)
        at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java, Compiled Code)
        at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
        at org.apache.tomcat.request.JDBCRealm.authorize(JDBCRealm.java:501)
        at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java, Compiled Code)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:789)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java, Compiled Code)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java, Compiled Code)
        at java.lang.Thread.run(Thread.java:479)

Anybody got any ideas

Thanks in advance
Nigel

Nigel Stirzaker
Software Consultant
SSA Softwright
(01753) 811833 Ext 265
[EMAIL PROTECTED]
www.Softwright.co.uk

RE: FORM BASED AUTHENTICATION...
I was using 3.1 and then I found the following post

http://mikal.org/interests/java/tomcat_users/msg02828.html

in which they were having the same types of problems I was experiencing. So I installed ver 3.2.1 and everything works as originally anticipated. All the form based logins work.

Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: FORM BASED AUTHENTICATION...

Has anyone successfully setup form-based security authentication? Have you gotten the error page to display when the wrong username/password was entered? What do you recommend for implementing form-based security?

Thanks in advance,
Bob

RE: FORM based Authentication and JDBC Realm
Please send the excerpt of your server.xml file with the RequestInterceptor.

Thanks

Regards,
Ignacio J. Ortega

-----Original Message-----
From: Vincent Harcq [mailto:[EMAIL PROTECTED]]
Sent: Friday, 5 January 2001 17:45
To: [EMAIL PROTECTED]
Subject: FORM based Authentication and JDBC Realm

Hi!

Tomcat 3.2.1
Interbase 6 Database.

I have setup JDBCRealm and I am trying to use the /examples/jsp/security/protected/index.jsp that is provided with Tomcat to validate it. So I only change server.xml, I use the original web.xml from the example application.

When I go to the I receive Exception

    2001-01-05 05:27:31 - ContextManager: JDBCRealm: JDBCRealm.authenticate: SELECT user_pass FROM j2eeusers WHERE user_name= ?
    2001-01-05 05:27:31 - Ctx( /vmi ): Exception in: R( /vmi + /jsp/protected/index.html + null) - java.lang.NullPointerException
        at interbase.interclient.PreparedStatement.setString(PreparedStatement.java:973)
        at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)

When I first go to the login.jsp, I can log in and then go on the protected resources. Strange.

Any ideas?

Vincent HARCQ