Re: How can the login page see parameters in the original request?
Do you mean set session attributes? How do you do that from the client side?

--- On Wed, 12/31/08, Konstantin Kolinko knst.koli...@gmail.com wrote:

> From: Konstantin Kolinko knst.koli...@gmail.com
> Subject: Re: How can the login page see parameters in the original request?
> To: Tomcat Users List users@tomcat.apache.org, removeps-gro...@yahoo.com
> Date: Wednesday, December 31, 2008, 5:43 AM
>
> 2008/12/30 removeps-gro...@yahoo.com:
> > To hide the existence of the page from robots.
> >
> > --- On Tue, 12/30/08, Pid p...@pidster.com wrote:
> >
> > > From: Pid p...@pidster.com
> > > Subject: Re: How can the login page see parameters in the original request?
> > > To: Tomcat Users List users@tomcat.apache.org
> > > Date: Tuesday, December 30, 2008, 6:26 AM
> > >
> > > removeps-gro...@yahoo.com wrote:
> > > > Only if certain secret fields and values are present, do I want to generate the login page.
> > >
> > > They're not really secret if you're passing them as parameters.
> > >
> > > It sounds like you're trying to over-engineer something, which often results in no security improvements and sometimes introduces flaws.
> > >
> > > What is your real goal?
>
> How about passing them with the Session?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How can the login page see parameters in the original request?
2009/1/1 removeps-gro...@yahoo.com:
> Do you mean set session attributes? How do you do that from the client side?

a) You can set them in another page (an unprotected one) that is accessed before, or that redirects to this one.

b) You can pass your secrets as a cookie, or as a request header. Cookies can be created on the client side.

c) You can use RemoteAddrValve and block those clients that should not know about your service.

d) You can throw away all the security constraints from web.xml and use alternative approaches, e.g. those that implement a Filter, e.g. securityfilter ([1]), that is often mentioned on this list and should be easy to adopt, or some others.

[1] http://securityfilter.sourceforge.net/

Best regards,
Konstantin Kolinko
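Option (a) above in working form, as an added example that is not code from this thread, from Tomcat or from the securityfilter project. An unprotected entry page calls a static helper that marks the session; a Filter mapped to the login page answers 404 unless that mark is present, which is the behaviour the original poster asked for. It assumes the Servlet 3.0 API (javax.servlet, so Tomcat 7 or later), a login page at /login.jsp, and the class, package and attribute names shown, all of which are illustrative. As Pid pointed out, this only hides the page from casual crawlers; it is not a credential and the form-login security constraint stays in place.

```java
// Added example, not code from this thread, from Tomcat or from securityfilter.
// Assumes the Servlet 3.0 API and a login page at /login.jsp; every name below
// (package, class, attribute key) is an assumption for illustration.
package example;

import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Gate in front of the form-login page. It does not authenticate anyone;
 * Tomcat's FormAuthenticator still does that. It only decides whether the
 * login page is visible at all.
 *
 * FORWARD is listed because FormAuthenticator reaches the login page with a
 * RequestDispatcher forward, not a client redirect; a filter limited to
 * REQUEST would never see it.
 */
@WebFilter(urlPatterns = {"/login.jsp", "/login-error.jsp"},
           dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})
public class LoginPageGate implements Filter {

    /** Session attribute set by the unprotected entry page (assumed name). */
    public static final String ENTRY_MARK = "example.loginGate.entryMark";

    /** Called by the unprotected entry page, e.g. from a JSP scriptlet. */
    public static void markEntry(HttpServletRequest request) {
        // Creating a session here is intended: this page is reached on purpose.
        request.getSession(true).setAttribute(ENTRY_MARK, Boolean.TRUE);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session for a client that merely
        // probes for the login page, so crawlers leave no server state behind.
        HttpSession session = request.getSession(false);
        boolean marked = session != null
                && Boolean.TRUE.equals(session.getAttribute(ENTRY_MARK));

        if (!marked) {
            // Same status an absent resource would produce.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The entry page (for instance an unprotected entry.jsp) calls `example.LoginPageGate.markEntry(request)` and then redirects to the protected resource; Tomcat forwards that second request to /login.jsp and the filter lets it through. On a Servlet 2.5 container such as Tomcat 6 the annotation is not read, so the same filter is declared in web.xml with a filter-mapping that lists both REQUEST and FORWARD in its dispatcher elements.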
Re: How can the login page see parameters in the original request?
Most thorough, thanks!

--- On Thu, 1/1/09, Konstantin Kolinko knst.koli...@gmail.com wrote:

> From: Konstantin Kolinko knst.koli...@gmail.com
> Subject: Re: How can the login page see parameters in the original request?
> To: Tomcat Users List users@tomcat.apache.org
> Date: Thursday, January 1, 2009, 3:53 PM
>
> 2009/1/1 removeps-gro...@yahoo.com:
> > Do you mean set session attributes? How do you do that from the client side?
>
> a) You can set them in another page (an unprotected one) that is accessed before, or that redirects to this one.
>
> b) You can pass your secrets as a cookie, or as a request header. Cookies can be created on the client side.
>
> c) You can use RemoteAddrValve and block those clients that should not know about your service.
>
> d) You can throw away all the security constraints from web.xml and use alternative approaches, e.g. those that implement a Filter, e.g. securityfilter ([1]), that is often mentioned on this list and should be easy to adopt, or some others.
>
> [1] http://securityfilter.sourceforge.net/
>
> Best regards,
> Konstantin Kolinko
Re: How can the login page see parameters in the original request?
2008/12/30 removeps-gro...@yahoo.com:
> To hide the existence of the page from robots.
>
> --- On Tue, 12/30/08, Pid p...@pidster.com wrote:
>
> > From: Pid p...@pidster.com
> > Subject: Re: How can the login page see parameters in the original request?
> > To: Tomcat Users List users@tomcat.apache.org
> > Date: Tuesday, December 30, 2008, 6:26 AM
> >
> > removeps-gro...@yahoo.com wrote:
> > > Only if certain secret fields and values are present, do I want to generate the login page.
> >
> > They're not really secret if you're passing them as parameters.
> >
> > It sounds like you're trying to over-engineer something, which often results in no security improvements and sometimes introduces flaws.
> >
> > What is your real goal?

How about passing them with the Session?
Re: How can the login page see parameters in the original request?
removeps-gro...@yahoo.com wrote:
> How can the login page see parameters in the original request?

Without some hacking of the Tomcat internals, it can't.

Mark
Re: How can the login page see parameters in the original request?
removeps-gro...@yahoo.com wrote:
> Only if certain secret fields and values are present, do I want to generate the login page.

They're not really secret if you're passing them as parameters.

It sounds like you're trying to over-engineer something, which often results in no security improvements and sometimes introduces flaws.

What is your real goal?

p
Re: How can the login page see parameters in the original request?
To hide the existence of the page from robots.

--- On Tue, 12/30/08, Pid p...@pidster.com wrote:

> From: Pid p...@pidster.com
> Subject: Re: How can the login page see parameters in the original request?
> To: Tomcat Users List users@tomcat.apache.org
> Date: Tuesday, December 30, 2008, 6:26 AM
>
> removeps-gro...@yahoo.com wrote:
> > Only if certain secret fields and values are present, do I want to generate the login page.
>
> They're not really secret if you're passing them as parameters.
>
> It sounds like you're trying to over-engineer something, which often results in no security improvements and sometimes introduces flaws.
>
> What is your real goal?
>
> p
How can the login page see parameters in the original request?
How can the login page see parameters in the original request?

In my app, I make a request to https://localhost/mywebservice/action.do. Because the user is not authenticated, Tomcat redirects them to the login page. I want the login page to be able to see the parameters passed in the original request. Only if certain secret fields and values are present, do I want to generate the login page. Otherwise, I want to send the response code 404.

In FormAuthenticator.java, function saveRequest, they have

    if ("POST".equalsIgnoreCase(request.getMethod())) {
        ByteChunk body = new ByteChunk();
        body.setLimit(request.getConnector().getMaxSavePostSize());
        byte[] buffer = new byte[4096];
        int bytesRead;
        InputStream is = request.getInputStream();
        // read() returns -1 at end of stream
        while ( (bytesRead = is.read(buffer) ) >= 0) {
            body.append(buffer, 0, bytesRead);
        }
        saved.setContentType(request.getContentType());
        saved.setBody(body);
    }

Maybe the act of reading the input stream through is.read uses it up, not sure.