Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
I don't understand where I requested the login page directly? I just put the login page as index.jsp and the error page as index.jsp?error=true. So where is my error? On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomas wrote: > On 29/08/2015 22:16, Sreyan Chakravarty wrote: > > Okay this

Re: How do LockOutRealms work ?

2015-08-31 Thread Sreyan Chakravarty
In your opinion would a security framework help in doing this? Like Apache Shiro? On Sun, Aug 30, 2015 at 9:51 PM, Mark Thomas wrote: > On 29/08/2015 21:51, Sreyan Chakravarty wrote: > > Is there any way I can tell the user what number of login attempt he > > is on?

Re: Designating a home page while using Realms

2015-08-31 Thread Sreyan Chakravarty
Can you provide a link to the section of the Servlet Spec to which you are referring. On Sun, Aug 30, 2015 at 9:55 PM, Mark Thomas wrote: > On 29/08/2015 22:26, Sreyan Chakravarty wrote: > > Okay I have just started to use Realms and container managed > authentication > > and

Re: How do LockOutRealms work ?

2015-08-31 Thread Ludovic Pénet
I can't see what would be the risks with being able to explain "This account is locked for X minutes"... I experienced situations where the user calls the first level service desk and a ticket goes all its way to someone who can read the server logs and understand the issue... Not exactly

Re: Adding User to a Realm

2015-08-31 Thread Christopher Schultz
Sreyan, On 8/29/15 4:54 PM, Sreyan Chakravarty wrote: > Now can you tell me how do I write my own custom credential > handler. Planning one that uses sCrypt. Just create a new class that implements the CredentialHandler interface. Of course, that

Re: Webapp killing entire Tomcat process

2015-08-31 Thread Christopher Schultz
Chuck, On 8/30/15 8:52 PM, Caldarale, Charles R wrote: >> From: Jerry Malcolm [mailto:techst...@malcolms.com] Subject: >> Webapp killing entire Tomcat process > >> But in my opinion, no matter what happens in the code, TC >> shouldn't completely

Re: How do LockOutRealms work ?

2015-08-31 Thread Christopher Schultz
Mark, On 8/31/15 6:42 AM, Mark Thomas wrote: > On 31/08/2015 07:32, Ludovic Pénet wrote: >> I can't see what would be the risks with being able to explain >> "This account is locked for X minutes"... > > An attacker performing a brute force attack

Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-08-31 Thread dmccrthy
Hi Chris, To cut a long story short openssl helped. Using openssl -connect showed the error below. When I added the -tls1 flag the error went away. 2104:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:532: Configuring Tomcat with the JVM parameter

Re: Adding User to a Realm

2015-08-31 Thread Sreyan Chakravarty
Christopher, what I am planning to do is getting the source of an open source sCrypt library and actually copy pasting the source code into the ScryptCredentialHandler.java, since I am no security expert. Now this eliminates the compile time dependency but if the open source scrypt library is

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
Wait, I am sure I am going wrong in a fundamental area. My security constraint is as follows: TECHERS /teacher/success.jsp GET POST TEACHER FORM /index.jsp

RE: HTTP 400 with Form based authentication

2015-08-31 Thread Caldarale, Charles R
> From: Sreyan Chakravarty [mailto:sreyan.mail...@gmail.com] > Subject: Re: HTTP 400 with Form based authentication > My security constraint is as follows: > > FORM > > /index.jsp > /index.jsp?error=true > > > This is my understanding

Re: [OT] Tomcat 7.0.55/Jre 7u67: SEND TLSv1 ALERT: fatal, description = bad_record_mac

2015-08-31 Thread Christopher Schultz
Diarmuid, On 8/31/15 11:36 AM, dmccrthy wrote: > To cut a long story short openssl helped. Using openssl -connect > showed the error below. When I added the -tls1 flag the error went > away. > > 2104:error:1408F119:SSL

Re: Adding User to a Realm

2015-08-31 Thread Christopher Schultz
Sreyan, On 8/31/15 12:23 PM, Sreyan Chakravarty wrote: > Christopher, what I am planning to do is getting the source of an > open source sCrypt library and actually copy pasting the source > code into the ScryptCredentialHandler.java. Since I am no

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Christopher Schultz
Sreyan, On 8/31/15 12:34 PM, Sreyan Chakravarty wrote: > Wait, I am sure I am going wrong in a fundamental area. > > My security constraint is as follows: > > > TECHERS > /teacher/success.jsp > GET POST > > > TEACHER > > > FORM >

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
First of all I did read the Servlet Spec, it provided no hint as to what I was doing wrong. So you are saying that I can't have a login form on the page when it is the welcome page? Why not? Tons of sites have just that, like Twitter and Facebook. It seems weird why I can't have it on my welcome page.

Re: Adding User to a Realm

2015-08-31 Thread Sreyan Chakravarty
Yup, the API is very easy to use but that keeps a compile time dependency. What I mean is that you also need to put the sCrypt jar into your /lib folder. If that's okay then things get really easy. Regards Sreyan Chakravarty On Mon, Aug 31, 2015 at 10:52 PM, Christopher Schultz <

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Christopher Schultz
Sreyan, On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: > First of all I did read the Servlet Spec, it provided no hint as to > what I was doing wrong. > > So you are saying that I can't have a login form on the page when > the welcome page ? Why

Re: Adding User to a Realm

2015-08-31 Thread Christopher Schultz
Sreyan, On 8/31/15 1:42 PM, Sreyan Chakravarty wrote: > Yup, the API is very easy to use but that keeps a compile time > dependency. What I mean is that you also need to put the sCrypt jar > into your /lib folder. If that's okay then things get really

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Mark Thomas
On 31/08/2015 18:49, Christopher Schultz wrote: > Really the only thing the servlet spec is missing is a setting in > like or something like that, so > that if you try to login with j_security_check and you hadn't already > requested a protected resource, the container knows where to send the >

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Christopher Schultz
Mark, On 8/31/15 2:01 PM, Mark Thomas wrote: > On 31/08/2015 18:49, Christopher Schultz wrote: > >> Really the only thing the servlet spec is missing is a setting >> in like or something like >> that, so that if you try to login with

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
Well Christopher, thanks for that eye opener. I didn't know that the specs were so inconsistent. Okay now regarding your comment: "Servlet 3.0 added the HttpServletRequest.login() method which would improve the situation greatly: you can implement your own login handler that plugs into the

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
Ok, I found FormAuthenticator and its landingPage attribute in the source. But how do I use that in my application? What do I do? Any documentation for this? On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < sreyan.mail...@gmail.com> wrote: > Well Christopher, thanks for that eye opener.

Re: How do LockOutRealms work ?

2015-08-31 Thread George Sexton
On 8/31/2015 8:54 AM, Christopher Schultz wrote: You also tell them how long they have to wait before they can resume their brute-force attack without wasting their own time. Much better to let a brute force attacker pound away at a locked account wasting their resources and probably tripping

Re: How do LockOutRealms work ?

2015-08-31 Thread Ludovic Pénet
The points you raise are, of course real and important. I would probably decide the same as you for a high profile, publicly available application. I however most often have to develop complex apps only used by, at most, 100s of corporate users. I know perimetric security is less and less

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Mark Thomas
On 31/08/2015 07:00, Sreyan Chakravarty wrote: > I don't understand where I requested the login page directly? I just put > the login page as index.jsp and the error page as > index.jsp?error=true. > > So where is my error? Did you request '/teacher/success.jsp' ? No, you did not. Did you request

Re: Designating a home page while using Realms

2015-08-31 Thread Mark Thomas
On 31/08/2015 07:01, Sreyan Chakravarty wrote: > Can you provide a link to the section of the Servlet Spec to which you are > referring. You need to be doing a little more research yourself between asking questions rather than expecting the folks here to spoon feed you the answers. If you want

Re: How do LockOutRealms work ?

2015-08-31 Thread Mark Thomas
On 31/08/2015 07:32, Ludovic Pénet wrote: > I can't see what would be the risks with being able to explain "This account > is locked for X minutes"... An attacker performing a brute force attack has zero knowledge. They have to guess both user names and passwords. Telling an attacker an account