Re: issue with Form based authentication
Mark, Rajendra, On 12/30/21 06:13, Mark Thomas wrote: This is an application design issue, not a Tomcat issue. FORM auth is not intended / designed to work in the following scenario: - user is not authenticated - multiple, concurrent requests are made for resources requiring authentication You need to design the application in such a way that once authentication is triggered, no further requests are made until authentication is complete. +1 An easy way to do this is to make sure that all requests for static resources such as images, etc. are explicitly defined to NOT require any authentication, perhaps like this: unauthenticated-stuff /path/to/static/a/* /path/to/static/a/* /path/to/static/b/* ... -chris On 30/12/2021 11:02, Rathore, Rajendra wrote: Link for image where it will shows the details https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing Thanks and Regards, Rajendra Rathore 9922701491 From: Rathore, Rajendra Sent: Thursday, December 30, 2021 4:25 PM To: users@tomcat.apache.org Subject: issue with Form based authentication Importance: High Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below: issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible. Please let me know if any extra loggers required, will enable and shared with you. Thanks and Regards, Rajendra Rathore - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: issue with Form based authentication
This is an application design issue, not a Tomcat issue. FORM auth is not intended / designed to work in the following scenario: - user is not authenticated - multiple, concurrent requests are made for resources requiring authentication You need to design the application in such a way that once authentication is triggered, no further requests are made until authentication is complete. Mark On 30/12/2021 11:02, Rathore, Rajendra wrote: Link for image where it will shows the details https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing Thanks and Regards, Rajendra Rathore 9922701491 From: Rathore, Rajendra Sent: Thursday, December 30, 2021 4:25 PM To: users@tomcat.apache.org Subject: issue with Form based authentication Importance: High Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below: issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible. Please let me know if any extra loggers required, will enable and shared with you. Thanks and Regards, Rajendra Rathore - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: issue with Form based authentication
Link for image where it will shows the details https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing Thanks and Regards, Rajendra Rathore 9922701491 From: Rathore, Rajendra Sent: Thursday, December 30, 2021 4:25 PM To: users@tomcat.apache.org Subject: issue with Form based authentication Importance: High Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below: issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible. Please let me know if any extra loggers required, will enable and shared with you. Thanks and Regards, Rajendra Rathore
issue with Form based authentication
Hi Team, We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below: issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible. Please let me know if any extra loggers required, will enable and shared with you. Thanks and Regards, Rajendra Rathore
Re: AW: JASPIC Provider for FORM based Authentication
Mark, On 12/3/21 05:29, Mark Thomas wrote: On 03/12/2021 10:00, Keil, Matthias (ORISA Software GmbH) wrote: Hi Mark, sorry for the late reply. Unfortunately I was sick. Thanks for your advice. The error was in front of the computer . I had misspelled the context path in the appContext Now it works as expected Glad you fixed it and thanks for reporting back. It is always good to have the solution in the archives. +1 And Matthias, I would really love it if you would consider doing a presentation on JASPIC for the next ApacheCon. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AW: JASPIC Provider for FORM based Authentication
On 03/12/2021 10:00, Keil, Matthias (ORISA Software GmbH) wrote: Hi Mark, sorry for the late reply. Unfortunately I was sick. Thanks for your advice. The error was in front of the computer . I had misspelled the context path in the appContext Now it works as expected Glad you fixed it and thanks for reporting back. It is always good to have the solution in the archives. Mark Best regards Matthias Keil -Ursprüngliche Nachricht- Von: Mark Thomas Gesendet: Montag, 22. November 2021 18:28 An: users@tomcat.apache.org Betreff: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: Hello everyone, I take up a topic of my own again. The point there was that I would like to accommodate both the configuration and the actual Server Auth module within the application. That worked well with your advice. Unfortunately, I have now reached the point where this solution works for one application, but a parallel application on the same Tomcat then also uses the Server Auth module. There is a entry in the web.xml of the second application. In my opinion, this is ignored as soon as JASPIC is configured for this Tomcat (either statically with jaspic-providers.xml or dynamically by implementing an AuthConfigProvider). Now here are my questions: 1. Is there a possibility to activate the JASPIC provider for only one of the two applications? The intention is that the appContext attribute for the provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. Not that I am aware of. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: JASPIC Provider for FORM based Authentication
Hi Mark, sorry for the late reply. Unfortunately I was sick. Thanks for your advice. The error was in front of the computer . I had misspelled the context path in the appContext Now it works as expected Best regards Matthias Keil -Ursprüngliche Nachricht- Von: Mark Thomas Gesendet: Montag, 22. November 2021 18:28 An: users@tomcat.apache.org Betreff: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: > Hello everyone, > > I take up a topic of my own again. The point there was that I would like to > accommodate both the configuration and the actual Server Auth module within > the application. > That worked well with your advice. > > Unfortunately, I have now reached the point where this solution works for one > application, but a parallel application on the same Tomcat then also uses the > Server Auth module. There is a entry in the web.xml of the > second application. > In my opinion, this is ignored as soon as JASPIC is configured for this > Tomcat (either statically with jaspic-providers.xml or dynamically by > implementing an AuthConfigProvider). > > Now here are my questions: > 1. Is there a possibility to activate the JASPIC provider for only one of the > two applications? The intention is that the appContext attribute for the provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. > 2. OR there is an AuthConfigProvider that could implement the FORM based > authentication. Not that I am aware of. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AW: JASPIC Provider for FORM based Authentication
-Ursprüngliche Nachricht- Von: Mark Thomas Gesendet: Montag, 22. November 2021 18:28 An: users@tomcat.apache.org Betreff: Re: JASPIC Provider for FORM based Authentication On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: > Hello everyone, > > I take up a topic of my own again. The point there was that I would like to > accommodate both the configuration and the actual Server Auth module within > the application. > That worked well with your advice. > > Unfortunately, I have now reached the point where this solution works for one > application, but a parallel application on the same Tomcat then also uses the > Server Auth module. There is a entry in the web.xml of the > second application. > In my opinion, this is ignored as soon as JASPIC is configured for this > Tomcat (either statically with jaspic-providers.xml or dynamically by > implementing an AuthConfigProvider). > > Now here are my questions: > 1. Is there a possibility to activate the JASPIC provider for only one of the > two applications? The intention is that the appContext attribute for the provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. > 2. OR there is an AuthConfigProvider that could implement the FORM based > authentication. Not that I am aware of. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: JASPIC Provider for FORM based Authentication
On 22/11/2021 12:00, Keil, Matthias (ORISA Software GmbH) wrote: Hello everyone, I take up a topic of my own again. The point there was that I would like to accommodate both the configuration and the actual Server Auth module within the application. That worked well with your advice. Unfortunately, I have now reached the point where this solution works for one application, but a parallel application on the same Tomcat then also uses the Server Auth module. There is a entry in the web.xml of the second application. In my opinion, this is ignored as soon as JASPIC is configured for this Tomcat (either statically with jaspic-providers.xml or dynamically by implementing an AuthConfigProvider). Now here are my questions: 1. Is there a possibility to activate the JASPIC provider for only one of the two applications? The intention is that the appContext attribute for the provider in the jaspic-providers.xml file limits the JASPIC configuration to a single web application. 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. Not that I am aware of. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
JASPIC Provider for FORM based Authentication
Hello everyone, I take up a topic of my own again. The point there was that I would like to accommodate both the configuration and the actual Server Auth module within the application. That worked well with your advice. Unfortunately, I have now reached the point where this solution works for one application, but a parallel application on the same Tomcat then also uses the Server Auth module. There is a entry in the web.xml of the second application. In my opinion, this is ignored as soon as JASPIC is configured for this Tomcat (either statically with jaspic-providers.xml or dynamically by implementing an AuthConfigProvider). Now here are my questions: 1. Is there a possibility to activate the JASPIC provider for only one of the two applications? 2. OR there is an AuthConfigProvider that could implement the FORM based authentication. thanks in advance Matthias
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/9/15 9:45 AM, Christopher Schultz wrote: > On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: >> I have found the cause of the problem. It seems that there is no >> null checking in the DataSourceRealm in Tomcat. What I mean is >> that if a particular user does not exist in the database and is >> credentials are returned as a null string then no null checking >> is specified. > >> I would like to open this as a bug. > > https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208 > > Before you file a bug: > > 1. Make sure you test on Tomcat 8.0.26 2. Make sure you post a > stack trace from the NPE 3. If you can provide a simple test-case, > it would be helpful > >> The easiest solution is to write a custom Realm that provides >> the null checking. The only problem is that now why am I not >> being redirected to the error page if I provide a valid user with >> a wrong password. > > If the authenticate() method returns false, then Tomcat should > send the user to the form-error-page. It may not issue a redirect, > but instead perform a forward. Is that a problem? > >> Please if anyone can tell me how to write a custom Realm then it >> would be really appreciated. > > If this really is a bug, it should be fixed. I'm skeptical at this > point, since nobody has reported this yet. It would be a fairly big > bug. Confirmed by code inspection that Tomcat does not check the return value from DataSourceRealm.getPassword. Exactly where the bug lies is a matter of opinion: 1. DataSourceRealm blindly passes the stored credential to the CredentialHandler 2. MessageDigestCredentialHandler.matches() performs null-checking of its arguments 3. SecretKeyCredentialHandler.matches() does not perform such null-checking I think it's appropriate for the entire system to waste a little time performing the credential-checking algorithm when the username is invalid because it mitigates timing-analysis used to perform user enumeration. That could be done in each of the individual CredentialHandler classes, or it could be done in the Realm itself. I would argue it makes sense to do in the Realm, but the handler itself could implement such a mechanism, too. Opinions are welcome. Please log the bug. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV8Do2AAoJEBzwKT+lPKRYNQEP/R1W9tPPrkmRCJMpy+JT63Y1 GcUblu/0ho1xGd0/NQerpOrePJlAL94RPTkEBCw26DjHZOZ6ehYjgXHBApCIFmze LIMlI/x1xe63YgYx19VTCmGv48kLJa97XuoDgHa0Uo2RrAvtG7SaoIiBbFGoI+ID J+Ki0ntNvRZshrp4I9GvN9o+HpX19MVmW0Sj58P5a2DpdxwavF3gFRzgpkq8Rxdy W+Unbpx4/klI5Gp1W/bp+5j5u8xAS0+KxtsWxzD9ujjHhCCteDqr+2xZVmv4pR3P NUlHIdNa6ufOAP6TPM0eQTlFiyx2zRAAJlogCJ1jdYgWe2buaFvmPmFUG8q8JCLQ ggdVhtYo4qT1NNr+C0JWvYpmE25IlQN462cIXbcLV43wTReVaNDeeaVWQgwZLiMa 3TVS9C5UNGhSVKwPJriHsOECogaswA2fgJSUmDo25zaUAPTul7tT4TsxWbvKuTMI QUhAwsm5kqWhv8j9SbphMkmTG2lBBJDczZlemdjHGxofO3dH6q0TtLeR/1ipy9MN FML+r3P3D/l08pIPFbU1d2WT32Fvk77f2+x7Zijjx7XJH0gzZT3cGL4z3VtQPfFn 6ulWUT6EMsW4g59NEsWyWUPwoQxdyzbXq3QTgygHslEC4vNlOmoewz3uCJLWm0Gd MjZcERouuPKa+PiNJBuE =l21+ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Fwd: HTTP 400 with Form based authentication
I have found the cause of the problem. It seems that there is no null checking in the DataSourceRealm in Tomcat. What I mean is that if a particular user does not exist in the database and is credentials are returned as a null string then no null checking is specified. I would like to open this as a bug. The easiest solution is to write a custom Realm that provides the null checking. The only problem is that now why am I not being redirected to the error page if I provide a valid user with a wrong password. Please if anyone can tell me how to write a custom Realm then it would be really appreciated. Regards, Sreyan Chakravarty On Mon, Sep 7, 2015 at 10:51 PM, Sreyan Chakravarty < sreyan.mail...@gmail.com> wrote: > Yes but what happens when the user passes a user-id that is not present in > the DB. Or a password that is incorrect. How would the server handle that ? > > If I pass an incorrect user I am getting a NPE. And if I pass an invalid > password but a valid user a am not being redirected to the form-login-error > page. > > That was my question. How do I do that ? > > On Mon, Sep 7, 2015 at 9:52 PM, André Warnier (tomcat)> wrote: > >> Hi. >> >> I have notv really followed this thread from the beginning, but maybe I >> can contribute something here.. >> >> On 07.09.2015 15:56, Sreyan Chakravarty wrote: >> .. >> >>> >>> Also can I webapp have different realms ? If so how do you distinguish >>> them >>> ? I was looking at the RealmBase source and I haven't noticed a place for >>> realmName. If not then what is the use of the element in >>> web.xml ? >>> >>> >> One webapp can only have one realm, but several webapps (or let's say >> more generically several areas in "URL space" on the server) can share the >> same realm. >> >> The "realm" is something that the server sends back to the browser in the >> "401 Authorization required response". It is just a "label", which in >> terms of AAA, identifies a certain collection of resources on the server, >> covered by the same authentication/authorization requirements. >> In the server configuration, you can choose yourself which resources are >> covered by the same realm (label). >> >> It is easier to explain this by example, in the general context of the >> HTTP protocol. >> The basic way in which AAA works in a webserver is this : >> >> 1) the client/browser sends a request to the server, with a specific URL, >> which resolves on the server to some resource >> 2) the server evaluates the request, and resolves the resource to which >> it applies (e.g. a static html page, a servlet, ..). The server then >> checks in its configuration, if this resource is protected. If not, it >> returns the requested resouerces to the client, and that's it. >> 3) if the request is protected, the server checks if the request contains >> some form of authentication. If yes, the server checks if this >> authentication is valid, and applicable to this resource. If yes, the >> server returns the requested resource, and that's it. >> If not, the server returns a "forbidden" response. >> 4) If the request did not contain an authentication, the server returns a >> response to the client : "401 Authorization required", along with a realm >> (the "label" applicable to this resource, as per the server configuration), >> *and* the required authentication method (e.g. "Basic" or "Digest"). >> 5) the client sees this response, and interacts with the user to obtain >> the required user-id/password. Once obtained, the client/browser repeats >> the same request to the server, but this time with some additional HTTP >> header(s) containing the requested authentication. At the same time, the >> client/browser "remembers" this authentication, and remembers to which >> "realm" it applies. >> >> Then go back to (1) above. >> >> If the client/browser (within the same browser session), later accesses >> the same or another resource, and it receives from the server another 401 >> "auth required" response with a realm in it, and the browser knows that >> *for this same realm* it already had a remembered authentication, then it >> can send the same one again to the server, without needing to ask the user >> again to fill-in a login dialog. >> >> This is a pure HTTP-level mechanism, which works independently of any >> "session" that one may have on the server (as long as the authentication >> method is "Basic" or "Digest"). >> >> >> >> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/7/15 9:56 AM, Sreyan Chakravarty wrote: > I did what you said. That is pointing the web browser to a > protected resource without authentication and then logging in. It > works perfectly IF AND ONLY IF the credentials are ABSOLUTELY > correct. Otherwise I am getting undefined behavior an thats where I > need your help now. > > First-: If I provide an invalid user-id and valid/invalid password > I am getting the following error-: > > HTTP Status 500 - > > java.lang.NullPointerException > org.apache.catalina.realm.DigestCredentialHandlerBase.matchesSaltItera tionsEncoded(DigestCredentialHandlerBase.java:147) What > version of Tomcat are you running? That line number is a javadoc comment in both Tomcat 8/trunk and Tomcat 9/trunk. > Now I thought that when invalid credentials of any kind are given > Tomcat is supposed to take you to the . Then why > is it I am getting a 500 error. Clearly something is wrong from my > side or else the is invoked under different > circumstances. It's possible there is a bug in there; the CredentialHandlers are fairly new. But I'm gong to need a test case to check it out. Can you create a quick WAR file containing whatever is necessary to reproduce this on an up-to-date Tomcat 7/8/trunk? I'll need a copy of your custom credential handler as well, and any configuration from server.xml that is necessary. > Secondly-: If I provide a valid user-id and invalid password I am > again not redirected to the form-error-page I am kept in > j_security_check. What do you mean by that? Were you expecting a formal redirect response? > How do I show the user that is credentials are wrong? The form-error-page should be used when credentials are invalid. > Also can I webapp have different realms? Yes and no. The web application can only have a single Realm, but there is a Realm called CombinedRealm that allows you to register as many realms with it as you want. > If so how do you distinguish them? - From client code, I'm not sure it's possible. > I was looking at the RealmBase source and I haven't noticed a > place for realmName. If not then what is the use of the > element in web.xml? That's for HTTP Basic and HTTP Digest authentication: it's the "realm" name that is displayed to the user when the username/password pop-up is shown to them. > The example that you have provided -: > > request.login(req.getParameter("username"), > req.getParameter("password")); > > Which realm would it use if there were multiple realms available ? The only realm for the web application (which may be a CombinedRealm, in which case you won't be able to tell which realm successfully performed the authentication). - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV8DcwAAoJEBzwKT+lPKRYWIgP/jd1st1bvPD5xojhLl/D+fdz zVQGejG9dCIW7RHNIt8BrHi/CL+Nf2Q1bEFrnIPbCHsBMQwsCvKdCf8dR9iWf6jH LHiX9hHakf04aFc0LEkYHUkFIU9rFNKNTggSv1OKMb4JIcBZYyTS9bB8PZsWeWJM qCJmn0Ga9zntDUzBwpnJXT8LKxAGqV1N980crmIjXLLVcbPhNSaK/+PmMn2cnYVc nLuFOcO2ssrCp6/AcQrrP7w0sD9duzPIesLsebbxbiyw9ME15o0OTFbJ902itzPF oBmH48sgh6z3vYzGoQHT7uh+jl8iCKLn3AqSucC2dkCcEiIWjRC4g2vtdbPtUyiy 3diqXYiDUonIRk4Xat3wScxmriOSbcX/LCgNIHTagpcXbfGnt40QgfjKuO+dm4bV 65SK/iJjswcmvJa1J0aRXs8gmPQ9Y1UbTdDIOZ5gMfCxY6rF4HkzroW8r7+zuuqF ZUq870vCsAJk3+VOfzS0Uv3SoKBZgTc+6tReIp/CWT7gLoCysoqeXeWvDLB82v71 bHe5s+UQNYxDSJhrLZ+Y4ic1YzwffJEbI0+1+DvSuq3SaE+WFjZiinPjIhv1R6i7 WNVp25v5cyfdC6ihRztmlrVKwEniUUjm9ocKAcZgASXPOdAXrkwJ7ybBa5Ez8DbS gi/jxgOSZZw7ddZC0rzK =5Uty -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: > I have found the cause of the problem. It seems that there is no > null checking in the DataSourceRealm in Tomcat. What I mean is that > if a particular user does not exist in the database and is > credentials are returned as a null string then no null checking is > specified. > > I would like to open this as a bug. https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208 Before you file a bug: 1. Make sure you test on Tomcat 8.0.26 2. Make sure you post a stack trace from the NPE 3. If you can provide a simple test-case, it would be helpful > The easiest solution is to write a custom Realm that provides the > null checking. The only problem is that now why am I not being > redirected to the error page if I provide a valid user with a wrong > password. If the authenticate() method returns false, then Tomcat should send the user to the form-error-page. It may not issue a redirect, but instead perform a forward. Is that a problem? > Please if anyone can tell me how to write a custom Realm then it > would be really appreciated. If this really is a bug, it should be fixed. I'm skeptical at this point, since nobody has reported this yet. It would be a fairly big bug. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV8DgVAAoJEBzwKT+lPKRYTfwP/A1tstT6mwueYnnjIT34HSji Tu8OasywHIVPmVQ07jC7pkvysCGtOegGyWuymAilDWNEqiBsNuUmnMMuL/jJNm1D 8GLb0V8tazbxlNWsHyQ7Gg8XPEDvuRWjzJVNpCrHDbdrwOhKz0DnejxjPyXpSGkq b2xyS+ay7iD8VLfohmclM6LD1Kp7+MdIwtnTPag5GvkAErwRQ9XmoByTVV1cZPbC JToYerhP1kMepfF1M9K+XSotkod1xWYvq21sz2AC7sV/0kdcwOyZ/NWYqZSSdvbt VlwQxcLqkliV6GRD/TRWduXrk36KwbNsgLNISTqjMwgBmL5HjLV7LmegL/kfK97u J0ijssLVs/NA5BahEzmmDN/q3PfYrc7HWYJTeutt4T9obwuLqIFOoHZHPVKHj5vr BZxWrgBVWULWw2MRpFooE4QiMaFHsLun7U/vLsKHT4ledJwPOt65UM0ARF06nZwV htQfMkVFzqaM51+ZyJn4WBtGSwkQM1Mk8BARl5dOcH319GERRQB3ttLqJbSfmSca PO38R6t3u0uvRmFHQqD11WHECEDWrt7rZbohyQSAX8acQb31pytrDPy4YsDDOk/o fLpJ3v92ZGlnr22E1epziE5/bVzUywVmPkBTymJDKotOvYApu1FjUBINfyftsK71 rc3wYFqoC35+Oy29vvek =ocBg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 9/9/15 12:49 PM, Sreyan Chakravarty wrote: > Okay can you please guide me on how to log the bug. That would be > great. If possible you could do it yourself also. 1. Register for Bugzilla at bz.apache.org 2. Fill-out this form: https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208 (You can get here from inside BZ, of course, but here's the link just in case you need it.) 3. Take care to describe this as best as you can. Feel free to reference this thread on the list; links to things like markmail.org are great because readers can easily follow them to get the context of the discussion, even if it's not fully contained in the bug report 4. If you're up for it, propose a patch. You'll get your name into the changelog for all eternity :) > And as far as opinions go I really don't know. The whole process of > Realms seem confusing to me and its overtly complicated. Presumably you mean "overly complicated". It's actually not once you understand the complexity of what's being implemented. The Authenticator/Realm split exists because any combination of authentication mechanism (HTTP Basic, HTTP Digest, FORM, TLS-CERT, etc.) and credential-storage mechanism (e.g. JDBC database, Java Truststore, flat-file, etc.) needs to be supported. I've always thought that the names (authenticator and realm) were bad and confusing (especially because HTTP Basic/Digest uses the term "realm" to describe the general thing-to-which-you-are-authenticating). Perhaps better names would be: authenticator = credential soliciter realm = credential validator But these names are far too historic to change, now. The good news now is that the realms support better than the least effort possible for a security system. The best you could do a year ago was to use a single run-through of a supported hash algorithm, and the default was MD5. Yuck. So, the fact that you can plug-in your own algorithms for credential mutation is a really great system. To wire-in scrypt a year ago would have been a mess, unless you just wanted to write your own Realm that only supported a single authenticato r. Anyhow, things are getting better thank to contributions from the community. Welcome to the community :) - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV8JYgAAoJEBzwKT+lPKRYIoAP/0ibxPVquauuMJK/qf05H+iy pUpfplwh1U0WyzhC/B1V2NV7WIxf5QzaX4ld/3EJUu7yZLujA7qRrhMVN+WsCoKw KghKyXgaLq0kWXQMXn1Aoe/9hiG32XQA59aR3Um+i8fNBv66aoIMj7albHeVFhTG Dzf3QJAgjU3EKB4vxf+UKomfJkbr4SBOo12NXcQ37Pb5TPgFeHX//5RJBe0xS3Uh XD+OSYDWi0gMOJfJK5bTar0gpSumzeOu+mX7iPJ6j7QLX1z73bcwG0WTRU0KRqlO BQjZMe7qLL4Q+G4cbN4UV1lRdO7NYQ7IStHV8r05orY6BZmglaLKTEOHaqRKw2MQ coaMArpu9eZOz0PN8HdhPT4u6N4EpYlahDZgqrY8hQlwGjatQHGAzdWeQ0i0Mmr+ BnVZT6vozA1d0tx8OUdmyWucgVy252s5iwCa9SZiaMpjugQbEpX9tYu8EQVQREZy 1UWrKcIlOGJ5be1iPWHq1yk6MEdAMDffHvhZdgzCshtzMy/tJ+VgntSjUzsJnu16 TmnlOgcWr5B/DK/ixH6BriHr4fWMLZAhsBR/WST5zgO/4CP0eZeoAGjma5B6V3pJ Dcw3WvSpgq6dxbHJu8UxFjX3h6bwAEpLtyFo1fH2LwIfzkLN4UEikq7Rxfmcg9K/ j2lu4amIXCn5pmxzahH7 =Ux0j -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
Okay can you please guide me on how to log the bug. That would be great. If possible you could do it yourself also. And as far as opinions go I really don't know. The whole process of Realms seem confusing to me and its overtly complicated. Thanks for testing out the issue. On Wed, Sep 9, 2015 at 7:25 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Sreyan, > > On 9/9/15 9:45 AM, Christopher Schultz wrote: > > On 9/7/15 2:17 PM, Sreyan Chakravarty wrote: > >> I have found the cause of the problem. It seems that there is no > >> null checking in the DataSourceRealm in Tomcat. What I mean is > >> that if a particular user does not exist in the database and is > >> credentials are returned as a null string then no null checking > >> is specified. > > > >> I would like to open this as a bug. > > > > https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208 > > > > Before you file a bug: > > > > 1. Make sure you test on Tomcat 8.0.26 2. Make sure you post a > > stack trace from the NPE 3. If you can provide a simple test-case, > > it would be helpful > > > >> The easiest solution is to write a custom Realm that provides > >> the null checking. The only problem is that now why am I not > >> being redirected to the error page if I provide a valid user with > >> a wrong password. > > > > If the authenticate() method returns false, then Tomcat should > > send the user to the form-error-page. It may not issue a redirect, > > but instead perform a forward. Is that a problem? > > > >> Please if anyone can tell me how to write a custom Realm then it > >> would be really appreciated. > > > > If this really is a bug, it should be fixed. I'm skeptical at this > > point, since nobody has reported this yet. It would be a fairly big > > bug. > > Confirmed by code inspection that Tomcat does not check the return > value from DataSourceRealm.getPassword. Exactly where the bug lies is > a matter of opinion: > > 1. DataSourceRealm blindly passes the stored credential to the > CredentialHandler > 2. MessageDigestCredentialHandler.matches() performs null-checking of > its arguments > 3. SecretKeyCredentialHandler.matches() does not perform such > null-checking > > I think it's appropriate for the entire system to waste a little time > performing the credential-checking algorithm when the username is > invalid because it mitigates timing-analysis used to perform user > enumeration. That could be done in each of the individual > CredentialHandler classes, or it could be done in the Realm itself. I > would argue it makes sense to do in the Realm, but the handler itself > could implement such a mechanism, too. > > Opinions are welcome. > > Please log the bug. > > - -chris > -BEGIN PGP SIGNATURE- > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJV8Do2AAoJEBzwKT+lPKRYNQEP/R1W9tPPrkmRCJMpy+JT63Y1 > GcUblu/0ho1xGd0/NQerpOrePJlAL94RPTkEBCw26DjHZOZ6ehYjgXHBApCIFmze > LIMlI/x1xe63YgYx19VTCmGv48kLJa97XuoDgHa0Uo2RrAvtG7SaoIiBbFGoI+ID > J+Ki0ntNvRZshrp4I9GvN9o+HpX19MVmW0Sj58P5a2DpdxwavF3gFRzgpkq8Rxdy > W+Unbpx4/klI5Gp1W/bp+5j5u8xAS0+KxtsWxzD9ujjHhCCteDqr+2xZVmv4pR3P > NUlHIdNa6ufOAP6TPM0eQTlFiyx2zRAAJlogCJ1jdYgWe2buaFvmPmFUG8q8JCLQ > ggdVhtYo4qT1NNr+C0JWvYpmE25IlQN462cIXbcLV43wTReVaNDeeaVWQgwZLiMa > 3TVS9C5UNGhSVKwPJriHsOECogaswA2fgJSUmDo25zaUAPTul7tT4TsxWbvKuTMI > QUhAwsm5kqWhv8j9SbphMkmTG2lBBJDczZlemdjHGxofO3dH6q0TtLeR/1ipy9MN > FML+r3P3D/l08pIPFbU1d2WT32Fvk77f2+x7Zijjx7XJH0gzZT3cGL4z3VtQPfFn > 6ulWUT6EMsW4g59NEsWyWUPwoQxdyzbXq3QTgygHslEC4vNlOmoewz3uCJLWm0Gd > MjZcERouuPKa+PiNJBuE > =l21+ > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP 400 with Form based authentication
Hi. I have notv really followed this thread from the beginning, but maybe I can contribute something here.. On 07.09.2015 15:56, Sreyan Chakravarty wrote: .. Also can I webapp have different realms ? If so how do you distinguish them ? I was looking at the RealmBase source and I haven't noticed a place for realmName. If not then what is the use of the element in web.xml ? One webapp can only have one realm, but several webapps (or let's say more generically several areas in "URL space" on the server) can share the same realm. The "realm" is something that the server sends back to the browser in the "401 Authorization required response". It is just a "label", which in terms of AAA, identifies a certain collection of resources on the server, covered by the same authentication/authorization requirements. In the server configuration, you can choose yourself which resources are covered by the same realm (label). It is easier to explain this by example, in the general context of the HTTP protocol. The basic way in which AAA works in a webserver is this : 1) the client/browser sends a request to the server, with a specific URL, which resolves on the server to some resource 2) the server evaluates the request, and resolves the resource to which it applies (e.g. a static html page, a servlet, ..). The server then checks in its configuration, if this resource is protected. If not, it returns the requested resouerces to the client, and that's it. 3) if the request is protected, the server checks if the request contains some form of authentication. If yes, the server checks if this authentication is valid, and applicable to this resource. If yes, the server returns the requested resource, and that's it. If not, the server returns a "forbidden" response. 4) If the request did not contain an authentication, the server returns a response to the client : "401 Authorization required", along with a realm (the "label" applicable to this resource, as per the server configuration), *and* the required authentication method (e.g. "Basic" or "Digest"). 5) the client sees this response, and interacts with the user to obtain the required user-id/password. Once obtained, the client/browser repeats the same request to the server, but this time with some additional HTTP header(s) containing the requested authentication. At the same time, the client/browser "remembers" this authentication, and remembers to which "realm" it applies. Then go back to (1) above. If the client/browser (within the same browser session), later accesses the same or another resource, and it receives from the server another 401 "auth required" response with a realm in it, and the browser knows that *for this same realm* it already had a remembered authentication, then it can send the same one again to the server, without needing to ask the user again to fill-in a login dialog. This is a pure HTTP-level mechanism, which works independently of any "session" that one may have on the server (as long as the authentication method is "Basic" or "Digest"). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
I did what you said. That is pointing the web browser to a protected resource without authentication and then logging in. It works perfectly IF AND ONLY IF the credentials are ABSOLUTELY correct. Otherwise I am getting undefined behavior an thats where I need your help now. First-: If I provide an invalid user-id and valid/invalid password I am getting the following error-: HTTP Status 500 - java.lang.NullPointerException org.apache.catalina.realm.DigestCredentialHandlerBase.matchesSaltIterationsEncoded(DigestCredentialHandlerBase.java:147) org.apache.catalina.realm.SecretKeyCredentialHandler.matches(SecretKeyCredentialHandler.java:73) org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:297) org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:267) org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:272) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:452) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537) org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1085) org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658) org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) java.lang.Thread.run(Thread.java:745) Now I thought that when invalid credentials of any kind are given Tomcat is supposed to take you to the . Then why is it I am getting a 500 error. Clearly something is wrong from my side or else the is invoked under different circumstances. Secondly-: If I provide a valid user-id and invalid password I am again not redirected to the form-error-page I am kept in j_security_check. How do I show the user that is credentials are wrong ? Also can I webapp have different realms ? If so how do you distinguish them ? I was looking at the RealmBase source and I haven't noticed a place for realmName. If not then what is the use of the element in web.xml ? The example that you have provided -: request.login(req.getParameter("username"), req.getParameter("password")); Which realm would it use if there were multiple realms available ? Thanks for your patience in helping me Christopher. Regards Sreyan Chakravarty On Tue, Sep 1, 2015 at 9:44 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Sreyan, > > On 8/31/15 3:20 PM, Sreyan Chakravarty wrote: > > Ok I found FormAuthenticator and landingPage attribute in it in the > > source. > > You shouldn't need to look at the source. > > > But how do I use that in my application ? What do I do ? > > You configure the FormAuthenticationValve in your application's > META-INF/context.xml file. > http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Introduction > > The intro says you can configure any Valve in any of the following > "Catalina container[s] (Engine, Host, or Context)." Just make it a new > child of the element you should already have. > > > Any documentation for this ? > > Just what you have already read: > > >... other configuration attributes ... > /> > > > - -chris > > > On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < > > sreyan.mail...@gmail.com> wrote: > > > >> Well Christopher thanks for that eye opener. I didn't know that > >> the specs were so inconsistent. > >> > >> Okay now regarding your comment-: > >> > >> "Servlet 3.0 added the HttpServletRequest.login() method would > >> improved the situation greatly: you can implement your own login > >> handler that plugs-into the authentication services of the > >> container. It's just that the container doesn't handle any > >> redirection to a login page (none is required) or credential > >> capturing (easily done with a servlet)." > >> > >> How do you implement your own login handler and how do you plug > >> that into Tomcat Auth services. Can you provide some info as to > >> how I would do that ? > >> > >> And what is the extension to FORM Authenticator that Mark is > >> talking about ? > >> > >> Also correct me if I am wrong, then the page that I use to login > >> and the page that will contain j_security_check as an action must > >> be two different pages. > >> > >> Also can I have two elements in my web.xml ? > >> > >> On Mon, Aug 31, 2015 at 11:19 PM,
Re: HTTP 400 with Form based authentication
Yes but what happens when the user passes a user-id that is not present in the DB. Or a password that is incorrect. How would the server handle that ? If I pass an incorrect user I am getting a NPE. And if I pass an invalid password but a valid user a am not being redirected to the form-login-error page. That was my question. How do I do that ? On Mon, Sep 7, 2015 at 9:52 PM, André Warnier (tomcat)wrote: > Hi. > > I have notv really followed this thread from the beginning, but maybe I > can contribute something here.. > > On 07.09.2015 15:56, Sreyan Chakravarty wrote: > .. > >> >> Also can I webapp have different realms ? If so how do you distinguish >> them >> ? I was looking at the RealmBase source and I haven't noticed a place for >> realmName. If not then what is the use of the element in >> web.xml ? >> >> > One webapp can only have one realm, but several webapps (or let's say more > generically several areas in "URL space" on the server) can share the same > realm. > > The "realm" is something that the server sends back to the browser in the > "401 Authorization required response". It is just a "label", which in > terms of AAA, identifies a certain collection of resources on the server, > covered by the same authentication/authorization requirements. > In the server configuration, you can choose yourself which resources are > covered by the same realm (label). > > It is easier to explain this by example, in the general context of the > HTTP protocol. > The basic way in which AAA works in a webserver is this : > > 1) the client/browser sends a request to the server, with a specific URL, > which resolves on the server to some resource > 2) the server evaluates the request, and resolves the resource to which it > applies (e.g. a static html page, a servlet, ..). The server then checks > in its configuration, if this resource is protected. If not, it returns > the requested resouerces to the client, and that's it. > 3) if the request is protected, the server checks if the request contains > some form of authentication. If yes, the server checks if this > authentication is valid, and applicable to this resource. If yes, the > server returns the requested resource, and that's it. > If not, the server returns a "forbidden" response. > 4) If the request did not contain an authentication, the server returns a > response to the client : "401 Authorization required", along with a realm > (the "label" applicable to this resource, as per the server configuration), > *and* the required authentication method (e.g. "Basic" or "Digest"). > 5) the client sees this response, and interacts with the user to obtain > the required user-id/password. Once obtained, the client/browser repeats > the same request to the server, but this time with some additional HTTP > header(s) containing the requested authentication. At the same time, the > client/browser "remembers" this authentication, and remembers to which > "realm" it applies. > > Then go back to (1) above. > > If the client/browser (within the same browser session), later accesses > the same or another resource, and it receives from the server another 401 > "auth required" response with a realm in it, and the browser knows that > *for this same realm* it already had a remembered authentication, then it > can send the same one again to the server, without needing to ask the user > again to fill-in a login dialog. > > This is a pure HTTP-level mechanism, which works independently of any > "session" that one may have on the server (as long as the authentication > method is "Basic" or "Digest"). > > > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP 400 with Form based authentication
I have found the cause of the problem. It seems that there is no null checking in the DataSourceRealm in Tomcat. What I mean is that if a particular user does not exist in the database and is credentials are returned as a null string then no null checking is specified. I would like to open this as a bug. The easiest solution is to write a custom Realm that provides the null checking. The only problem is that now why am I not being redirected to the error page if I provide a valid user with a wrong password. Please if anyone can tell me how to write a custom Realm then it would be really appreciated. Regards, Sreyan Chakravarty On Mon, Sep 7, 2015 at 10:51 PM, Sreyan Chakravarty < sreyan.mail...@gmail.com> wrote: > Yes but what happens when the user passes a user-id that is not present in > the DB. Or a password that is incorrect. How would the server handle that ? > > If I pass an incorrect user I am getting a NPE. And if I pass an invalid > password but a valid user a am not being redirected to the form-login-error > page. > > That was my question. How do I do that ? > > On Mon, Sep 7, 2015 at 9:52 PM, André Warnier (tomcat)> wrote: > >> Hi. >> >> I have notv really followed this thread from the beginning, but maybe I >> can contribute something here.. >> >> On 07.09.2015 15:56, Sreyan Chakravarty wrote: >> .. >> >>> >>> Also can I webapp have different realms ? If so how do you distinguish >>> them >>> ? I was looking at the RealmBase source and I haven't noticed a place for >>> realmName. If not then what is the use of the element in >>> web.xml ? >>> >>> >> One webapp can only have one realm, but several webapps (or let's say >> more generically several areas in "URL space" on the server) can share the >> same realm. >> >> The "realm" is something that the server sends back to the browser in the >> "401 Authorization required response". It is just a "label", which in >> terms of AAA, identifies a certain collection of resources on the server, >> covered by the same authentication/authorization requirements. >> In the server configuration, you can choose yourself which resources are >> covered by the same realm (label). >> >> It is easier to explain this by example, in the general context of the >> HTTP protocol. >> The basic way in which AAA works in a webserver is this : >> >> 1) the client/browser sends a request to the server, with a specific URL, >> which resolves on the server to some resource >> 2) the server evaluates the request, and resolves the resource to which >> it applies (e.g. a static html page, a servlet, ..). The server then >> checks in its configuration, if this resource is protected. If not, it >> returns the requested resouerces to the client, and that's it. >> 3) if the request is protected, the server checks if the request contains >> some form of authentication. If yes, the server checks if this >> authentication is valid, and applicable to this resource. If yes, the >> server returns the requested resource, and that's it. >> If not, the server returns a "forbidden" response. >> 4) If the request did not contain an authentication, the server returns a >> response to the client : "401 Authorization required", along with a realm >> (the "label" applicable to this resource, as per the server configuration), >> *and* the required authentication method (e.g. "Basic" or "Digest"). >> 5) the client sees this response, and interacts with the user to obtain >> the required user-id/password. Once obtained, the client/browser repeats >> the same request to the server, but this time with some additional HTTP >> header(s) containing the requested authentication. At the same time, the >> client/browser "remembers" this authentication, and remembers to which >> "realm" it applies. >> >> Then go back to (1) above. >> >> If the client/browser (within the same browser session), later accesses >> the same or another resource, and it receives from the server another 401 >> "auth required" response with a realm in it, and the browser knows that >> *for this same realm* it already had a remembered authentication, then it >> can send the same one again to the server, without needing to ask the user >> again to fill-in a login dialog. >> >> This is a pure HTTP-level mechanism, which works independently of any >> "session" that one may have on the server (as long as the authentication >> method is "Basic" or "Digest"). >> >> >> >> >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 3:20 PM, Sreyan Chakravarty wrote: > Ok I found FormAuthenticator and landingPage attribute in it in the > source. You shouldn't need to look at the source. > But how do I use that in my application ? What do I do ? You configure the FormAuthenticationValve in your application's META-INF/context.xml file. http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Introduction The intro says you can configure any Valve in any of the following "Catalina container[s] (Engine, Host, or Context)." Just make it a new child of the element you should already have. > Any documentation for this ? Just what you have already read: - -chris > On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < > sreyan.mail...@gmail.com> wrote: > >> Well Christopher thanks for that eye opener. I didn't know that >> the specs were so inconsistent. >> >> Okay now regarding your comment-: >> >> "Servlet 3.0 added the HttpServletRequest.login() method would >> improved the situation greatly: you can implement your own login >> handler that plugs-into the authentication services of the >> container. It's just that the container doesn't handle any >> redirection to a login page (none is required) or credential >> capturing (easily done with a servlet)." >> >> How do you implement your own login handler and how do you plug >> that into Tomcat Auth services. Can you provide some info as to >> how I would do that ? >> >> And what is the extension to FORM Authenticator that Mark is >> talking about ? >> >> Also correct me if I am wrong, then the page that I use to login >> and the page that will contain j_security_check as an action must >> be two different pages. >> >> Also can I have two elements in my web.xml ? >> >> On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz < >> ch...@christopherschultz.net> wrote: >> > Sreyan, > > On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: > First of all I did read the Servlet Spec, it provided no > hint as to what I was doing wrong. > > So you are saying that I can't have a login form on the > page when the welcome page ? Why not ? Tons of site have > just that, like Twitter and Facebook. It seems weird why I > can't have it on my welcome page. > > Oh, you can do it, but you'll have to implement it yourself. Go > re-read the spec's section on how FORM authentication works. Note > that you are required to attempt to access a protected page before > being asked for authentication. I think it's a big hole in the spec > that should be filled, but anything Tomcat would do for you here > is, by definition, out-of-spec. > > And wait a minute. You are telling me that I have to first > point my web browser to /teacher/success.jsp and then when > I get the login page and login ? > > Yes. > > What can't I do the following-: > > First login from the login page and then go to > success.jsp? > > You sure can do that, but you can't use j_security_check as > yourPOST target. Instead, you have to write your own Servlet and > then (probably) call HttpServletRequest.login() from there, then > redirect the user to wherever you want them to go. > > Why do I have to first hit an auth error and then be > redirected back to login and then provide my user/pass > combo ? > > This is spec-defined behavior. > > So how do you code a login module ? Where I can login first > and then go to my resources ? > > What's a "login module"? > > This is indeed weird. > > It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But > certainly not weird. > > Servlet 3.0 added the HttpServletRequest.login() method would > improved the situation greatly: you can implement your own login > handler that plugs-into the authentication services of the > container. It's just that the container doesn't handle any > redirection to a login page (none is required) or credential > capturing (easily done with a servlet). > > Really the only thing the servlet spec is missing is a setting in > like or something like that, > so that if you try to login with j_security_check and you hadn't > already requested a protected resource, the container knows where > to send the user after authentication. > > -chris >>> >>> - - >>> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> >> > -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5c7LAAoJEBzwKT+lPKRYBkoP/RCzs3LjRGedna+GYX1KP7nD eeQseNjfe+nCC9w0hkUUklTxA7ikC92IJHxfoBNKOwjEzIBBrT1stoR1rwUAjMRp dBZ44EjxybDYHQgCJkLdFQXD0q3+SH4kYDguVNJNSl8vpYQ4ehTj7RDV0mlf7USz rLgwZ/4WZh/QU3VMf0R+xYbnz/nkbzAMiIn9ZGMa/R26tBWT1AEWbP7ntGw6qFgM i4FhElMb21cJYSrU6eAvTvJpJR97ziBnCLauZxBmfiioIH09iutXqrG8F/q3Ou42
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 3:16 PM, Sreyan Chakravarty wrote: > Well Christopher thanks for that eye opener. I didn't know that the > specs were so inconsistent. They aren't inconsistent... it's just that they don't cover a popular use case. Remember that container-managed authentication has to cover types of authentication other than "FORM". The client can't, for instance, force HTTP Basic credentials into a server without knowing what the server's "realm" is for HTTP Basic. The server won't ask for authentication unless it's necessary, and authentication isn't necessary unless the user tries to access a protected resource. The same is true for SSL client certificates. When you consider all the types of authentication that the servlet spec covers, it makes more sense why the authentication is done the way it is. (It doesn't make it any less irritating, though.) > Okay now regarding your comment-: > > "Servlet 3.0 added the HttpServletRequest.login() method would > improved the situation greatly: you can implement your own login > handler that plugs-into the authentication services of the > container. It's just that the container doesn't handle any > redirection to a login page (none is required) or credential > capturing (easily done with a servlet)." (Note that the word "would" should have been "which has" above.) > How do you implement your own login handler and how do you plug > that into Tomcat Auth services. > > Can you provide some info as to how I would do that ? You write your own servlet and point your "main" login at it: public class MyLoginServlet extends HttpServlet { public void doPost(HttpServletRequest req, HttpServletResponse rsp) { request.login(req.getParameter("username"), req.getParameter("password")); } } It's up to you to decide what else should happen after authentication succeeds. This hooks-into the container's authentication system by using whatever Realm has been defined to actually do the authentication (e.g. DataSourceRealm) and will also use the CredentialHandlers we've been discussing. > And what is the extension to FORM Authenticator that Mark is > talking about ? Check out the documentation for the FORM Authenticator and you'll see that you don't actually need to write your own servlet like the above if all you want to do is allow drive-by logins and always forward to the same URI: http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Form_Authentic ator_Valve Unfortunately, that feature is buried in the configuration reference for the FormAuthenticatorValve and not somewhere more easily accessible like under "Realms and AAA" for example. > Also correct me if I am wrong, then the page that I use to login > and the page that will contain j_security_check as an action must > be two different pages. If you use the form/servlet I outlined above, then yes: your "main" login page should be separate from the one you use for Tomcat's automated authentication. Of course, you can page a single parameterized page or a complex series of JSPs that include each other to avoid duplication, or you can just make two pages. If you use Mark's technique to configure the FormAuthenticationValve, then you can use a single form for everything. I would highly recommend simply using the FormAuthenticationValve configuration because you have to do a whole lot less work. > Also can I have two elements in my web.xml ? Nope. How would the container know when to pick one over the other? - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5c4wAAoJEBzwKT+lPKRYX08QAJKuEE9N2ifMuZp2uOtXNkDz VNPZBnZonXfqI/MKjYlhn2ox9IHpTOZ6sYVGaMgBKYV4ILHPN4kOvSHi3ud/azDh igSpSEYJ52vcK1EAoYgr1f56hyUjSTZhxbQlNuf0cIfyF/nNLUB/fz9x5VMDUPEY s8KH3UZ62OR5UI6rcwWE/QfnyneHyWoDqp0s831DxMRkH90XdzGGHn4xaICUK68f fdZPJmQslgm6rdyh/MuVA/NVS9IGADEF4hlD7TbyGhl8sOupSv51pjivl594hjhX znYT/wE8iO+sNft2oPb9A5LUWDS2le9dfA4S0zrA9TVsWFQvnUOs3dNkgEIW7aYO fba0F9wUqRY0hUfoqiQ+mvCaBQP8a6P2YDy9P9PnShwxOTo6grd8UAXGYvsxyaae D/TZkak1mSkYT/7HQ14OwXhDjtK00GflQ3I+p/qYAO7xCxeWJvfcxWp7y19Zc+8B Zc3Vz+NQhneJHeltp6V0xK2xfamGrFCrpcuDMIpyu3Szi/15shpJaPTYWAuam8Pk 4Ld8OC0MCB5C7mgu58bJuKm54cr2GJgBlcgsfG6XwUkn3oeCAZDFBuqNoR7YMyQ6 e8gzUYvAwpb1IsNO1mELJIUKY8N+NDCdNnvjQ05X3rUsBhPS0tg6b3USdvs+TDIG vb/DhPr4hguee6nFoX7Y =iT9j -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
I don't understand where did I request the login page directly ? I just put as index.jsp and and the error page as index.jsp?error=true. So where is my error ? On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomaswrote: > On 29/08/2015 22:16, Sreyan Chakravarty wrote: > > Okay this is my first try at container based authentication using Realms > in > > Tomcat. And things have gone wrong. Here is my login page -: > > > > > > My web.xml security configuration is -: > > > > > > > > TECHERS > > /teacher/success.jsp > > GET > > POST > > > > Remove the methods. By enumerating methods ONLY those methods are > protected. PUT, HEAD, DELETE, etc. aould all be permitted. > > > > > > Now when I click on submit I get the following error page in Tomcat -: > > > > > > *HTTP Status 400 - Invalid direct reference to form login page* > > > > *message* *Invalid direct reference to form login page* > > > > *description* *The request sent by the client was syntactically > incorrect.* > > > > > > Why is this happening ? Any help would be greatly appreciated. > > Because you requested the login page directly. You need to request the > protected page and Tomcat will handle the redirects. > > Mark > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP 400 with Form based authentication
Wait I am sure I am going wrong in a fundamental area. My security constraint is as follow-: TECHERS /teacher/success.jsp GET POST TEACHER FORM /index.jsp /index.jsp?error=true TEACHER Now let me tell you what I understand from this-: - The /teacher/success.jsp is protected via a FORM login page that is index.jsp - Therefore the page after login which the user will land to is /teacher/success.jsp. I don't need to specify that elsewhere. - element designates the login page. - element designates the page to go to if login has failed. This is my understanding of the whole process. Please don't tell me that I have to put as /teacher/success.jsp. If so then where do I designate the login page ? Forgive my noobishness. Just starting out with servlet security. Regards Sreyan Chakravarty On Mon, Aug 31, 2015 at 3:59 PM, Mark Thomaswrote: > On 31/08/2015 07:00, Sreyan Chakravarty wrote: > > I don't understand where did I request the login page directly ? I just > put > > as index.jsp and and the error page as > > index.jsp?error=true. > > > > So where is my error ? > > Did you request '/teacher/success.jsp' ? No, you did not. > > Did you request '/index.jsp' (or '/' that because of welcome page > processing would forward to '/index.jsp') ? Yes, you did. And that is > your error. > > Mark > > > > > > On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomas wrote: > > > >> On 29/08/2015 22:16, Sreyan Chakravarty wrote: > >>> Okay this is my first try at container based authentication using > Realms > >> in > >>> Tomcat. And things have gone wrong. Here is my login page -: > >> > >> > >> > >> > >>> My web.xml security configuration is -: > >>> > >>> > >>> > >>> TECHERS > >>> /teacher/success.jsp > >>> GET > >>> POST > >>> > >> > >> Remove the methods. By enumerating methods ONLY those methods are > >> protected. PUT, HEAD, DELETE, etc. aould all be permitted. > >> > >> > >> > >> > >>> Now when I click on submit I get the following error page in Tomcat -: > >>> > >>> > >>> *HTTP Status 400 - Invalid direct reference to form login page* > >>> > >>> *message* *Invalid direct reference to form login page* > >>> > >>> *description* *The request sent by the client was syntactically > >> incorrect.* > >>> > >>> > >>> Why is this happening ? Any help would be greatly appreciated. > >> > >> Because you requested the login page directly. You need to request the > >> protected page and Tomcat will handle the redirects. > >> > >> Mark > >> > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
RE: HTTP 400 with Form based authentication
> From: Sreyan Chakravarty [mailto:sreyan.mail...@gmail.com] > Subject: Re: HTTP 400 with Form based authentication > My security constraint is as follow-: > > FORM > > /index.jsp > /index.jsp?error=true > > > This is my understanding of the whole process. Please don't tell me that I > have to put as /teacher/success.jsp. If so then where do > I designate the login page ? One problem is that you have designated a welcome-file as the login page, pretty much forcing an infinite loop if a client doesn't request a specific resource. You want your login page to be completely separate (e.g., login.jsp) - it should never be directly referenced by a client. The server handles the replay of the original request once the login has been satisfied. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 12:34 PM, Sreyan Chakravarty wrote: > Wait I am sure I am going wrong in a fundamental area. > > My security constraint is as follow-: > > > TECHERS > /teacher/success.jsp > GET POST > > > TEACHER > > > FORM > /index.jsp > /index.jsp?error=true > > > TEACHER > > Now let me tell you what I understand from this-: > > > - The /teacher/success.jsp is protected > via a FORM login page that is index.jsp - Therefore the page after > login which the user will land to is /teacher/success.jsp. I don't > need to specify that elsewhere. - element > designates the login page. - element designates > the page to go to if login has failed. > > This is my understanding of the whole process. Please don't tell me > that I have to put as /teacher/success.jsp. If so > then where do I designate the login page ? > > Forgive my noobishness. Just starting out with servlet security. With your above configuration, you have to point your web browser at https://yourhost/teacher/success.jsp This will cause Tomcat to send you to the login page, and you can ener your username and password. Once you enter the right username and password, Tomcat will actually send you to /teacher/success.jsp You really should read the Servlet Spec's section on authentication. In fact, read the whole spec. It's quite readable and if you are going to be writing web applications, you really ought to have read it. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5I30AAoJEBzwKT+lPKRYNvUQAIQOP8ShOVFnGkia8kAE2HMO mDbr7f54havmRECpC2mCbxvIr3YphXMcDBZJpmuD1IS6ybNIa0hzvX/L2hSmxBYA l2oDgInsm+jX+ndkHfZMtKcYp0Fku1Zg4VbSI13z+kTxObBd3tMN0ngkWGqO8YJC 4lwV62ho+wx0Xg9r7tpHgqjYfLGDBwJiKkKyG47FNbDtkZFp/BukVMY2QJWKwDuj Jb68wQ90jL4xBBLP6zCaJwpNXYjawAdJCCnFJkm90/6DhGzybnWMMQ736CVYdV/T 64npEeglSytj/KUJlzsO5aCEMK5CZi13D2CYYP2Svh/bGvrlUoHn3sGuAScavgn5 NKT5KdyiXkvXV5YOghTaycje9pXBUkQmhHsIWFMj1vuJOU8E0X+Rl+MJ2fSGrgic D0x/zM58pUAPKnA2TD8xcUwLCDSo4akqCt64OPZNmM+i2hi2wXYVF4xfKBUD39GV oau/MeEj4c8xYHoswC/vC3X1Ol2a3Kliubbb1owXIQUEzILCPFf8tfB/awFMwVDj SfYR7nFtPvkHygqVY15Q38w3bxmobwlV/6Zb4mpmPER/OLQuWfNbdT7z/qVIZ53G FSOaFfsWOgFFD3mjn1IUezVOjTUSpaTRU5xCIoM6LC7XdOxYLTMFKIyk1rjEEWbh 0+wJHnsU1MbmxszEHMxd =5ou+ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
First of all I did read the Servlet Spec, it provided no hint as to what I was doing wrong. So you are saying that I can't have a login form on the page when the welcome page ? Why not ? Tons of site have just that, like Twitter and Facebook. It seems weird why I can't have it on my welcome page. And wait a minute. You are telling me that I have to first point my web browser to /teacher/success.jsp and then when I get the login page and login ? What can't I do the following-: First login from the login page and then go to success.jsp ? Why do I have to first hit an auth error and then be redirected back to login and then provide my user/pass combo ? So how do you code a login module ? Where I can login first and then go to my resources ? This is indeed weird. On Mon, Aug 31, 2015 at 10:55 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Sreyan, > > On 8/31/15 12:34 PM, Sreyan Chakravarty wrote: > > Wait I am sure I am going wrong in a fundamental area. > > > > My security constraint is as follow-: > > > > > > TECHERS > > /teacher/success.jsp > > GET POST > > > > > > TEACHER > > > > > > FORM > > /index.jsp > > /index.jsp?error=true > > > > > > TEACHER > > > > Now let me tell you what I understand from this-: > > > > > > - The /teacher/success.jsp is protected > > via a FORM login page that is index.jsp - Therefore the page after > > login which the user will land to is /teacher/success.jsp. I don't > > need to specify that elsewhere. - element > > designates the login page. - element designates > > the page to go to if login has failed. > > > > This is my understanding of the whole process. Please don't tell me > > that I have to put as /teacher/success.jsp. If so > > then where do I designate the login page ? > > > > Forgive my noobishness. Just starting out with servlet security. > > With your above configuration, you have to point your web browser at > https://yourhost/teacher/success.jsp > > This will cause Tomcat to send you to the login page, and you can ener > your username and password. Once you enter the right username and > password, Tomcat will actually send you to /teacher/success.jsp > > You really should read the Servlet Spec's section on authentication. > In fact, read the whole spec. It's quite readable and if you are going > to be writing web applications, you really ought to have read it. > > - -chris > -BEGIN PGP SIGNATURE- > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJV5I30AAoJEBzwKT+lPKRYNvUQAIQOP8ShOVFnGkia8kAE2HMO > mDbr7f54havmRECpC2mCbxvIr3YphXMcDBZJpmuD1IS6ybNIa0hzvX/L2hSmxBYA > l2oDgInsm+jX+ndkHfZMtKcYp0Fku1Zg4VbSI13z+kTxObBd3tMN0ngkWGqO8YJC > 4lwV62ho+wx0Xg9r7tpHgqjYfLGDBwJiKkKyG47FNbDtkZFp/BukVMY2QJWKwDuj > Jb68wQ90jL4xBBLP6zCaJwpNXYjawAdJCCnFJkm90/6DhGzybnWMMQ736CVYdV/T > 64npEeglSytj/KUJlzsO5aCEMK5CZi13D2CYYP2Svh/bGvrlUoHn3sGuAScavgn5 > NKT5KdyiXkvXV5YOghTaycje9pXBUkQmhHsIWFMj1vuJOU8E0X+Rl+MJ2fSGrgic > D0x/zM58pUAPKnA2TD8xcUwLCDSo4akqCt64OPZNmM+i2hi2wXYVF4xfKBUD39GV > oau/MeEj4c8xYHoswC/vC3X1Ol2a3Kliubbb1owXIQUEzILCPFf8tfB/awFMwVDj > SfYR7nFtPvkHygqVY15Q38w3bxmobwlV/6Zb4mpmPER/OLQuWfNbdT7z/qVIZ53G > FSOaFfsWOgFFD3mjn1IUezVOjTUSpaTRU5xCIoM6LC7XdOxYLTMFKIyk1rjEEWbh > 0+wJHnsU1MbmxszEHMxd > =5ou+ > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Sreyan, On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: > First of all I did read the Servlet Spec, it provided no hint as to > what I was doing wrong. > > So you are saying that I can't have a login form on the page when > the welcome page ? Why not ? Tons of site have just that, like > Twitter and Facebook. It seems weird why I can't have it on my > welcome page. Oh, you can do it, but you'll have to implement it yourself. Go re-read the spec's section on how FORM authentication works. Note that you are required to attempt to access a protected page before being asked for authentication. I think it's a big hole in the spec that should be filled, but anything Tomcat would do for you here is, by definition, out-of-spec. > And wait a minute. You are telling me that I have to first point my > web browser to /teacher/success.jsp and then when I get the login > page and login ? Yes. > What can't I do the following-: > > First login from the login page and then go to success.jsp? You sure can do that, but you can't use j_security_check as yourPOST target. Instead, you have to write your own Servlet and then (probably) call HttpServletRequest.login() from there, then redirect the user to wherever you want them to go. > Why do I have to first hit an auth error and then be redirected > back to login and then provide my user/pass combo ? This is spec-defined behavior. > So how do you code a login module ? Where I can login first and > then go to my resources ? What's a "login module"? > This is indeed weird. It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But certainly not weird. Servlet 3.0 added the HttpServletRequest.login() method would improved the situation greatly: you can implement your own login handler that plugs-into the authentication services of the container. It's just that the container doesn't handle any redirection to a login page (none is required) or credential capturing (easily done with a servlet). Really the only thing the servlet spec is missing is a setting in like or something like that, so that if you try to login with j_security_check and you hadn't already requested a protected resource, the container knows where to send the user after authentication. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5JOeAAoJEBzwKT+lPKRYwSgQAJAARzjHnDqMXY9QexbBpyrZ DSZSxqCRljdHtnEEuBjlLfT8FRUATIU3g0rHZ99SQSXhgYojfvCZ7WalO3izxu6o NvmbptcCo/rASOvVqtVYpTu1ONhSgGu/v0fZ7maZksMlb0yXUSHpM5EeUucU92NK AEnZElXlV+6yf2arN9R5L80lZHxioF5tUkS1RoqYsBr3+1KuS1DzfVVO2NKzPLiK L03QVRCGdDtln66m6lrbPNjgzhMK3HvqMiHAPuED5sTMAha8uk5HTZfM855ojuY4 x8whD7X/6JjTemLue1pzd1CfSGx+EDxrgxgOscFyA4PK0zy8vQWnsnb5MAjKtvdw +8oHg445RDoYG6BYJ1ZXbTmft9APN37PCeyxzKcGEv0sEzj4q5XRIr8oNiXi74mf 8CQ1QsFv6tlMHysLk/3Tj53AwscZ59xnovjH5lUJqGDi8v6uIojhCOAwzG5UBQF0 JHq6Nd295a3Qp9XTj0WCyDJ6gHyDlzNMivI/dJzkaHOSeyML/hSfYSKKEL1vaOOO OECSLWqCWiXztOCNCbHvT5YINSmzqV1hdqoPEdSQyLlVbeHrK6vrZVAFpoqoxOOp ZaliFI6FTZkyiz3KE6pUjMR6PSiiTwK5GW/xhiI2ky5tcBgv4y8ZHXDiTOmchFt4 M5Rksa1BFd+fVbV0tn6m =u/HP -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
On 31/08/2015 18:49, Christopher Schultz wrote: > Really the only thing the servlet spec is missing is a setting in > like or something like that, so > that if you try to login with j_security_check and you hadn't already > requested a protected resource, the container knows where to send the > user after authentication. And that is a feature Tomcat provides as an extension to the FORM authenticator. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 8/31/15 2:01 PM, Mark Thomas wrote: > On 31/08/2015 18:49, Christopher Schultz wrote: > >> Really the only thing the servlet spec is missing is a setting >> in like or something like >> that, so that if you try to login with j_security_check and you >> hadn't already requested a protected resource, the container >> knows where to send the user after authentication. > > And that is a feature Tomcat provides as an extension to the FORM > authenticator. Yeah... I thought I remembered doing that but I couldn't find the reference to it and I'm fairly busy today :) Thanks for the reference. - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5Jl9AAoJEBzwKT+lPKRYmQEP/2d0tmw48jatl/Q3HoXhSvCn W13Rr4/7t0GlgxtHfHKzv68XA8EnzvcpWg/aYnN+xSUZ4dbNcdVOjYU6SpR/bDRI Cg0zLnr/KccTKpd6OuSxzczWSc6OEVviIPthFATb9R6ooPJ/sS3AR5Be6wKjbeCD yAQZCQXMfBHDd39Zi6FWmWX4D0PJ8xht9Wq7bwrTup5Wpri8VRkQtQWoCzjcWCK5 hxweWqyFy0d0FCUFm+BK1DtoO3OlLpnDLTc1qRENlfrQ+x1aMzb0n77fFI5lKrPw y4jugfuFgFN/Q3DLAdRgysii6hWLT2Ymt6bIxDYX9QzKNmf12KtwqoeyHxVP4so7 /jUoEqnT4m8Twef6tBZ7XIBWwLJiYTEavA1nalIIa8VMniLb0pZBwfkBD7bA13Ln fMHfDWEkJ4mADn9cCAzKRXYEAXlOheDpErEtXmLb+RZA/2th+0hgpPo3KzDu4YRq h7CCvC1/OBNu4WRIC1FBTQoacZHlpol/AWAecXVoHY85349L+UHcpVIrgLMQsKtP VGJI2aM5oDAiAf2v3AXVXhwvDbuBZfbrbgmiVzviNW9seKtLnz6lAA49uo0sceAf g6EQj/B3coUWHszmZpCh2W4iiSaEqDMntZl03a2NqwBdTa9+ShbFktOu7JfrX3bo zuoqrRYFZi25hAE7/Xfw =8MYf -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
Well Christopher thanks for that eye opener. I didn't know that the specs were so inconsistent. Okay now regarding your comment-: "Servlet 3.0 added the HttpServletRequest.login() method would improved the situation greatly: you can implement your own login handler that plugs-into the authentication services of the container. It's just that the container doesn't handle any redirection to a login page (none is required) or credential capturing (easily done with a servlet)." How do you implement your own login handler and how do you plug that into Tomcat Auth services. Can you provide some info as to how I would do that ? And what is the extension to FORM Authenticator that Mark is talking about ? Also correct me if I am wrong, then the page that I use to login and the page that will contain j_security_check as an action must be two different pages. Also can I have two elements in my web.xml ? On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Sreyan, > > On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: > > First of all I did read the Servlet Spec, it provided no hint as to > > what I was doing wrong. > > > > So you are saying that I can't have a login form on the page when > > the welcome page ? Why not ? Tons of site have just that, like > > Twitter and Facebook. It seems weird why I can't have it on my > > welcome page. > > Oh, you can do it, but you'll have to implement it yourself. Go > re-read the spec's section on how FORM authentication works. Note that > you are required to attempt to access a protected page before being > asked for authentication. I think it's a big hole in the spec that > should be filled, but anything Tomcat would do for you here is, by > definition, out-of-spec. > > > And wait a minute. You are telling me that I have to first point my > > web browser to /teacher/success.jsp and then when I get the login > > page and login ? > > Yes. > > > What can't I do the following-: > > > > First login from the login page and then go to success.jsp? > > You sure can do that, but you can't use j_security_check as yourPOST > target. Instead, you have to write your own Servlet and then > (probably) call HttpServletRequest.login() from there, then redirect > the user to wherever you want them to go. > > > Why do I have to first hit an auth error and then be redirected > > back to login and then provide my user/pass combo ? > > This is spec-defined behavior. > > > So how do you code a login module ? Where I can login first and > > then go to my resources ? > > What's a "login module"? > > > This is indeed weird. > > It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But > certainly not weird. > > Servlet 3.0 added the HttpServletRequest.login() method would improved > the situation greatly: you can implement your own login handler that > plugs-into the authentication services of the container. It's just > that the container doesn't handle any redirection to a login page > (none is required) or credential capturing (easily done with a servlet). > > Really the only thing the servlet spec is missing is a setting in > like or something like that, so > that if you try to login with j_security_check and you hadn't already > requested a protected resource, the container knows where to send the > user after authentication. > > - -chris > -BEGIN PGP SIGNATURE- > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCAAGBQJV5JOeAAoJEBzwKT+lPKRYwSgQAJAARzjHnDqMXY9QexbBpyrZ > DSZSxqCRljdHtnEEuBjlLfT8FRUATIU3g0rHZ99SQSXhgYojfvCZ7WalO3izxu6o > NvmbptcCo/rASOvVqtVYpTu1ONhSgGu/v0fZ7maZksMlb0yXUSHpM5EeUucU92NK > AEnZElXlV+6yf2arN9R5L80lZHxioF5tUkS1RoqYsBr3+1KuS1DzfVVO2NKzPLiK > L03QVRCGdDtln66m6lrbPNjgzhMK3HvqMiHAPuED5sTMAha8uk5HTZfM855ojuY4 > x8whD7X/6JjTemLue1pzd1CfSGx+EDxrgxgOscFyA4PK0zy8vQWnsnb5MAjKtvdw > +8oHg445RDoYG6BYJ1ZXbTmft9APN37PCeyxzKcGEv0sEzj4q5XRIr8oNiXi74mf > 8CQ1QsFv6tlMHysLk/3Tj53AwscZ59xnovjH5lUJqGDi8v6uIojhCOAwzG5UBQF0 > JHq6Nd295a3Qp9XTj0WCyDJ6gHyDlzNMivI/dJzkaHOSeyML/hSfYSKKEL1vaOOO > OECSLWqCWiXztOCNCbHvT5YINSmzqV1hdqoPEdSQyLlVbeHrK6vrZVAFpoqoxOOp > ZaliFI6FTZkyiz3KE6pUjMR6PSiiTwK5GW/xhiI2ky5tcBgv4y8ZHXDiTOmchFt4 > M5Rksa1BFd+fVbV0tn6m > =u/HP > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP 400 with Form based authentication
Ok I found FormAuthenticator and landingPage attribute in it in the source. But how do I use that in my application ? What do I do ? Any documentation for this ? On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < sreyan.mail...@gmail.com> wrote: > Well Christopher thanks for that eye opener. I didn't know that the specs > were so inconsistent. > > Okay now regarding your comment-: > > "Servlet 3.0 added the HttpServletRequest.login() method would improved > the situation greatly: you can implement your own login handler that > plugs-into the authentication services of the container. It's just > that the container doesn't handle any redirection to a login page > (none is required) or credential capturing (easily done with a servlet)." > > How do you implement your own login handler and how do you plug that into > Tomcat Auth services. Can you provide some info as to how I would do that ? > > And what is the extension to FORM Authenticator that Mark is talking about > ? > > Also correct me if I am wrong, then the page that I use to login and the > page that will contain j_security_check as an action must be two different > pages. > > Also can I have two elements in my web.xml ? > > On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> Sreyan, >> >> On 8/31/15 1:39 PM, Sreyan Chakravarty wrote: >> > First of all I did read the Servlet Spec, it provided no hint as to >> > what I was doing wrong. >> > >> > So you are saying that I can't have a login form on the page when >> > the welcome page ? Why not ? Tons of site have just that, like >> > Twitter and Facebook. It seems weird why I can't have it on my >> > welcome page. >> >> Oh, you can do it, but you'll have to implement it yourself. Go >> re-read the spec's section on how FORM authentication works. Note that >> you are required to attempt to access a protected page before being >> asked for authentication. I think it's a big hole in the spec that >> should be filled, but anything Tomcat would do for you here is, by >> definition, out-of-spec. >> >> > And wait a minute. You are telling me that I have to first point my >> > web browser to /teacher/success.jsp and then when I get the login >> > page and login ? >> >> Yes. >> >> > What can't I do the following-: >> > >> > First login from the login page and then go to success.jsp? >> >> You sure can do that, but you can't use j_security_check as yourPOST >> target. Instead, you have to write your own Servlet and then >> (probably) call HttpServletRequest.login() from there, then redirect >> the user to wherever you want them to go. >> >> > Why do I have to first hit an auth error and then be redirected >> > back to login and then provide my user/pass combo ? >> >> This is spec-defined behavior. >> >> > So how do you code a login module ? Where I can login first and >> > then go to my resources ? >> >> What's a "login module"? >> >> > This is indeed weird. >> >> It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But >> certainly not weird. >> >> Servlet 3.0 added the HttpServletRequest.login() method would improved >> the situation greatly: you can implement your own login handler that >> plugs-into the authentication services of the container. It's just >> that the container doesn't handle any redirection to a login page >> (none is required) or credential capturing (easily done with a servlet). >> >> Really the only thing the servlet spec is missing is a setting in >> like or something like that, so >> that if you try to login with j_security_check and you hadn't already >> requested a protected resource, the container knows where to send the >> user after authentication. >> >> - -chris >> -BEGIN PGP SIGNATURE- >> Comment: GPGTools - http://gpgtools.org >> >> iQIcBAEBCAAGBQJV5JOeAAoJEBzwKT+lPKRYwSgQAJAARzjHnDqMXY9QexbBpyrZ >> DSZSxqCRljdHtnEEuBjlLfT8FRUATIU3g0rHZ99SQSXhgYojfvCZ7WalO3izxu6o >> NvmbptcCo/rASOvVqtVYpTu1ONhSgGu/v0fZ7maZksMlb0yXUSHpM5EeUucU92NK >> AEnZElXlV+6yf2arN9R5L80lZHxioF5tUkS1RoqYsBr3+1KuS1DzfVVO2NKzPLiK >> L03QVRCGdDtln66m6lrbPNjgzhMK3HvqMiHAPuED5sTMAha8uk5HTZfM855ojuY4 >> x8whD7X/6JjTemLue1pzd1CfSGx+EDxrgxgOscFyA4PK0zy8vQWnsnb5MAjKtvdw >> +8oHg445RDoYG6BYJ1ZXbTmft9APN37PCeyxzKcGEv0sEzj4q5XRIr8oNiXi74mf >> 8CQ1QsFv6tlMHysLk/3Tj53AwscZ59xnovjH5lUJqGDi8v6uIojhCOAwzG5UBQF0 >> JHq6Nd295a3Qp9XTj0WCyDJ6gHyDlzNMivI/dJzkaHOSeyML/hSfYSKKEL1vaOOO >> OECSLWqCWiXztOCNCbHvT5YINSmzqV1hdqoPEdSQyLlVbeHrK6vrZVAFpoqoxOOp >> ZaliFI6FTZkyiz3KE6pUjMR6PSiiTwK5GW/xhiI2ky5tcBgv4y8ZHXDiTOmchFt4 >> M5Rksa1BFd+fVbV0tn6m >> =u/HP >> -END PGP SIGNATURE- >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >
Re: HTTP 400 with Form based authentication
On 31/08/2015 07:00, Sreyan Chakravarty wrote: > I don't understand where did I request the login page directly ? I just put > as index.jsp and and the error page as > index.jsp?error=true. > > So where is my error ? Did you request '/teacher/success.jsp' ? No, you did not. Did you request '/index.jsp' (or '/' that because of welcome page processing would forward to '/index.jsp') ? Yes, you did. And that is your error. Mark > > On Sun, Aug 30, 2015 at 9:54 PM, Mark Thomaswrote: > >> On 29/08/2015 22:16, Sreyan Chakravarty wrote: >>> Okay this is my first try at container based authentication using Realms >> in >>> Tomcat. And things have gone wrong. Here is my login page -: >> >> >> >> >>> My web.xml security configuration is -: >>> >>> >>> >>> TECHERS >>> /teacher/success.jsp >>> GET >>> POST >>> >> >> Remove the methods. By enumerating methods ONLY those methods are >> protected. PUT, HEAD, DELETE, etc. aould all be permitted. >> >> >> >> >>> Now when I click on submit I get the following error page in Tomcat -: >>> >>> >>> *HTTP Status 400 - Invalid direct reference to form login page* >>> >>> *message* *Invalid direct reference to form login page* >>> >>> *description* *The request sent by the client was syntactically >> incorrect.* >>> >>> >>> Why is this happening ? Any help would be greatly appreciated. >> >> Because you requested the login page directly. You need to request the >> protected page and Tomcat will handle the redirects. >> >> Mark >> >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP 400 with Form based authentication
On 29/08/2015 22:16, Sreyan Chakravarty wrote: Okay this is my first try at container based authentication using Realms in Tomcat. And things have gone wrong. Here is my login page -: snip/ My web.xml security configuration is -: security-constraint web-resource-collection web-resource-nameTECHERS/web-resource-name url-pattern/teacher/success.jsp/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection Remove the methods. By enumerating methods ONLY those methods are protected. PUT, HEAD, DELETE, etc. aould all be permitted. snip/ Now when I click on submit I get the following error page in Tomcat -: *HTTP Status 400 - Invalid direct reference to form login page* *message* *Invalid direct reference to form login page* *description* *The request sent by the client was syntactically incorrect.* Why is this happening ? Any help would be greatly appreciated. Because you requested the login page directly. You need to request the protected page and Tomcat will handle the redirects. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
HTTP 400 with Form based authentication
Okay this is my first try at container based authentication using Realms in Tomcat. And things have gone wrong. Here is my login page -: html body h2Login/h2 form method=post action=j_security_check User ID: input type=text name=j_username / br / Password: input type=password name=j_password / br / input type=submit value=Login /form /body /html As you can see its as simple as it can get. Once I click Submit with proper user creds I am suppose to land up in the /protected/success.jsp. (Its in a folder called protected which is under the webapp folder) The success page looks like the following-: ?xml version=1.0 encoding=ISO-8859-1 ? %@ page language=java contentType=text/html; charset=ISO-8859-1 pageEncoding=ISO-8859-1% !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd; html xmlns=http://www.w3.org/1999/xhtml; head meta http-equiv=Content-Type content=text/html; charset=ISO-8859-1 / titleHello User/title /head body h3Success/h3 /body /html Also as simple as it can get. My web.xml security configuration is -: security-constraint web-resource-collection web-resource-nameTECHERS/web-resource-name url-pattern/teacher/success.jsp/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection auth-constraint role-nameTEACHER/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/index.jsp/form-login-page form-error-page/index.jsp?error=true/form-error-page /form-login-config /login-config security-role role-nameTEACHER/role-name /security-role Point out any errors if you find any. I have configured the realm in my context.xml as follows-: Realm className=org.apache.catalina.realm.DataSourceRealm localDataSource=true dataSourceName=jdbc/TestDB userTable=users userNameCol=user_id userCredCol=user_pass userRoleTable=user_roles roleNameCol=role_name CredentialHandler className = org.apache.catalina.realm.SecretKeyCredentialHandler algorithm = PBEWITHHMACSHA384ANDAES_256 iterations = 11 saltLength = 20 / /Realm Now when I click on submit I get the following error page in Tomcat -: *HTTP Status 400 - Invalid direct reference to form login page* *message* *Invalid direct reference to form login page* *description* *The request sent by the client was syntactically incorrect.* Why is this happening ? Any help would be greatly appreciated. What does the error mean ? Please check my web.xml and tell me if I am wrong. Regards Sreyan Chakravarty
How to set Session Values with Form Based Authentication
Hi, I'm using form based authentication with j_security_check. I want to set some session values upon the user login. I can set them in the index page. But when user directly put some other url then it will redirect to login page and then back to the actual requested page. Therefore my logic on index page will not get execute. Is there a way for me to set the session value when using j-security_check based form authentication in Tomcat? Thanks /Thusitha --
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/12/15 7:10 PM, rop wrote: Hi Chris, Yes, we are applying salt before hashing (to prevent googling up many passwords from the hashes). Depending upon how you are storing the salt, you may be able to use Tomcat out of the box, now, because Tomcat can now do salted passwords (it was way overdue). Override probably seemed like easiest way at the time, but maybe a better way now. Will check it out, thanks. You will be better-off moving away from Realm and towards CredentialHandler instead. Consider beginning to evaluate that for the future. - -chris On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz ch...@christopherschultz.net wrote: Rop, On 3/12/15 3:33 PM, rop wrote: Finally, found the issue. Please bottom-post if you can. Also, please sign your posts. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote: On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49 do not exist in the tomcat archive) And from 7.0.50 it breaks. So apparently, between 47 and 50 some change occurred that breaks our login Nothing jumps out at me in the change log. I'd add that FORM auth is tested as part of every release so it isn't a general problem. In your shoes, I'd be firing up Eclipse and remote debugging my way through the authentication process. Alternatively, try creating the smallest/simplest possible WAR that exhibits the problem. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that). It is much more extensible, now. Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest for password-hashing in there, by simply overriding the digest() method. Do you need to extend the whole realm, or did you just want to override Tomcat's default password-hashing algorithm? If you just want to tweak the hashing algorithm, you can write a simpler class and not subclass DataSourceRealm. What does your Realm do besides change the password-comparison algorithm? Before 7.0.50, this worked fine *without* explicitly setting the DataSourceRealm.setDigest() property. It's always been null, and still worked. This was because it defaulted to MD5 and Tomcat always used simplistic credential-hashing. It's much more sophisticated, now, and also supports things like Bcrypt, Scrypt, PBKDF2, etc. But the new method RealmBase.compareCredentials() assumes: if you use messageDigest, this property MUST be set. ( compareCredentials() calls hasMessageDigest() which did not happen in earlier versions. ) So the solution was to simply add the property digest in Realm digest=... ... which we didnt have there before. Then it works. Great. But I think you can do better. If your Realm merely changes the way hashing is done, please check-out the new features. You may be able to a) eliminate your class altogether due to new features or b) replace your Realm with a CredentialHandler that only does the mutation and comparison of credentials. We did this so you can use the same credential-mutations on *any* realm, without having to subclass every Realm to do it. Hope that helps, -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAvnDAAoJEBzwKT+lPKRYswIQAK+OITerGZSKo0NWWtpDGZZk yFbT2fwf4HfqveG0pP24pcF+1EJAkKJlPt+D/eonRw4REdVBjWlj5KOBVNSJSEcw JS+2tcOYNdJFx/EYL1EvTOCB4mKuzwpyfegikfP6pj/hy1rBXGOzVVNpHPIoUQ5Q ugkWqBckBZa/jVDwsvWbZUJPTuwYFs4HqdEfH4Y9NRvzBNz3a/cIjnRB75jAl+AY 0Wdcfe1YifFssVQv/jX8b+kUhVcrYQzS1EKzyJzuPcPYwF8X7sCLDB8QMkrB6Gkg FMHZA48ytQSrGJyq+rZ62C97Y/nXsQ4EKsK4+cLwcinjfEJ5MhSvZGY7I8Vm+cQk Xpika0vRNV8NtX+vqpdTS7lg/QeqZkUFn2KrDtpNyyS2e9lsbJ3laCcmDgg345VS DY7icmTsuNbc9gcWMJzcf5AuSmf/U2GhhTgIza9mO9SkT/uckxOYX8q6bu1WT/8L wSJeGPRI/VqIEik83X3dFWP6BcCguidjOB4J1uAowl1T1fKhrmVlsZ3LP9m9MWbO 0E4P7bRKIX3JlZvyqI2U2UFheFefj0vK/PCIUAttNDzuXENPvxigEiVrvYf5Qx37 JfVrW5cxHMGyUQ3YIVlZmRiwWT4hnZzbTLHxvs6/1mtu7Zr8267RcissgoEv5E7X 3X/MceB38qv4a3npJchq =HqR1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
On 3/12/2015 10:16 AM, rop wrote: Hi Chris, Thanks for your input. Re your points a+b: You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml Actually neither we define the Realm in $CATALINA_BASE/conf/server.xml That's also what I see in the Tomcat-docs: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm That is his option (a) in his list. Did you check that? And I see no mention of META-INF anywhere in there. Can you please elaborate what you're referring to? On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find anything in catalina.out related to this. What about the other log files in logs/? Nothing? :( From our logging, it appears the DataSourceRealm.authenticate() never gets called at all. What is your Realm configuration, and in what file is it configured? If I downgrade to 7.0.35, it works again... Anyone has a clue if anything changed between these versions, what the problem might be, or even how to troubleshoot the issue? Some initial thoughts for what could be wrong: a. You have put your Realm into conf/server.xml instead of into your web application's META-INF/context.xml file, and you forgot to copy that configuration from 7.0.35 to your new 7.0.59 install. b. You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml file, and you should not have done that at all; move the Realm into META-INF/context.xml c. The configuration you are modifying isn't the one that Tomcat is actually using. I find that this happens a lot to people who are launching Tomcat from within an IDE like Eclipse, because the IDE does odd things with configuration management. d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory and didn't copy it into Tomcat 7.0.59's lib/ directory, though this should have given you errors on startup. Take a look at those possibilities and let us know what you find. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAEKTAAoJEBzwKT+lPKRYyHMP/RbZX8neYPrCCGh0lTOQ7PRG MOXkxFSbQRGsWwV2tyH//Q41IKfSy1Tlb01zbxNklb7gy3h+j+8JgFoYLOjg/iVz f6XSfw4tUbpTMK/1kqIvpTIMbgi9aK18O+5aLlTdrvAguDZsODgylTi4MTTVZUPZ v1c+iQbvO8bC7YG81bBm+76rD9pyrMVFbvCPKijfZHTXk5CivaNDwtpysTgDyE65 aG4cHumGSf6JjxSG4cw84OteY6CAYfcNBVDe0/y+F3WKjB6BQ8eHWHEYR57pK+L8 sbxyp6gg5k5Fbrrk/EgEx30CL+rQQfsUkCwKfzlcn3J0fsaE043vnKcNmHA8c6QB DgC29Bj/o7WkW+hdB7UqB6d0Hq/x+lMZ1JDedEFQFm0IqIxyE3pI6PAX4BHQiWqG 04QB1kRJ32RhYX3+/6Le16FKVxwp2tjuv+xby6gsIGzEY817nIkmRi9SmdR8pGCx xaxY4uRCNsRrt3fj/nkpygg/ZABueMt+2ix0Nqpe8Wi5T6O8sTRW3jUqj8ZY78+G rbJZGBEbUuXe5s5o+ZsIfSjKY1U4NTtQhDd+ti8RpkDGy/pcSj2CNyPJ9NLS4E/u Lb1JdV2nANX4s5r7vWVP1Satzk4DGSx2e93ddy5wDk14vp09d1Fezaq5H8FXUxnc mzjWDKZT3BY6OqVoN2yj =b0eg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
Hi Chris, Thanks for your input. Re your points a+b: You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml Actually neither we define the Realm in $CATALINA_BASE/conf/server.xml That's also what I see in the Tomcat-docs: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#DataSourceRealm And I see no mention of META-INF anywhere in there. Can you please elaborate what you're referring to? On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find anything in catalina.out related to this. What about the other log files in logs/? Nothing? :( From our logging, it appears the DataSourceRealm.authenticate() never gets called at all. What is your Realm configuration, and in what file is it configured? If I downgrade to 7.0.35, it works again... Anyone has a clue if anything changed between these versions, what the problem might be, or even how to troubleshoot the issue? Some initial thoughts for what could be wrong: a. You have put your Realm into conf/server.xml instead of into your web application's META-INF/context.xml file, and you forgot to copy that configuration from 7.0.35 to your new 7.0.59 install. b. You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml file, and you should not have done that at all; move the Realm into META-INF/context.xml c. The configuration you are modifying isn't the one that Tomcat is actually using. I find that this happens a lot to people who are launching Tomcat from within an IDE like Eclipse, because the IDE does odd things with configuration management. d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory and didn't copy it into Tomcat 7.0.59's lib/ directory, though this should have given you errors on startup. Take a look at those possibilities and let us know what you find. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAEKTAAoJEBzwKT+lPKRYyHMP/RbZX8neYPrCCGh0lTOQ7PRG MOXkxFSbQRGsWwV2tyH//Q41IKfSy1Tlb01zbxNklb7gy3h+j+8JgFoYLOjg/iVz f6XSfw4tUbpTMK/1kqIvpTIMbgi9aK18O+5aLlTdrvAguDZsODgylTi4MTTVZUPZ v1c+iQbvO8bC7YG81bBm+76rD9pyrMVFbvCPKijfZHTXk5CivaNDwtpysTgDyE65 aG4cHumGSf6JjxSG4cw84OteY6CAYfcNBVDe0/y+F3WKjB6BQ8eHWHEYR57pK+L8 sbxyp6gg5k5Fbrrk/EgEx30CL+rQQfsUkCwKfzlcn3J0fsaE043vnKcNmHA8c6QB DgC29Bj/o7WkW+hdB7UqB6d0Hq/x+lMZ1JDedEFQFm0IqIxyE3pI6PAX4BHQiWqG 04QB1kRJ32RhYX3+/6Le16FKVxwp2tjuv+xby6gsIGzEY817nIkmRi9SmdR8pGCx xaxY4uRCNsRrt3fj/nkpygg/ZABueMt+2ix0Nqpe8Wi5T6O8sTRW3jUqj8ZY78+G rbJZGBEbUuXe5s5o+ZsIfSjKY1U4NTtQhDd+ti8RpkDGy/pcSj2CNyPJ9NLS4E/u Lb1JdV2nANX4s5r7vWVP1Satzk4DGSx2e93ddy5wDk14vp09d1Fezaq5H8FXUxnc mzjWDKZT3BY6OqVoN2yj =b0eg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49 do not exist in the tomcat archive) And from 7.0.50 it breaks. So apparently, between 47 and 50 some change occurred that breaks our login On Thu, Mar 12, 2015 at 3:37 PM, David kerber dcker...@verizon.net wrote: On 3/12/2015 10:16 AM, rop wrote: Hi Chris, Thanks for your input. Re your points a+b: You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml Actually neither we define the Realm in $CATALINA_BASE/conf/server.xml That's also what I see in the Tomcat-docs: http://tomcat.apache.org/tomcat-7.0-doc/realm-howto. html#DataSourceRealm That is his option (a) in his list. Did you check that? And I see no mention of META-INF anywhere in there. Can you please elaborate what you're referring to? On Wed, Mar 11, 2015 at 2:26 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find anything in catalina.out related to this. What about the other log files in logs/? Nothing? :( From our logging, it appears the DataSourceRealm.authenticate() never gets called at all. What is your Realm configuration, and in what file is it configured? If I downgrade to 7.0.35, it works again... Anyone has a clue if anything changed between these versions, what the problem might be, or even how to troubleshoot the issue? Some initial thoughts for what could be wrong: a. You have put your Realm into conf/server.xml instead of into your web application's META-INF/context.xml file, and you forgot to copy that configuration from 7.0.35 to your new 7.0.59 install. b. You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml file, and you should not have done that at all; move the Realm into META-INF/context.xml c. The configuration you are modifying isn't the one that Tomcat is actually using. I find that this happens a lot to people who are launching Tomcat from within an IDE like Eclipse, because the IDE does odd things with configuration management. d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory and didn't copy it into Tomcat 7.0.59's lib/ directory, though this should have given you errors on startup. Take a look at those possibilities and let us know what you find. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAEKTAAoJEBzwKT+lPKRYyHMP/RbZX8neYPrCCGh0lTOQ7PRG MOXkxFSbQRGsWwV2tyH//Q41IKfSy1Tlb01zbxNklb7gy3h+j+8JgFoYLOjg/iVz f6XSfw4tUbpTMK/1kqIvpTIMbgi9aK18O+5aLlTdrvAguDZsODgylTi4MTTVZUPZ v1c+iQbvO8bC7YG81bBm+76rD9pyrMVFbvCPKijfZHTXk5CivaNDwtpysTgDyE65 aG4cHumGSf6JjxSG4cw84OteY6CAYfcNBVDe0/y+F3WKjB6BQ8eHWHEYR57pK+L8 sbxyp6gg5k5Fbrrk/EgEx30CL+rQQfsUkCwKfzlcn3J0fsaE043vnKcNmHA8c6QB DgC29Bj/o7WkW+hdB7UqB6d0Hq/x+lMZ1JDedEFQFm0IqIxyE3pI6PAX4BHQiWqG 04QB1kRJ32RhYX3+/6Le16FKVxwp2tjuv+xby6gsIGzEY817nIkmRi9SmdR8pGCx xaxY4uRCNsRrt3fj/nkpygg/ZABueMt+2ix0Nqpe8Wi5T6O8sTRW3jUqj8ZY78+G rbJZGBEbUuXe5s5o+ZsIfSjKY1U4NTtQhDd+ti8RpkDGy/pcSj2CNyPJ9NLS4E/u Lb1JdV2nANX4s5r7vWVP1Satzk4DGSx2e93ddy5wDk14vp09d1Fezaq5H8FXUxnc mzjWDKZT3BY6OqVoN2yj =b0eg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49 do not exist in the tomcat archive) And from 7.0.50 it breaks. So apparently, between 47 and 50 some change occurred that breaks our login Nothing jumps out at me in the change log. I'd add that FORM auth is tested as part of every release so it isn't a general problem. In your shoes, I'd be firing up Eclipse and remote debugging my way through the authentication process. Alternatively, try creating the smallest/simplest possible WAR that exhibits the problem. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
Finally, found the issue. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that). Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest for password-hashing in there, by simply overriding the digest() method. Before 7.0.50, this worked fine *without* explicitly setting the DataSourceRealm.setDigest() property. It's always been null, and still worked. But the new method RealmBase.compareCredentials() assumes: if you use messageDigest, this property MUST be set. ( compareCredentials() calls hasMessageDigest() which did not happen in earlier versions. ) So the solution was to simply add the property digest in Realm digest=... ... which we didnt have there before. Then it works. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote: On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49 do not exist in the tomcat archive) And from 7.0.50 it breaks. So apparently, between 47 and 50 some change occurred that breaks our login Nothing jumps out at me in the change log. I'd add that FORM auth is tested as part of every release so it isn't a general problem. In your shoes, I'd be firing up Eclipse and remote debugging my way through the authentication process. Alternatively, try creating the smallest/simplest possible WAR that exhibits the problem. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/12/15 3:33 PM, rop wrote: Finally, found the issue. Please bottom-post if you can. Also, please sign your posts. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote: On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49 do not exist in the tomcat archive) And from 7.0.50 it breaks. So apparently, between 47 and 50 some change occurred that breaks our login Nothing jumps out at me in the change log. I'd add that FORM auth is tested as part of every release so it isn't a general problem. In your shoes, I'd be firing up Eclipse and remote debugging my way through the authentication process. Alternatively, try creating the smallest/simplest possible WAR that exhibits the problem. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that). It is much more extensible, now. Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest for password-hashing in there, by simply overriding the digest() method. Do you need to extend the whole realm, or did you just want to override Tomcat's default password-hashing algorithm? If you just want to tweak the hashing algorithm, you can write a simpler class and not subclass DataSourceRealm. What does your Realm do besides change the password-comparison algorithm? Before 7.0.50, this worked fine *without* explicitly setting the DataSourceRealm.setDigest() property. It's always been null, and still worked. This was because it defaulted to MD5 and Tomcat always used simplistic credential-hashing. It's much more sophisticated, now, and also supports things like Bcrypt, Scrypt, PBKDF2, etc. But the new method RealmBase.compareCredentials() assumes: if you use messageDigest, this property MUST be set. ( compareCredentials() calls hasMessageDigest() which did not happen in earlier versions. ) So the solution was to simply add the property digest in Realm digest=... ... which we didnt have there before. Then it works. Great. But I think you can do better. If your Realm merely changes the way hashing is done, please check-out the new features. You may be able to a) eliminate your class altogether due to new features or b) replace your Realm with a CredentialHandler that only does the mutation and comparison of credentials. We did this so you can use the same credential-mutations on *any* realm, without having to subclass every Realm to do it. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAe6tAAoJEBzwKT+lPKRYl6UP/AhEtn5f53OPipu+EN1r3iKR CkjrSZDT89yQ3LEqdV7mHkP1O1834MS8a21QVJ+AuLmceor2KRMkiwdAWbfa/uAx 5FKXg80n3Cu0lFQXrD3dHRq92+JPFJuAhN60s2VU+O76rbRgT4RkLULJa7j/t7Jr H2vQXL/kY2/y7Ku8Xg+I+be9fBdss7K0DBAq8PT1Qluo2BkHRjf5JU6D59xy0wXZ KMN6rnN7XRkKRw2/jZlle/fTBHKjIGO5Sq9lsr8KcS7Qpzguxlo3nZjz487pQ8Ok y1DV3pjNz7y4cZtL5j0zS8zxFf0Tlb5A/xfqn8japLXti0uBZEyld//b42mWlVD1 8OTcTh6B5XyMcqchfvfV/7Fp27EbKl6Gwtdn560NizQ3fCbmyx3QMWY5i1K+lq7P hlAYh4Xcs8WCS2aZ9s+R48AqsDAPsKVAHAam1i7wOe9k7yk7ziOkNvm1y9LNSseZ FPDc9G13O/JXDg7GRTOdX3yas2aXCygTkm062fd2Uvvv4E5musaIYE4VDJgAlWUJ cyY2Zx6DMjjSsDhxNgRgC6Z7c0eyjyHk7haWqMtWgqpDN0z+4qmc78o3hNoW5yfY TLEZQSKt7q04ECq0xlt0cktcp7hmHaB/gvu5bK+cYS8H4lmGAr9Fg6zbI31Uzyov xkQ8CoV6X9Oq0TlV3PXi =Y/0T -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
Hi Chris, Yes, we are applying salt before hashing (to prevent googling up many passwords from the hashes). Override probably seemed like easiest way at the time, but maybe a better way now. Will check it out, thanks. /Rop On Thu, Mar 12, 2015 at 8:53 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/12/15 3:33 PM, rop wrote: Finally, found the issue. Please bottom-post if you can. Also, please sign your posts. On Thu, Mar 12, 2015 at 6:18 PM, Mark Thomas ma...@apache.org wrote: On 12/03/2015 15:51, rop wrote: Ah, I got it now. Thanks, David. Yes, the a-b-c-d points are OK then. As a trouble-shoot action, I actually did an install-and-test binary search among the intermediate tomcat-versions to pinpoint exactly which version breaks our app. Turns out, up to 7.0.47 it still works OK. (7.0.48 and 7.0.49 do not exist in the tomcat archive) And from 7.0.50 it breaks. So apparently, between 47 and 50 some change occurred that breaks our login Nothing jumps out at me in the change log. I'd add that FORM auth is tested as part of every release so it isn't a general problem. In your shoes, I'd be firing up Eclipse and remote debugging my way through the authentication process. Alternatively, try creating the smallest/simplest possible WAR that exhibits the problem. The crucial change was in the method RealmBase.compareCredentials(), which is new in 7.0.50 (the comparison was much simpler before that). It is much more extensible, now. Dunno if we do something unusual here, but we just extend DataSourceRealm, like MyDataSourceRealm, and implement the message-digest for password-hashing in there, by simply overriding the digest() method. Do you need to extend the whole realm, or did you just want to override Tomcat's default password-hashing algorithm? If you just want to tweak the hashing algorithm, you can write a simpler class and not subclass DataSourceRealm. What does your Realm do besides change the password-comparison algorithm? Before 7.0.50, this worked fine *without* explicitly setting the DataSourceRealm.setDigest() property. It's always been null, and still worked. This was because it defaulted to MD5 and Tomcat always used simplistic credential-hashing. It's much more sophisticated, now, and also supports things like Bcrypt, Scrypt, PBKDF2, etc. But the new method RealmBase.compareCredentials() assumes: if you use messageDigest, this property MUST be set. ( compareCredentials() calls hasMessageDigest() which did not happen in earlier versions. ) So the solution was to simply add the property digest in Realm digest=... ... which we didnt have there before. Then it works. Great. But I think you can do better. If your Realm merely changes the way hashing is done, please check-out the new features. You may be able to a) eliminate your class altogether due to new features or b) replace your Realm with a CredentialHandler that only does the mutation and comparison of credentials. We did this so you can use the same credential-mutations on *any* realm, without having to subclass every Realm to do it. Hope that helps, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAe6tAAoJEBzwKT+lPKRYl6UP/AhEtn5f53OPipu+EN1r3iKR CkjrSZDT89yQ3LEqdV7mHkP1O1834MS8a21QVJ+AuLmceor2KRMkiwdAWbfa/uAx 5FKXg80n3Cu0lFQXrD3dHRq92+JPFJuAhN60s2VU+O76rbRgT4RkLULJa7j/t7Jr H2vQXL/kY2/y7Ku8Xg+I+be9fBdss7K0DBAq8PT1Qluo2BkHRjf5JU6D59xy0wXZ KMN6rnN7XRkKRw2/jZlle/fTBHKjIGO5Sq9lsr8KcS7Qpzguxlo3nZjz487pQ8Ok y1DV3pjNz7y4cZtL5j0zS8zxFf0Tlb5A/xfqn8japLXti0uBZEyld//b42mWlVD1 8OTcTh6B5XyMcqchfvfV/7Fp27EbKl6Gwtdn560NizQ3fCbmyx3QMWY5i1K+lq7P hlAYh4Xcs8WCS2aZ9s+R48AqsDAPsKVAHAam1i7wOe9k7yk7ziOkNvm1y9LNSseZ FPDc9G13O/JXDg7GRTOdX3yas2aXCygTkm062fd2Uvvv4E5musaIYE4VDJgAlWUJ cyY2Zx6DMjjSsDhxNgRgC6Z7c0eyjyHk7haWqMtWgqpDN0z+4qmc78o3hNoW5yfY TLEZQSKt7q04ECq0xlt0cktcp7hmHaB/gvu5bK+cYS8H4lmGAr9Fg6zbI31Uzyov xkQ8CoV6X9Oq0TlV3PXi =Y/0T -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication breaks after upgrade to Tom 7.0.59
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Rop, On 3/10/15 2:57 PM, rop wrote: We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find anything in catalina.out related to this. What about the other log files in logs/? Nothing? :( From our logging, it appears the DataSourceRealm.authenticate() never gets called at all. What is your Realm configuration, and in what file is it configured? If I downgrade to 7.0.35, it works again... Anyone has a clue if anything changed between these versions, what the problem might be, or even how to troubleshoot the issue? Some initial thoughts for what could be wrong: a. You have put your Realm into conf/server.xml instead of into your web application's META-INF/context.xml file, and you forgot to copy that configuration from 7.0.35 to your new 7.0.59 install. b. You have put your Realm into conf/context.xml instead of into your web application's META-INF/context.xml file, and you should not have done that at all; move the Realm into META-INF/context.xml c. The configuration you are modifying isn't the one that Tomcat is actually using. I find that this happens a lot to people who are launching Tomcat from within an IDE like Eclipse, because the IDE does odd things with configuration management. d. You installed your JDBC driver into Tomcat 7.0.35's lib/ directory and didn't copy it into Tomcat 7.0.59's lib/ directory, though this should have given you errors on startup. Take a look at those possibilities and let us know what you find. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVAEKTAAoJEBzwKT+lPKRYyHMP/RbZX8neYPrCCGh0lTOQ7PRG MOXkxFSbQRGsWwV2tyH//Q41IKfSy1Tlb01zbxNklb7gy3h+j+8JgFoYLOjg/iVz f6XSfw4tUbpTMK/1kqIvpTIMbgi9aK18O+5aLlTdrvAguDZsODgylTi4MTTVZUPZ v1c+iQbvO8bC7YG81bBm+76rD9pyrMVFbvCPKijfZHTXk5CivaNDwtpysTgDyE65 aG4cHumGSf6JjxSG4cw84OteY6CAYfcNBVDe0/y+F3WKjB6BQ8eHWHEYR57pK+L8 sbxyp6gg5k5Fbrrk/EgEx30CL+rQQfsUkCwKfzlcn3J0fsaE043vnKcNmHA8c6QB DgC29Bj/o7WkW+hdB7UqB6d0Hq/x+lMZ1JDedEFQFm0IqIxyE3pI6PAX4BHQiWqG 04QB1kRJ32RhYX3+/6Le16FKVxwp2tjuv+xby6gsIGzEY817nIkmRi9SmdR8pGCx xaxY4uRCNsRrt3fj/nkpygg/ZABueMt+2ix0Nqpe8Wi5T6O8sTRW3jUqj8ZY78+G rbJZGBEbUuXe5s5o+ZsIfSjKY1U4NTtQhDd+ti8RpkDGy/pcSj2CNyPJ9NLS4E/u Lb1JdV2nANX4s5r7vWVP1Satzk4DGSx2e93ddy5wDk14vp09d1Fezaq5H8FXUxnc mzjWDKZT3BY6OqVoN2yj =b0eg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Form-based authentication breaks after upgrade to Tom 7.0.59
We are trying to upgrade Tomcat from 7.0.35 to 7.0.59. For some reason, the form-based authentication gets broken after the upgrade, and just gives Invalid username and/or password, please try again when trying to login. Cannot find anything in catalina.out related to this. From our logging, it appears the DataSourceRealm.authenticate() never gets called at all. If I downgrade to 7.0.35, it works again... Anyone has a clue if anything changed between these versions, what the problem might be, or even how to troubleshoot the issue?
Re: Passing additional parameters using j_security_check (Form based authentication)
On 12 March 2014 20:40, Christopher Schultz ch...@christopherschultz.netwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/12/14, 10:47 AM, Neeraj Sinha wrote: Thanks. Actually in the realm implementation, I make a call to backend authenticate () method which validates various login rules and if any of them fails, it returns false and the user is not allowed to login (GenericPrincipal object is instantiated with an invalid role) and is re-directed to login page. One of the rule is user account locking rule so user can not be authenticated successfully unless his/her user account is unlocked first so this solution won't work. Then you'll have to do your own partial authentication, process the reset code, then perform *formal* authentication (using request.authenticate()), then forward to wherever users should go after they reset their passwords. - -chris Chris, Thanks. What I am doing now is that I am processing the unlock code and re-directing the request to my login page along with get parameter as status based on which a message is displayed if the unlock was successful and further allows user to login. Although the earlier implementation was not like this but I have seen in couple of applications where this approach is followed. -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTIHjsAAoJEBzwKT+lPKRYNo4P/jOQiQWlVFVu51i5KnpBGV5W HtjjnpJC6qU5Bu+MNqB2qcBeCJ6lTmlFZQ9fRSjL3CmDfkgBlApIoPebICMdGEoF wa9rNJljfkoUtUFpeas91rUwXXPYcKrlXFxelpemCHVu6EfoEVaFQh1s71e/gZrJ R5pkKSy4CWJxZ1R4GjuXadry39OvB5cjlnmLz8NpaNa337HrBe8EzsK/hmFBJjGB fUKORbxMszctpqzrQyaaRxkPwxw5duz8VaJ8kwimYXsMP4NmiNuX1xN8cDqxzJ2Z J23yqq0S9tIHbpGRIg867IHhbtSSyPv6tIihXdPZoNz7YwU9d7t8I0vut5c8kOzw JN5/wayIacqJTMuOHdwRr+n6RMw+RDgDMnlAXI/caUbXabCbdORDoo1CQlTs3wVv HeR0skCsRx2qDEnrLpnxrlrFwVbQiHBOpOH2yLi414YXdT203ndkmn9nSzCjOM5X uLF0yS2Q3MymFmJxaJrvmZwozf+LsNSUlTeVi+VQT7TSYHpL0CM15aCK+TCoYNtm bDsVNXoNKbsljGQzAO5iCPKdkQ845xBpMgl7uCrBA9bZT3hQXj8GcnZyBGyfsTYr TfhwzZK7DsA/lWXj3Bue50cv2w7pQUeo2FGjAGqkoYn4jwIIU7YlmnhKyMhSky+x OZXFwWvSplgE5F9zLBIP =iCrm -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Regards, Neeraj
Re: Passing additional parameters using j_security_check (Form based authentication)
Hi Chris, On 12 March 2014 00:37, Christopher Schultz ch...@christopherschultz.netwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/8/14, 2:06 AM, Neeraj Sinha wrote: Chris, On 7 March 2014 21:43, Christopher Schultz ch...@christopherschultz.netwrote: Neeraj, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him to unlocking page(let's say *unlock.jsp*) which has 3 fields namely*username*, *password* and *unlock_code* and a submit button. After submission, once unlocked successfully the user should land to home page of the application. How are you checking the username and password? If you are letting Tomcat check that, you could make unlock.jsp protected so that the URL points to https:///unlock.jsp?code=[unlock_code]. After authentication, Tomcat will redirect the user to the original URL -- which will include the unlock code. Thanks. Actually in the realm implementation, I make a call to backend authenticate () method which validates various login rules and if any of them fails, it returns false and the user is not allowed to login (GenericPrincipal object is instantiated with an invalid role) and is re-directed to login page. One of the rule is user account locking rule so user can not be authenticated successfully unless his/her user account is unlocked first so this solution won't work. -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTH18KAAoJEBzwKT+lPKRYXLQP/AzuccE3pEzq5yF4zCWnAZLf VFdzsBJSbIt+C0CJyAffQ7UCRzVEZDJuAFVF12AhRcfdOUbn3N85QLUHPJoWHo0y +EbwSc951iRgzeMexp6EgB9DfdltelxCt9gXmAdvpZ91jPAldyVPA6spAdlkUixh +hcz9JqVMcILhN0tU35NilqbxYMRRQiserGHXffyRoH5KkWyeACLDrYICLgW8ylg 2yIPtAkKv+Qr3CRintvGnBHVxf5WCQ76e4vo8dd81PC0Ds/KfNJ5qeSFPnIVND6V KmA46lfpxezT0BOFV3OSRzsTDRJ2T7ZeyjPcbSknm+2SqLIhS0L0zLLF9S/4FFr2 qxIXeZV+AnVqPZBHCNhgCMGoK71recUULRqPcrWPpowgwom/rGyuzyuHD1epADa4 2Uumcw6DcbK6bhkDTFC+5wzeIFdddVKMP546FL3QeY6OlfnUyR8RE7WjqxXgVDOO Opti4wN7CHhEo9CzS4+IAOkJsghqXiiemuZvUgKcAuS5O5DiBiEtuc6uiDpT4H3S CaVEvhLX5VrJhD2ZkM2vZQS3v45BTSEmhr5EswE3n9/vknrRV1Vyh+nuyx/RoiIc M5id1+Gm/bS/3wVfcVrEyIavgwdj9gK9Lwl0DhexlWq4HCUVqRCsaNBcRR9qY/Tc jEU85sGWpjuH1N8vhhLJ =HOx2 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Regards, Neeraj
Re: Passing additional parameters using j_security_check (Form based authentication)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/12/14, 10:47 AM, Neeraj Sinha wrote: Thanks. Actually in the realm implementation, I make a call to backend authenticate () method which validates various login rules and if any of them fails, it returns false and the user is not allowed to login (GenericPrincipal object is instantiated with an invalid role) and is re-directed to login page. One of the rule is user account locking rule so user can not be authenticated successfully unless his/her user account is unlocked first so this solution won't work. Then you'll have to do your own partial authentication, process the reset code, then perform *formal* authentication (using request.authenticate()), then forward to wherever users should go after they reset their passwords. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTIHjsAAoJEBzwKT+lPKRYNo4P/jOQiQWlVFVu51i5KnpBGV5W HtjjnpJC6qU5Bu+MNqB2qcBeCJ6lTmlFZQ9fRSjL3CmDfkgBlApIoPebICMdGEoF wa9rNJljfkoUtUFpeas91rUwXXPYcKrlXFxelpemCHVu6EfoEVaFQh1s71e/gZrJ R5pkKSy4CWJxZ1R4GjuXadry39OvB5cjlnmLz8NpaNa337HrBe8EzsK/hmFBJjGB fUKORbxMszctpqzrQyaaRxkPwxw5duz8VaJ8kwimYXsMP4NmiNuX1xN8cDqxzJ2Z J23yqq0S9tIHbpGRIg867IHhbtSSyPv6tIihXdPZoNz7YwU9d7t8I0vut5c8kOzw JN5/wayIacqJTMuOHdwRr+n6RMw+RDgDMnlAXI/caUbXabCbdORDoo1CQlTs3wVv HeR0skCsRx2qDEnrLpnxrlrFwVbQiHBOpOH2yLi414YXdT203ndkmn9nSzCjOM5X uLF0yS2Q3MymFmJxaJrvmZwozf+LsNSUlTeVi+VQT7TSYHpL0CM15aCK+TCoYNtm bDsVNXoNKbsljGQzAO5iCPKdkQ845xBpMgl7uCrBA9bZT3hQXj8GcnZyBGyfsTYr TfhwzZK7DsA/lWXj3Bue50cv2w7pQUeo2FGjAGqkoYn4jwIIU7YlmnhKyMhSky+x OZXFwWvSplgE5F9zLBIP =iCrm -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Passing additional parameters using j_security_check (Form based authentication)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/8/14, 2:06 AM, Neeraj Sinha wrote: Chris, On 7 March 2014 21:43, Christopher Schultz ch...@christopherschultz.netwrote: Neeraj, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him to unlocking page(let's say *unlock.jsp*) which has 3 fields namely*username*, *password* and *unlock_code* and a submit button. After submission, once unlocked successfully the user should land to home page of the application. How are you checking the username and password? If you are letting Tomcat check that, you could make unlock.jsp protected so that the URL points to https:///unlock.jsp?code=[unlock_code]. After authentication, Tomcat will redirect the user to the original URL -- which will include the unlock code. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTH18KAAoJEBzwKT+lPKRYXLQP/AzuccE3pEzq5yF4zCWnAZLf VFdzsBJSbIt+C0CJyAffQ7UCRzVEZDJuAFVF12AhRcfdOUbn3N85QLUHPJoWHo0y +EbwSc951iRgzeMexp6EgB9DfdltelxCt9gXmAdvpZ91jPAldyVPA6spAdlkUixh +hcz9JqVMcILhN0tU35NilqbxYMRRQiserGHXffyRoH5KkWyeACLDrYICLgW8ylg 2yIPtAkKv+Qr3CRintvGnBHVxf5WCQ76e4vo8dd81PC0Ds/KfNJ5qeSFPnIVND6V KmA46lfpxezT0BOFV3OSRzsTDRJ2T7ZeyjPcbSknm+2SqLIhS0L0zLLF9S/4FFr2 qxIXeZV+AnVqPZBHCNhgCMGoK71recUULRqPcrWPpowgwom/rGyuzyuHD1epADa4 2Uumcw6DcbK6bhkDTFC+5wzeIFdddVKMP546FL3QeY6OlfnUyR8RE7WjqxXgVDOO Opti4wN7CHhEo9CzS4+IAOkJsghqXiiemuZvUgKcAuS5O5DiBiEtuc6uiDpT4H3S CaVEvhLX5VrJhD2ZkM2vZQS3v45BTSEmhr5EswE3n9/vknrRV1Vyh+nuyx/RoiIc M5id1+Gm/bS/3wVfcVrEyIavgwdj9gK9Lwl0DhexlWq4HCUVqRCsaNBcRR9qY/Tc jEU85sGWpjuH1N8vhhLJ =HOx2 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Passing additional parameters using j_security_check (Form based authentication)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him to unlocking page(let's say *unlock.jsp*) which has 3 fields namely*username*, *password* and *unlock_code* and a submit button. After submission, once unlocked successfully the user should land to home page of the application. Just to let you know, the main login page of the application is *login.jsp* which is configured in *web.xml *and it is called whenever any protected resource is requested. It has username and password fields and it's action is *j_security_check*. Now my problem is how to pass unlock_code, the 3rd parameter of *unlock.jsp* to *FormAuthenticator *using the action *j_security_check*? I have implementations of *authenticate* method in *LockOutRealm* where I would have liked to first check if unlock_code is not null and then if yes then would have called backend service to unlock the user first(which would have also checked the password matching part) and then would have made a call to instantiate *UserPrincipal*. I have the implementation of *getPrincipal* method in another custom realm. Is there anyway to pass other parameters apart from username and password to *FormAuthenticator*(org.apache.catalina.authenticator.FormAuthenticator)? Quick help/Any reference related to this scenario would be appreciated. This is not possible using Tomcat's built-in authenticators. This is something that is possible using securityfilter (a separate, open-source product you can find here: http://securityfilter.sourceforge.net/) It's a bit out of date but it works quite well. You can handle drive-by logins (those without an initial request to a protected page) and you can allow pass-through request parameters that will be sent-on to the post-login page as you are requesting. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTGfAnAAoJEBzwKT+lPKRYk54QAKEM5C7qdy8ClEabhE3JmUIY B/7N6cABjoSXM41NutlxPKydlS09rTaYwKsDjb79m+K5RwH2r0Czd71DIZ6gyLxK X1UTrpxttZaiD/X83mngT4aYj+Rna/3zpJDLSXkdG3Ey0Od8SL8WAQEFP81VRD9x xHos3FHca/NzrzPvVx4Vm49OhItntAHjOxQce788r6HGDLvYMbbOH/s8M0nFel2v zd5YckVk/pxuGnVPBoXCLKjHw1CyOVZPlSCmjzBOgQWvfaTZtSCkU3CrF1EY5kdj i9wl/QEgWZYDSTxD8YFHe1ciZXsGGtNc2lo+6pvm7jJ9fpnTZ71oIj7PB0atpv0O 79iTzHjnDx1TNM3TTrsCqGy9vFG7X3+F2hCwo9a/C8F1hdVgQvMdt/3ICMh4PWT7 +r5ZcikBW+SgW3RWepaE2WLEmlXicWsuyTp5oMu3lcczjxw0terXItjH5vB26ahE 04aw9VIOwxX1JMvvIKXDDirZZ4J6ngcZcvxBMEG5p1J1CVm0lnt/8DteNDolxhpk PVSm3I8j/CsRRoQDqEJn7kAti1tgnC85Noh+XEVyjdkPsAau4xr5dZR4fPc00Qby b3/B08nCHAKfywM67ZUiJS0F2AA+n7IW+Mufs1ClM1qUkjD8xtjadtbijeiD/1xa yhv59uhy1sYcBs7PmYan =XzKe -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Passing additional parameters using j_security_check (Form based authentication)
Chris, On 7 March 2014 21:43, Christopher Schultz ch...@christopherschultz.netwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Neeraj, On 3/6/14, 4:34 AM, Neeraj Sinha wrote: I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him to unlocking page(let's say *unlock.jsp*) which has 3 fields namely*username*, *password* and *unlock_code* and a submit button. After submission, once unlocked successfully the user should land to home page of the application. Just to let you know, the main login page of the application is *login.jsp* which is configured in *web.xml *and it is called whenever any protected resource is requested. It has username and password fields and it's action is *j_security_check*. Now my problem is how to pass unlock_code, the 3rd parameter of *unlock.jsp* to *FormAuthenticator *using the action *j_security_check*? I have implementations of *authenticate* method in *LockOutRealm* where I would have liked to first check if unlock_code is not null and then if yes then would have called backend service to unlock the user first(which would have also checked the password matching part) and then would have made a call to instantiate *UserPrincipal*. I have the implementation of *getPrincipal* method in another custom realm. Is there anyway to pass other parameters apart from username and password to *FormAuthenticator*(org.apache.catalina.authenticator.FormAuthenticator)? Quick help/Any reference related to this scenario would be appreciated. This is not possible using Tomcat's built-in authenticators. This is something that is possible using securityfilter (a separate, open-source product you can find here: http://securityfilter.sourceforge.net/) It's a bit out of date but it works quite well. You can handle drive-by logins (those without an initial request to a protected page) and you can allow pass-through request parameters that will be sent-on to the post-login page as you are requesting. - -chris Thanks. Actually I knew about the Securityfilter but probably it doesn't support single sign-on several web application contexts. I need to have single sign-on feature as well. - - Neeraj -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJTGfAnAAoJEBzwKT+lPKRYk54QAKEM5C7qdy8ClEabhE3JmUIY B/7N6cABjoSXM41NutlxPKydlS09rTaYwKsDjb79m+K5RwH2r0Czd71DIZ6gyLxK X1UTrpxttZaiD/X83mngT4aYj+Rna/3zpJDLSXkdG3Ey0Od8SL8WAQEFP81VRD9x xHos3FHca/NzrzPvVx4Vm49OhItntAHjOxQce788r6HGDLvYMbbOH/s8M0nFel2v zd5YckVk/pxuGnVPBoXCLKjHw1CyOVZPlSCmjzBOgQWvfaTZtSCkU3CrF1EY5kdj i9wl/QEgWZYDSTxD8YFHe1ciZXsGGtNc2lo+6pvm7jJ9fpnTZ71oIj7PB0atpv0O 79iTzHjnDx1TNM3TTrsCqGy9vFG7X3+F2hCwo9a/C8F1hdVgQvMdt/3ICMh4PWT7 +r5ZcikBW+SgW3RWepaE2WLEmlXicWsuyTp5oMu3lcczjxw0terXItjH5vB26ahE 04aw9VIOwxX1JMvvIKXDDirZZ4J6ngcZcvxBMEG5p1J1CVm0lnt/8DteNDolxhpk PVSm3I8j/CsRRoQDqEJn7kAti1tgnC85Noh+XEVyjdkPsAau4xr5dZR4fPc00Qby b3/B08nCHAKfywM67ZUiJS0F2AA+n7IW+Mufs1ClM1qUkjD8xtjadtbijeiD/1xa yhv59uhy1sYcBs7PmYan =XzKe -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Passing additional parameters using j_security_check (Form based authentication)
I have a jsp application and my tomcat version is 7.0.34. Authentication is done using *Form based authentication.* My requirement is as follows: When user's account gets locked, he has to send a unlock request and he gets a link in his registered email id clicking on which takes him to unlocking page(let's say *unlock.jsp*) which has 3 fields namely*username*, *password* and *unlock_code* and a submit button. After submission, once unlocked successfully the user should land to home page of the application. Just to let you know, the main login page of the application is *login.jsp* which is configured in *web.xml *and it is called whenever any protected resource is requested. It has username and password fields and it's action is *j_security_check*. Now my problem is how to pass unlock_code, the 3rd parameter of *unlock.jsp* to *FormAuthenticator *using the action *j_security_check*? I have implementations of *authenticate* method in *LockOutRealm* where I would have liked to first check if unlock_code is not null and then if yes then would have called backend service to unlock the user first(which would have also checked the password matching part) and then would have made a call to instantiate *UserPrincipal*. I have the implementation of *getPrincipal* method in another custom realm. Is there anyway to pass other parameters apart from username and password to *FormAuthenticator*(org.apache.catalina.authenticator.FormAuthenticator)? Quick help/Any reference related to this scenario would be appreciated.
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
Greetings, On Wed, Jun 26, 2013 at 4:08 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, But, even when sending UTF-8 encoded data according to this principle, they are *not* indicating that it is UTF-8 data, which is basically wrong, because the standard HTTP/HTML character set is iso-8859-1, and they *should* indicate it when that is not what they are sending. But that is the reality. No, as much as it pains me to do so, I agree with with Mozilla folks on this one: adding a charset attribute to an application/x-form-urlencoded Content-Type violates the spec. There is no good solution. ... We really need an RFC for HTTP 2.0, with UTF-8 as the default charset/encoding. +1 Maybe they can clear-up Tomcat logging configuration while they are at it :) Thank you! This discussion was quite informational. -Shanti
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
Shanti Suresh wrote: Greetings, On Wed, Jun 26, 2013 at 4:08 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, But, even when sending UTF-8 encoded data according to this principle, they are *not* indicating that it is UTF-8 data, which is basically wrong, because the standard HTTP/HTML character set is iso-8859-1, and they *should* indicate it when that is not what they are sending. But that is the reality. No, as much as it pains me to do so, I agree with with Mozilla folks on this one: adding a charset attribute to an application/x-form-urlencoded Content-Type violates the spec. There is no good solution. ... We really need an RFC for HTTP 2.0, with UTF-8 as the default charset/encoding. +1 Maybe they can clear-up Tomcat logging configuration while they are at it :) Thank you! This discussion was quite informational. You are welcome. Further as relatively [OT], in some other - non-Tomcat, non-Java - applications, we solve the general issue as follows (taking into account the deficiencies of the RFCs, the servers, the browsers, and the users) : - when programmers create the html documents containing the forms, they must make sure that they use a tool which really saves the html document in the charset/encoding that corresponds to their wishes - the html page should contain a declaration like : meta http-equiv=Content-Type content=text/html; charset=x / (where is the correct charset/encoding, like UTF-8) - each form that is sent to the browser is sent by the server with an explicit HTTP header : Content-type: text/html; charset= (that normally happens automatically, but you should nevertheless check that it matches) - the form tag of the form should contain the accept-charset attribute with the expected character set as value, like form accept-charset=UTF-8 ... - the form itself contains a hidden parameter like : input type=hidden name=charset-test value=y (where y is a character sequence which is so that, seen as bytes, its length would be different depending on the real character set used. E.g., for Europe, ÖöÜüÄä) - the application which receives the form submit data, must first check if the string received for the charset-test parameter matches its expectations. In other words, if the application expects UTF-8, then it should check that the received string has a byte length of 12 and a character length of 6, and matches a Unicode string ÖöÜüÄä) And if it doesn't, then it should take appropriate action (abort the action, or try another charset) (if the form sent by the server contains additional data coming from a back-end database system, then one should also check that the charset of that data matches the one of the form of course). This may look a bit like overkill, but it is the result of long and painful real-world experience with multi-lingual applications used with multiple browsers and multiple types of users in multiple countries doing cut-and-paste of all kinds of stuff into forms. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FORM based authentication and utf-8 encoding of credentials
Hello, When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not sending that correctly. The password is UTF-8 encoded but the Content-Type fails to specify the character set used. It it did, Tomcat would treat the password as UTF-8. This is a common failing of browsers and is covered in the FAQ. [1] Well I have tried IE, Firefox, Chrome. None of them is appending charset in Content-Type. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user code runs. The best / only option is to set the characterEncoding attribute for the Authenticator [2] to UTF-8 and hope that the browsers are consistent in their failing to follow the specification and use whatever encoding the page is encoded with. HTH, Mark [1] http://wiki.apache.org/tomcat/FAQ/CharacterEncoding [2] http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes As you have referred in [2] I have added to my app's context xml Valve className=org.apache.catalina.authenticator.FormAuthenticator characterEncoding=utf-8/ and Czech letters are in the correct form. This is a solution. Thanks for an advice. Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
Jan Vávra wrote: Hello, When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not sending that correctly. The password is UTF-8 encoded but the Content-Type fails to specify the character set used. It it did, Tomcat would treat the password as UTF-8. This is a common failing of browsers and is covered in the FAQ. [1] Well I have tried IE, Firefox, Chrome. None of them is appending charset in Content-Type. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user code runs. The best / only option is to set the characterEncoding attribute for the Authenticator [2] to UTF-8 and hope that the browsers are consistent in their failing to follow the specification and use whatever encoding the page is encoded with. HTH, Mark [1] http://wiki.apache.org/tomcat/FAQ/CharacterEncoding [2] http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes As you have referred in [2] I have added to my app's context xml Valve className=org.apache.catalina.authenticator.FormAuthenticator characterEncoding=utf-8/ and Czech letters are in the correct form. This is a solution. Thanks for an advice. By the way, referring to this basic failing of browsers : this is something that is clearly contrary to the specs, yet since years all major browsers have consistently ignored this issue. This failure of adding the character set/encoding to HTTP POST's is causing problems in multi-lingual web applications, and by itself forcing multiple workarounds which themselves are per force inconsistent. Does anyone have an idea why browsers keep on ignoring this issue, version after version ? (I would imagine that Apache httpd and Tomcat devs must have regular contacts with whomever develop browsers, so did anyone ever ask ?) - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FORM based authentication and utf-8 encoding of credentials
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jan, On 6/26/13 7:14 AM, Jan Vávra wrote: Hello, When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not sending that correctly. The password is UTF-8 encoded but the Content-Type fails to specify the character set used. It it did, Tomcat would treat the password as UTF-8. This is a common failing of browsers and is covered in the FAQ. [1] Well I have tried IE, Firefox, Chrome. None of them is appending charset in Content-Type. Again, this is a common failing of browsers and is covered in the FAQ. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Did you read the FAQ? There are suggestions for fixing this issue. The CharacterEncodingFilter (/without/ the force option enabled) IMO is the most appropriate. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJRyvEQAAoJEBzwKT+lPKRYTfsP/0Hru8ofkSxJW2TsgIL17y23 LgTEyINmWuijJK7SEzqk8ZXsjDKCyVxHECKGvrvQdp0/NHhnE7Vey856G2+C1568 ym/+ZOxJTbCcmvMsNbbp5WIb/j55waZQJhLS0DwVQHEfGxLM4C3hykV5R+NQuBSW smOa69S1yk66+moq4eHypWi6CH+e0TTaIwA8TDOtACREQphWdguKXGsgAX0hswK2 H6kh/+jpLdHKvU5CbyMsBqe912AFMD9E/hHmgiwEWAe/9+eTsHOlfV7EVJ8Vy7DW QoHHGYjADAcwapUijSMtckPpPeX9dt1XDJ5KQ+D2dojWgWUgN7+SbiTD1tmIjM+b KeQad/DeHsm+rZw9IQCQZkBaDJXlLYdBdn/pCLVcahh8QbYijThimdIA1V7kVVsp 8stYl27exDQHDZB2kr8pP+hykJIJIl+JGy6shhLYrGCv1jMCGbZha4/tS8/5Ccqz gWLJiyMmP7VkROgd1v1Pet8i+AuuZcs/nHFVQ2NUf4Tntz0/c0+fDJlCFStKBKaG uwA4FlC7PnOt3KuGf0TpbM8Ri60KRBaJ8QYGkDjx7mqT2leHzcUWNxFgulSXcQbx npoHsPRO+nEhxyqYfgozxNoOqUeZWgguG/5cCLemkYKZRDWylLekqdcd7Yd2RdBQ UabVUNZBgChB3kyiWlMR =gr3S -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 6/26/13 8:01 AM, André Warnier wrote: Jan Vávra wrote: Hello, When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not sending that correctly. The password is UTF-8 encoded but the Content-Type fails to specify the character set used. It it did, Tomcat would treat the password as UTF-8. This is a common failing of browsers and is covered in the FAQ. [1] Well I have tried IE, Firefox, Chrome. None of them is appending charset in Content-Type. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user code runs. The best / only option is to set the characterEncoding attribute for the Authenticator [2] to UTF-8 and hope that the browsers are consistent in their failing to follow the specification and use whatever encoding the page is encoded with. HTH, Mark [1] http://wiki.apache.org/tomcat/FAQ/CharacterEncoding [2] http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes As you have referred in [2] I have added to my app's context xml Valve className=org.apache.catalina.authenticator.FormAuthenticator characterEncoding=utf-8/ and Czech letters are in the correct form. This is a solution. Thanks for an advice. By the way, referring to this basic failing of browsers : this is something that is clearly contrary to the specs, yet since years all major browsers have consistently ignored this issue. This failure of adding the character set/encoding to HTTP POST's is causing problems in multi-lingual web applications, and by itself forcing multiple workarounds which themselves are per force inconsistent. Does anyone have an idea why browsers keep on ignoring this issue, version after version ? (I would imagine that Apache httpd and Tomcat devs must have regular contacts with whomever develop browsers, so did anyone ever ask ?) Here's the long-standing bug in Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=241540 ...and one referenced from it with better spec-research: https://bugzilla.mozilla.org/show_bug.cgi?id=289060#c8 The bottom line is two specific items: 1. Content-Type should only have a charset attribute for text/ types 2. Adding charset to Content-Type for application/x-form-urlencoded has broken some stuff in the past, so Mozilla has chosen not to re-enable it - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJRyvNoAAoJEBzwKT+lPKRYlucQAJVVLDiXE03vtrmTp6hjpgGQ G9PBDZiPapLjRRqtfzfZ1Wz6koOB5kfZJngopt2xP+Ha9H7rGHCfcCYW3tIk5WNi 9c+6G/9Mzx54NCpIYLklx4AZZH8FG/egMmgTsdnAQ9P+Z9DBzPX9luD0DTaXf9dE aDOPG0aSNMPl9Q4VXhFLV22PoEAdDVGDPnglOLRBoLgGzmVYVPNBqcDu8zfDLZKf ZHBBIhcOUGf5YdJlwhqOSTwqo6Uez0BfkZT126FrYh3y4MNMXVTO9p2cpOHNfGZn f7Ld1G0V3CB5bcsXIPNRQ53dugt/vOyN9diUaZ1WZwjqUUKjQoNw18qdzsolXpmn gWsigotQE0Cko7UQzTKsGJRNMPMGlPmKNG3QKG62LNfYQc3ugkeeNJIEDFKcIC5c 1KUaGFdim2/13XXLonbrxF8Fx0k1VTynhqZHmDWsgQbibx/6gPs6HTthLYO/bowW x26oHAC9o2BQLeJvJediaGwylHfogqOBbjFoHvIgyGYkwNj1Tav9ompHkh3bsHin OkT3KOuTx36oiZRF5DPhCuRviB8UgbQCvWubkGfIzSnj6QI+vdQbHLMqbL1Y5D7w TyJIzNZX4alGvfJDNk4Zh58h/MlUuRTkzGtRmNtOjHW4GRiILxuYS/cKsxPG/zvR euKbE0Lk4BcrOOSu+9h6 =UKAo -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the common way to override this with HTML is: meta http-equiv=Content-Type content=text/html; charset=utf-8 Firefox reads the body in UTF-8 then, which is fine, but the charset used in forms is still ISO-8859-1, so you have to add accept-charset=utf-8 to the form just for firefox (other browser automatically use UTF-8 or send the charset with the content-type). So: Why the hell is nobody fixing this bug? --- So the questions I have are: (1) Firefox is not properly sending UTF-8 in the POST request even if it reads the HTML page in UTF-8? And other browsers are now sending charset=utf-8 based on the the HTML META tag? (2) Firefox has started respecting the accept-charset=utf-8 attribute in forms now such that it adds charset to the Content-Type header of the POST request? I'm confused. I thought Mozilla was not going to fix this issue. Thanks for any clarifications. -Shanti On Wed, Jun 26, 2013 at 9:58 AM, Christopher Schultz Here's the long-standing bug in Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=241540 ...and one referenced from it with better spec-research: https://bugzilla.mozilla.org/show_bug.cgi?id=289060#c8 The bottom line is two specific items: 1. Content-Type should only have a charset attribute for text/ types 2. Adding charset to Content-Type for application/x-form-urlencoded has broken some stuff in the past, so Mozilla has chosen not to re-enable it - -chris
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
Shanti Suresh wrote: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the common way to override this with HTML is: meta http-equiv=Content-Type content=text/html; charset=utf-8 Firefox reads the body in UTF-8 then, which is fine, but the charset used in forms is still ISO-8859-1, so you have to add accept-charset=utf-8 to the form just for firefox (other browser automatically use UTF-8 or send the charset with the content-type). So: Why the hell is nobody fixing this bug? --- So the questions I have are: (1) Firefox is not properly sending UTF-8 in the POST request even if it reads the HTML page in UTF-8? And other browsers are now sending charset=utf-8 based on the the HTML META tag? (2) Firefox has started respecting the accept-charset=utf-8 attribute in forms now such that it adds charset to the Content-Type header of the POST request? I'm confused. I thought Mozilla was not going to fix this issue. Thanks for any clarifications. I think that you are still confused.. :-) (As are, in part, some of the people who posted on that Mozilla bug). (1) browsers, in general, are *not* sending a charset attribute in their POST submissions (whether form-url-encoded or multipart). This is a real pity, because it is the source of much confusion, and the real reason why servers have to go through loops to figure out (or force) the character set/encoding of the data that they are getting from browser POSTs. And the Mozilla people seem to say that it is that way, because when they tried to add this charset attribute, it broke a number of server applications at the time (8 years ago), and they see no reason to think that it would not still be the same today, so they arer not trying it again. (1a) what browsers *will* do, in general, is to send POST data in the same character set/encoding as the one of the HTML *page* which contains the form being posted. But, even when sending UTF-8 encoded data according to this principle, they are *not* indicating that it is UTF-8 data, which is basically wrong, because the standard HTTP/HTML character set is iso-8859-1, and they *should* indicate it when that is not what they are sending. But that is the reality. (2) the accept-charset attribute of a form does not mean that this form will *send* data according to that charset/encoding. It indicates that any data that is entered in the form's input boxes will be interpreted as being in that charset. So the fact of adding an accept-charset attribute to your form tags does not make it so that the browser will magically change its behaviour when POSTing data. In other words, it's a mess, and the mess is mainly due to some lack of precision in the original RFC's, but it is being perpetuated now by the fear of browser developers of breaking server applications by doing things right. Which is rather funny in a way, considering all the things that browser developers do all the time anyway which do break existing applications. We really need an RFC for HTTP 2.0, with UTF-8 as the default charset/encoding. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
2013/6/26 Shanti Suresh sha...@umich.edu: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the common way to override this with HTML is: meta http-equiv=Content-Type content=text/html; charset=utf-8 (...) --- That person is plainly wrong. You must not use different values in Content-Type HTTP header and in Content-Type META tag. 1. The HTML spec explicitly says that the HTTP header takes priority. http://www.w3.org/TR/html401/charset.html#h-5.2.2 2. Actually different browsers behave differently. Some may fall back to autodetection. (You may guess what browsers do not follow the specification). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Shanti, On 6/26/13 11:00 AM, Shanti Suresh wrote: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the common way to override this with HTML is: meta http-equiv=Content-Type content=text/html; charset=utf-8 Firefox reads the body in UTF-8 then, which is fine, but the charset used in forms is still ISO-8859-1, so you have to add accept-charset=utf-8 to the form just for firefox (other browser automatically use UTF-8 or send the charset with the content-type). So: Why the hell is nobody fixing this bug? --- So the questions I have are: (1) Firefox is not properly sending UTF-8 in the POST request even if it reads the HTML page in UTF-8? And other browsers are now sending charset=utf-8 based on the the HTML META tag? This is just a convention: it's not defined by the spec. One could argue that META should override HEADER, but the spec says the opposite, actually. (2) Firefox has started respecting the accept-charset=utf-8 attribute in forms now such that it adds charset to the Content-Type header of the POST request? I'm confused. I thought Mozilla was not going to fix this issue. No, browsers will use accept-charset as the charset they use to encode the POST request. The will still not likely add the charset attribute to the Content-Type header, because the spec says not to do so. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJRy0i2AAoJEBzwKT+lPKRYUfEQAKpBWbhF6sDKY1uA6v7HgqQ3 eRbANUtnknEPiOscJqjMcW8ZWdKJl1mucvKigPNXwJMYpTe3Q/c3r8RjVLV9TqtC jgtWwxlS/GF3W8gO9BuLKva59dTbQtE+xyG12nNCJyxMHPow7WJWUIo4KVB4t0IB vCTXwQT65DxMXZGwRMoc6eFI9idu5M0t1Luj+wnf5PxqV338WoZDx4N7QrSKS3Cj z8S1OeA6uEqPHjSotl4Y7jgRBSSutP4AOwdnFjhBU81JWIZOl5+oaIemFcZgTcwm 0ZlcKThYud+BcH10mPv3nCieUSj1LHo6deEcCYMoNi3sEfSKlfvCW3XsQJI2T7xk 3jj+OplKqhYd8oMhg3sy7M2D25IenG0LJxnCADZutVhQ7U+qO3xKMeovymffNeXn rLOLlxliUiZ0EhPpQSqbtloAOvO/klyECdZlHlILSkFFtMmiQf6yDYtXQLAQfgqK o4/OAD9M7IqMLITmF4sUdt1fXfBjU7g/02tqmJWOP479XWbvqYHESG81XD6dR+PR mFQu+gpIMAZJpIGcVWwMKvG7hMKP9jeNRBp+w5yOBj2BPg9s8Z6vBaonXVMAFN5c VPzows5r1tx6YqKJkfEVpbswzRU4rx8HJHZUpYYBDpUhRztCQhcsFqKRj0d754cV l9hb19ydVgu1Iz0ztsFZ =MUYp -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [slightly OT] FORM based authentication and utf-8 encoding of credentials
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 André, On 6/26/13 11:40 AM, André Warnier wrote: Shanti Suresh wrote: Hi Chris, This is such an interesting discussion. I am not sure what to make of this person's comment: --- TAXI 2012-10-09 09:03:59 PDT Wow, no fix since 8 years... And this is a real bug: If the HTTP header says the file is encoded in ISO-8859-1 the common way to override this with HTML is: meta http-equiv=Content-Type content=text/html; charset=utf-8 Firefox reads the body in UTF-8 then, which is fine, but the charset used in forms is still ISO-8859-1, so you have to add accept-charset=utf-8 to the form just for firefox (other browser automatically use UTF-8 or send the charset with the content-type). So: Why the hell is nobody fixing this bug? --- So the questions I have are: (1) Firefox is not properly sending UTF-8 in the POST request even if it reads the HTML page in UTF-8? And other browsers are now sending charset=utf-8 based on the the HTML META tag? (2) Firefox has started respecting the accept-charset=utf-8 attribute in forms now such that it adds charset to the Content-Type header of the POST request? I'm confused. I thought Mozilla was not going to fix this issue. Thanks for any clarifications. I think that you are still confused.. :-) (As are, in part, some of the people who posted on that Mozilla bug). (1) browsers, in general, are *not* sending a charset attribute in their POST submissions (whether form-url-encoded or multipart). This is a real pity, because it is the source of much confusion, and the real reason why servers have to go through loops to figure out (or force) the character set/encoding of the data that they are getting from browser POSTs. It is a shame, but you're running into a hole in the spec: only text/* should have a charset, and we're not talking about text/* unfortunately. So, the spec technically forbids fixing the problem. And the Mozilla people seem to say that it is that way, because when they tried to add this charset attribute, it broke a number of server applications at the time (8 years ago), and they see no reason to think that it would not still be the same today, so they arer not trying it again. It's more like 15 years ago at this point. But, how many times have we said Tomcat is spec-compliant and your client is not, so you can go #@$*( yourself? The same is true here for the browser: they are being spec-compliant, even if it is rather stupid. It would be nice to introduce a new HTTP header like Form-Content-Type or whatever and it's always valid (because old, stupid software will ignore it and new software will respect it). (1a) what browsers *will* do, in general, is to send POST data in the same character set/encoding as the one of the HTML *page* which contains the form being posted. It's worth pointing out that this is merely convention, and only because it obviously makes sense to operate this way. But, even when sending UTF-8 encoded data according to this principle, they are *not* indicating that it is UTF-8 data, which is basically wrong, because the standard HTTP/HTML character set is iso-8859-1, and they *should* indicate it when that is not what they are sending. But that is the reality. No, as much as it pains me to do so, I agree with with Mozilla folks on this one: adding a charset attribute to an application/x-form-urlencoded Content-Type violates the spec. There is no good solution. (2) the accept-charset attribute of a form does not mean that this form will *send* data according to that charset/encoding. It /should/. Why do you think it wouldn't? It indicates that any data that is entered in the form's input boxes will be interpreted as being in that charset. I think that's roughly the same thing. The browser would be stupid not to send the data using that character encoding. So the fact of adding an accept-charset attribute to your form tags does not make it so that the browser will magically change its behaviour when POSTing data. Whether it's magic or not, accept-charset should cause the form to be sent in one of the charsets listed. If you only list one, it should be sent using that character encoding or the browser should give the user an error saying it doesn't know how to encode that way. All browsers know how to do UTF-8. In other words, it's a mess, and the mess is mainly due to some lack of precision in the original RFC's, but it is being perpetuated now by the fear of browser developers of breaking server applications by doing things right. Which is rather funny in a way, considering all the things that browser developers do all the time anyway which do break existing applications. We really need an RFC for HTTP 2.0, with UTF-8 as the default charset/encoding. +1 Maybe they can clear-up Tomcat logging configuration while they are at it :) - -chris -BEGIN PGP
FORM based authentication and utf-8 encoding of credentials
Hello, I'm successfully using form based authenntication when login or password contains only letters from English alphabet. I have also written own realm. When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The first letter Ž is really encoded in the utf-8 as bytes in hexa C5, BD. But in the method public Principal authenticate(String username, String credentials) the parameter credentials has first two bytes C3, 85. In my login.jsp I have these relevant parts: % request.setCharacterEncoding(UTF-8); % html head meta http-equiv=Content-Type content=text/html; charset=UTF-8 ... form method=POST action=j_security_check accept-charset=utf-8 and also tomcat is telling in the http response header: Content-Type: text/html;charset=UTF-8 But nothing of it forced Tomcat to translate password correctly from utf-8 string. Even the manual reencoding in authenticate(.) doesn't help: credentials = new String(credentials.getBytes(),utf-8) Because the received bytes of first letter are C3, 85 instead of expected C5, BD. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Thanks Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FORM based authentication and utf-8 encoding of credentials
Well, it is custom created and managed xml file. But the core of problem is in the string credentials in method public Principal authenticate(String username, String credentials). If the string was encoded properly (in java as utf-16) the credentials.length would be equal to 11 but its real length is 14. And that corresponds to the fact that in credentials is stored some form of utf-8 encoding. Utf-8 encoding string ŽežUlička.1 has length 14. +1 for each letter: Ž,ž,č. Jan. Where do you store your login/password : DB ? xml file ? encrypted in xml file ? De : Jan Vávra [va...@602.cz] Envoyé : lundi 24 juin 2013 13:36 À : Tomcat Users List Objet : FORM based authentication and utf-8 encoding of credentials Hello, I'm successfully using form based authenntication when login or password contains only letters from English alphabet. I have also written own realm. When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The first letter Ž is really encoded in the utf-8 as bytes in hexa C5, BD. But in the method public Principal authenticate(String username, String credentials) the parameter credentials has first two bytes C3, 85. In my login.jsp I have these relevant parts: % request.setCharacterEncoding(UTF-8); % html head meta http-equiv=Content-Type content=text/html; charset=UTF-8 ... form method=POST action=j_security_check accept-charset=utf-8 and also tomcat is telling in the http response header: Content-Type: text/html;charset=UTF-8 But nothing of it forced Tomcat to translate password correctly from utf-8 string. Even the manual reencoding in authenticate(.) doesn't help: credentials = new String(credentials.getBytes(),utf-8) Because the received bytes of first letter are C3, 85 instead of expected C5, BD. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Thanks Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FORM based authentication and utf-8 encoding of credentials
On 24/06/2013 12:52, Jan Vávra wrote: Hello, I'm successfully using form based authenntication when login or password contains only letters from English alphabet. OK. That means you've got the basics set up correctly. I have also written own realm. I'd suggest testing with the default UserDatabaseRealm to rule out any issues with your custom Realm. I suspect the issues are elsewhere but I still do this to be sure. When I create user with password with czech String ŽežUlička.1 the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=pj_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not sending that correctly. The password is UTF-8 encoded but the Content-Type fails to specify the character set used. It it did, Tomcat would treat the password as UTF-8. This is a common failing of browsers and is covered in the FAQ. [1] Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user code runs. The best / only option is to set the characterEncoding attribute for the Authenticator [2] to UTF-8 and hope that the browsers are consistent in their failing to follow the specification and use whatever encoding the page is encoded with. HTH, Mark [1] http://wiki.apache.org/tomcat/FAQ/CharacterEncoding [2] http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
FORM based authentication with MD5 encrypted password
Hello everyone, is there a way to do FORM based authentication in tomcat but with MD5 encrypted password ? thanks
Re: FORM based authentication with MD5 encrypted password
On 07/12/2010 11:14, mike lan wrote: Hello everyone, is there a way to do FORM based authentication in tomcat but with MD5 encrypted password ? Yes. Read the realm docs for details. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Basic/Form-based authentication with Tomat 6.0
I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp example (http://localhost:8080/examples/jsp/security/protected) that bundled with the tomcat distribution. I've tried the latest tomcat 6.0.24 on both 32-bit windows and 64-bit linux, and didn't get it to work. I've also tried to configure my own MemoryRealm that uses the default tomcat-users.xml file and still could get it to work. I never had this problem with Tomcat 5... Please help! Thanks a lot! ND - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Basic/Form-based authentication with Tomat 6.0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nicholas, On 2/11/2010 3:19 PM, Nicholas Duan wrote: I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp example (http://localhost:8080/examples/jsp/security/protected) that bundled with the tomcat distribution. I've tried the latest tomcat 6.0.24 on both 32-bit windows and 64-bit linux, and didn't get it to work. I've also tried to configure my own MemoryRealm that uses the default tomcat-users.xml file and still could get it to work. I never had this problem with Tomcat 5... Could you describe didn't work in a bit more detail? Did your server catch fire? Did your web browser crash? Did Tomcat crash? Or, were you asked for your password repeatedly even though you think you were entering it correctly? Certainly, providing some of your configuration along with your next post would be helpful. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkt0Z10ACgkQ9CaO5/Lv0PAKYQCcDjxWWKJVdTZPTl4L0kpo55Og piQAn34Ip6UFsDnUVNZMc3Ji0JSrfl3B =k+PQ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Basic/Form-based authentication with Tomat 6.0
Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nicholas, On 2/11/2010 3:19 PM, Nicholas Duan wrote: I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp example (http://localhost:8080/examples/jsp/security/protected) that bundled with the tomcat distribution. I've tried the latest tomcat 6.0.24 on both 32-bit windows and 64-bit linux, and didn't get it to work. I've also tried to configure my own MemoryRealm that uses the default tomcat-users.xml file and still could get it to work. I never had this problem with Tomcat 5... Could you describe didn't work in a bit more detail? Did your server catch fire? Did your web browser crash? Did Tomcat crash? Or, were you asked for your password repeatedly even though you think you were entering it correctly? Certainly, providing some of your configuration along with your next post would be helpful. Apart from the above, and just for fun : have you verified that the section with the usernames, roles etc.. in tomcat-users.xml is not commented-out ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Basic/Form-based authentication with Tomat 6.0
If my server caught fire, I would be calling 911 instead of asking for help here... Anyway, I was running everything with the default tomcat 6.0 configuration. I checked that the tomcat-users.xml file indeed contains all the user auth needed for the jsp sample application, and that matches the user role defined in web.xml of the examples app. I was using tomcat/tomcat as username/password. Has anyone tried the protected jsp security example on tomcat 6 out of the box and passed the initial authentication page? without additional configuration? The url link is, as provided in my previous posting, as follows: http://localhost:8080/examples/jsp/security/protected. I tried this sample app on multiple versions of 6.0 and on multiple machines, using JDK 1.6. If you could get it work (e.g. pass the initial login page) without additional conf, I'd appreciate if you could reply with your machine and JDK configuration. Thanks! ND - Original Message - From: André Warnier a...@ice-sa.com Date: Thursday, February 11, 2010 3:26 pm Subject: Re: Basic/Form-based authentication with Tomat 6.0 Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nicholas, On 2/11/2010 3:19 PM, Nicholas Duan wrote: I am not sure if this is a configuration problem, but I can't get the basic/form-based authentication working on Tomcat 6.0, and couldn't even get the protected jsp example (http://localhost:8080/examples/jsp/security/protected) that bundled with the tomcat distribution. I've tried the latest tomcat 6.0.24 on both 32-bit windows and 64-bit linux, and didn't get it to work. I've also tried to configure my own MemoryRealm that uses the default tomcat-users.xml file and still could get it to work. I never had this problem with Tomcat 5... Could you describe didn't work in a bit more detail? Did your server catch fire? Did your web browser crash? Did Tomcat crash? Or, were you asked for your password repeatedly even though you think you were entering it correctly? Certainly, providing some of your configuration along with your next post would be helpful. Apart from the above, and just for fun : have you verified that the section with the usernames, roles etc.. in tomcat-users.xml is not commented-out ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Basic/Form-based authentication with Tomat 6.0
From: Nicholas Duan [mailto:nd...@gmu.edu] Subject: Re: Basic/Form-based authentication with Tomat 6.0 If my server caught fire, I would be calling 911 instead of asking for help here... Despite your protestations, you still haven't told us what *does* happen when you try to use the protected JSP. Saying doesn't work provides precious little real information. Has anyone tried the protected jsp security example on tomcat 6 out of the box and passed the initial authentication page? without additional configuration? Yup, works fine for me; the resulting output is: You are logged in as remote user tomcat in session 83F7218CB04F361086023450DBD2B031 Your user principal name is tomcat Apart from the above, and just for fun : have you verified that the section with the usernames, roles etc.. in tomcat-users.xml is not commented-out ? Did you take Andre's suggestion and remove the comment markers? And then restart Tomcat? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RE: Basic/Form-based authentication with Tomat 6.0
Thanks Chuck! Indeed it was commented out. I must have overlooked the comment marker. Thanks! ND - Original Message - From: Caldarale, Charles R chuck.caldar...@unisys.com Date: Thursday, February 11, 2010 4:09 pm Subject: RE: Basic/Form-based authentication with Tomat 6.0 From: Nicholas Duan [mailto:nd...@gmu.edu] Subject: Re: Basic/Form-based authentication with Tomat 6.0 If my server caught fire, I would be calling 911 instead of asking for help here... Despite your protestations, you still haven't told us what *does* happen when you try to use the protected JSP. Saying doesn't work provides precious little real information. Has anyone tried the protected jsp security example on tomcat 6 out of the box and passed the initial authentication page? without additional configuration? Yup, works fine for me; the resulting output is: You are logged in as remote user tomcat in session 83F7218CB04F361086023450DBD2B031Your user principal name is tomcat Apart from the above, and just for fun : have you verified that the section with the usernames, roles etc.. in tomcat-users.xml is not commented-out ? Did you take Andre's suggestion and remove the comment markers? And then restart Tomcat? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: RE: Basic/Form-based authentication with Tomat 6.0
From: Nicholas Duan [mailto:nd...@gmu.edu] Subject: Re: RE: Basic/Form-based authentication with Tomat 6.0 Thanks Chuck! Indeed it was commented out. I must have overlooked the comment marker. Thanks! Thank André, he suggested it. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
I'm interested in what others have to say about this too...for instance there is no provision for disabling an account either...if the account exists you can login with it. I'm not sure I understand the second part of your question about authorization...do yo mean authorization or authentication?...if you really mean authentication, it sounds to me like you don't have something set up correctly...you should be getting a 403 access denied in both firefox and ie if login fails. Authorization has nothing to do with form based authentication and would be handled by the container based on the roles you create. Curtis On Tue, Oct 20, 2009 at 1:50 AM, Nirvann jatin.kulka...@yahoo.com wrote: I am trying to explore the form based authentication provided by container. I have some doubts regarding same. The first thing is what mechanism can be used to handle authorization errors. For authentication we have control of jsp pages (Login and Login error pages). But there is nothing to let users know that they are failing role based authorization. Secondly, a subquestion of first, how does the container signal an authorization error. I tried with IE and Mozilla. In IE I get a 404 resource not found. In mozilla it just displays a blank page. regards, nirvan. -- View this message in context: http://www.nabble.com/doubts-about-tomcat-form-based-authentication-tp25970503p25970503.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Curtis Garman Web Programmer Heartland Community College - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
Curtis Garman wrote: I'm interested in what others have to say about this too...for instance there is no provision for disabling an account either...if the account exists you can login with it. I'm not sure I understand the second part of your question about authorization...do yo mean authorization or authentication?...if you really mean authentication, it sounds to me like you don't have something set up correctly...you should be getting a 403 access denied in both firefox and ie if login fails. Authorization has nothing to do with form based authentication and would be handled by the container based on the roles you create. Curtis I mean't authorization. Consider a scenario as follows. There are two users, admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has rights to both the pages but user can access only userPage.jsp. Lets assume that the user logs in as user (not admin) and accesses userPage.jsp. It is fine upto this point because user has access to userPage.jsp. But what happens if the user tries to access adminPage.jsp for which he is not authorized. As you have indicated it should fail through 403 access denied. But, I am getting HTTP 404 - File not found in IE and blank page in Mozilla. -- View this message in context: http://www.nabble.com/doubts-about-tomcat-form-based-authentication-tp25970503p25975955.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
Nirvann: I mean't authorization. Consider a scenario as follows. There are two users, admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has rights to both the pages but user can access only userPage.jsp. Lets assume that the user logs in as user (not admin) and accesses userPage.jsp. It is fine upto this point because user has access to userPage.jsp. But what happens if the user tries to access adminPage.jsp for which he is not authorized. As you have indicated it should fail through 403 access denied. But, I am getting HTTP 404 - File not found in IE and blank page in Mozilla. In a situation like the one you describe my Tomcat responds with 403 response code and the standard access denied page (I did not change it in web.xml). So, I second Curtis' guess that you did something wrong. BTW: What IE shows you is of very little use, unless you turn off friendly error messages. -- Regards mks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
I would also google making internet explorer display your error page ...this is something I learned in the apache cookbook...IE will display it's own error message if your error page isn't at least 512 bytes...anyway you might want to research this a little Did you define a custom 403 page? Are you sure you aren't getting the 404 looking for your 403 page? I'm not sure what else to tell you because I've never had this problem. It might help if you post some of your configuration/code Curtis 2009/10/20 Markus Schönhaber tomcat-us...@list-post.mks-mail.de: Nirvann: I mean't authorization. Consider a scenario as follows. There are two users, admin and user. Consider two pages adminPage.jsp and userPage.jsp. Admin has rights to both the pages but user can access only userPage.jsp. Lets assume that the user logs in as user (not admin) and accesses userPage.jsp. It is fine upto this point because user has access to userPage.jsp. But what happens if the user tries to access adminPage.jsp for which he is not authorized. As you have indicated it should fail through 403 access denied. But, I am getting HTTP 404 - File not found in IE and blank page in Mozilla. In a situation like the one you describe my Tomcat responds with 403 response code and the standard access denied page (I did not change it in web.xml). So, I second Curtis' guess that you did something wrong. BTW: What IE shows you is of very little use, unless you turn off friendly error messages. -- Regards mks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Curtis Garman Web Programmer Heartland Community College - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nirvann, On 10/20/2009 2:50 AM, Nirvann wrote: The first thing is what mechanism can be used to handle authorization errors. For authentication we have control of jsp pages (Login and Login error pages). But there is nothing to let users know that they are failing role based authorization. Tomcat should be issuing a 403 error, which you ought to be able to capture using web.xml's error-page configuration. Secondly, a subquestion of first, how does the container signal an authorization error. See above. I tried with IE and Mozilla. In IE I get a 404 resource not found. In mozilla it just displays a blank page. If this is the case, then you probably have some kind of broken configuration. 404 is not appropriate for forbidden, but if you are trying to forward to a page that doesn't exist, the 404 might be masking the 403 error. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd3VwACgkQ9CaO5/Lv0PAqTACeJ5MKYK7PsUGlsQ9gQCl7j6Zc uNwAoIIw/WB+QO5L1XuFs3YIZB9OOZ5R =lDTg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
On Tue, Oct 20, 2009 at 10:55 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Nirvann, On 10/20/2009 2:50 AM, Nirvann wrote: The first thing is what mechanism can be used to handle authorization errors. For authentication we have control of jsp pages (Login and Login error pages). But there is nothing to let users know that they are failing role based authorization. Tomcat should be issuing a 403 error, which you ought to be able to capture using web.xml's error-page configuration. Secondly, a subquestion of first, how does the container signal an authorization error. See above. I tried with IE and Mozilla. In IE I get a 404 resource not found. In mozilla it just displays a blank page. If this is the case, then you probably have some kind of broken configuration. 404 is not appropriate for forbidden, but if you are trying to forward to a page that doesn't exist, the 404 might be masking the 403 error. Exactly...this is quite possible - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrd3VwACgkQ9CaO5/Lv0PAqTACeJ5MKYK7PsUGlsQ9gQCl7j6Zc uNwAoIIw/WB+QO5L1XuFs3YIZB9OOZ5R =lDTg -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Curtis Garman Web Programmer Heartland Community College - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
Sorry guys to have bothered you with my silly mistake. Actually, I had configured 403 error page in web.xml file but the page was not at proper location. Hence I was getting 404 file not found. Now I can access the role error page for authorization error. Thanks a lot for all your insights. regards, nirvan. -- View this message in context: http://www.nabble.com/doubts-about-tomcat-form-based-authentication-tp25970503p25984106.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: doubts about tomcat form based authentication
The way I solved the issue was removing he user from the tomcat role table. Tomcat itself will then not allow you to login. I am using a Realm authentication as well. In the user table I specified what role the user had (either plain user, manager, admin, or a trainer), then based off of that, the tomcat role table was populated at create new user time. It will throw your 403 error (which mine does) - Josh On Tue, Oct 20, 2009 at 7:18 PM, Nirvann jatin.kulka...@yahoo.com wrote: Sorry guys to have bothered you with my silly mistake. Actually, I had configured 403 error page in web.xml file but the page was not at proper location. Hence I was getting 404 file not found. Now I can access the role error page for authorization error. Thanks a lot for all your insights. regards, nirvan. -- View this message in context: http://www.nabble.com/doubts-about-tomcat-form-based-authentication-tp25970503p25984106.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication
Am Sonntag, 21. Juni 2009 01:34:29 schrieb Caldarale, Charles R: [...] you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently User). You must have a role class that implements Principal and Serializable (in addition to the Principal class for the user name); this role class must be specified in your Realm element via the roleClassName attribute. Create an instance of the role class with the predefined name and add it to the Subject object's principals set in your commit() method after you have added the user name Principal object. By adding a roleClassName to the Realm descriptor (context.xml) and by adding a RolePrincipal to the subject solved my problem of authentication failures. Thank you. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Form-based authentication
Hello everybody, If this is not the appropriate mailing list, please tell me which mailing list I should use. I have writte a first jaas login module and it does authenticate users by logging into an imap server. If the credentials establish a connection and the inbox can be opened, the login is considered successful. This works so far. But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has an imap account to web.xml? Not really!? (You will find my web.xml and context.xml at the end of this message) Best Regards, Oliver Block ?xml version=1.0 encoding=UTF-8? Context antiJARLocking=true path=/JavaMailLoginServlet Realm className=org.apache.catalina.realm.JAASRealm appName=WebLogin userClassNames=com.oliverblock.principal.JavaMailPrincipal roleClassNames= debug=99 / Resource name=mail/Session auth=Container type=javax.mail.Session mail.smtp.host=localhost mail.imap.host=localhost factory=org.apache.naming.factory.MailSessionFactory / /Context ?xml version=1.0 encoding=UTF-8? web-app version=2.5 xmlns=http://java.sun.com/xml/ns/javaee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd; session-config session-timeout 30 /session-timeout /session-config welcome-file-list welcome-fileindex.jsp/welcome-file /welcome-file-list security-constraint display-nameUserConstraint/display-name web-resource-collection web-resource-nameUser/web-resource-name description/ url-pattern//url-pattern http-methodGET/http-method http-methodPOST/http-method http-methodHEAD/http-method http-methodPUT/http-method http-methodOPTIONS/http-method http-methodTRACE/http-method http-methodDELETE/http-method /web-resource-collection auth-constraint description/ role-nameUser/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method realm-name/ form-login-config form-login-page/login.html/form-login-page form-error-page/loginError.html/form-error-page /form-login-config /login-config security-role description/ role-nameUser/role-name /security-role /web-app - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Form-based authentication
From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Form-based authentication But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has an imap account to web.xml? No, each user would normally have a set of roles with which they are associated, and it's the roles that are configured in web.xml. Often, group membership is used as a substitute for roles. Since the imap accounts likely do not have any means of specifying role or group attributes, your login module can simply utilize any role name it likes for all users once authentication has occurred. Only that single role name (User, in your current setup) needs to be configured in web.xml, assuming that every user that authenticates successfully is allowed access. - Chuck P.S. Remove the path attribute from your Context element - it's not allowed. THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form-based authentication
Am Samstag, 20. Juni 2009 23:41:11 schrieb Caldarale, Charles R: From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Form-based authentication But now I do not see how to connect the authentication module to a security constraint. I mean, do I have to add every user that has an imap account to web.xml? No, each user would normally have a set of roles with which they are associated, and it's the roles that are configured in web.xml. your login module can simply utilize any role name it likes for all users once authentication has occurred. Are the roles passed to the LoginModule? How? Best Regards, Oliver Block - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Form-based authentication
From: Oliver Block [mailto:li...@oliver-block.eu] Subject: Re: Form-based authentication Are the roles passed to the LoginModule? No, you hard-code the single role name in the LoginModule, using whatever value you have in web.xml (currently User). You must have a role class that implements Principal and Serializable (in addition to the Principal class for the user name); this role class must be specified in your Realm element via the roleClassName attribute. Create an instance of the role class with the predefined name and add it to the Subject object's principals set in your commit() method after you have added the user name Principal object. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 5/13/2009 8:16 AM, Caldarale, Charles R wrote: From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session before it is authenticated? P.S: BTW, is Tomcat planning to resolve this vulnerability in near future? I'll bite: what vulnerability are you referring to? Session fixation which is essentially a form of session hijacking. Basically, you get yourself a session and a session id from the server. You write that down and walk away. Then, you trick someone else into sitting down and logging-in. Since the session id does not change, you can go to another machine, hijack the user's session, and impersonate them. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoMY7EACgkQ9CaO5/Lv0PAVuQCgq3BW343Iydg+ZAfaT4y0sWup EjQAnRTFEa0KRoPlNQtNwiL51hAk3MbW =i/jw -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Martin, On 5/13/2009 9:27 AM, Martin Gainty wrote: if you are asking how to overcome Man-in-the-middle fraudulent manipulation based on basic authentication? He's not. and or Man-in-the middle fraudulent manipulation based on Form-based authentication which uses j_username and j_password and posts back to j_security_check using cleartext? He's not asking that, either. i would suggest implementation authentication using either Message-Digest or HTTPS Message-Digest This does not solve the problem, which is session hijacking, not protection of credentials. You have wasted a great deal of your time coming up with that response. Instead, you should have read the referenced thread and contributed to the discussion of protection against session fixation, instead of posting tips on how to protect credentials. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoMZGUACgkQ9CaO5/Lv0PCg1wCdFV8/BDav0DR+g6dg0MU70HeI 7qYAoJtB3AUbI9f9uMCwLW07ej2lH64N =zjkh -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Form Based Authentication creates user session before it is authenticated?
From: umeshkavade [mailto:umeshkav...@yahoo.co.in] Subject: Re: Form Based Authentication creates user session before it is authenticated? P.S: BTW, is Tomcat planning to resolve this vulnerability in near future? I'll bite: what vulnerability are you referring to? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Form Based Authentication creates user session before it is authenticated?
http://www.cafesoft.com/products/cams/tomcat-security.html if you are asking how to overcome Man-in-the-middle fraudulent manipulation based on basic authentication? and or Man-in-the middle fraudulent manipulation based on Form-based authentication which uses j_username and j_password and posts back to j_security_check using cleartext? i would suggest implementation authentication using either Message-Digest or HTTPS Message-Digest processes passwords with a Digest algorithm such as SHA, MD2, or MD5.. the receiving entity must agree on the digested contents for authentication to occur HTTPS or HTTP on a SSL connection usually implemented with a known key stored in a keystore where access is controlled by CA (certificate authority) presentation of a certificate.. a good explanation of how Tomcat implements SSL details are available at http://www.mbaworld.com/docs/ssl-howto.html commercial vendors such as Verisign have implemented CA servers which validate the requesting entity and the requestor to ensure both are indeed who they say they are.. client authenticating to CA authority is a new feature but prevents spoofed clients from order-execution and/or using spoofed credentials to effect fraudulent transactions..I would strongly suggest you enable authentication capability in both directions if using SSL https://www.verisign.com/support/roots.html security elements defined and configured by Tomcat: Deployment descriptor security-constraint elements define the permissions and rules for the protected Tomcat resources and include the following XML elements: web-resource-collection - A set of URL patterns and HTTP methods that describe a set of resources to be protected. All requests that contain a URL pattern matched in a web resource collection are subject to the constraint. auth-constraint - A set of security roles (one or more) to which a user must belong to be granted access to resources matched by the web resource collections (e.g. admin/manager) user-data-constraint - Describes integrity and confidentiality requirements for the transport layer of the client server. an example of XSD which describes user-data-constraintType would be xsd:complexType name=user-data-constraintType xsd:annotation xsd:documentation The user-data-constraintType is used to indicate how data communicated between the client and container should be protected. Used in: security-constraint /xsd:documentation /xsd:annotation xsd:sequence xsd:element name=description type=j2ee:descriptionType minOccurs=0 maxOccurs=unbounded/ xsd:element name=transport-guarantee type=j2ee:transport-guaranteeType/ /xsd:sequence xsd:attribute name=id type=xsd:ID/ /xsd:complexType namespace j2ee is assigned xmlns:j2ee=http://java.sun.com/xml/ns/j2ee; where transport=guaranteeType can be NONE,INTEGRAL or CONFIDENTIAL the latter 2 types imply use of SSL Man in the middle fraud is a concern to all and one which should be dealt with the most secure and reliable algorithm available anyone else? Martin Gainty __ Disclaimer and Confidentiality/Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité This message is confidential. If you should not be the intended receiver, then we ask politely to report. Each unauthorized forwarding or manufacturing of a copy is inadmissible. This message serves only for the exchange of information and has no legal binding effect. Due to the easy manipulation of emails we cannot take responsibility over the the contents. Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons
Re: Form Based Authentication creates user session before it is authenticated?
No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored? Christopher, thanks for the reply. This is inline with my analysis. Actually, I am trying to address 'Session Fixation' issue in my web application. I saw your reply on thread http://www.nabble.com/How-to-avoid-session-fixation--td15311806.html. In one of the reply you gave following suggestion to address the issue: - a custom valve contains the whole implementation - requests to the servlet/URI j_security_check are intercepted - for intercepted requests the current session is destroyed and a new one is created: -- snip -- ... request.getSession().invalidate(); request.getSession(true); ... -- snap -- - to have a proper redirect to the originally requested page the original request has to be copied from the old session to the new one. I filter out any references to the old session id, although I'm not sure whether this is really necessary. I think, this would solve my problem. The only blocker for me is step: requests to the servlet/URI j_security_check are intercepted. I did not get good info on google which would teach me how I can do this. Pointers on this would be of great help. Thanks, Umesh P.S: BTW, is Tomcat planning to resolve this vulnerability in near future? -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23515249.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
Christopher, I got the solution. Thanks. Umesh -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23515281.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Umesh, On 5/8/2009 9:03 PM, umeshkavade wrote: In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. Pid is right, you can't avoid this. Tomcat stores the original request that caused authentication to be triggered in the session. Technically, it's not stored in the session attributes (so you can't manipulate it), but it's definitely tied to the session. If you want to avoid session creation, you'll have to roll your own authentication mechanism. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm You should get the source code from the actual source repository: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Is there any way to avoid this and tell tomcat to not create session. No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkoIidsACgkQ9CaO5/Lv0PC2MgCgiHFPJfAotZX9ZSB89ADVt2r7 XT4AoLIq/Yo29sQOQM/DPDkDXqHARVR0 =A1z7 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm While processing first request, tomcat calls FormAuthenticator.authenticate() method which is calling getSession method which creates a session. Is there any way to avoid this and tell tomcat to not create session. The session is created, (if it doesn't already exist), when you request a protected resource, the original request is stored in the session so it can be restored after authentication has succeeded. So you need the user to have a session *before* authentication takes place. p Inputs on this will be of great help. Thanks in advance. - Umesh - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
Pid wrote: umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm While processing first request, tomcat calls FormAuthenticator.authenticate() method which is calling getSession method which creates a session. Is there any way to avoid this and tell tomcat to not create session. The session is created, (if it doesn't already exist), when you request a protected resource, the original request is stored in the session so it can be restored after authentication has succeeded. Actually, on reflection, I'm not sure the original request is stored in the session itself. But in either case, the session *is* created beforehand and you can't avoid this. p So you need the user to have a session *before* authentication takes place. p Inputs on this will be of great help. Thanks in advance. - Umesh - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Form Based Authentication creates user session before it is authenticated?
take a look at HttpServletRequest.code for method which creates a new session via getSession(request,true) http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Core/Servlet-API-by-tomcat/javax/servlet/http/HttpServletRequest.java.htm getSession(request,true) will create a new Session getSession(request,false) will NOT create a new session FormAuthenticator.java authenticate method shows the calls to getSession as for newSession will be created e.g. http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm authenticate method (calls to getSession method) if (ssoId != null) 107:associate(ssoId, getSession(request, true)); 128:session = getSession(request, true); 161:session = getSession(request, true); 198:session = getSession(request, true); 243:if (session == null) 244:session = getSession(request, false); matchRequest 287:Session session = getSession(request, false); HTH Martin Gainty __ Disclaimer and Confidentiality/Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité This message is confidential. If you should not be the intended receiver, then we ask politely to report. Each unauthorized forwarding or manufacturing of a copy is inadmissible. This message serves only for the exchange of information and has no legal binding effect. Due to the easy manipulation of emails we cannot take responsibility over the the contents. Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen. Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune responsabilité pour le contenu fourni. Date: Sat, 9 May 2009 10:35:37 +0100 From: p...@pidster.com To: users@tomcat.apache.org Subject: Re: Form Based Authentication creates user session before it is authenticated? Pid wrote: umeshkavade wrote: Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm While processing first request, tomcat calls FormAuthenticator.authenticate() method which is calling getSession method which creates a session. Is there any way to avoid this and tell tomcat to not create session. The session is created, (if it doesn't already exist), when you request a protected resource, the original request is stored in the session so it can be restored after authentication has succeeded. Actually, on reflection, I'm not sure the original request is stored in the session itself. But in either case, the session *is* created beforehand and you can't avoid this. p So you need the user to have a session *before* authentication takes place. p Inputs on this will be of great help. Thanks in advance. - Umesh - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org _ Hotmail® has a new way to see what's up with your friends. http://windowslive.com/Tutorial/Hotmail/WhatsNew?ocid=TXT_TAGLM_WL_HM_Tutorial_WhatsNew1_052009
Form Based Authentication creates user session before it is authenticated?
Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm While processing first request, tomcat calls FormAuthenticator.authenticate() method which is calling getSession method which creates a session. Is there any way to avoid this and tell tomcat to not create session. Inputs on this will be of great help. Thanks in advance. - Umesh -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23455945.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org