Adam,

> I think single-sign-on above and beyond tomcat SSO is in the pipeline
> for the long term though.

That'll be quite the trick... in the long term... meaning "a super container" could span multiple web app servers, ejb containers, databases, directory servers... transparently passing security credentials appropriately to all? WOW!

'til then I think I'll just stick with securing url patterns in webapps and ejb methods in ejbs... and ne'er the twain shall meet.

gary...

> From: Adam Hardy <[EMAIL PROTECTED]>
> Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Date: Mon, 17 Nov 2003 23:34:59 +0100
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: automate login to other opensource apps
>
> If you are using CMS then you must realise that the realm and the login
> info from j_username etc are held separately in tomcat from your app.
>
> In the realm implementation that is run by tomcat at login, you have no
> access to the request or the session (although you could stick it in a
> hashmap in a singleton or JNDI space = dirty great hack).
>
> In the app, the only way of finding out what your user entered is to
> call request.getUserPrincipal or .getRemoteUser() or .isUserInRole().
>
> So basically you can find out the name. You then have to query the realm
> in your app to find out more info about them, e.g. password. If it is
> stored in MD5, then you've got problems. You cannot intercept the submit
> to j_security_check.
>
> I think single-sign-on above and beyond tomcat SSO is in the pipeline
> for the long term though.
>
> HTH
> Adam
>
> On 11/17/2003 06:59 PM Gary Hardy wrote:
>> jack:
>>
>> I noticed you haven't received any responses yet. I was kinda waiting to see
>> if anyone had any bright ideas regarding... catching j_username/j_password
>> for later use within a webapp. I posted a somewhat related question in
>> "Subject: application security gone mad".
>>
>> Someone (please!) correct me if I'm wrong... rather than hacking something
>> around the login form, storing the j_username/j_password text in the
>> session, ... wouldn't it be cleaner to write your own Realm? Then... access
>> the session security credentials via the Realm?
>>
>> gary...
>>
>>
>>> From: "Jack Bakker" <[EMAIL PROTECTED]>
>>> Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
>>> Date: Mon, 17 Nov 2003 10:45:42 -0500
>>> To: <[EMAIL PROTECTED]>
>>> Subject: automate login to other opensource apps
>>>
>>> I have several Struts apps with a form-based single signon using a JNDIRealm
>>> with md5 passwords in openldap. I'm looking to pass username/password used
>>> in Java login to other apps like horde, dotproject, among others for user
>>> convenience. Sync of user account info between db stores used by other
>>> projects aside, what's the best (and most secure) way of trapping the
>>> password in plaintext to pass to other apps ? Seems like it should be a
>>> simple thing to do but getPassword of the Realm doesn't appear to be exposed
>>> ? am I missing something obvious ?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
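Adam's point about what a web app can and cannot see after container-managed FORM login, as an added example that is not from either poster and not Tomcat's own code: a servlet Filter that, on the first authenticated request, snapshots request.getUserPrincipal() and the answers from isUserInRole() for a configured role list into the session. The password never appears here, because Tomcat consumed j_username/j_password at j_security_check before the request reached the web app, and nothing below reaches into the Realm. The package, class, session attribute name and the "roles" init-param are hypothetical; the filter assumes web.xml declares a FORM <login-config> and a <security-role> entry for each role it is asked about.

```java
// Added example (hypothetical names): cache the container-established identity,
// not the credential, so the rest of the web app never needs the plaintext password.
package example.sso;

import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class ContainerIdentityFilter implements Filter {

    /** Session attribute under which the application-level identity is kept (hypothetical name). */
    public static final String ATTR = "example.sso.AppUser";

    /** Roles the application cares about; each must also appear as a <security-role> in web.xml. */
    private Set<String> knownRoles = Collections.emptySet();

    /** Immutable snapshot of what the container told us. Deliberately holds no credential. */
    public static final class AppUser implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Set<String> roles;

        AppUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(roles);
        }

        public String getName() { return name; }
        public Set<String> getRoles() { return roles; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    public void init(FilterConfig cfg) {
        // init-param "roles" in web.xml, e.g. <param-value>admin,user</param-value>
        String configured = cfg.getInitParameter("roles");
        if (configured != null && configured.trim().length() > 0) {
            knownRoles = new LinkedHashSet<String>(Arrays.asList(configured.trim().split("\\s*,\\s*")));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            // Null until the Realm has authenticated this request's session.
            Principal principal = http.getUserPrincipal();
            if (principal != null) {
                HttpSession session = http.getSession(true);
                AppUser cached = (AppUser) session.getAttribute(ATTR);
                // Rebuild on the first authenticated request, or if the container identity changed.
                if (cached == null || !cached.getName().equals(principal.getName())) {
                    session.setAttribute(ATTR, snapshot(http, principal));
                }
            }
        }
        chain.doFilter(req, res);
    }

    /** Ask the container, via isUserInRole, which of the known roles this user actually holds. */
    AppUser snapshot(HttpServletRequest http, Principal principal) {
        Set<String> held = new LinkedHashSet<String>();
        for (String role : knownRoles) {
            if (http.isUserInRole(role)) {
                held.add(role);
            }
        }
        return new AppUser(principal.getName(), held);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a <filter> element carrying the "roles" init-param and a <filter-mapping> that covers the same URL patterns as the <security-constraint>, so it runs only after the container has already challenged the user. Because isUserInRole() only answers for roles declared in web.xml (or mapped through a <security-role-ref>), the init-param list has to match those declarations; a role missing from web.xml simply reports false.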
