If you are using CMS then you must realise that the realm and the login info from j_username etc. are held separately in tomcat from your app.

In the realm implementation that is run by tomcat at login, you have no access to the request or the session (although you could stick it in a hashmap in a singleton or JNDI space = dirty great hack).

In the app, the only way of finding out what your user entered is to call request.getUserPrincipal or .getRemoteUser() or .isUserInRole().

So basically you can find out the name. You then have to query the realm in your app to find out more info about them, e.g. password. If it is stored in MD5, then you've got problems. You cannot intercept the submit to j_security_check.

I think single-sign-on above and beyond tomcat SSO is in the pipeline for the long term though.

HTH
Adam
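
As an added illustration (not part of Adam's message or anything else in this thread), here is a small servlet showing what the application itself is handed after a form login under Tomcat's container-managed security: the principal name and role membership, but not the submitted j_password, since that POST went to j_security_check and was consumed by the Realm. The servlet name and the role name "manager" are assumptions for the example; the servlet must sit under a <security-constraint> with FORM <login-config> in web.xml for getUserPrincipal() to be non-null.

```java
// Added example, not code from the thread. Shows the identity the container
// exposes to a webapp after form-based login (javax.servlet API, as used by
// Tomcat 4/5). Role name "manager" and the servlet name are assumptions.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the container once the Realm has authenticated the user;
        // null if this URL is not protected or the user has not logged in.
        Principal principal = request.getUserPrincipal();
        // Same name as principal.getName(), or null when unauthenticated.
        String remoteUser = request.getRemoteUser();
        // The login form posted to j_security_check, not to this servlet, so the
        // credential parameters are not present on the request the app sees.
        String password = request.getParameter("j_password");

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        if (principal == null) {
            out.println("not authenticated (is this URL under a <security-constraint>?)");
            return;
        }
        out.println("principal:   " + principal.getName());
        out.println("remoteUser:  " + remoteUser);
        // Role check is answered by the Realm, not by anything the app stores.
        out.println("in role 'manager': " + request.isUserInRole("manager"));
        out.println("j_password visible to app: " + (password != null)); // false
    }
}
```

This is the situation Adam describes: the app learns the name and can ask role questions, and any further lookup (LDAP attributes, group membership) has to be done by the app against the directory using the name, not the password.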

On 11/17/2003 06:59 PM Gary Hardy wrote:
jack:

I noticed you haven't received any responses yet. I was kinda waiting to see
if anyone had any bright ideas regarding... catching j_username/j_password
for later use within a webapp. I posted a somewhat related question in
"Subject: application security gone mad".

Someone (please!) correct me if I'm wrong... rather than hacking something
around the login form, storing the j_username/j_password text in the
session, ... wouldn't it be cleaner to write your own Realm? Then... access
the session security credentials via the Realm?

gary...


From: "Jack Bakker" <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
Date: Mon, 17 Nov 2003 10:45:42 -0500
To: <[EMAIL PROTECTED]>
Subject: automate login to other opensource apps

I have several Struts apps with a form-based single signon using a JNDIRealm
with md5 passwords in openldap. I'm looking to pass username/password used
in Java login to other apps like horde, dotproject, among others for user
convenience. Sync of user account info between db stores used by other
projects aside, what's the best (and most secure) way of trapping the
password in plaintext to pass to other apps ? Seems like it should be a
simple thing to do but getPassword of the Realm doesn't appear to be exposed
? Am I missing something obvious ?




