Re: issue with Form based authentication

2021-12-30 Thread Christopher Schultz
://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing Thanks and Regards, Rajendra Rathore 9922701491 From: Rathore, Rajendra Sent: Thursday, December 30, 2021 4:25 PM To: users@tomcat.apache.org Subject: issue with Form based authentication Importance: High Hi Team

Re: issue with Form based authentication

2021-12-30 Thread Mark Thomas
Thanks and Regards, Rajendra Rathore 9922701491 From: Rathore, Rajendra Sent: Thursday, December 30, 2021 4:25 PM To: users@tomcat.apache.org Subject: issue with Form based authentication Importance: High Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try

RE: issue with Form based authentication

2021-12-30 Thread Rathore, Rajendra
: issue with Form based authentication Importance: High Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below: issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout

issue with Form based authentication

2021-12-30 Thread Rathore, Rajendra
Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below: issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user

Re: AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Christopher Schultz
Mark, On 12/3/21 05:29, Mark Thomas wrote: On 03/12/2021 10:00, Keil, Matthias (ORISA Software GmbH) wrote: Hi Mark, sorry for the late reply. Unfortunately I was sick. Thanks for your advice. The error was in front of the computer . I had misspelled the context path in the appContext Now

Re: AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Mark Thomas
for the provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. Not that I am aware of. Mark

AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Keil, Matthias (ORISA Software GmbH)
: Monday, 22 November 2021 18:28 To: users@tomcat.apache.org Subject: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: > Hello everyone, > > I take up a topic of my own again. The point there was that I would like to >

AW: JASPIC Provider for FORM based Authentication

2021-12-03 Thread Keil, Matthias (ORISA Software GmbH)
-Original Message- From: Mark Thomas Sent: Monday, 22 November 2021 18:28 To: users@tomcat.apache.org Subject: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: > Hello everyone, > > I take up a to

Re: JASPIC Provider for FORM based Authentication

2021-11-22 Thread Mark Thomas
for the provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. Not that I am aware of. Mark

JASPIC Provider for FORM based Authentication

2021-11-22 Thread Keil, Matthias (ORISA Software GmbH)
or dynamically by implementing an AuthConfigProvider). Now here are my questions: 1. Is there a possibility to activate the JASPIC provider for only one of the two applications? 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. thanks in advance Matthias

Re: HTTP 400 with Form based authentication

2015-09-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/9/15 9:45 AM, Christopher Schultz wrote: > On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: >> I have found the cause of the problem. It seems that there is no >> null checking in the DataSourceRealm in Tomcat. What I mean is >> that if a

Fwd: HTTP 400 with Form based authentication

2015-09-09 Thread Sreyan Chakravarty
I have found the cause of the problem. It seems that there is no null checking in the DataSourceRealm in Tomcat. What I mean is that if a particular user does not exist in the database and is credentials are returned as a null string then no null checking is specified. I would like to open this

Re: HTTP 400 with Form based authentication

2015-09-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/7/15 9:56 AM, Sreyan Chakravarty wrote: > I did what you said. That is pointing the web browser to a > protected resource without authentication and then logging in. It > works perfectly IF AND ONLY IF the credentials are ABSOLUTELY >

Re: HTTP 400 with Form based authentication

2015-09-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: > I have found the cause of the problem. It seems that there is no > null checking in the DataSourceRealm in Tomcat. What I mean is that > if a particular user does not exist in the database and

Re: HTTP 400 with Form based authentication

2015-09-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/9/15 12:49 PM, Sreyan Chakravarty wrote: > Okay can you please guide me on how to log the bug. That would be > great. If possible you could do it yourself also. 1. Register for Bugzilla at bz.apache.org 2. Fill-out this form:

Re: HTTP 400 with Form based authentication

2015-09-09 Thread Sreyan Chakravarty
Okay can you please guide me on how to log the bug. That would be great. If possible you could do it yourself also. And as far as opinions go I really don't know. The whole process of Realms seem confusing to me and its overtly complicated. Thanks for testing out the issue. On Wed, Sep 9, 2015

Re: HTTP 400 with Form based authentication

2015-09-07 Thread tomcat
Hi. I have not really followed this thread from the beginning, but maybe I can contribute something here.. On 07.09.2015 15:56, Sreyan Chakravarty wrote: .. Also can I webapp have different realms ? If so how do you distinguish them ? I was looking at the RealmBase source and I haven't

Re: HTTP 400 with Form based authentication

2015-09-07 Thread Sreyan Chakravarty
I did what you said. That is pointing the web browser to a protected resource without authentication and then logging in. It works perfectly IF AND ONLY IF the credentials are ABSOLUTELY correct. Otherwise I am getting undefined behavior and that's where I need your help now. First-: If I provide

Re: HTTP 400 with Form based authentication

2015-09-07 Thread Sreyan Chakravarty
Yes but what happens when the user passes a user-id that is not present in the DB. Or a password that is incorrect. How would the server handle that ? If I pass an incorrect user I am getting a NPE. And if I pass an invalid password but a valid user I am not being redirected to the

Re: HTTP 400 with Form based authentication

2015-09-07 Thread Sreyan Chakravarty
I have found the cause of the problem. It seems that there is no null checking in the DataSourceRealm in Tomcat. What I mean is that if a particular user does not exist in the database and is credentials are returned as a null string then no null checking is specified. I would like to open this

Re: HTTP 400 with Form based authentication

2015-09-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 3:20 PM, Sreyan Chakravarty wrote: > Ok I found FormAuthenticator and landingPage attribute in it in the > source. You shouldn't need to look at the source. > But how do I use that in my application ? What do I do ? You

Re: HTTP 400 with Form based authentication

2015-09-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 3:16 PM, Sreyan Chakravarty wrote: > Well Christopher thanks for that eye opener. I didn't know that the > specs were so inconsistent. They aren't inconsistent... it's just that they don't cover a popular use case. Remember that

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
I don't understand where did I request the login page directly ? I just put as index.jsp and and the error page as index.jsp?error=true. So where is my error ? On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomas wrote: > On 29/08/2015 22:16, Sreyan Chakravarty wrote: > > Okay this

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
Wait I am sure I am going wrong in a fundamental area. My security constraint is as follow-: TECHERS /teacher/success.jsp GET POST TEACHER FORM /index.jsp

RE: HTTP 400 with Form based authentication

2015-08-31 Thread Caldarale, Charles R
> From: Sreyan Chakravarty [mailto:sreyan.mail...@gmail.com] > Subject: Re: HTTP 400 with Form based authentication > My security constraint is as follow-: > > FORM > > /index.jsp > /index.jsp?error=true > >

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 12:34 PM, Sreyan Chakravarty wrote: > Wait I am sure I am going wrong in a fundamental area. > > My security constraint is as follow-: > > > TECHERS > /teacher/success.jsp > GET POST > > > TEACHER > > > FORM >

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
First of all I did read the Servlet Spec, it provided no hint as to what I was doing wrong. So you are saying that I can't have a login form on the page when the welcome page ? Why not ? Tons of site have just that, like Twitter and Facebook. It seems weird why I can't have it on my welcome page.

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: > First of all I did read the Servlet Spec, it provided no hint as to > what I was doing wrong. > > So you are saying that I can't have a login form on the page when > the welcome page ? Why

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Mark Thomas
On 31/08/2015 18:49, Christopher Schultz wrote: > Really the only thing the servlet spec is missing is a setting in > like or something like that, so > that if you try to login with j_security_check and you hadn't already > requested a protected resource, the container knows where to send the >

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/31/15 2:01 PM, Mark Thomas wrote: > On 31/08/2015 18:49, Christopher Schultz wrote: > >> Really the only thing the servlet spec is missing is a setting >> in like or something like >> that, so that if you try to login with

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
Well Christopher thanks for that eye opener. I didn't know that the specs were so inconsistent. Okay now regarding your comment-: "Servlet 3.0 added the HttpServletRequest.login() method would improved the situation greatly: you can implement your own login handler that plugs-into the

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Sreyan Chakravarty
Ok I found FormAuthenticator and landingPage attribute in it in the source. But how do I use that in my application ? What do I do ? Any documentation for this ? On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < sreyan.mail...@gmail.com> wrote: > Well Christopher thanks for that eye opener.

Re: HTTP 400 with Form based authentication

2015-08-31 Thread Mark Thomas
On 31/08/2015 07:00, Sreyan Chakravarty wrote: > I don't understand where did I request the login page directly ? I just put > as index.jsp and and the error page as > index.jsp?error=true. > > So where is my error ? Did you request '/teacher/success.jsp' ? No, you did not. Did you request

Re: HTTP 400 with Form based authentication

2015-08-30 Thread Mark Thomas
On 29/08/2015 22:16, Sreyan Chakravarty wrote: Okay this is my first try at container based authentication using Realms in Tomcat. And things have gone wrong. Here is my login page -: snip/ My web.xml security configuration is -: security-constraint web-resource-collection

HTTP 400 with Form based authentication

2015-08-29 Thread Sreyan Chakravarty
Okay this is my first try at container based authentication using Realms in Tomcat. And things have gone wrong. Here is my login page -: html body h2Login/h2 form method=post action=j_security_check User ID: input type=text name=j_username / br / Password: input type=password

How to set Session Values with Form Based Authentication

2015-08-25 Thread Thusitha Thilina Dayaratne
Hi, I'm using form based authentication with j_security_check. I want to set some session values upon the user login. I can set them in the index page. But when user directly put some other url then it will redirect to login page and then back to the actual requested page. Therefore my logic

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-13 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/12/15 7:10 PM, rop wrote: Hi Chris, Yes, we are applying salt before hashing (to prevent googling up many passwords from the hashes). Depending upon how you are storing the salt, you may be able to use Tomcat out of the box, now,

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread David kerber
PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread Mark Thomas
On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
Finally, found the issue. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that). Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/12/15 3:33 PM, rop wrote: Finally, found the issue. Please bottom-post if you can. Also, please sign your posts. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote: On 12/03/2015 15:51, rop wrote: Ah, I got it

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-12 Thread rop
Hi Chris, Yes, we are applying salt before hashing (to prevent googling up many passwords from the hashes). Override probably seemed like easiest way at the time, but maybe a better way now. Will check it out, thanks. /Rop On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz

Re: Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when

Form-based authentication breaks after upgrade to Tom 7.0.59

2015-03-10 Thread rop
We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find anything in catalina.out related to this. From our logging

Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-26 Thread Neeraj Sinha
On 12 March 2014 20:40, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/12/14, 10:47 AM, Neeraj Sinha wrote: Thanks. Actually in the realm implementation, I make a call to backend authenticate () method which validates

Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-12 Thread Neeraj Sinha
, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his

Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/12/14, 10:47 AM, Neeraj Sinha wrote: Thanks. Actually in the realm implementation, I make a call to backend authenticate () method which validates various login rules and if any of them fails, it returns false and the user is not

Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-11 Thread Christopher Schultz
is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him to unlocking page(let's say *unlock.jsp*) which has 3

Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-07 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has

Re: Passing additional parameters using j_security_check (Form based authentication)

2014-03-07 Thread Neeraj Sinha
Chris, On 7 March 2014 21:43, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based

Passing additional parameters using j_security_check (Form based authentication)

2014-03-06 Thread Neeraj Sinha
I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-07-02 Thread Shanti Suresh
Greetings, On Wed, Jun 26, 2013 at 4:08 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, But, even when sending UTF-8 encoded data according to this principle, they are *not* indicating that it is UTF-8 data, which

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-07-02 Thread André Warnier
Shanti Suresh wrote: Greetings, On Wed, Jun 26, 2013 at 4:08 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, But, even when sending UTF-8 encoded data according to this principle, they are *not* indicating that it is

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Jan Vávra
charset in Content-Type. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread André Warnier
of them is appending charset in Content-Type. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jan, On 6/26/13 7:14 AM, Jan Vávra wrote: Hello, When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type:

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Christopher Schultz
in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user code runs

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Shanti Suresh
Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the common way to override

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread André Warnier
Shanti Suresh wrote: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Konstantin Kolinko
2013/6/26 Shanti Suresh sha...@umich.edu: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Shanti, On 6/26/13 11:00 AM, Shanti Suresh wrote: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years...

Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials

2013-06-26 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 6/26/13 11:40 AM, André Warnier wrote: Shanti Suresh wrote: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix

FORM based authentication and utf-8 encoding of credentials

2013-06-24 Thread Jan Vávra
bytes of first letter are C3, 85 instead of expected C5, BD. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Thanks Jan

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-24 Thread Jan Vávra
? From: Jan Vávra [va...@602.cz] Sent: Monday, 24 June 2013 13:36 To: Tomcat Users List Subject: FORM based authentication and utf-8 encoding of credentials Hello, I'm successfully using form based authentication when login or password contains only letters from English alphabet. I

Re: FORM based authentication and utf-8 encoding of credentials

2013-06-24 Thread Mark Thomas
. This is a common failing of browsers and is covered in the FAQ. [1] Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user

FORM based authentication with MD5 encrypted password

2010-12-07 Thread mike lan
Hello everyone, is there a way to do FORM based authentication in tomcat but with MD5 encrypted password ? thanks

Re: FORM based authentication with MD5 encrypted password

2010-12-07 Thread Mark Thomas
On 07/12/2010 11:14, mike lan wrote: Hello everyone, is there a way to do FORM based authentication in tomcat but with MD5 encrypted password ? Yes. Read the realm docs for details. Mark

Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread Nicholas Duan
I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp example (http://localhost:8080/examples/jsp/security/protected) that bundled with the tomcat distribution. I've tried

Re: Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nicholas, On 2/11/2010 3:19 PM, Nicholas Duan wrote: I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp example (http://localhost

Re: Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread André Warnier
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nicholas, On 2/11/2010 3:19 PM, Nicholas Duan wrote: I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp

Re: Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread Nicholas Duan
with your machine and JDK configuration. Thanks! ND - Original Message - From: André Warnier a...@ice-sa.com Date: Thursday, February 11, 2010 3:26 pm Subject: Re: Basic/Form-based authentication with Tomat 6.0 Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash

RE: Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread Caldarale, Charles R
From: Nicholas Duan [mailto:nd...@gmu.edu] Subject: Re: Basic/Form-based authentication with Tomat 6.0 If my server caught fire, I would be calling 911 instead of asking for help here... Despite your protestations, you still haven't told us what *does* happen when you try to use

Re: RE: Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread Nicholas Duan
Thanks Chuck! Indeed it was commented out. I must have overlooked the comment marker. Thanks! ND - Original Message - From: Caldarale, Charles R chuck.caldar...@unisys.com Date: Thursday, February 11, 2010 4:09 pm Subject: RE: Basic/Form-based authentication with Tomat 6.0 From

RE: RE: Basic/Form-based authentication with Tomat 6.0

2010-02-11 Thread Caldarale, Charles R
From: Nicholas Duan [mailto:nd...@gmu.edu] Subject: Re: RE: Basic/Form-based authentication with Tomat 6.0 Thanks Chuck! Indeed it was commented out. I must have overlooked the comment marker. Thanks! Thank André, he suggested it. - Chuck

Re: doubts about tomcat form based authentication

2009-10-20 Thread Curtis Garman
?...if you really mean authentication, it sounds to me like you don't have something set up correctly...you should be getting a 403 access denied in both firefox and ie if login fails. Authorization has nothing to do with form based authentication and would be handled by the container based

Re: doubts about tomcat form based authentication

2009-10-20 Thread Nirvann
authorization or authentication?...if you really mean authentication, it sounds to me like you don't have something set up correctly...you should be getting a 403 access denied in both firefox and ie if login fails. Authorization has nothing to do with form based authentication and would

Re: doubts about tomcat form based authentication

2009-10-20 Thread Markus Schönhaber
Nirvann: I meant authorization. Consider a scenario as follows. There are two users, admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has rights to both the pages but user can access only userPage.jsp. Let's assume that the user logs in as user (not admin) and accesses

Re: doubts about tomcat form based authentication

2009-10-20 Thread Curtis Garman
I would also google making internet explorer display your error page ...this is something I learned in the apache cookbook...IE will display its own error message if your error page isn't at least 512 bytes...anyway you might want to research this a little Did you define a custom 403 page? Are

Re: doubts about tomcat form based authentication

2009-10-20 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nirvann, On 10/20/2009 2:50 AM, Nirvann wrote: The first thing is what mechanism can be used to handle authorization errors. For authentication we have control of jsp pages (Login and Login error pages). But there is nothing to let users know that

Re: doubts about tomcat form based authentication

2009-10-20 Thread Curtis Garman
On Tue, Oct 20, 2009 at 10:55 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nirvann, On 10/20/2009 2:50 AM, Nirvann wrote: The first thing is what mechanism can be used to handle authorization errors. For authentication we have

Re: doubts about tomcat form based authentication

2009-10-20 Thread Nirvann
. regards, nirvan.

Re: doubts about tomcat form based authentication

2009-10-20 Thread Josh Gooding
in web.xml file but the page was not at proper location. Hence I was getting 404 file not found. Now I can access the role error page for authorization error. Thanks a lot for all your insights. regards, nirvan.

Re: Form-based authentication

2009-06-22 Thread Oliver Block
On Sunday, 21 June 2009 01:34:29, Caldarale, Charles R wrote: [...] you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently User). You must have a role class that implements Principal and Serializable (in addition to the Principal class

Form-based authentication

2009-06-20 Thread Oliver Block
Hello everybody, If this is not the appropriate mailing list, please tell me which mailing list I should use. I have written a first jaas login module and it does authenticate users by logging into an imap server. If the credentials establish a connection and the inbox can be opened, the login

RE: Form-based authentication

2009-06-20 Thread Caldarale, Charles R
From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Form-based authentication But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has an imap account to web.xml? No, each user would normally have a set

Re: Form-based authentication

2009-06-20 Thread Oliver Block
On Saturday, 20 June 2009 23:41:11, Caldarale, Charles R wrote: From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Form-based authentication But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has

RE: Form-based authentication

2009-06-20 Thread Caldarale, Charles R
From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Re: Form-based authentication Are the roles passed to the LoginModule? No, you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently User). You must have a role class

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-14 Thread Christopher Schultz
Chuck, On 5/13/2009 8:16 AM, Caldarale, Charles R wrote: From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session before it is authenticated? P.S: BTW, is Tomcat planning to resolve

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-14 Thread Christopher Schultz
Martin, On 5/13/2009 9:27 AM, Martin Gainty wrote: if you are asking how to overcome Man-in-the-middle fraudulent manipulation based on basic authentication? He's not. and or Man-in-the middle fraudulent manipulation based on Form-based

RE: Form Based Authentication creates user session before it is authenticated?

2009-05-13 Thread Caldarale, Charles R
From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session before it is authenticated? P.S: BTW, is Tomcat planning to resolve this vulnerability in near future? I'll bite: what vulnerability are you referring to? - Chuck

RE: Form Based Authentication creates user session before it is authenticated?

2009-05-13 Thread Martin Gainty
http://www.cafesoft.com/products/cams/tomcat-security.html if you are asking how to overcome Man-in-the-middle fraudulent manipulation based on basic authentication? and or Man-in-the middle fraudulent manipulation based on Form-based authentication which uses j_username

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-12 Thread umeshkavade

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-12 Thread umeshkavade
Christopher, I got the solution. Thanks. Umesh

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-11 Thread Christopher Schultz
Umesh, On 5/8/2009 9:03 PM, umeshkavade wrote: In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-09 Thread Pid
umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session

Re: Form Based Authentication creates user session before it is authenticated?

2009-05-09 Thread Pid
Pid wrote: umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates

RE: Form Based Authentication creates user session before it is authenticated?

2009-05-09 Thread Martin Gainty
Subject: Re: Form Based Authentication creates user session before it is authenticated? Pid wrote: umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing

Form Based Authentication creates user session before it is authenticated?

2009-05-08 Thread umeshkavade
Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web
