So if I understand you...
On my index page which is not protected put a form with <form ... action="j_security_check">
And somewhere at the top of page have something like if(getUserPrincipal()) redirect....
I guess we can both try it lol...
Yiannis Mavroukakis wrote:
Ok..:) <puts D hat and sits in the corner> Let me see if I got this right..if you put a form on the unprotected resource that posts to j_security_check, in theory and according to the servlet spec, you should be redirected to the same url (or the requested url and be authenticated). If that is correct, you could then use getUserPrincipal() to forward the user to the protected part. But as I say, IF I am correct..otherwise I'll put the second D hat on.
-----Original Message----- From: Anastasios Angelidis [mailto:[EMAIL PROTECTED] Sent: 27 July 2004 15:10 To: Tomcat Users List Subject: Re: Beyond bassic form authentication?
That wont work.
Try navigating to the login page of the security sample on Tomcat. and try loging in! It will throw an exception of the sort that it canot authenticate against itself....
Yiannis Mavroukakis wrote:
Why not make the welcome page part of the secured app , let the users authenticate and then use getUserPrincipal() to determine whether you need to redirect them to the secured pages.
-----Original Message----- From: Anastasios Angelidis [mailto:[EMAIL PROTECTED] Sent: 27 July 2004 14:34 To: Yiannis Mavroukakis Subject: Re: Beyond bassic form authentication?
Yeah it will but what will it do with it? ;)
I guess I have to explain this step by step lol....
1- Create a directory /MyNewApp in /webapps and attach a context to it.
2- Create all standard webapp directories like /WEB-INF etc...
3- Create a new directory /secured in in the inside your new webpass directory. Bassically /webapps/MyNewApp/secured
4- Put the security sample jsp pages that come with Tomcat within the secured folder.
5- Create your user realm
6- Configure security constraints. Set constraint on the /secured folder. Point authentication to the login.jsp... etc...
So now we are all happy?
Now open your browser and go to http://localhost:8080/MyNewApp/secured. Tomcat notices thatthis is aprotected URL and shoot back to you the login page.... You login and voila evryone is happy again!
Now create index.jsp page in your webapps root /MyNewApp and add it to the list of welcome pages in your web.xml.... Which by default index.jsp is configured as default page....
Back in your browser go to: http://localhost:8080/MyNewApp/ and you should see the new index.jsp page you just created...
Now we are all happy again! ;)
On this new index.jsp page create a login form. Now from this login form I want to be authenticated to access /MyNewApp/secured.
So here we have to problems...
1- You canot put as the action point /secured. Even though you pass a j_username and j_password fields with correct credential through the POST, because you are not authenticated, it will shoot back at you the login page that was configured in web.xml And then you can do proper login.
2- The action point canot be j_security_check because Tomcat will not know what to do with it! Bassically your are posting a form with action j_security_check from an unsecure resource. Even if Tomcat understood and actually authneticated it you, where would it redirect you? It wouldn't know. When you access a secure resource directly Tomcat attaches the secured resource URL in some way to the login page. So when you authenticate it knows where to redirect you.
Thanks
Yiannis Mavroukakis wrote:
Not sure I get this a 100% percent, but with regards to your last statement,
"Of course I canot just put a form on the welcome page with action="<%=request.encodeURL("j_security_check")%>" The browser wouldn't know where to post to."
The browser will post to the application server anyway! It is no different than saying that the form will post to either POST=http://foo.org/bar or to POST=bar (assume foo.org is the domain of your application server).
-----Original Message----- From: Anastasios Angelidis [mailto:[EMAIL PROTECTED] Sent: 26 July 2004 15:12 To: Tomcat Users List Subject: Re: Beyond bassic form authentication?
Ok then I think the problem is not understood ;)
My form authentication does work. In fact I scabbed the whole security sample :P
Like I noted... When I type the protected resources URL in the browser address bar. Tomcats authentication kicks in and redirects me to the login page I specified in my web.xml I type the username and password that is stored in mysql and I login. This works fine.
What I want to do is access the protected resource from an unprotected resource. For intsance on the welcome page of my web app which everyone can see. I want to add a login form which will login the user and give him access to the protect resource.
One solution is to just put a "Sign-In" link which will in turn try to access the protected resource, but since the visitor is not logged in, he will be redirected to the login page.
The other solution which I want is to offer a login page directly on the welcome page. Of course I canot just put a form on the welcome page with action="<%=request.encodeURL("j_security_check")%>" The browser wouldn't know where to post to.
Yiannis Mavroukakis wrote:
<english>
Anastasie I think what Robert means is you should "steal" some code
from the existing examples in Tomcat.
</english>
<greek> Yparxoune epishs kai alloi tropoi pou boreis na to kaneis ayto..boreis kalista na exeis authentication mesw tou Apache kai enos module pou koitaei gia valid accounts sthn mySQL sou. </greek>
Happy coding,
Yiannis
-----Original Message----- From: Anastasios Angelidis [mailto:[EMAIL PROTECTED] Sent: 26 July 2004 14:13 To: Tomcat Users List Subject: Re: Beyond bassic form authentication?
Does any one have any ideas on this? What is code scabbing?
Thanks
Robert Harper wrote:
Did you try scabbing code from the login.jsp? You may want to use that and the user will gain access to the areas allowed with their group or role.
Robert S. Harper 801.265.8800 ex. 255
-----Original Message----- From: Anastasios Angelidis [mailto:[EMAIL PROTECTED] Sent: Friday, July 23, 2004 7:37 AM To: [EMAIL PROTECTED] Subject: Beyond bassic form authentication?
So I setup my web app to use Form Authentication with a User Realm in my MySQL DB. It all works fine. I type the protected resources URL into the browser, I get redirected to the login page, I login and behold it works! ;)
Now how would I give access to a secure resource from an unsecure resource. For instance...
My webapp has a front page with recent news, welcome message etc... Standard home page stuff... Obviously I can put a sign-in link that will try to access the protected resource, which will then redirect to the login page... But is there a way to put a login form on the home page directly and post that form for authentication and from there give access to the protected resource?
Thanks
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
Note:__________________________________________________________________ This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Jaguar Freight Services and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. ________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
Note:__________________________________________________________________ This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Jaguar Freight Services and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. ________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
Note:__________________________________________________________________ This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Jaguar Freight Services and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. ________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
Note:__________________________________________________________________ This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Jaguar Freight Services and any of its subsidiaries each reserve the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. ________________________________________________________________________ This e-mail has been scanned for all viruses by Star Internet. The service is powered by MessageLabs.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
