user / password

2009-08-27 Thread Chris Lenart
NetBeans is trying to connect to Tomcat and asking for an ID and password.
Where do I find this?


Re: user / password

2009-08-27 Thread Markus Meyer
I do not know NetBeans but you probably want to have a look at 
tomcat-users.xml in the Tomcat configuration directory.


Chris Lenart wrote:

NetBeans is trying to connect to Tomcat and asking for an ID and password.
Where do I find this?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: user / password

2009-08-27 Thread Chris Lenart
I did but it's blank. Do I add one?

-Original Message-
From: Markus Meyer [mailto:me...@mesw.de] 
Sent: Thursday, August 27, 2009 3:14 PM
To: Tomcat Users List
Subject: Re: user / password


I do not know NetBeans but you probably want to have a look at 
tomcat-users.xml in the Tomcat configuration directory.

Chris Lenart wrote:
 NetBeans is trying to connect to Tomcat and asking for an ID and 
 password. Where do I find this?
 




Re: user / password

2009-08-27 Thread Markus Meyer

See http://www.netbeans.org/kb/61/websvc/gs-axis.html

Search for tomcat-users.xml in this document.

Chris Lenart wrote:

I did but it's blank. Do I add one?

-Original Message-
From: Markus Meyer [mailto:me...@mesw.de] 
Sent: Thursday, August 27, 2009 3:14 PM

To: Tomcat Users List
Subject: Re: user / password


I do not know NetBeans but you probably want to have a look at 
tomcat-users.xml in the Tomcat configuration directory.


Chris Lenart wrote:
NetBeans is trying to connect to Tomcat and asking for an ID and 
password. Where do I find this?






Problems with user/password data when trying to connect to DBs - Tomcat sees '' as username instead of the given one

2008-09-09 Thread Daniele Development-ML
Hello,

I have a WS deployed on Tomcat and querying a DB. The JDBC and JNDI
configurations should be fine but I still have some problems.

When loading the WS (actually starting Tomcat)  I got the following
exception. It doesn't recognise the user and password I set in the
context.xml.

I searched for similar problems, but in the net there are only example
exceptions that indeed see the username they set. In my case, the program
doesn't consider the username me and indeed tries to establish the
connection with username ' ' . The account perfectly works when accessing
through the MySQL Query Browser.

Any hints on what I'm doing wrong?

Thanks!

Dan


Tomcat Exception:

org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Access denied for user ''@'localhost' (using password: YES))
    at org.apache.tomcat.dbcp.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1225)
    at org.apache.tomcat.dbcp.dbcp.BasicDataSource.getConnection(BasicDataSource.java:880)
    at uk.ac.ox.comlab.combio.euhart.db.DBAccess.connect(DBAccess.java:96)
    at uk.ac.ox.comlab.combio.euhart.db.DBAccess.init(DBAccess.java:37)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at java.lang.Class.newInstance0(Class.java:355)
    at java.lang.Class.newInstance(Class.java:308)
    at com.sun.xml.ws.api.server.InstanceResolver.createNewInstance(InstanceResolver.java:215)
    at com.sun.xml.ws.api.server.InstanceResolver.createDefault(InstanceResolver.java:180)
    at com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:123)
    at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:467)
    at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
    at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
    at com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:108)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:627)
    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:553)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:488)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:516)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: java.sql.SQLException: Access denied for user ''@'localhost' (using password: YES)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1055)
    at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:956)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3491)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3423)
    at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:910)
    at com.mysql.jdbc.MysqlIO.secureAuth411(MysqlIO.java:3923)
    at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1273)
    at

Re: Problems with user/password data when trying to connect to DBs - Tomcat sees '' as username instead of the given one

2008-09-09 Thread David Smith
You have an error in your Resource definition.  The attribute for 
username is 'username', not 'user'.  The corrected version is below:


<Resource name="jdbc/cellmlrep"
          type="javax.sql.DataSource"
          auth="Container"
          username="me" password="me"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/cellmlrep" maxActive="8"
          maxIdle="4"/>

See the JNDI Datasource docs for your version of tomcat at 
tomcat.apache.org.


--David


Daniele Development-ML wrote:

Hello,

I have a WS deployed on Tomcat and querying a DB. The JDBC and JNDI
configurations should be fine but I still have some problems.

When loading the WS (actually starting Tomcat)  I got the following
exception. It doesn't recognise the user and password I set in the
context.xml.

I searched for similar problems, but in the net there are only example
exceptions that indeed see the username they set. In my case, the program
doesn't consider the username me and indeed tries to establish the
connection with username ' ' . The account perfectly works when accessing
through the MySQL Query Browser.

Any hints on what I'm doing wrong?

Thanks!

Dan



Re: DBCP user/password specified in getConnection

2008-01-14 Thread Christopher Schultz


Anthony,

Berglas, Anthony wrote:
| We have an app that uses connection pooling, but tries to specify the
| username/password in the code.  In particular, it does not want the
| password to be in plain text in an xml file.  There is only one username
| involved, so no issues with heterogeneous connection pools.  Pretty
| basic requirement.

This comes up every so often. If you aren't going to put the plaintext
password in your XML file, what is your strategy for the password?

- -chris

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DBCP user/password specified in getConnection

2008-01-13 Thread Berglas, Anthony
We have an app that uses connection pooling, but tries to specify the
username/password in the code.  In particular, it does not want the
password to be in plain text in an xml file.  There is only one username
involved, so no issues with heterogeneous connection pools.  Pretty
basic requirement.

Tomcat complains that this is not supported in Basic DBCP.
 
Any pointers most welcome.  If not possible with DBCP, what connection
poolers do people recommend?  C3p0?

Thanks,

Anthony 

(We had tried to use Oracle CP, but too hard to set max nr connections
parameter which is a property, rather than reflected.  Requires a
special JNDI factory, or a future version of Tomcat.)




--
Dr Anthony Berglas 
Ph. +61 7 3227 4410
Mob. +61 44 838 8874
[EMAIL PROTECTED]; [EMAIL PROTECTED]





Re: [OT] User-password from the HttpServletRequest

2007-05-04 Thread sebbo
Thanks Chris, it helps a lot for me :-)
Very useful information.


 Original Message 
Date: Thu, 03 May 2007 15:02:35 -0400
From: Christopher Schultz [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: [OT] User-password from the HttpServletRequest

 Sam,
 
 [EMAIL PROTECTED] wrote:
  I saw, that I can get the password via the Principal: The Tomcat
  server has his own implementation of Principal: GenericPrincipal
  which holds all the stuff (pw, roles, etc).
 
 Wow, Tomcat keeps the user's password lying around in memory? That's
 unfortunate... :(
 
  Does somebody know a good encryption/decryption algorithm which works
  only with a password (String)?
 
 There are many symmetric encryption algorithms. DES, 3DES (Triple
 DES), AES, and Blowfish are quite popular. Java supports many of these
 algorithms out of the box. Figuring out how to use them can be a
 challenge, so here's some of the things I've learned.
 
 With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
 ciphers available from the SunJCE version 1.5 provider:
 
 AES
 Blowfish
 DES
 3DES
 
 Each of these can be used with a simple password. You'll need to massage
 your strings to get them into the proper format, though. Here is some
 helpful code.
 
 In order to do anything with a cipher, you'll need a key. The easiest
 way to create a key is like this:
 
 byte[] password = ...;
 String algorithm = ...;  // AES, 3DES, etc.
 Key encryptionKey = new javax.crypto.spec.SecretKeySpec(password,
 algorithm);
 
 Now that you have a key (which can be used for decryption, btw), you can
 use a cipher:
 
 byte[] clearText = ...; // convert your data-to-encrypt to bytes
 Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
 cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
 byte[] cipherText = cipher.doFinal(clearText);
 
 Decryption is the same, just that you use DECRYPT_MODE when you call
 Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.
 
 A few other notes:
 
 * Be careful about converting Strings to and from byte arrays. Make sure
 that you consistently use the same character encoding (UTF-8 is always a
 good bet) or your efforts will end in tears.
 
 * If you want to store your encrypted data in a database, you have to
 decide if you want to store binary byte data (BLOB) or character data
 (CLOB). BLOBs are probably smaller (keep reading) but not as easy to
 read when observing data in the database. CLOBs will take more space
 but are easier to read when looking at your db. If you choose to use a
 CLOB, then you'll need to convert the cipher text into a readable
 format. Base64 encoding is often chosen because it results in 4 bytes of
 output for every 3 bytes of input, so you waste only 1/3 extra
 storage. Compare that to a character binary encoding (my term) where
 you have 1 byte - 2 character conversion (results look like 1a2b3c
 etc.) which doubles your data, which sucks.
 
 This is only one way to interact with Java's crypto APIs. I'm sure there
 are other ways, but after a lot of reading this is what I came up with.
 
 Hope that helps,
 - -chris
 



Re: User-password from the HttpServletRequest

2007-05-03 Thread sebbo
I saw, that I can get the password via the Principal: The Tomcat server has his 
own implementation of Principal: GenericPrincipal which holds all the stuff 
(pw, roles, etc).

I know the problem with the changing of password, but that's not the main 
problem now ;-)

Does somebody know a good encryption/decryption algorithm which works only with 
a password (String)?


 Original Message 
Date: Wed, 02 May 2007 16:54:22 -0400
From: Christopher Schultz [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest

 Sam,
 
 [EMAIL PROTECTED] wrote:
  I'm using the password of the [authentication] to encrypt and decrypt
  some data to a database user specific (each users own data has the
  users password).
 
 Uh... are you sure this is a good idea? If the user changes his or her
 password, do you re-encrypt all of their data? This doesn't seem like a
 very efficient way to store encrypted information.
 
 My advice: randomly generate an encryption key when the account is
 created (or afterward for existing users) and encrypt /that/ with the
 user's password. Then, when the user's password is changed, you only
 have to re-encrypt the encryption/decryption key itself, instead of
 every piece of information in there.
 
  To get to the password must be possibly, not?
 
 The servlet API provides no way to get the user's password. You'll have
 to do this yourself. If you need the password all the time, you could
 store it in the session during login and you'd have it available
 whenever you want.
 
 If you use my suggestion from above, you could use the login password to
 decrypt the general encryption/decryption key and then store that in the
 session, which might be more convenient (or safer?) than storing the
 user's actual password in the session.
 
 On second thought, the encryption key is more sensitive (at least, as
 far as your application goes) than the user's password, so perhaps the
 user's password in the session is better just in case.
 
 - -chris
 



Re: [OT] User-password from the HttpServletRequest

2007-05-03 Thread Christopher Schultz

Sam,

[EMAIL PROTECTED] wrote:
 I saw, that I can get the password via the Principal: The Tomcat
 server has his own implementation of Principal: GenericPrincipal
 which holds all the stuff (pw, roles, etc).

Wow, Tomcat keeps the user's password lying around in memory? That's
unfortunate... :(

 Does somebody know a good encryption/decryption algorithm which works
 only with a password (String)?

There are many symmetric encryption algorithms. DES, 3DES (Triple
DES), AES, and Blowfish are quite popular. Java supports many of these
algorithms out of the box. Figuring out how to use them can be a
challenge, so here's some of the things I've learned.

With my (relatively standard) Sun JDK 1.5.0_11-b03, I have the following
ciphers available from the SunJCE version 1.5 provider:

AES
Blowfish
DES
3DES

Each of these can be used with a simple password. You'll need to massage
your strings to get them into the proper format, though. Here is some
helpful code.

In order to do anything with a cipher, you'll need a key. The easiest
way to create a key is like this:

byte[] password = ...;
String algorithm = ...;  // AES, 3DES, etc.
Key encryptionKey = new javax.crypto.spec.SecretKeySpec(password,
algorithm);

Now that you have a key (which can be used for decryption, btw), you can
use a cipher:

byte[] clearText = ...; // convert your data-to-encrypt to bytes
Cipher cipher = javax.crypto.Cipher.getInstance(algorithm);
cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
byte[] cipherText = cipher.doFinal(clearText);

Decryption is the same, just that you use DECRYPT_MODE when you call
Cipher.init. DO NOT TRY TO SHARE Cipher OBJECTS.

A few other notes:

* Be careful about converting Strings to and from byte arrays. Make sure
that you consistently use the same character encoding (UTF-8 is always a
good bet) or your efforts will end in tears.

* If you want to store your encrypted data in a database, you have to
decide if you want to store binary byte data (BLOB) or character data
(CLOB). BLOBs are probably smaller (keep reading) but not as easy to
read when observing data in the database. CLOBs will take more space
but are easier to read when looking at your db. If you choose to use a
CLOB, then you'll need to convert the cipher text into a readable
format. Base64 encoding is often chosen because it results in 4 bytes of
output for every 3 bytes of input, so you waste only 1/3 extra
storage. Compare that to a character binary encoding (my term) where
you have 1 byte - 2 character conversion (results look like 1a2b3c
etc.) which doubles your data, which sucks.

This is only one way to interact with Java's crypto APIs. I'm sure there
are other ways, but after a lot of reading this is what I came up with.

Hope that helps,
- -chris
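
Added example, not code from this thread: the scheme quoted earlier (a random data key encrypted under the user's password and re-wrapped when the password changes), built on the JCE calls from the message above. It goes further than the posted snippet by deriving the key-encryption key with PBKDF2 and using AES-GCM with a fresh IV per call; the class name, method names and iteration count are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical demo class; every name below is an assumption of this example.
public class WrappedKeyDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ITERATIONS = 600_000; // assumed work factor; tune for your hardware
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;

    /** What gets stored per account: a salt and the data key encrypted under the password. */
    static final class KeyRecord {
        final byte[] salt, wrappedDataKey;
        KeyRecord(byte[] salt, byte[] wrappedDataKey) {
            this.salt = salt;
            this.wrappedDataKey = wrappedDataKey;
        }
    }

    /** Stretch the password into a 256-bit AES key instead of using its bytes as the key. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretKeySpec(kdf.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword();
        }
    }

    /** AES-GCM encrypt with a fresh IV and a fresh Cipher; returns iv || ciphertext || tag. */
    static byte[] seal(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    /** Inverse of seal(); throws AEADBadTagException on a wrong key or modified data. */
    static byte[] open(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    static KeyRecord wrap(SecretKey dataKey, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        return new KeyRecord(salt, seal(deriveKey(password, salt), dataKey.getEncoded()));
    }

    static SecretKey unwrap(KeyRecord rec, char[] password) throws GeneralSecurityException {
        return new SecretKeySpec(open(deriveKey(password, rec.salt), rec.wrappedDataKey), "AES");
    }

    /** Password change: only the small key record is re-encrypted, never the user's rows. */
    static KeyRecord changePassword(KeyRecord rec, char[] oldPw, char[] newPw)
            throws GeneralSecurityException {
        return wrap(unwrap(rec, oldPw), newPw);
    }

    public static void main(String[] args) throws Exception {
        // Account creation: random data key, wrapped under the (constructed) password.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256, RNG);
        SecretKey dataKey = gen.generateKey();
        KeyRecord rec = wrap(dataKey, "old-password".toCharArray());

        // Constructed sample row, encrypted with the data key (same charset both ways).
        byte[] row = seal(dataKey, "constructed sample row".getBytes(StandardCharsets.UTF_8));

        rec = changePassword(rec, "old-password".toCharArray(), "new-password".toCharArray());
        SecretKey recovered = unwrap(rec, "new-password".toCharArray());
        System.out.println(new String(open(recovered, row), StandardCharsets.UTF_8));

        try {
            unwrap(rec, "old-password".toCharArray());
            System.out.println("unexpected: old password still unwraps the key");
        } catch (AEADBadTagException e) {
            System.out.println("old password rejected");
        }
    }
}
```

The stored `KeyRecord` and the sealed rows are byte arrays; Base64-encode them if they go into a character column.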




Re: User-password from the HttpServletRequest

2007-05-03 Thread Johnny Kewl

Sebbo, the word you're looking for is SYMMETRICAL encryption.
I think Sun has a class... can't remember.
Anyway have a look at things like DES... and the one I like, IDEA.
You can read up on all that stuff and I'm pretty sure you will find Java 
implementations.


I did have this all coded a long time ago... but I don't know where I put it 
offhand.

Probably better to use a Sun lib anyway...



- Original Message - 
From: [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, May 03, 2007 7:45 PM
Subject: Re: User-password from the HttpServletRequest


I saw, that I can get the password via the Principal: The Tomcat server has 
his own implementation of Principal: GenericPrincipal which holds all the 
stuff (pw, roles, etc).


I know the problem with the changing of password, but that's not the main 
problem now ;-)


Does somebody know a good encryption/decryption algorithm which works only 
with a password (String)?








User-password from the HttpServletRequest

2007-05-02 Thread sebbo
Hi

How can I get the password from the logged in user via the HttpServletRequest 
in general? (I need the password in a servlet filter to do some stuff)

And there some web server independent solution?

Thanks in advance and greets
Sam



Re: User-password from the HttpServletRequest

2007-05-02 Thread Christopher Schultz

Sam,

[EMAIL PROTECTED] wrote:
 How can I get the password from the logged in user via the
 HttpServletRequest in general? (I need the password in a servlet
 filter to do some stuff)

Do you mean during the login process, or after it has been done?

Unless you can get a request object during the login process, you will
only be able to get the user's password when using BASIC authentication
(not FORM).

You'll need to get the Authorization header from the request and
decode it to get the user's credentials. You can read all about HTTP
auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
how to interpret the data found there.

 And there some web server independent solution?

I assume that you mean /application server/-independent solution. Yes,
all (compliant) Java application servers support the servlet API.

- -chris
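
Added example, not code from this thread: decoding the Authorization header for the BASIC case described in the message above, including the cases where no password can be recovered. The class and method names are assumptions, and the header values in `main` are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper for illustration; names are assumptions of this example.
public class BasicAuthHeader {
    static final class Credentials {
        final String user;
        final String password;
        Credentials(String user, String password) {
            this.user = user;
            this.password = password;
        }
    }

    /**
     * Parse the value of an Authorization header, e.g. what a servlet filter gets from
     * request.getHeader("Authorization"). Returns empty for a missing header, for any
     * scheme other than Basic (a Digest header never carries the password), or for a
     * malformed payload.
     */
    static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return Optional.empty();
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64
        }
        // Assumption: ISO-8859-1 for the decoded bytes.
        String pair = new String(decoded, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':'); // the user-id cannot contain ':', the password can
        if (colon < 0) return Optional.empty();
        return Optional.of(new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    /** Build a constructed Basic header value for the samples below. */
    private static String basic(String user, String password) {
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) {
        String[] samples = {
            basic("sam", "s3cret"),
            basic("sam", "pa:ss:word"),                       // colons inside the password
            "Digest username=\"sam\", realm=\"constructed\"", // other scheme
            "Basic not*base64",                               // malformed payload
            "Basic " + Base64.getEncoder().encodeToString(
                    "nocolon".getBytes(StandardCharsets.ISO_8859_1)),
        };
        for (String header : samples) {
            String result = parse(header)
                    .map(c -> "user=" + c.user + " password-length=" + c.password.length())
                    .orElse("no Basic credentials");
            System.out.println(result);
        }
    }
}
```

The decoding step is plain Base64, so the header is only as confidential as the transport it travels over.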




Re: User-password from the HttpServletRequest

2007-05-02 Thread sebbo

 Do you mean during the login process, or after it has been done?
I mean after the user has been logged in (form based login).

Have you an example how I can receive the password from the HttpServletRequest?

greets


 Original Message 
Date: Wed, 02 May 2007 13:31:49 -0400
From: Christopher Schultz [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest

 Sam,
 
 [EMAIL PROTECTED] wrote:
  How can I get the password from the logged in user via the
  HttpServletRequest in general? (I need the password in a servlet
  filter to do some stuff)
 
 Do you mean during the login process, or after it has been done?
 
 Unless you can get a request object during the login process, you will
 only be able to get the user's password when using BASIC authentication
 (not FORM).
 
 You'll need to get the Authorization header from the request and
 decode it to get the user's credentials. You can read all about HTTP
 auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
 how to interpret the data found there.
 
  And there some web server independent solution?
 
 I assume that you mean /application server/-independent solution. Yes,
 all (compliant) Java application servers support the servlet API.
 
 - -chris
 



Re: User-password from the HttpServletRequest

2007-05-02 Thread rmarra
Hi Sam,
I did something like that once but using the JSP saving the data in
session variables that were available for all the session of the user...

Roberto

 Hi

 How can I get the password from the logged in user via the
 HttpServletRequest in general? (I need the password in a servlet filter to
 do some stuff)

 And there some web server independent solution?

 Thanks in advance and greets
 Sam



Re: User-password from the HttpServletRequest

2007-05-02 Thread sebbo
I'm using a FORM based authentication. I'm not sure, but I think to remember that 
I once had the possibility to see all the user stuff (password, roles, database 
password, database user, etc.) but I don't know where ;-).

I'm using the password of the authentication to encrypt and decrypt some data 
to a database user specific (each users own data has the users password).

To get to the password must be possibly, not?



 Original Message 
Date: Wed, 2 May 2007 20:46:40 +0200
From: Johnny Kewl [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest

 I've never seen a function that will do that... think it's a security thing.
 I think you have to get the user name, and then Parse the User file
 yourself, or read the database yourself... whatever realm you're using.
 
 If it's BASIC authorization you're using you could just decode the
 authorization header, but the only reason that works is because it's a
 weak form of protection... if the admin guy switched to DIGEST... that
 method will break.
 
 I've just about finished an alternative SSO authorization system for
 Tomcat, thus my interest in your question... I'd be reluctant to expose
 passwords in the API, however there may be a terrific reason for it...
 would you mind telling me why you want to do this?
 
 - Original Message - 
 From: [EMAIL PROTECTED]
 To: users@tomcat.apache.org
 Sent: Wednesday, May 02, 2007 6:56 PM
 Subject: User-password from the HttpServletRequest
 
 
  Hi
 
  How can I get the password from the logged in user via the
  HttpServletRequest in general? (I need the password in a servlet filter
  to do some stuff)
 
  And there some web server independent solution?
 
  Thanks in advance and greets
  Sam



Re: User-password from the HttpServletRequest

2007-05-02 Thread Pid

[EMAIL PROTECTED] wrote:

Do you mean during the login process, or after it has been done?

I mean after the user has been logged in (form based login).

Have you an example how I can receive the password from the HttpServletRequest?


You can't access the credential from HttpServletRequest object, it's not 
made available as part of the Servlet spec.


Which realm implementation are you using?


p



greets


 Original Message
Date: Wed, 02 May 2007 13:31:49 -0400
From: Christopher Schultz [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest


Sam,

[EMAIL PROTECTED] wrote:

How can I get the password from the logged in user via the
HttpServletRequest in general? (I need the password in a servlet
filter to do some stuff)

Do you mean during the login process, or after it has been done?

Unless you can get a request object during the login process, you will
only be able to get the user's password when using BASIC authentication
(not FORM).

You'll need to get the Authorization header from the request and
decode it to get the user's credentials. You can read all about HTTP
auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
how to interpret the data found there.


And is there some web server independent solution?

I assume that you mean /application server/-independent solution. Yes,
all (compliant) Java application servers support the servlet API.

-chris


Re: User-password from the HttpServletRequest

2007-05-02 Thread sebbo
I'm using a DataSource Realm.

Hmm but from where can I access the credentials?



 Original Message
Date: Wed, 02 May 2007 20:00:04 +0100
From: Pid [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest

 [EMAIL PROTECTED] wrote:
  Do you mean during the login process, or after it has been done?
  I mean after the user has been logged in (form based login).
  
  Have you an example how I can receive the password from the
 HttpServletRequest?
 
 You can't access the credential from HttpServletRequest object, it's not 
 made available as part of the Servlet spec.
 
 Which realm implementation are you using?
 
 
 p
 
 
  greets
  
  
   Original Message
  Date: Wed, 02 May 2007 13:31:49 -0400
  From: Christopher Schultz [EMAIL PROTECTED]
  To: Tomcat Users List users@tomcat.apache.org
  Subject: Re: User-password from the HttpServletRequest
  
  Sam,
 
  [EMAIL PROTECTED] wrote:
  How can I get the password from the logged in user via the
  HttpServletRequest in general? (I need the password in a servlet
  filter to do some stuff)
  Do you mean during the login process, or after it has been done?
 
  Unless you can get a request object during the login process, you will
  only be able to get the user's password when using BASIC authentication
  (not FORM).
 
  You'll need to get the Authorization header from the request and
  decode it to get the user's credentials. You can read all about HTTP
  auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
  how to interpret the data found there.
 
  And is there some web server independent solution?
  I assume that you mean /application server/-independent solution. Yes,
  all (compliant) Java application servers support the servlet API.
 
  -chris



Re: User-password from the HttpServletRequest

2007-05-02 Thread Johnny Kewl

JDBC I guess...

Maybe the difficulty is an indication that it's not the right way to go...
For example if a user ever has to change their password... data is lost, or
a huge procedure.


Think about this... maybe it's a good idea.

Remember that if you see the user name in a page it means they authenticated.
So if the user gets to the code they had to come through the locked door...
And if the user is going to get the data back through the browser... this
will probably work.


Invent a secret code A4H%BIGSECRETYtffguTetc etc.
Then HASH that say using MD5 with the User name
That becomes your password and you lock and unlock the data with that.
Not terrific cryptography... but it will work and users can change their 
passwords...

Could add some salt to that like the documents name.
Maybe good luck


- Original Message - 
From: [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, May 02, 2007 9:06 PM
Subject: Re: User-password from the HttpServletRequest



I'm using a DataSource Realm.

Hmm but from where can I access the credentials?



 Original Message
Date: Wed, 02 May 2007 20:00:04 +0100
From: Pid [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Subject: Re: User-password from the HttpServletRequest


[EMAIL PROTECTED] wrote:
 Do you mean during the login process, or after it has been done?
 I mean after the user has been logged in (form based login).

 Have you an example how I can receive the password from the
HttpServletRequest?

You can't access the credential from HttpServletRequest object, it's not
made available as part of the Servlet spec.

Which realm implementation are you using?


p


 greets


  Original Message
 Date: Wed, 02 May 2007 13:31:49 -0400
 From: Christopher Schultz [EMAIL PROTECTED]
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: User-password from the HttpServletRequest

 Sam,

 [EMAIL PROTECTED] wrote:
 How can I get the password from the logged in user via the
 HttpServletRequest in general? (I need the password in a servlet
 filter to do some stuff)
 Do you mean during the login process, or after it has been done?

 Unless you can get a request object during the login process, you will
 only be able to get the user's password when using BASIC authentication
 (not FORM).

 You'll need to get the Authorization header from the request and
 decode it to get the user's credentials. You can read all about HTTP
 auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
 how to interpret the data found there.

 And is there some web server independent solution?
 I assume that you mean /application server/-independent solution. Yes,
 all (compliant) Java application servers support the servlet API.

 -chris



Re: User-password from the HttpServletRequest

2007-05-02 Thread Christopher Schultz

Sam,

[EMAIL PROTECTED] wrote:
 Do you mean during the login process, or after it has been done?
 
 I mean after the user has been logged in (form based login).
 
 Have you an example how I can receive the password from the
 HttpServletRequest?

Unless you are using some non-standard setup or user-tracking library of
some kind, there is no way to get the user's password from the request
(or anywhere else for that matter). Your application will need to take
care of this capability itself.

I'd like to point out that storing users' unencrypted passwords anywhere
is probably not a good idea, though I must admit that I don't know what
situation you are in.

-chris



Re: User-password from the HttpServletRequest

2007-05-02 Thread Christopher Schultz

Sam,

[EMAIL PROTECTED] wrote:
 I'm using the password of the [authentication] to encrypt and decrypt
 some data to a database user specific (each user's own data has the
 user's password).

Uh... are you sure this is a good idea? If the user changes his or her
password, do you re-encrypt all of their data? This doesn't seem like a
very efficient way to store encrypted information.

My advice: randomly generate an encryption key when the account is
created (or afterward for existing users) and encrypt /that/ with the
user's password. Then, when the user's password is changed, you only
have to re-encrypt the encryption/decryption key itself, instead of
every piece of information in there.

 To get to the password must be possible, no?

The servlet API provides no way to get the user's password. You'll have
to do this yourself. If you need the password all the time, you could
store it in the session during login and you'd have it available
whenever you want.

If you use my suggestion from above, you could use the login password to
decrypt the general encryption/decryption key and then store that in the
session, which might be more convenient (or safer?) than storing the
user's actual password in the session.

On second thought, the encryption key is more sensitive (at least, as
far as your application goes) than the user's password, so perhaps the
user's password in the session is better just in case.

-chris
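
Added example, not part of the thread: the scheme suggested in the message above (a random per-account key that is itself encrypted under the user's password), so that a password change rewrites only the wrapped key. The class and method names, the choice of AES-GCM and the PBKDF2 parameters are assumptions made for this illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Illustrative class; names and parameters are assumptions, not code from the thread.
class WrappedKeyDemo {
    static final SecureRandom RNG = new SecureRandom();

    static byte[] random(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }
    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    // AES-256-GCM; layout is 12-byte IV || ciphertext || 16-byte tag.
    static byte[] seal(byte[] key, byte[] plain) throws Exception {
        byte[] iv = random(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return concat(iv, c.doFinal(plain));
    }

    // Throws AEADBadTagException when the key is wrong or the bytes were altered.
    static byte[] open(byte[] key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, sealed, 0, 12));
        return c.doFinal(sealed, 12, sealed.length - 12);
    }

    // Key-encryption key from the login password (PBKDF2; the iteration count is an assumption).
    static byte[] kek(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Stored per user: 16-byte salt || sealed data key. The password itself is never stored.
    static byte[] wrap(byte[] dataKey, char[] password) throws Exception {
        byte[] salt = random(16);
        return concat(salt, seal(kek(password, salt), dataKey));
    }

    static byte[] unwrap(byte[] wrapped, char[] password) throws Exception {
        return open(kek(password, Arrays.copyOf(wrapped, 16)), Arrays.copyOfRange(wrapped, 16, wrapped.length));
    }

    public static void main(String[] args) throws Exception {
        char[] oldPw = "old-password".toCharArray(), newPw = "new-password".toCharArray(); // constructed
        byte[] dataKey = random(32);                       // generated once, at account creation
        byte[] stored = wrap(dataKey, oldPw);
        byte[] row = seal(dataKey, "user-specific record".getBytes(StandardCharsets.UTF_8));
        // Password change: re-wrap the data key only; the encrypted row is not touched.
        stored = wrap(unwrap(stored, oldPw), newPw);
        System.out.println(new String(open(unwrap(stored, newPw), row), StandardCharsets.UTF_8));
        try { unwrap(stored, oldPw); }
        catch (AEADBadTagException e) { System.out.println("old password no longer unwraps the data key"); }
    }
}
```

Run it with `java WrappedKeyDemo.java` on JDK 11 or later.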



RE: User-password from the HttpServletRequest

2007-05-02 Thread Steven Rock
I use form based authentication backed by a Database Realm. After the user
logs in I can get the user info on top of every JSP page with this code
snippet.

<%@ page import="java.security.Principal" %>
<%
// The container sets the principal once the form login has succeeded.
Principal principle = request.getUserPrincipal();
// Fetches user from database, name is unique.
User loggedInUser = JSPUtils.loadUser(session, principle.getName());

loggedInUser.getPassword();
loggedInUser.getLastAccessDate();
loggedInUser.isAdmin();
loggedInUser.getEmail();
// etc.
%>

User is my own custom object created with Hibernate mapped to the user
table. However this object can be created by straight sql/JDBC also. My code
also stores the User object in the session so that it is only loaded from
the database once. This way I don't have to do anything fancy to get all the
info I need on a User, straight database calls.

Cheers, 
-Steve Rock
eCirkit.com

-Original Message-
From: Johnny Kewl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 02, 2007 4:06 PM
To: Tomcat Users List
Subject: Re: User-password from the HttpServletRequest

JDBC I guess...

Maybe the difficulty is an indication that it's not the right way to go...
For example if a user ever has to change their password... data is lost, or
a huge procedure.

Think about this... maybe it's a good idea.

Remember that if you see the user name in a page it means they authenticated.
So if the user gets to the code they had to come through the locked door...
And if the user is going to get the data back through the browser... this
will probably work.

Invent a secret code A4H%BIGSECRETYtffguTetc etc.
Then HASH that say using MD5 with the User name
That becomes your password and you lock and unlock the data with that.
Not terrific cryptography... but it will work and users can change their 
passwords...
Could add some salt to that like the documents name.
Maybe good luck


- Original Message - 
From: [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, May 02, 2007 9:06 PM
Subject: Re: User-password from the HttpServletRequest


 I'm using a DataSource Realm.

 Hmm but from where can I access the credentials?



  Original Message
 Date: Wed, 02 May 2007 20:00:04 +0100
 From: Pid [EMAIL PROTECTED]
 To: Tomcat Users List users@tomcat.apache.org
 Subject: Re: User-password from the HttpServletRequest

 [EMAIL PROTECTED] wrote:
  Do you mean during the login process, or after it has been done?
  I mean after the user has been logged in (form based login).
 
  Have you an example how I can receive the password from the
 HttpServletRequest?

 You can't access the credential from HttpServletRequest object, it's not
 made available as part of the Servlet spec.

 Which realm implementation are you using?


 p


  greets
 
 
   Original Message
  Date: Wed, 02 May 2007 13:31:49 -0400
  From: Christopher Schultz [EMAIL PROTECTED]
  To: Tomcat Users List users@tomcat.apache.org
  Subject: Re: User-password from the HttpServletRequest
 
 
  Sam,
 
  [EMAIL PROTECTED] wrote:
  How can I get the password from the logged in user via the
  HttpServletRequest in general? (I need the password in a servlet
  filter to do some stuff)
  Do you mean during the login process, or after it has been done?
 
  Unless you can get a request object during the login process, you will
  only be able to get the user's password when using BASIC authentication
  (not FORM).
 
  You'll need to get the Authorization header from the request and
  decode it to get the user's credentials. You can read all about HTTP
  auth in RFC 2617 (http://www.faqs.org/rfcs/rfc2617.html) to determine
  how to interpret the data found there.
 
  And is there some web server independent solution?
  I assume that you mean /application server/-independent solution. Yes,
  all (compliant) Java application servers support the servlet API.
 
  -chris

what is default user/password for tomcat .zip installation?

2007-02-24 Thread legolas

Hi
Thank you for reading my post.
I have downloaded and installed Tomcat 5.5.17 from the .zip version as I need to
debug some applications.
Now I want to open the manager console and it asks me for a username/password.
Can someone please tell me what the default user and password is?
Will the password be usable for the admin console too?


thanks



Re: what is default user/password for tomcat .zip installation?

2007-02-24 Thread Mikolaj Rydzewski
On Sat, 24 Feb 2007, legolas wrote:

 I have downloaded and installed Tomcat 5.5.17 from the .zip version as I need to
 debug some applications.
 Now I want to open the manager console and it asks me for a username/password.
 Can someone please tell me what the default user and password is?
 Will the password be usable for the admin console too?

If you were so smart to download and unzip Tomcat distribution, be so 
smart once more and read what the tomcat home page says about 
usernames/password: 

NOTE: For security reasons, using the administration webapp is restricted 
to users with role admin. The manager webapp is restricted to users with 
role manager.  Users are defined in 
$CATALINA_HOME/conf/tomcat-users.xml.


-- 
Mikolaj Rydzewski   [EMAIL PROTECTED]   http://ceti.pl/~miki/
 PGP KeyID: 8b12ab02
There are three kinds of people: men, women, and unix.





Re: what is default user/password for tomcat .zip installation?

2007-02-24 Thread Mark Thomas
legolas wrote:
 Hi
 Thank you for reading my post.
 I have downloaded and installed Tomcat 5.5.17 from the .zip version as I need to
 debug some applications.
 Now I want to open the manager console and it asks me for a username/password.
 Can someone please tell me what the default user and password is?
 Will the password be usable for the admin console too?

There is no default user and password. You have to edit
$CATALINA_HOME/conf/tomcat-users.xml to create a user. The user needs
the manager role to access the manager app and the admin role to
access the admin app.

Mark

