RE: Form Based Authentication

2005-10-11 Thread Caldarale, Charles R
> From: Peter Bright [mailto:[EMAIL PROTECTED]
> Subject: Form Based Authentication
>
> It's point (c) that's proving problematic; there's no way to
> reauthenticate that I can see.

What happens if you just invalidate the existing session?

 - Chuck





RE: Form Based Authentication

2005-10-11 Thread Peter Bright

> -Original Message-
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
> Sent: 11 October 2005 17:18
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
>
> > From: Peter Bright [mailto:[EMAIL PROTECTED]
> > Subject: Form Based Authentication
> >
> > It's point (c) that's proving problematic; there's no way to
> > reauthenticate that I can see.
>
> What happens if you just invalidate the existing session?
 

The user gets logged out.




RE: Form Based Authentication

2005-10-11 Thread Caldarale, Charles R
> From: Peter Bright [mailto:[EMAIL PROTECTED]
> Subject: RE: Form Based Authentication
>
> > > It's point (c) that's proving problematic; there's no way to
> > > reauthenticate that I can see.
> >
> > What happens if you just invalidate the existing session?
>
> The user gets logged out.

Exactly - and they then must reauthenticate with the updated password.
Isn't that what you want?

 - Chuck





RE: Form Based Authentication

2005-10-11 Thread Peter Bright

> -Original Message-
> From: Caldarale, Charles R [mailto:[EMAIL PROTECTED]
> Sent: 11 October 2005 17:23
> To: Tomcat Users List
> Subject: RE: Form Based Authentication
>
> > From: Peter Bright [mailto:[EMAIL PROTECTED]
> > Subject: RE: Form Based Authentication
> >
> > > > It's point (c) that's proving problematic; there's no way to
> > > > reauthenticate that I can see.
> > >
> > > What happens if you just invalidate the existing session?
> >
> > The user gets logged out.
>
> Exactly - and they then must reauthenticate with the updated password.
> Isn't that what you want?
 
No, sorry, it was unclear. I want them to be reauthenticat/ed/ with the
new credentials /automatically/.  Without making them have to
reauthenticate /by hand/.




RE: Form Based Authentication

2005-10-11 Thread Frank W. Zammetti
Although we are working in a Websphere/LDAP environment, we had the same
requirement as you, and we managed to solve it.

What we did (and I'm going from fairly distant memories, so hopefully I'm
at least close to right) is this... user logs on.  We have a filter that
checks for password expired/reset (both a forced PW change) via flags set
in a previous filter (values taken from LDAP) and redirects to the change
screen if applicable.  This all of course happens only after a
successful logon, i.e., user entered valid credentials, including
expired password already.  We destroy the session before leaving that
filter.  Password is changed, all without creating a new session along the
way.  Once it is changed, we redirect back through the logon process as
before.  We decided that it was *better* to make the user log on again
because it proves they remember the password they entered 2 seconds ago :)

I suppose if I had to allow that automatic authentication, I would NOT
destroy the session and instead just redirect to the first protected
resource of the app from the change PW screen.  Since the user was let in
the first time around, they are really authenticated already.  In essence,
the filter that catches that forced PW change flag is acting like the
container, intercepting all protected requests and redirecting to a change
PW screen.  If you did it smartly you should be able to grab what resource
was requested when the filter fired so as to not have to hardcode where to
go to after that forced PW screen is finished.

Frank


-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com
AIM: fzammetti
Yahoo: fzammetti
MSN: [EMAIL PROTECTED]
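
The gate Frank describes, sketched as a servlet filter; this is an added example, not code from the post or from any container. The attribute names and paths are hypothetical, the `javax.servlet` API of that era is assumed, and unlike the post it invalidates the session after the change rather than before the change screen.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Gate for a forced password change. Map it to the protected URL patterns only,
 * so the change page's own stylesheet and images are not redirected as well.
 */
public class ForcedPasswordChangeFilter implements Filter {

    // All names below are hypothetical, chosen for this example.
    static final String MUST_CHANGE = "pw.mustChange";  // Boolean set by an earlier filter (e.g. from LDAP)
    static final String RESUME_PATH = "pw.resumePath";  // what the user asked for when the gate fired
    static final String CHANGE_PAGE = "/account/change-password";
    static final String HOME_PAGE = "/index.jsp";       // assumed to be a protected resource

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        boolean mustChange = session != null
                && Boolean.TRUE.equals(session.getAttribute(MUST_CHANGE));

        // Context-relative path as resolved by the container, not a client-supplied URL.
        // The query string is deliberately not preserved.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        if (!mustChange || CHANGE_PAGE.equals(path)) {
            chain.doFilter(req, res);
            return;
        }

        // Remember only the first blocked GET; a POST cannot be replayed by a redirect.
        if ("GET".equals(request.getMethod()) && session.getAttribute(RESUME_PATH) == null) {
            session.setAttribute(RESUME_PATH, path);
        }
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + CHANGE_PAGE));
    }

    /**
     * Call once the new password has been stored; returns the URL to redirect to.
     * forceRelogin = true drops the session, so the user must log on with the new
     * password; false keeps the already-authenticated session and resumes the
     * request that was blocked.
     */
    public static String afterPasswordChanged(HttpServletRequest request, boolean forceRelogin) {
        HttpSession session = request.getSession(false);
        String resume = null;
        if (session != null) {
            resume = (String) session.getAttribute(RESUME_PATH);
            if (forceRelogin) {
                session.invalidate();
            } else {
                session.removeAttribute(MUST_CHANGE);
                session.removeAttribute(RESUME_PATH);
            }
        }
        if (forceRelogin || resume == null) {
            // With the session gone, the protected home page sends the user
            // through the container's logon form again.
            return request.getContextPath() + HOME_PAGE;
        }
        return request.getContextPath() + resume;
    }
}
```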




RE: Form Based Authentication

2005-05-12 Thread David B. Saul
Never Mind - It was permissions on the tomcat-users.xml file. Duh!




-Original Message-
From: David B. Saul [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 12, 2005 7:37 PM
To: 'Tomcat Users List'
Subject: Form Based Authentication


Having a problem being challenged on Linux.

Form based using the tomcat-users.xml file works under windows.

However, when same code is deployed to Linux the page is never challenged.

I checked server.xml on both platforms as well as the specific webapp. Even
built a Hello World example to eliminate other stuff.

Any suggestions/ideas?

thanks
Dave





RE : Form Based Authentication

2005-05-11 Thread LERBSCHER Jean-Pierre

If the authentication is realized by the container (the realm), you can't
access the request before the authentication takes over. If you really want
to do it, don't define the security constraint in your web.xml, and make
your own application security mechanism (use filter, and forward or redirect
on login page).




Re: Form Based Authentication

2005-05-10 Thread Wade Chandler
Wade Chandler wrote:
> I have form based authentication working.  But, I need the login form to
> be a little more dynamic.  For instance, I want to use different forms
> for different areas and not always use the same form.  Is this possible?
> For instance, under one site I want to limit URLs to different logins.
> I realize I should just have a login and have a userid and a password,
> but my customer wants to simply have an access code to certain pages or
> directories.  I would like to use form based authentication then I can
> have the userid as a hidden variable, and then have a password entered
> by the user, but for some admin screens I need the user to actually
> enter the userid and password both
>
> I hope that makes sense.  I can't figure out how to setup a security
> constraint which can force a particular login form to be used if the
> user is not logged in yet.
>
> Thanks,
> Wade

Ok,
So I think I should be able to do this with a filter, but I need some
help.  Basically it looks like I should be able to use a filter to
somehow get the original target before the authentication form is
displayed... is this correct?  Basically I need to somehow know when a
particular URL pattern is being displayed or is attempted to be
accessed...before the login form is displayed.  When it is displayed
I'll set an attribute in the request in the filter's doFilter method.
However, now I need to know how I can access the Request before the
authentication mechanism takes over I suppose because from my login form
accessing the getPathInfo() method is returning the login form
information when I really need to know the actual path the user was
attempting to access.  So, can I use a filter to do this, and if so how
do I make sure my filter is called in time to give me the information I
need?

Thanks,
Wade


RE: FORM based authentication config

2004-12-21 Thread Goel, Manish Kumar
Hi,
see this, this might help you
http://www.webservertalk.com/message633890.html


cheers
Manish


-Original Message-
From: Chris Chappell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 21, 2004 7:45 PM
To: Tomcat Users List
Subject: FORM based authentication config


Hi I'm having trouble getting form based authentication to work. Any help much 
appreciated.
I'm missing something simple I'm sure. (TC 5.0.19, W2K, Mysql4)

I am using a JDBC Realm which works fine with BASIC auth.

After changing to FORM and try 
http://127.0.0.1:8080/MyApp/security/protected/login.jsp I get:
The requested resource (/MyApp/security/protected/login.jsp) is not available.

To set this up I copied the files from the JSP examples - login.jsp, error.jsp 
in folders \security\protected to \MyApp\security\protected\
I copied web.xml parts:

  <servlet>
    <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
    <servlet-class>org.apache.jsp.security.protected_.error_jsp</servlet-class>
  </servlet>

  <servlet>
    <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
    <servlet-class>org.apache.jsp.security.protected_.index_jsp</servlet-class>
  </servlet>

  <servlet>
    <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
    <servlet-class>org.apache.jsp.security.protected_.login_jsp</servlet-class>
  </servlet>

and mappings

  <servlet-mapping>
    <servlet-name>org.apache.jsp.security.protected_.error_jsp</servlet-name>
    <url-pattern>/security/protected/error.jsp</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>org.apache.jsp.security.protected_.index_jsp</servlet-name>
    <url-pattern>/security/protected/index.jsp</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>org.apache.jsp.security.protected_.login_jsp</servlet-name>
    <url-pattern>/security/protected/login.jsp</url-pattern>
  </servlet-mapping>

with

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Calendar</web-resource-name>
      <url-pattern>/Calendar</url-pattern>
      <!-- ...more... -->
    </web-resource-collection>

    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
      <role-name>sysadmin</role-name>
    </auth-constraint>
  </security-constraint>

and configured

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyApp</realm-name>
    <form-login-page>/security/protected/login.jsp</form-login-page>
    <form-error-page>/security/protected/error.jsp</form-error-page>
  </login-config>



Chris



Re: FORM based authentication config

2004-12-21 Thread Chris Chappell
Thanks for that - but what it describes is what I have done, I think.

The problem is:

If you have the servlet definitions and mappings, the page isn't found -
Since they are JSPs above web-inf in the context folder I think they don't
need them.
If you don't have the mappings then you get:

HTTP Status 400 - Invalid direct reference to form login page - with a
correct pw/un
org.apache.catalina.authenticator.FormAuthenticator authenticate

WARNING: Unexpected error forwarding to error page

java.lang.NullPointerException

with incorrect un/pw

i.e. FormAuthenticator cannot forward to say the error page

Chris




Re: FORM based authentication config

2004-12-21 Thread Viorel C.
Try to use static resources for the form-login-page and form-error-page.
It works for me. And skip servlet mapping

Viorel





RE: Form Based Authentication with Cookies?

2004-10-12 Thread Chris Ward
Chris,

For what it's worth, I spent ages trying to get a remember-me
login thing going out of the box but never managed it.

In the end I implemented my own user/role setup and use a
Filter to ensure the user is logged in when accessing servlets/
JSPs with specific URL paths.  The login page sets cookies to
do the remembering.

If you get yours going (I'm now on Tomcat 5.0.28, maybe there's
something new) I'd be interested in the details.

Good luck.

Best regards
Chris

-- 

Chris Ward, Horizon Asset Limited
mailto:[EMAIL PROTECTED]
Tel +44 (20) 7367 7028, Fax 7367 7029




 -Original Message-
 From: Chris Forbis [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 12, 2004 7:45 PM
 To: [EMAIL PROTECTED]
 Subject: Form Based Authentication with Cookies?
 
 
 I have been looking for a way within tomcat using a
 JDBCRealm to do form based authentication and allow users to
 set some sort of Remember Me cookie, so they do not need to
 log into my application more than once a month or so.
 
 It looks like to me that FormAuthenticator is sort of 
 hardcoded into tomcat without a way to allow for a context to 
 allow for a CustomFormAuthenticator that would allow for this.
 
 Am I missing something, or is there no easy way to do this?
 
 Thanks!
 



Re: Form based authentication - last login

2004-09-03 Thread QM
On Fri, Sep 03, 2004 at 10:08:59AM +0200, [EMAIL PROTECTED] wrote:
: IMHO the best solution would be to intercept the authentication process (I'm
: working with Tomcat 4.x), to smuggle some custom code there that updates the
: appropriate column in the database. The question is.. how can I do this?? Or maybe
: someone has a better idea how to do this??

There are several ways to do this, I'm sure.  My preferred method:

map a Filter to the protected area(s) that checks for the presence of
some session object.  If the object isn't there, the person has just
logged in, so you record the timestamp and store the object.  Otherwise,
the person's already logged in and the filter can pass the
request/response down the chain.

The marker object needn't be anything special: a simple Boolean will do,
if you don't store any other objects for users who are logged in.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
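
QM's marker-object filter as an added example (not code from the post). The JNDI name, the table and column names and the session attribute are hypothetical; it assumes the `javax.servlet` API and a filter mapped only to URLs under a security-constraint, so `getRemoteUser()` is already set when it runs.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/** Records the login time the first time an authenticated session hits the protected area. */
public class LastLoginFilter implements Filter {

    /** Session marker: present means this login has already been recorded. */
    static final String MARKER = "lastLogin.recorded";        // hypothetical name
    static final String DATASOURCE = "java:comp/env/jdbc/UserDB"; // hypothetical JNDI name

    private ServletContext context;
    private DataSource dataSource;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        try {
            dataSource = (DataSource) new InitialContext().lookup(DATASOURCE);
        } catch (NamingException e) {
            throw new ServletException("user database not configured", e);
        }
    }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String user = request.getRemoteUser();   // null if the container has not authenticated anyone

        if (user != null) {
            HttpSession session = request.getSession(true);
            if (session.getAttribute(MARKER) == null) {
                // Set the marker first: two parallel first requests may still both
                // get here, which only writes the same timestamp twice.
                session.setAttribute(MARKER, Boolean.TRUE);
                try {
                    recordLogin(user, new Timestamp(System.currentTimeMillis()));
                } catch (SQLException e) {
                    // Bookkeeping must not lock the user out; log it and carry on.
                    context.log("could not record last login for " + user, e);
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Parameterised update, so the user name is never concatenated into the SQL. */
    private void recordLogin(String user, Timestamp when) throws SQLException {
        String sql = "UPDATE users SET last_login = ? WHERE user_name = ?"; // hypothetical schema
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setTimestamp(1, when);
            ps.setString(2, user);
            ps.executeUpdate();
        }
    }
}
```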





RE: form-based authentication question

2004-03-23 Thread Koes, Derrick


It may be good for someone to answer this, but I figured out my problem.  I
accidentally used the login page name where the welcome page name should
have been in the servlet configuration.

Cockpit error.



-Original Message-
From: Koes, Derrick 
Sent: Tuesday, March 23, 2004 2:49 PM
To: '[EMAIL PROTECTED]'
Subject: form-based authentication question

Using Tomcat 4.1.X, I'm attempting to switch a web app from basic auth to
form-based.  I'm having difficulty in one area.  After creating the new form
and posting to j_security_check, I wish to GET my welcome page.  It
appears to be doing this from the URL in the address bar, but the page looks
exactly like my login page.  That is, it seems to have posted to itself.
What's the appropriate way to forward to the welcome page?

A working example login page, welcome page, and deployment descriptor would
be appreciated.

Thanks,

Derrick




Re: Form Based Authentication - Registration

2004-02-14 Thread Adam Hardy
On 02/14/2004 10:31 AM Alexander F. Hartner wrote:
> Now we want to add registration and have the following happen
>
> 1.) Customer requests access to a realm
> 2.) Redirect to login page
> 3.) Customer doesn't have an account yet and accesses registration page
> 4.) Customer registers
> 5.) On successful registration the customer is redirected to the
> original request
>
> Now to get this working we need the following, both of which we are not
> sure are currently provided by the authentication framework.
>
> -Ability to access the original (SavedRequest) from a JSP / Servlet
>
> -Ability to auto/fake login from within the webapplication

You cannot access the original request if the url is protected by a 
security-constraint and the user has not logged in. Tomcat will always 
jump in first with the CMS login.

To fake it and keep CMS, reduce your real realm to a security constraint
on one URL and set up a filter to check for the user's status. If not
logged in, save the parts of the request you need in the session, and
redirect the user to the protected page to trigger the container login.

Then after the login succeeds and the user gets through to that 
protected URL, check the session for the info and redirect them to their 
original destination.

You can put a link on the login page to the registration URL - I'm not 
sure about the redirection logic but it should be possible to redirect 
them after registration back to the login page to login, and then on to 
their original destination.

HTH
Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


RE: FORM based authentication referer

2004-01-21 Thread Guy Rouillier
Ricardo García wrote:
> Here's some starting context for my question
>
> I have a war file that has been configured to use FORM based
> authentication. I have set the form-login-page in the
> web.xml of the war file to point to a jsp file in my war
> file.  When a user invokes any jsp without being logged
> in the login jsp is displayed.  The user enters the
> userid/password submits the page to j_security_check, is
> validated and redirected to the requested page.
>
> My question is ...
>
> Has anyone ever tried discovering the page that the user is
> trying to access from within the jsp page referenced as the
> form-login-page?  I have tried checking the HTTP headers
> and session, but have not discovered it being saved anywhere.
> Usually when a page invokes another page the HTTP header
> REFERER exists with the URL to the previous page.  I have
> noticed that once the user posts the login form on my
> login.jsp to j_security_check and is authenticated they are
> redirect to the correct location .. correct location being
> back to the page they wanted to access originally.  This
> would mean that it has to be somewhere, but where??

We do this manually instead of using the form-login-page mechanism.  In the header 
included at the top of every page for authentication, we capture

session.setAttribute("login.target", request.getRequestURI());

before redirecting to the login page.  If you wait until you get to the page that is 
processing your login request, you've already lost the original request.
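
The capture-before-redirect step from this reply, which is also the filter suggested in the "Form Based Authentication - Registration" reply above, as an added example that is not code from either poster. `LOGIN_TRIGGER`, the fallback and the `isLoggedIn` test are hypothetical, the `javax.servlet` API is assumed, and the saved value is checked again before it is used as a redirect target.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Saves the requested URL before sending an anonymous user to the login entry
 * point. Do not map this filter to LOGIN_TRIGGER or to the login/error pages.
 */
public class LoginTargetFilter implements Filter {

    static final String TARGET_ATTR = "login.target";    // attribute name used in the post
    static final String LOGIN_TRIGGER = "/secure/enter"; // hypothetical: the one protected URL

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoggedIn(request)) {
            chain.doFilter(req, res);
            return;
        }
        // Only a GET can be replayed by a redirect after login.
        if ("GET".equals(request.getMethod())) {
            String target = request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(TARGET_ATTR, target);
        }
        response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + LOGIN_TRIGGER));
    }

    /**
     * Assumption: the container reports the logged-in user on unconstrained URLs
     * too. With a home-grown login, test your own session attribute here instead.
     */
    static boolean isLoggedIn(HttpServletRequest request) {
        return request.getRemoteUser() != null;
    }

    /**
     * Call from the resource behind LOGIN_TRIGGER once login has succeeded.
     * Returns the saved target if it still points inside this webapp, else fallback.
     */
    public static String popTarget(HttpServletRequest request, String fallback) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return fallback;
        }
        String target = (String) session.getAttribute(TARGET_ATTR);
        session.removeAttribute(TARGET_ATTR);   // single use
        return isLocalPath(target, request.getContextPath()) ? target : fallback;
    }

    /** True only for a path inside this context that a browser cannot read as another host. */
    static boolean isLocalPath(String target, String contextPath) {
        if (target == null || !target.startsWith(contextPath + "/")) {
            return false;
        }
        // "//host/..." and backslash forms are treated by browsers as off-site URLs.
        if (target.startsWith("//") || target.indexOf('\\') >= 0) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {        // CR/LF and other control characters
                return false;
            }
        }
        return true;
    }
}
```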




RE: Form based authentication

2003-11-28 Thread Patrick Willart
Hello Atreya,

Your stylesheet is returned after authentication because it is access
restricted. If you make your stylesheet freely accessible it will work.

grts,

Patrick

-Original Message-
From: Atreya Basu [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2003 8:01 AM
To: Tomcat Users List
Subject: Form based authentication


Hi all,

I thought I would share some of my experiences with JDBCRealm
authentication.

First what I wanted to do was see if JDBCRealm based authentication even
worked.  All I got was Tomcat quitting.  My first problem was that my
web.xml file wasn't in the right order.  I went to BEA's website and
used their web.xml file explanation page to get all of the spelling and
order of the elements right.
But Tomcat still wasn't running.  It turned out my second problem was
that for some reason the MySQL JDBC driver wasn't being found, even
though I had placed it in the common\lib directory.  So I edited the
catalina file manually and added in the jar file.

Next whenever I would authenticate I would get a stylesheet instead of
my intended destination.  Then one time I authenticated and accidentally
hit the login page.  It showed me a different styled login page.

That happened because my stylesheet was kept inside the context
directory it wasn't being retrieved till I authenticated.  So instead of
pulling up index.html after I authenticate it pulled up the stylesheet
because my browser was waiting to load that file.  Solution of course
was to place the stylesheet in an unsecure directory.

I hope that someone finds this useful.

Cheers,

--
_
Atreya Basu
Developer,
Greenfield Research Inc.
e-mail: atreya (at) greenfieldresearch (dot) ca







Re: FORM based authentication pages

2003-11-12 Thread Tim Funk
Sorry, tomcat doesn't provide that functionality. A simple workaround is to 
keep those pages in a shared area then on site build (I hope you're using 
ant), copy those files into your webapp.

-Tim

Ricardo García wrote:

I have setup Tomcat 4.1 to use FORM based auth, but I've found myself replicating login and error pages in every context I want to protect. The problem is that the path that point to the pages in the login-config tag in the web.xml file of the context is relative to the context.

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/auth/login.html</form-login-page>
        <form-error-page>/auth/error.html</form-error-page>
    </form-login-config>
</login-config>
Is there a way to put those two pages in a location that is accessible by any context? If there is, how do I setup my web.xml file?





Re: FORM based authentication pages

2003-11-12 Thread Christopher Schultz
Ricardo,

Is there a way to put those two pages in a location that is
accessible by any context? If there is, how do I setup my web.xml
file?
You want the login pages for every webapp to look the same?

If that's what you really want to do, I think you'll have to use
symbolic links on the filesystem. You're much better off duplicating the
files. That has the advantage of allowing you to customize the login
screens for each application.
-chris



Re: form-based authentication session.invalidate

2003-10-12 Thread Adam Hardy
Although I've no real idea what an internal tomcat SessionEvent is, it 
sounds like it's a bug. Give me the word and I'll enter it in bugzilla.

Adam

On 10/12/2003 01:57 AM Tim Funk wrote:
Hmm. I always thought that when using the SSO valve, logging out of one 
webapp automatically logs you out of all webapps.

The 5 code looks broken based on *very quick* inspection compared to 4.1 
based on lines 304-308.

if ( event.getData() != null
     && "logout".equals( event.getData().toString() )) {
    // logout of all applications
    deregister(ssoId);
} else {
    // invalidate just one session
    deregister(ssoId, session);
}
I haven't been able to locate how logout can be a value in a SessionEvent.

-Tim

Adam Hardy wrote:

I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%= request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, 
when I invalidate the session, I immediately get a login request. 
Strange.

This is not correct behaviour for tomcat, is it?

Adam


--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: form-based authentication session.invalidate

2003-10-11 Thread Tim Funk
Authentication information is somewhat stored in the session for form based 
authentication. (I can't remember the specifics) So using session.invalidate 
should log the user out. This works since the session id which is a cookie or 
URL rewriting scheme is what the browser keys in on. By invalidating that id 
on the server, the browser is now sending an invalid credential and thus 
logged out.

In BASIC authentication, the credentials are stored in the web browser and 
sent when/if requested. So the only way to get rid of those stored 
credentials is by closing the web browser.

[Of course, when the web server is restarted or web app restarted - I can't 
recall what happens to the authentication information. ]

-Tim

Adam Hardy wrote:
I am using session.invalidate() to try to cause the user to receive 
another login request, using CMS form-based authentication.

I saw the same issue in bugzilla but for basic authentication:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147

where the tomcat developer/bugzilla person resolved the issue saying 
that CMS basic authentication cannot be manipulated in this way since 
the browser sends the login info with every request, requiring the user 
to close the browser before seeing another login request.

Is this the same for form-based authentication?

I thought that in tomcat4 I was getting new login request for the users 
just by invalidating their sessions. Am I deluding myself?





Re: form-based authentication session.invalidate

2003-10-11 Thread Adam Hardy
I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%= request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when 
I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?

Adam

On 10/11/2003 06:04 PM Tim Funk wrote:
Authentication information is somewhat stored in the session for form 
based authentication. (I can't remember the specifics) So using 
session.invalidate should log the user out. This works since the session 
id which is a cookie or URL rewriting scheme is what the browser keys in 
on. By invalidating that id on the server, the browser is now sending an 
invalid credential and thus logged out.

In BASIC authentication, the credentials are stored in the web browser 
and sent when/if requested. So the only way to get rid of those stored 
credentials is by closing the web browser.

[Of course, when the web server is restarted or web app restarted - I 
can't recall what happens to the authentication information. ]

-Tim

Adam Hardy wrote:

I am using session.invalidate() to try to cause the user to receive 
another login request, using CMS form-based authentication.

I saw the same issue in bugzilla but for basic authentication:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12147

where the tomcat developer/bugzilla person resolved the issue saying 
that CMS basic authentication cannot be manipulated in this way since 
the browser sends the login info with every request, requiring the 
user to close the browser before seeing another login request.

Is this the same for form-based authentication?

I thought that in tomcat4 I was getting new login request for the 
users just by invalidating their sessions. Am I deluding myself?


--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: form-based authentication session.invalidate

2003-10-11 Thread Tim Funk
Hmm. I always thought that when using the SSO valve, logging out of one 
webapp automatically logs you out of all webapps.

The 5 code looks broken based on *very quick* inspection compared to 4.1 
based on lines 304-308.

if ( event.getData() != null
     && "logout".equals( event.getData().toString() )) {
    // logout of all applications
    deregister(ssoId);
} else {
    // invalidate just one session
    deregister(ssoId, session);
}
I haven't been able to locate how logout can be a value in a SessionEvent.

-Tim

Adam Hardy wrote:
I have just figured out that the SSO in JSESSIONIDSSO stands for 
single-sign-on.

I have the following JSP:

remote user <%= request.getRemoteUser() %> in
session <%= session.getId() %>
<%
session.invalidate();
%>
and after doing a login, I saw I got JSESSIONID and JSESSIONIDSSO 
cookies. I then go to a second site on my tomcat and get a second 
JSESSIONID without having to do a login coz of SSO.

Now going to this page which has the stuff above, and refreshing over 
and over always showed the following:

remote user adam in session EB2543D909D52551EA58C77E963CDD17
remote user adam in session EA33F35CCB3D1205A88226029C65939C
remote user adam in session 8814C0365D3F0BDD97B1DE9B7EAECD17
remote user adam in session 1B7F0424190985F24A294EA2344888C5
I see the JSESSIONIDSSO cookie is keeping my remoteUser info active. 
This shouldn't be the case I'm sure. If I delete the SSO cookie in 
mozilla, I get a login request on my next request.

Also if I only login to one site, even though I get the SSO cookie, when 
I invalidate the session, I immediately get a login request. Strange.

This is not correct behaviour for tomcat, is it?

Adam





RE: form based authentication problem

2003-02-04 Thread Barney Hamish
I did something like that using struts. I wrote a base action class which
all my other action classes extended. The base class performs any
initialization (initializing objects in the session etc) as required.

If you don't want to use struts you might consider using a filter.
Hamish

 -Original Message-
 From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, February 04, 2003 1:13 PM
 To: [EMAIL PROTECTED]
 Subject: form based authentication problem
 
 
 guess that was too much of description last time! next try
 
 can anybody tell me how to do some action, say put an object 
 in the session
 or/and update a list in the servlet context directly after a 
 user was logged
 in successfully via form-based authentication (context) with 
 a jdbc-realm?
 
 ralf
 
 
 




Re: form based authentication problem

2003-02-04 Thread Ralf Lorenz
thanks, that's exactly the solution i discussed right now with some other
developers of my company.
the question with the filter is whether it is called when the container
forwards or redirects to the
claimed resource after the authentication is done? theoretically i'd say yes
but who knows?
try and error i guess!
ralf


- Original Message -
From: Barney Hamish [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, February 04, 2003 1:35 PM
Subject: RE: form based authentication problem


 I did something like that using struts. I wrote a base action class which
 all my other action classes extended. The base class performs any
 initialization (initializing objects in the session etc) as required.

 If you don't want to use struts you might consider using a filter.
 Hamish

  -Original Message-
  From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, February 04, 2003 1:13 PM
  To: [EMAIL PROTECTED]
  Subject: form based authentication problem
 
 
  guess that was too much of description last time! next try
 
  can anybody tell me how to do some action, say put an object
  in the session
  or/and update a list in the servlet context directly after a
  user was logged
  in successfully via form-based authentication (context) with
  a jdbc-realm?
 
  ralf
 
 
 




RE: form based authentication problem

2003-02-04 Thread Raible, Matt
If you map the filter to the same url-pattern as your protected resource, it
will be called immediately after someone authenticates.

HTH,

Matt

 -Original Message-
 From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, February 04, 2003 6:59 AM
 To: Tomcat Users List
 Subject: Re: form based authentication problem
 
 
 thanks, that's exactly the solution i discussed right now 
 with some other
 developers of my company.
 the question with the filter is whether it is called when the 
 container
 forwards or redirects to the
 claimed resource after the authentication is done? 
 theoretically i'd say yes
 but who knows?
 try and error i guess!
 ralf
 
 
 - Original Message -
 From: Barney Hamish [EMAIL PROTECTED]
 To: 'Tomcat Users List' [EMAIL PROTECTED]
 Sent: Tuesday, February 04, 2003 1:35 PM
 Subject: RE: form based authentication problem
 
 
  I did something like that using struts. I wrote a base 
 action class which
  all my other action classes extended. The base class performs any
  initialization (initializing objects in the session etc) as 
 required.
 
  If you don't want to use struts you might consider using a filter.
  Hamish
 
   -Original Message-
   From: Ralf Lorenz [mailto:[EMAIL PROTECTED]]
   Sent: Tuesday, February 04, 2003 1:13 PM
   To: [EMAIL PROTECTED]
   Subject: form based authentication problem
  
  
   guess that was too much of description last time! next try
  
   can anybody tell me how to do some action, say put an object
   in the session
   or/and update a list in the servlet context directly after a
   user was logged
   in successfully via form-based authentication (context) with
   a jdbc-realm?
  
   ralf
  
  
  
   
 


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
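
The filter approach suggested in this thread, as an added example that is not code from any of the posters: a filter mapped to the protected url-pattern that runs its initialization once, on the first request carrying an authenticated principal. The class name and attribute names are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Added example (hypothetical names). Declare it in web.xml with a
 * <filter-mapping> whose <url-pattern> equals the one used in the
 * <security-constraint>, so every protected request passes through it.
 */
public class PostLoginFilter implements Filter {

    // Hypothetical attribute names chosen for this example.
    static final String MARKER = "example.postLogin.marker";
    static final String ONLINE_USERS = "example.onlineUsers";

    // session id -> user name, published through the servlet context
    private final Map<String, String> onlineUsers = new ConcurrentHashMap<String, String>();
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        context.setAttribute(ONLINE_USERS, onlineUsers);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) req;
            Principal user = request.getUserPrincipal();
            // getSession(false): never create a session for an anonymous request.
            HttpSession session = request.getSession(false);
            if (user != null && session != null) {
                initializeOnce(session, user.getName());
            }
        }
        chain.doFilter(req, res);
    }

    private void initializeOnce(HttpSession session, String username) {
        // Several requests (frames, images) can arrive together right after
        // login. Locking on the session object narrows that race; containers
        // are not required to hand out the same object to every request.
        synchronized (session) {
            if (session.getAttribute(MARKER) == null) {
                // Binding the marker triggers valueBound() below.
                session.setAttribute(MARKER, new LoginMarker(username, onlineUsers));
            }
        }
    }

    public void destroy() {
        context.removeAttribute(ONLINE_USERS);
        onlineUsers.clear();
    }

    /**
     * Session-scoped marker. The container calls valueUnbound() when the
     * session is invalidated or times out, which keeps the context-wide list
     * in step with logouts without a separate cleanup job.
     */
    static final class LoginMarker implements HttpSessionBindingListener {
        private final String username;
        private final Map<String, String> registry;
        private volatile String sessionId;

        LoginMarker(String username, Map<String, String> registry) {
            this.username = username;
            this.registry = registry;
        }

        public void valueBound(HttpSessionBindingEvent event) {
            // The session is still valid here, so reading its id is safe.
            sessionId = event.getSession().getId();
            registry.put(sessionId, username);
        }

        public void valueUnbound(HttpSessionBindingEvent event) {
            // Use the id captured at bind time rather than asking a session
            // that may already be invalid.
            if (sessionId != null) {
                registry.remove(sessionId);
            }
        }
    }
}
```

Keying the list by session id rather than by user name means a user with two sessions stays listed until the last one ends.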




Re: Form-based authentication - can I get original URL?

2002-11-25 Thread Craig R. McClanahan


On Mon, 25 Nov 2002, Matt Raible wrote:

 Date: Mon, 25 Nov 2002 17:02:21 -0700
 From: Matt Raible [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: 'Tomcat Users List' [EMAIL PROTECTED]
 Subject: Form-based authentication - can I get original URL?

 On Tomcat 4/5, I am able to use the following configuration in my
 web.xml:

 <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
         <form-login-page>/login.jsp</form-login-page>
         <form-error-page>/login.jsp?error=true</form-error-page>
     </form-login-config>
 </login-config>


 However, I know that there are app servers out there that do not support
 this - the form-error-page MUST be a different JSP.  So I'm wondering,
 is there a value I can grab in my login.jsp that tells me the URL of the
 protected resource the user is trying to get to?

 I tried <%=request.getRequestURL()%>, but that gives me .../login.jsp -
 and I want mainMenu.do.

 I know iPlanet used to set a cookie and I could use that as specified
 at:

 http://husted.com/struts/resources/fb-auth.htm

There is no portable mechanism to acquire the request URL that was
originally requested, nor any guarantee that this is even possible.  All
you know is that the container has detected that a protected URL was
requested, and that there was no currently authenticated user.


 Thanks,

 Matt


Craig






Re: Form-based authentication

2002-10-09 Thread Padhu Vinirs

Shouldn't the url format be http://url?user=xxx&password=xxx ? Also, if 
you do this, you could encrypt the password before calling 
sendRedirect and decrypt it at the url cgi.

-- padhu


Rajesh Kanderi wrote:

how do you access a webpage which has a form-based
authentication setup using java.

i am able to do it using an href
http://user:password@url...
but the problem is it shows the password. 

I tried to construct the above url in a servlet and
then doing a sendRedirect. but the sendRedirect
doesn't seem to like the format of the
url,specifically having the user:password.

Is there a way to do it using java classes
URLConnection or HttpURLConnection







Re: Form Based Authentication, getting login and password

2002-10-05 Thread Nikola Milutinovic

Externo wrote:

 Sorry by my English.
 
 How I can guess login and password strings of an user, from error page (JSP)
 using Form Based Authentication of Tomcat?
 
 I need know it to lock the count each 3 error tries (if login is ok but
 password is bad, instead).


Something like enhanced security mode in some OSes?


 Methods 'getRemoteUser', 'isUserInRole' and 'getUserPrincipal' of
 HttpServletRequest interface have this result: If no user has been
 authenticated, returns null, false and null respectively. For this reason, they
 aren't utils for me.
 
 If I don't know login what user wrote, I can't lock his/her count.
 
 Exist solution for this? Thanks

Only to write your own authentication module. That shouldn't be too hard.

Nix.


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
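
The failed-attempt counting asked about above has to live where the submitted user name is visible, that is, inside the authentication step itself. The following is an added example, not code from the thread or from Tomcat: `LoginAttemptTracker` and `CredentialCheck` are hypothetical names, the lock duration and table cap are assumed values, and user names are treated as case-insensitive by assumption.

```java
import java.util.Iterator;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class LoginAttemptTracker {

    /** Hypothetical stand-in for the real credential store lookup. */
    public interface CredentialCheck {
        boolean matches(String username, String password);
    }

    static final int MAX_FAILURES = 3;                  // threshold from the question
    static final long LOCK_MILLIS = 15L * 60L * 1000L;  // assumed lock duration
    static final int MAX_TRACKED = 100000;              // assumed cap on tracked names

    private static final class Entry {
        int failures;
        long lockedUntil;
    }

    private final ConcurrentMap<String, Entry> entries = new ConcurrentHashMap<String, Entry>();
    private final CredentialCheck check;

    public LoginAttemptTracker(CredentialCheck check) {
        this.check = check;
    }

    /**
     * Returns true only for a correct password on an unlocked name. Failures
     * are counted for every submitted name, existing or not, so the response
     * does not reveal which accounts exist.
     */
    public boolean authenticate(String username, String password, long now) {
        if (username == null || password == null) {
            return false;
        }
        String key = username.trim().toLowerCase(Locale.ROOT);
        Entry e = entryFor(key, now);
        synchronized (e) {
            if (now < e.lockedUntil) {
                return false;               // locked: the password is not even tested
            }
            if (check.matches(username, password)) {
                entries.remove(key);        // success clears the counter
                return true;
            }
            e.failures++;
            if (e.failures >= MAX_FAILURES) {
                e.lockedUntil = now + LOCK_MILLIS;
                e.failures = 0;             // a fresh count starts after the lock expires
            }
            return false;
        }
    }

    private Entry entryFor(String key, long now) {
        Entry e = entries.get(key);
        if (e == null) {
            if (entries.size() >= MAX_TRACKED) {
                purgeUnlocked(now);         // keep random names from exhausting memory
            }
            Entry fresh = new Entry();
            e = entries.putIfAbsent(key, fresh);
            if (e == null) {
                e = fresh;
            }
        }
        return e;
    }

    /** Drops entries that are not currently locked; active locks survive. */
    private void purgeUnlocked(long now) {
        for (Iterator<Entry> it = entries.values().iterator(); it.hasNext();) {
            Entry e = it.next();
            synchronized (e) {
                if (now >= e.lockedUntil) {
                    it.remove();
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one account, "alice" with password "s3cret".
        LoginAttemptTracker tracker = new LoginAttemptTracker(new CredentialCheck() {
            public boolean matches(String u, String p) {
                return "alice".equals(u) && "s3cret".equals(p);
            }
        });
        long t = 0L;
        System.out.println(tracker.authenticate("alice", "bad1", t));    // false
        System.out.println(tracker.authenticate("alice", "bad2", t));    // false
        System.out.println(tracker.authenticate("alice", "bad3", t));    // false, now locked
        System.out.println(tracker.authenticate("alice", "s3cret", t));  // false, still locked
        System.out.println(tracker.authenticate("alice", "s3cret", t + LOCK_MILLIS)); // true
    }
}
```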




Re: form based authentication and remote user

2002-06-05 Thread anette mysel

PLEASE REMOVE ME FROM YOUR MAILING LIST. I  DO NOT KNOW YOU. THANK YOU...
- Original Message -
From: Miguel Angel Medina Lopez [EMAIL PROTECTED]
To: Tomcat Users [EMAIL PROTECTED]
Sent: Wednesday, June 05, 2002 8:30 AM
Subject: form based authentication and remote user


 Hi all:

 I'm using form-based authentication with tomcat 3.2.3. I have a form to
 register the users and I want to set the remote user and role when they
 register to they can access private zones that are protected with the form
 based authentication at this moment. How can I do that?

 Thank you all

 MAML






RE: Form-Based-Authentication with Tomcat 4.0.1

2002-04-10 Thread John Gregg

Hello all.

I'm a little surprised how uncommon this problem seems to be on the list.
Anyway, I'll tell you what I know and what to do about it.

Until now we've been using a protected index.html page as the entrypoint for
our app.  However, we've had the same problem Frank had.  Upon starting the
browser, the first login will show the page just fine (the server returned
status 200.)  Subsequent logins using a different browser instance/session
would produce only a blank page where index.html should have been, even
though the login was successful.  In this case the server returned 304.

The problem is that the browser (both Netscape 6.2 and IE 6) caches
index.html the first time it sees it.  However, the second attempt to access
the protected index.html page causes the server to send a 302 (redirect) to
the browser indicating that the browser should load the login form.  For
some reason that I don't understand, both Netscape and IE delete the cached
index.html in response to the 302.  Upon login, then the server responds
with a redirect to index.html and finally a 304.  Netscape then creates an
empty cache file for index.html.  IE doesn't even do that.  Both display a
page with no content.  Choosing refresh in both browsers loads the page
correctly.

Our workaround was to make index.html a jsp by simply changing the
extension.  This seems to have solved our problem.  The browser behavior
here seems to be the problem but since both Netscape and IE do the same
thing, maybe they're just following something in the HTTP spec.

john


-Original Message-
From: Eichfelder, Frank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 4:43 AM
To: [EMAIL PROTECTED]
Subject: Form-Based-Authentication with Tomcat 4.0.1


Hi,

I have a problem with the form-based-authentication with Tomcat 4.0.1.

The problem is:
If I access a protected page for the first time, I am redirected to the
login-page and asked for username and password. If my input is correct, I am
redirected to the desired page.

Now I close the browser (IE 5.5 - cookies are accepted) and restart it.
Now I try the same procedure, reenter my username and password, and get as
result an empty page. In the browser I can see that the correct URL was
demanded, and if I press the Reload-Button, then I see the desired page.
But this behaviour is not what I want, it should work automatically.

Can I do this via server.xml or web.xml settings? Or do I have to rewrite my
html-pages?
I have already added
<META http-equiv="expires" content="0">
to the html-pages, without any effect.

To see the difference between first login and second login, I add an extract
of the access-logfile:

First login:
127.0.0.1 - - [31/Oct/2001:11:07:30 1000] "GET /logintest/ HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:30 1000] "GET /logintest/index.html HTTP/1.1" 304 -
127.0.0.1 - - [31/Oct/2001:11:07:32 1000] "GET /logintest/secure/securepage.html HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:33 1000] "GET /logintest/LoginForm.html HTTP/1.1" 200 679
127.0.0.1 - - [31/Oct/2001:11:07:38 1000] "POST /logintest/j_security_check HTTP/1.1" 302 654
127.0.0.1 - tomcat [31/Oct/2001:11:07:38 1000] "GET /logintest/secure/securepage.html HTTP/1.1" 200 402
Second login:
127.0.0.1 - - [31/Oct/2001:11:07:50 1000] "GET /logintest/ HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:50 1000] "GET /logintest/index.html HTTP/1.1" 304 -
127.0.0.1 - - [31/Oct/2001:11:07:51 1000] "GET /logintest/secure/securepage.html HTTP/1.1" 302 654
127.0.0.1 - - [31/Oct/2001:11:07:53 1000] "GET /logintest/LoginForm.html HTTP/1.1" 200 679
127.0.0.1 - - [31/Oct/2001:11:07:58 1000] "POST /logintest/j_security_check HTTP/1.1" 302 654
127.0.0.1 - tomcat [31/Oct/2001:11:07:58 1000] "GET /logintest/secure/securepage.html HTTP/1.1" 304 -

As you can see, the difference is in the last line of each section:
In the first time, tomcat returns HTTP-Code 200 (OK), the second time it
returns 304 (Not Modified).

It would be great if anybody would have any suggestions how I can change
this behaviour.

Thanks,

Frank

--
Frank Eichfelder, Dipl.-Inf.
T-Systems Nova GmbH
Entwicklungszentrum Darmstadt
Bereich EP 1 - Bamberg
Memmelsdorfer Straße 209a, 96052 Bamberg
Germany
MailTo:[EMAIL PROTECTED]
--



--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
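
The access-log signature discussed in this thread (a login POST answered with 302, followed directly by a 304 for the protected page) can be searched for mechanically. This is an added example, not code from either poster: it assumes the common log format with a quoted request line, its sample lines are constructed after Frank's extract, and correlating requests by client address alone is a simplification.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PostLogin304Scanner {

    // host ident user [timestamp] "METHOD path protocol" status bytes
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ (\\S+) \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) (\\S+)$");

    /**
     * Returns one finding for each request that directly follows a successful
     * form-login redirect from the same client and is answered with 304, the
     * case in which the browser is left without a page body to display.
     */
    public static List<String> scan(List<String> lines) {
        Set<String> justLoggedIn = new HashSet<String>();
        List<String> findings = new ArrayList<String>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) {
                continue;                   // skip lines in another format
            }
            String host = m.group(1);
            String method = m.group(4);
            String path = m.group(5);
            int status = Integer.parseInt(m.group(6));

            if ("POST".equals(method) && path.endsWith("/j_security_check") && status == 302) {
                justLoggedIn.add(host);
            } else if (justLoggedIn.remove(host) && status == 304) {
                // remove() runs first, so only the request immediately after
                // the login redirect is ever considered.
                findings.add(m.group(3) + " " + path + " user=" + m.group(2));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines, modelled on the extract quoted above.
        List<String> sample = Arrays.asList(
            "127.0.0.1 - - [31/Oct/2001:11:07:30 +0100] \"GET /logintest/index.html HTTP/1.1\" 304 -",
            "127.0.0.1 - - [31/Oct/2001:11:07:38 +0100] \"POST /logintest/j_security_check HTTP/1.1\" 302 654",
            "127.0.0.1 - tomcat [31/Oct/2001:11:07:38 +0100] \"GET /logintest/secure/securepage.html HTTP/1.1\" 200 402",
            "127.0.0.1 - - [31/Oct/2001:11:07:58 +0100] \"POST /logintest/j_security_check HTTP/1.1\" 302 654",
            "127.0.0.1 - tomcat [31/Oct/2001:11:07:58 +0100] \"GET /logintest/secure/securepage.html HTTP/1.1\" 304 -");

        // Only the second login is reported; the 304 for the unprotected
        // index.html and the 200 after the first login are ignored.
        for (String finding : scan(sample)) {
            System.out.println(finding);
        }
    }
}
```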




RE: Form based authentication

2002-01-29 Thread Suchi Somasekar


Hi

I have been using Tomcat 3.2.3 with form based authentication. It works
great.

However, I have an additional requirement now. We need to have another home
page with the username and password boxes on the home page directly which
when submitted must access a protected resource. I understand that setting
the form action to j_security_check  here will not work because the login
page will not be triggered and the URL path is not stored.
One way I thought of doing this was to set the action to the protected URL
to trigger the login page and try to retrieve the username and password
instead of getting it from the user at this point. Just like tomcat stores
the URL path does it also store other parameters from the request that
triggered the login page? If so, how do I retrieve it? Is there any other
way I can do this?

Thanks in advance for the help.
Suchi








RE: Form based Authentication / j_security_check not found

2001-12-18 Thread Guido Medina

Wait, go back to the beginning and try very slow, I passed the same, the
problem with servlet is only in the web.xml file in your app, it is
transparent to Apache Web server, look at the standard examples that comes
with the Tomcat installation, first try as exercise to install the tomcat
from the beginning and run the standard applications, when you get it, try
applying changes and changes, DO NOT JUMP TOO HIGH FROM THE BEGINNING, my
preferred app server is the tomcat but in the beginning is a headache, I can
tell. You are right, if you want to learn you have to teach yourself,
start slow, with the standard and after apply few changes and so on.

Regards,

Guido.

P.S: The final exercise for you is to configure it with Virtual Host 
Servlet mapping.

-Original Message-
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 11:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found


Hi everybody again.
I'm getting mad on configuring tomcat for my application.
Maybe I do not know enough about java, but I have to Learn it by doing, so
please be friendly.

I'm using form-based authentication and everything works until I submit my
login-ID
If I put LoginForm.html in the servlet-dir, it pops-up, but after entering
my login-infos I get 
The requested URL /DSCservlet/j_security_check was not found on this
server.
I know, LoginForm.html should be outside the protected area.
But in my special example, something seems wrong with alias in mod_jk.conf
and/or some path in my config-files.
I searched the mailing-list, but I do not understand the stuff.
Please help before I'm getting mad

Thanks Sabine

my apps-DSC.xml:
<webapps>
    <Context path="/DSCservlet"
        docBase="/webapps/SSL_apps/dsc/servlet"
        debug="0"
        crossContext="false"
        reloadable="true" >
    </Context>
</webapps>


my mod_jk.conf
...
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet
<Directory /webapps/SSL_apps/dsc/servlet>
    Options Indexes FollowSymLinks
</Directory>
JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13
<Location /DSCservlet/WEB-INF/>
    AllowOverride None
    deny from all
</Location>
<Location /DSCservlet/META-INF/>
    AllowOverride None
    deny from all
</Location>

/webapps/SSL_apps is HTTPS-protected by apache and document-root

/webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload.
After that, a login-screen should appear (it does).
This page calls a servlet with 
<form action="/DSCservlet/servlet/FileUpload.UploadServlet"
enctype="MULTIPART/FORM-DATA" method="post" name="EnterFiles">

Also in this directory dsc are the following files

ResultPageFooter.htm
ResultPageHeader.htm
servlet
servlet/LoginError.html
servlet/LoginForm.html
servlet/META-INF
servlet/META-INF/MANIFEST.MF
servlet/WEB-INF
servlet/WEB-INF/web.xml
servlet/WEB-INF/classes
servlet/WEB-INF/classes/FileUpload
servlet/WEB-INF/classes/FileUpload/FileUploader.class
servlet/WEB-INF/classes/FileUpload/FileUploadException.class
servlet/WEB-INF/classes/FileUpload/Message.class
servlet/WEB-INF/classes/FileUpload/UploadServlet.class
servlet/WEB-INF/classes/properties
servlet/WEB-INF/classes/properties/FileUpload.properties
servlet/WEB-INF/classes/properties/FileUploadMessages.properties
servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties

my web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
    <servlet>
        <servlet-name>UploadServlet</servlet-name>
        <servlet-class>FileUpload.UploadServlet</servlet-class>
    </servlet>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>DSC</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>er_kunden</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Eingangsregistratur DSC</realm-name>
        <form-login-config>
            <form-login-page>/LoginForm.html</form-login-page>
            <form-error-page>/LoginError.html</form-error-page>
        </form-login-config>
    </login-config>
</web-app>








RE: Form based Authentication / j_security_check not found

2001-12-18 Thread Bongiorno.Christian

There is a jsp based form login example in the examples directory. That whole 
directory over to your servlet directory,
change the login-config to use form based login (look at the example in 
~/webapps/examples/WEB-INF/web.xml) This is a copy and paste trick -- nothing else.

so...

mkdir ~/webapps/myservlet-home/jsp

// this is all you need
cp -r ~/webapps/examples/jsp/security ~/webapps/myservlet-home/jsp

hack this into the appropriate portion of ~/webapps/myservlet-home/WEB-INF/web.xml

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Form based login</realm-name>
  <form-login-config>
    <form-login-page>/jsp/protected/login.jsp</form-login-page>
    <form-error-page>/jsp/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>


//and comment out the BASIC login-config using <!--  -->

restart!

easy as pie!

This even does session caching for you!

Chris

-Original Message-
From: EDV Systembetrieb [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 10:37 AM
To: [EMAIL PROTECTED]
Subject: Form based Authentication / j_security_check not found


Hi everybody again.
I'm getting mad on configuring tomcat for my application.
Maybe I do not know enough about java, but I have to Learn it by doing, so please be 
friendly.

I'm using form-based authentication and everything works until I submit my login-ID
If I put LoginForm.html in the servlet-dir, it pops-up, but after entering my 
login-infos I get 
The requested URL /DSCservlet/j_security_check was not found on this server.
I know, LoginForm.html should be outside the protected area.
But in my special example, something seems wrong with alias in mod_jk.conf and/or some 
path in my config-files.
I searched the mailing-list, but I do not understand the stuff.
Please help before I'm getting mad

Thanks Sabine

my apps-DSC.xml:
<webapps>
    <Context path="/DSCservlet"
        docBase="/webapps/SSL_apps/dsc/servlet"
        debug="0"
        crossContext="false"
        reloadable="true" >
    </Context>
</webapps>


my mod_jk.conf
...
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet
<Directory /webapps/SSL_apps/dsc/servlet>
    Options Indexes FollowSymLinks
</Directory>
JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13
<Location /DSCservlet/WEB-INF/>
    AllowOverride None
    deny from all
</Location>
<Location /DSCservlet/META-INF/>
    AllowOverride None
    deny from all
</Location>

/webapps/SSL_apps is HTTPS-protected by apache and document-root

/webapps/SSL_apps/dsc/upload.htm is my page for selecting files for upload. After 
that, a login-screen should appear (it does).
This page calls a servlet with 
<form action="/DSCservlet/servlet/FileUpload.UploadServlet" 
enctype="MULTIPART/FORM-DATA" method="post" name="EnterFiles">

Also in this directory dsc are the following files

ResultPageFooter.htm
ResultPageHeader.htm
servlet
servlet/LoginError.html
servlet/LoginForm.html
servlet/META-INF
servlet/META-INF/MANIFEST.MF
servlet/WEB-INF
servlet/WEB-INF/web.xml
servlet/WEB-INF/classes
servlet/WEB-INF/classes/FileUpload
servlet/WEB-INF/classes/FileUpload/FileUploader.class
servlet/WEB-INF/classes/FileUpload/FileUploadException.class
servlet/WEB-INF/classes/FileUpload/Message.class
servlet/WEB-INF/classes/FileUpload/UploadServlet.class
servlet/WEB-INF/classes/properties
servlet/WEB-INF/classes/properties/FileUpload.properties
servlet/WEB-INF/classes/properties/FileUploadMessages.properties
servlet/WEB-INF/classes/properties/FileUploadMessages_en.properties

my web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>FileUpload.UploadServlet</servlet-class>
</servlet>
<security-constraint>
<web-resource-collection>
<web-resource-name>DSC</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>er_kunden</role-name>
</auth-constraint>
<user-data-constraint>
 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Eingangsregistratur DSC</realm-name>
<form-login-config>
<form-login-page>/LoginForm.html</form-login-page>
<form-error-page>/LoginError.html</form-error-page>
</form-login-config>
</login-config>
</web-app>






RE: Form based Authentication / j_security_check not found

2001-12-18 Thread Larry Isaacs

I would recommend to first try sending all /DSCservlet
requests to Tomcat and make sure everything works correctly
that way.  Once that is done, then try allowing Apache to serve
some of the content.  That way you will know if problems
appear, they are configuration issues instead of web
application problems.

To map all requests to Tomcat, use:

  JkMount /DSCservlet ajp13
  JkMount /DSCservlet/* ajp13

This is what would be included in the default generated
conf/auto/mod_jk.conf.  When you are ready to try Apache
serving some of the content, add:

forwardAll="false"

to the <ApacheConfig ... /> element in the server.xml.  This
will write a conf/auto/mod_jk.conf more suitable for this
case.  It will include any servlet mappings you have specified
in your web.xml plus some extras, like for j_security_check.

Hope this helps,

Cheers,
Larry


Re: Form Based authentication problem

2001-09-27 Thread Kaneda K

This might be (I had a problem that looks the same with MySQL)
so this might be that it needs to be autoReconnect=true:

  connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"

became :
  connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users?autoReconnect=true"

Try and give me your feedback, please.

At 09:32 27/09/2001 +0200, you wrote:
Hi all:

I'm working with Tomcat 3.2.3 and postgres 7.0. I want to use form-based
authentication and I have included the next lines in the server.xml file:
 <RequestInterceptor
 className="org.apache.tomcat.request.JDBCRealm"
 debug="0"
 driverName="org.postgresql.Driver"
 connectionURL="jdbc:postgresql://192.168.0.17/tomcat_users"
 connectionName="tomcat"
 connectionPassword="tomcat"
 userTable="usuarios"
 userNameCol="login"
 userCredCol="password"
 userRoleTable="usuarios"
 roleNameCol="role" />

The connection to the db is opened successfully but when I put a valid
username and password the query doesn't work. The error in the tomcat.log
file is:
 JDBCRealm: The database connection is null or was found to be closed. Trying to re-open it.

and the user isn't authenticated.

Thank you all

-
Miguel Ángel Medina López
Logic Factory: www.logic-factory.com
Granada - España




Re: Form Based authentication problem

2001-09-27 Thread Miguel Angel Medina Lopez

Hi:

Thanks Kaneda but the parameter autoReconnect doesn't work in Postgres.
I have found the error in the server.xml file and now I can't authenticate
fine. Now the problem is that I need the user name in different contexts.
How can I do that? How can I keep client state in different contexts?

Miguel Ángel Medina López






Re: FORM-based authentication question

2001-09-07 Thread Craig R. McClanahan



On Fri, 7 Sep 2001, Kevin HaleBoyes wrote:

 Date: Fri, 7 Sep 2001 16:48:01 +0100 (BST)
 From: Kevin HaleBoyes [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: FORM-based authentication question

 I'm successfully using FORM-based logins in my application but I have
 a few questions.  When a user logs in, I want to attach certain information
 to the session.  Currently I use a filter that checks to see if the
 request.getRemoteUser is set (or has changed) and if so, I do a database
 call to get the User information, instantiate a UserClass and set it into
 the session.  It works fine but...

 The filter gets called for every request but only acts when a user logs in.
 Sure the test (to see if anything needs to be done) is simple and fairly
 quick, but it is done for _every_ request.

 Is there a better way?

 I'm thinking something similar in style to the HttpSessionListener
 interface. Maybe an AuthenticationListener.  Tomcat 4 (or any Servlet
 2.3 container :) knows when a user has been authenticated (or, for
 that matter, when the authentication/session times out) but I don't
 see any way to hook into that event.  The timed out session
 information can be had using the
 HttpSessionListener.sessionDestroyed() method and my application knows
 if, in the very rare case :-) that a user actually logs out.  But
 notification of an authentication seems to be missing (from the
 spec).

 The HttpSessionListener.sessionCreated() method doesn't do what I want since
 a session is created even when a user is not authenticated.

 How do others attach information to the session once a user has been
 authenticated?


You can use HttpSessionListener to detect when the session is created or
destroyed, but there are no servlet API mechanisms that let you hook in to
the "user was authenticated" event.  You could write a Tomcat-specific
mechanism to do that, but for a portable application the filter approach
seems to me to be the best.

 Thanks,
 Kevin HaleBoyes


Craig




Re: form-based authentication tomcat-apache

2001-05-27 Thread Michael Jennings

It worked!
Thanks!
-Mike

- Original Message -
From: Andrew Robson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 26, 2001 8:14 PM
Subject: Re: form-based authentication tomcat-apache


 Try putting
 JkMount  /examples/jsp/security/login/j_security_check ajp13
 into httpd.conf

 andrew

 On Sun, 27 May 2001, you wrote:
  Hi everyone,
 
  Has anyone been able to get the form-based authentication example to work
  with tomcat? I can get it to work if I connect to tomcat's own http-server
  on port 8080
  but when I connect to the same example via apache (via mod_jk to tomcat)
  after I log in I get
  http://localhost/examples/jsp/security/login/j_security_check
 
  with a message saying the page cannot be found.
  Is this a known bug in tomcat? Is there some subtle configuration thing
  I've missed?
 
  -Mike Jennings
 
  __
  Mike Jennings
  Southgate  Software Ltd.
  250-382-6851 (ph)
  250-382-6800 (fax)
  [EMAIL PROTECTED]
 -
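The 404 on j_security_check in this thread and in the DSCservlet thread above has the same cause: Apache only hands Tomcat the URLs that some JkMount pattern covers. The Python below is an added example, not code from any poster or from mod_jk; it uses a simplified model of JkMount matching (exact, /ctx/* and /ctx/*.ext), hypothetical function names, and configuration lines retyped from the posts.

```python
import re

# Retyped from the DSCservlet post: Apache aliases the webapp directory and
# forwards only servlets and JSPs to Tomcat.
POSTED_CONF = """\
Alias /DSCservlet /webapps/SSL_apps/dsc/servlet
JkMount /DSCservlet/servlet/* ajp13
JkMount /DSCservlet/*.jsp ajp13
"""

# The two mounts suggested in the reply: forward the whole context.
FORWARD_ALL_CONF = """\
JkMount /DSCservlet ajp13
JkMount /DSCservlet/* ajp13
"""

# Paths (relative to the context) taken from the posted web.xml and upload form.
FORM_URLS = ["/LoginForm.html", "/LoginError.html",
             "/servlet/FileUpload.UploadServlet"]


def parse_jkmounts(conf_text):
    """Return [(pattern, worker)] for every JkMount directive, skipping comments."""
    mounts = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(?i)JkMount\s+(\S+)\s+(\S+)$", line)
        if m:
            mounts.append((m.group(1), m.group(2)))
    return mounts


def mount_matches(pattern, path):
    """Simplified JkMount matching (an assumption, not mod_jk's own code)."""
    if pattern.endswith("/*"):                 # context match: /ctx/*
        return path.startswith(pattern[:-1])
    if "/*" in pattern:                        # suffix match: /ctx/*.jsp
        prefix, suffix = pattern.split("/*", 1)
        return path.startswith(prefix + "/") and path.endswith(suffix)
    return path == pattern                     # exact match


def served_by(uri, mounts):
    """Name of the worker that receives the URI, or 'apache' if none does."""
    path = uri.split("?", 1)[0]
    for pattern, worker in mounts:
        if mount_matches(pattern, path):
            return worker
    return "apache"


def audit_form_login(conf_text, context, urls):
    """Map j_security_check and each listed URL to whoever answers it."""
    mounts = parse_jkmounts(conf_text)
    needed = [context + "/j_security_check"] + [context + u for u in urls]
    return {u: served_by(u, mounts) for u in needed}


def not_forwarded(conf_text, context, urls):
    """URLs of the login flow that never reach Tomcat under this config."""
    report = audit_form_login(conf_text, context, urls)
    return sorted(u for u, who in report.items() if who == "apache")


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("forward-all", FORWARD_ALL_CONF)):
        print(name, not_forwarded(conf, "/DSCservlet", FORM_URLS))
```

A URL reported as not forwarded is answered by Apache alone, so neither j_security_check nor the security-constraint in web.xml applies to it; with the Alias in place, Apache serves such files straight from the docBase.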




Re: Form Based Authentication with Encryption

2001-03-07 Thread Andrew Robson

Hi Amit,
  I'm using 3.2 so details may vary.
What you want to do is write your own authentication module. 
Easier than it sounds. Just take a copy of the authentication module you 
are using (SimpleRealm?) to use as a base for your own code. Add in
the functionality you want, compile and include in TOMCAT_HOME/lib/webserver.jar
Edit server.xml to use your custom authentication module. 
Also, I'd recommend you look at JDBCRealm so that you can store usernames
and passwords in a database. Quite apart from the other advantages you may 
then be able to take advantage of the db's encryption facilities (e.g. MySql's
Password function) and save yourself the bother of writing your own.

Hope this helps
Andrew

On Wed, 07 Mar 2001, you wrote:
 
 Hi All,
 
 I'm using tomcat 4.0 Beta1.
 I successfully tested out the form based authentication provided with tomcat.
 
 But, the main problem with it is: it uses plain text to store users, roles and passwords
 in the "tomcat-users.xml" file placed in TOMCAT_HOME\conf.
 
 Is there any plugin for tomcat to encrypt the passwords stored in this file ?
 or is there any round-about to do so.
 
 Thanking you in advance.
 
 With Regards,
 -Amit
 E-Mail:[EMAIL PROTECTED]
 Sansui Software Pvt. Ltd.,Pune
 





Re: Form Based Authentication with Encryption

2001-03-07 Thread amit



Thanks Andrew,

But, I'm using XML to store my whole data (this is a requirement 
of the product).
We are not at all using any database.

So with this regard, would you like to comment something 
more?
Also, can you suggest some resource for 
creating my own customized "authentication module"?

Thanks in advance.

Regards,
-Amit.



Re: Form based authentication

2001-02-08 Thread Bill_Fellows/MO/americancentury



I've run into the same problem.  I created an industrial strength bandaid for
this problem by writing a simple servlet, mapped to /null, that redirects them
where I want to go (which is defined in the web.xml).  I've been too lazy to
investigate what is actually throwing this so if anyone has any insight, please
speak up.  If you need the bandaid code, let me know.

/bill



Dilip Dalton [EMAIL PROTECTED] on 02/08/2001 12:36:27 PM



Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Bill Fellows/MO/americancentury)
Subject:  Form based authentication



Hi,

  I am running tomcat 3.2.1, and I have started to use form based
authentication for my application.

  The 'examples' form based authentication works fine. But when I use it
from my application I get
   the following:

Not Found (404)

Original request: /hyseq/jsp/null

Not found request: /hyseq/jsp/null

  Could anybody shed some light on this,

Thank you,
Dilip.






RE: Form based authentication and JDBC Realm with Interbase

2001-01-23 Thread Ignacio J. Ortega

Please post your server.xml JDBCRealm config, to have a look at it..

Regards,
Ignacio J. Ortega


 -Original Message-
 From: Nigel Stirzaker [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, 23 January 2001 12:41
 To: '[EMAIL PROTECTED]'
 Subject: Form based authentication and JDBC Realm with Interbase
 
 
 Hi
 I'm trying to get form based authentication working with jBoss/Tomcat and
 interbase 5.6 but I'm getting the following error. Interbase is working
 fine for the CMP
 and code and general setup works fine with mySQL (our other trial database).
 It looks to me like the param being set up for the query by
 PreparedStatement.setString
 is Null and hence the error
 
 Version used
 Interclient 1.6
 jBoss 2.0 Final
 Tomcat 3.2
 Win 2000
 
 
 2001-01-23 10:23:17 - ContextManager: JDBCRealm: JDBCRealm.authenticate:
 SELECT USER_PASS FROM USERS WHERE USER_NAME = ?
 
 2001-01-23 10:23:18 - Ctx( /war ): Exception in: R( /war + /member/test.jsp + null) - java.lang.NullPointerException
 at interbase.interclient.PreparedStatement.setString(Unknown Source)
 at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)
 at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:480)
 at org.apache.tomcat.core.ContextManager.doAuthenticate(ContextManager.java, Compiled Code)
 at org.apache.tomcat.core.RequestImpl.getRemoteUser(RequestImpl.java:341)
 at org.apache.tomcat.request.JDBCRealm.authorize(JDBCRealm.java:501)
 at org.apache.tomcat.core.ContextManager.doAuthorize(ContextManager.java, Compiled Code)
 at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:789)
 at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
 at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
 at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java, Compiled Code)
 at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java, Compiled Code)
 at java.lang.Thread.run(Thread.java:479)
 
 Anybody got any ideas
 Thanks in advance
 
 Nigel
 
 Nigel Stirzaker
 Software Consultant
 SSA Softwright
 (01753) 811833 Ext 265
 [EMAIL PROTECTED]
 www.Softwright.co.uk
 
 




RE: Form based authentication and JDBC Realm with Interbase

2001-01-23 Thread Nigel Stirzaker

Thanks
I've posted it onto the list. Here is a copy as well

<RequestInterceptor 
className="org.apache.tomcat.request.JDBCRealm" 
debug="99" 
driverName="interbase.interclient.Driver"
connectionURL="jdbc:interbase://localhost:3060/D:/Development/DBs/authority.gdb"
connectionName="sysdba"
connectionPassword="masterkey"
userTable="USERS" 
userNameCol="USER_NAME" 
userCredCol="USER_PASS" 
userRoleTable="USER_ROLES" 
roleNameCol="ROLE_NAME" />

<RequestInterceptor
className="org.apache.tomcat.request.Jdk12Interceptor"
debug="0" 
/>
thanks

Nigel Stirzaker
Software Consultant
SSA Softwright
(01753) 811833 Ext 265
[EMAIL PROTECTED]
www.Softwright.co.uk






RE: FORM BASED AUTHENTICATION...

2001-01-16 Thread BBueckers

I was using 3.1 and then I found the following post
http://mikal.org/interests/java/tomcat_users/msg02828.html in which they
were having the same types of problems I was experiencing. So I installed ver
3.2.1 and everything works as originally anticipated. All the form based
logins work.

Bob


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 3:00 PM
To: [EMAIL PROTECTED]
Subject: FORM BASED AUTHENTICATION...


Has anyone successfully setup form-based security authentication? Have you
gotten the error page to display when the wrong username/password was
entered? What do you recommend for implementing form-based security?

Thanks in advance,

Bob





RE: FORM based Authentication and JDBC Realm

2001-01-05 Thread Nacho

Please send the excerpt of your server.xml file with the
RequestInterceptor 

Thanks

Regards,
Ignacio J. Ortega

-Original Message-
From: Vincent Harcq [mailto:[EMAIL PROTECTED]]
Sent: Friday, 5 January 2001 17:45
To: [EMAIL PROTECTED]
Subject: FORM based Authentication and JDBC Realm


Hi!
Tomcat 3.2.1 Interbase 6 Database.
I have setup JDBCRealm and I am trying to use the
/examples/jsp/security/protected/index.jsp that is provided with Tomcat
to validate it.
So I only change server.xml, I use the original web.xml from the example
application.

When I go to the 
I receive Exception
2001-01-05 05:27:31 - ContextManager: JDBCRealm: JDBCRealm.authenticate:
SELECT user_pass FROM j2eeusers WHERE user_name= ?
2001-01-05 05:27:31 - Ctx( /vmi ): Exception in: R( /vmi +
/jsp/protected/index.html + null) - java.lang.NullPointerException
 at interbase.interclient.PreparedStatement.setString(PreparedStatement.java:973)
 at org.apache.tomcat.request.JDBCRealm.authenticate(JDBCRealm.java:306)

When I first go to the login.jsp, I can log in and then go on the
protected resources.

Strange.

Any ideas ?

Vincent HARCQ




