jakarta-cactus-user mailing list archives

From "Robertson, Jason" <Jason.Robert...@acs-inc.com>
Subject RE: Form Authentication
Date Mon, 16 Sep 2002 20:58:59 GMT
Yeah, I'm working on it in between meetings :), it seems like it's a Tomcat
"feature".

This is what is returned from tomcat when I try to go directly to
j_security_check:

HTTP Status 400 - Invalid direct reference to form login page
Status report
message: Invalid direct reference to form login page
description: The request sent by the client was syntactically incorrect
(Invalid direct reference to form login page).

I read one web page that said you get this when you try to go directly to
the login page (as opposed to going to a restricted resource first), and to
me that seems like a bug but I didn't really find anything that said it was
or should be a bug.

I'm going to experiment, perhaps if I have the JSESSIONID when I go to the
j_security_check page it'll be happy. I'll try to go the ServletRedirector
first, get a JSESSIONID, then log in. We'll see.

I'll pass on info as I find it...

Jason
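
The login sequence Jason outlines further down the thread (reuse a cached JSESSIONID, otherwise POST the credentials to ${ContextURL}/j_security_check, judge the result by the response code, cache the returned session), combined with the Tomcat workaround he proposes above (request a protected resource first so the container has a session and a saved request before j_security_check is hit), as an added example in plain HttpURLConnection. This is not Cactus's or Jason's code; the FormLoginClient name, the Outcome enum, the context URL and the /ServletRedirectorSecure path are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.List;

/** Hypothetical form-login helper (added example, not Cactus code). */
public class FormLoginClient {

    public enum Outcome { SUCCESS, BAD_CREDENTIALS, DIRECT_REFERENCE_REJECTED, UNEXPECTED }

    private String jsessionId;   // cached JSESSIONID; null until a login has succeeded (premise step 1)

    /** contextUrl e.g. http://localhost:8080/test, protectedUri e.g. /ServletRedirectorSecure (both assumed). */
    public Outcome login(String contextUrl, String protectedUri,
                         String user, String password) throws IOException {
        if (jsessionId != null) return Outcome.SUCCESS;   // already authenticated: reuse it
        // Tomcat workaround: request the protected resource first so the container
        // creates a session and saves the original request behind the login page.
        HttpURLConnection first = open(contextUrl + protectedUri, null);
        first.setRequestMethod("GET");
        String preLogin = readSessionCookie(first);
        if (preLogin == null) return Outcome.UNEXPECTED;  // j_security_check would be a direct reference
        // Premise steps 2-3: POST the credentials to ${ContextURL}/j_security_check.
        HttpURLConnection login = open(contextUrl + "/j_security_check", preLogin);
        login.setRequestMethod("POST");
        login.setDoOutput(true);
        login.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String form = "j_username=" + URLEncoder.encode(user, "UTF-8")
                    + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = login.getOutputStream()) {
            out.write(form.getBytes("UTF-8"));
        }
        // Premise step 5: judge success by the status code, never by "no exception".
        int code = login.getResponseCode();
        if (code == HttpURLConnection.HTTP_MOVED_TEMP) {         // 302 back into the application
            String renewed = readSessionCookie(login);
            jsessionId = (renewed != null) ? renewed : preLogin; // step 4: cache the session
            return Outcome.SUCCESS;
        }
        if (code == HttpURLConnection.HTTP_OK) return Outcome.BAD_CREDENTIALS;  // login page served again
        if (code == HttpURLConnection.HTTP_BAD_REQUEST) return Outcome.DIRECT_REFERENCE_REJECTED; // Tomcat's 400
        return Outcome.UNEXPECTED;
    }

    private static HttpURLConnection open(String url, String session) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false);   // we must observe the 302 ourselves
        if (session != null) c.setRequestProperty("Cookie", "JSESSIONID=" + session);
        return c;
    }

    /** JSESSIONID value from the response's Set-Cookie headers, or null if none was sent. */
    static String readSessionCookie(HttpURLConnection c) throws IOException {
        c.getResponseCode();                   // completes the exchange so the headers are present
        List<String> cookies = c.getHeaderFields().get("Set-Cookie");
        if (cookies == null) return null;
        for (String cookie : cookies)
            for (String part : cookie.split(";"))
                if (part.trim().startsWith("JSESSIONID="))
                    return part.trim().substring("JSESSIONID=".length());
        return null;
    }
}
```

A 200 with the login page body and a 400 are both treated as failures here, matching Jason's observation that only a 302 should count as a successful login.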

-----Original Message-----
From: Vincent Massol [mailto:vmassol@octo.com]
Sent: Monday, September 16, 2002 4:45 PM
To: 'Cactus Users List'
Cc: 'Robertson, Jason'
Subject: RE: Form Authentication


Ok, we now have more info. The error you're getting in the stack trace
is:

"Unable to login, probably due to bad username/password. Received a
[400] response code andwas expecting a [302]"

This means that the URL used to login is not correct (400 - bad
request). The default URL used is: cactus.contextURL +
"j_security_check". Maybe this is not correct.

I can't help you more here as I don't know enough about form-based
authentication. I'll have to read up on that.

Jason, any idea?
Thanks
-Vincent

> -----Original Message-----
> From: Qingxian Wang [mailto:qingxian_wang@sunsystems.com]
> Sent: 16 September 2002 17:47
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
> 
> I have tried the 1.5dev.  I still cannot run the authenticate test. The
> username, password and the role are set in tomcat-user.xml.  My code is
> like this:
> 
> import junit.framework.Test;
> import junit.framework.TestSuite;
> import org.apache.cactus.ServletTestCase;
> import org.apache.cactus.WebRequest;
> import org.apache.cactus.client.authentication.FormAuthentication;
> 
> public class CactusTest_WebDeployerActionServlet extends ServletTestCase {
> 
>     public CactusTest_WebDeployerActionServlet(String strName) {
>         super(strName);
>     }
> 
>     /**
>      * Start the tests.
>      *
>      * @param theArgs the arguments. Not used
>      */
>     public static void main(String[] theArgs)
>     {
>         junit.textui.TestRunner.main(new String[]{
>             CactusTest_WebDeployerActionServlet.class.getName()});
>     }
> 
>     /**
>      * @return a test suite (<code>TestSuite</code>) that includes all
>      *         methods starting with "test"
>      */
>     public static Test suite()
>     {
>         // All methods starting with "test" will be executed in the test suite.
>         return new TestSuite(CactusTest_WebDeployerActionServlet.class);
>     }
> 
>     // Client side: runs before testFormAuthentication() and configures the
>     // request sent to the secure redirector.
>     public void beginFormAuthentication(WebRequest theRequest)
>     {
>         theRequest.setRedirectorName("ServletRedirectorSecure");
>         theRequest.setAuthentication(new FormAuthentication("sun", "sunsys"));
>     }
> 
>     // Server side: the container must have authenticated the request.
>     public void testFormAuthentication()
>     {
>         assertEquals("sun", request.getUserPrincipal().getName());
>         assertEquals("sun", request.getRemoteUser());
>         assertTrue("User not in 'everyone' role",
>             request.isUserInRole("everyone"));
>     }
> 
> }
> 
> 
> 
> The following are the error messages:
> 
>  1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)org.apache.cactus.util.ChainedRuntimeException: Failed to authenticate the principal
>      at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):297)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
>      at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
>      at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
>      at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
>      at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
>      at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
>      at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
>      at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
>      at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
>  org.apache.cactus.util.ChainedRuntimeException: Unable to login, probably due to bad username/password. Received a [400] response code andwas expecting a [302]
>      at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):259)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
>      at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
>      at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
>      at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
>      at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
>      at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
>      at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
>      at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
>      at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> 
> 
> Qingxian
> 
> -----Original Message-----
> From: Vincent Massol [mailto:vmassol@octo.com]
> Sent: 16 September 2002 15:47
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
> 
> 
> Hi Qingxian,
> 
> Can you try with the latest Cactus version (1.5dev) from CVS. I have
> committed Jason's code in CVS yesterday and I have added some more
> debugging information that could help.
> 
> You can get the nightly distribution of yesterday here:
> 
> http://jakarta.apache.org/builds/jakarta-cactus/nightly/2002-09-16/
> 
> Thanks
> -Vincent
> 
> > -----Original Message-----
> > From: Qingxian Wang [mailto:qingxian_wang@sunsystems.com]
> > Sent: 16 September 2002 11:24
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > I have tried to use FormAuthentication class with the Cactus 1.4.1.  I got
> > the following error although I have set up the correct username and
> > password:
> >
> >  1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)java.lang.IllegalStateException: class java.lang.IllegalArgumentException: Unable to login, probably due to bad username/password. [Bad Response Code]
> >      at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:193)
> >      at org.apache.cactus.client.authentication.FormAuthentication.dispatch9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:47)
> >      at org.apache.cactus.client.authentication.FormAuthentication.around9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1156)
> >      at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:43)
> >      at org.apache.cactus.client.HttpClientConnectionHelper.dispatch26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:116)
> >      at org.apache.cactus.client.HttpClientConnectionHelper.around26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> >      at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:106)
> >      at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:186)
> >      at org.apache.cactus.client.AbstractHttpClient.dispatch2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:109)
> >      at org.apache.cactus.client.AbstractHttpClient.around2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> >      at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:104)
> >      at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:260)
> >      at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
> >      at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:195)
> >      at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
> >      at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> >
> > Any idea?
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Qingxian Wang
> > Sent: 16 September 2002 10:58
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> >
> > I have tried to use the FormAuthentication class with the
> > CactusStrutsTestCase of the Struts test case framework.  My test case has
> > a problem finding the user name and password.  I got an
> > IllegalArgumentException thrown from the FormAuthentication class.  I will
> > try to use the Cactus directly, i.e. ServletTestCase class.
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Vincent Massol [mailto:vmassol@octo.com]
> > Sent: 15 September 2002 22:19
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> >
> > Thanks Jason! I've committed your code (modified slightly to add missing
> > javadoc, and the checkstyle violations ... :)).
> >
> > I don't have any answer to your questions below. What we now need to do
> > is:
> >
> > 1- write a test case for it
> > 2- try it on several application servers
> > 3- add web site documentation to explain how to use it
> >
> > I guess 1 and 2 will give us the answers to your questions...
> >
> > Thanks again
> > -Vincent
> >
> > > -----Original Message-----
> > > From: Robertson, Jason [mailto:Jason.Robertson@acs-inc.com]
> > > Sent: 12 September 2002 23:04
> > > To: 'Cactus Users List'
> > > Subject: RE: Form Authentication
> > >
> > > Ok, attached is a slightly updated file with some comments and such.
> > >
> > > The basic premise is:
> > > 1. Is JSESSIONID non-null? If yes, stick it into a cookie and we're done.
> > > 2. If it's null, authenticate.
> > > 3. To authenticate, connect to ${ContextURL}/j_security_check with the
> > > username/password. This _should_ authenticate you.
> > > 4. Cache the returned JSESSIONID.
> > > 5. To verify we were authenticated, check a combination of the response
> > > code and maybe redirect location. See question below.
> > >
> > > A TestCase could create a new FormAuthentication object for each test, or
> > > could have a static one in the TestCase that will get initialized once and
> > > reused. The latter would provide quicker testcases at the expense of keeping
> > > state between test cases, which is a philosophical expense at best. The cool
> > > thing is in this case, though, that even if a single test case is run in the
> > > middle of the sequence it will still work. It doesn't really rely on the
> > > TestCase before it (the authentication will just happen when needed), so it
> > > may not really violate any of the unit test philosophy.
> > >
> > > Only a couple questions:
> > >
> > > 1. Will all app servers send a 302 response with the location being the
> > > ContextURL after a successful login? WebLogic does, and that's my only
> > > source right now. What about on an unsuccessful login? WebLogic returns a
> > > 200 and the content is that of the login page, but I think it would be
> > > acceptable to return a 302 with a Location of the login page. I think my
> > > code will work with both, but testing will be the only proof.
> > >
> > > 2. Do I need the setSecurityCheck method? Or will
> > > ${ContextURL}/j_security_check always work? It's really a safety net, but it
> > > might be unnecessary.
> > >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: Erik Hatcher [mailto:lists@ehatchersolutions.com]
> > > Sent: Thursday, September 12, 2002 9:17 AM
> > > To: Cactus Users List
> > > Subject: Re: Form Authentication
> > >
> > >
> > > Wow, just in the nick of time too!  I haven't looked at your code, but
> > > this is exactly what we need as well.
> > >
> > > I look forward to the Cactus committers having a look at this to see if
> > > it fits in and getting it committed!  :)
> > >
> > > Thanks Jason!
> > >
> > > 	Erik
> > >
> > > Robertson, Jason wrote:
> > > > Here's a FormAuthentication implementation that doesn't need any rework of
> > > > the standard flow. The only modification needed to make this compile is to
> > > > make the base class AbstractAuthentication's member variables 'theName' and
> > > > 'thePassword' protected instead of private.
> > > >
> > > > This is a first pass. It's short on comments, and has some debugging code
> > > > temporarily commented out, but it works. At least for me, on WebLogic 7.0.
> > > > :)
> > > >
> > > > I'll comment it and express some minor concerns especially with regards to
> > > > various app servers in the coming days, but I thought I'd throw this out
> > > > now.
> > > >
> > > > I tried to include a sample ear that has a basic example, but the war's lib
> > > > directory is too big and it bounced. So I've included the project, just
> > > > adjust the jar file properties in build.xml to make it all work.
> > > >
> > > > Jason
> > > >
> > This e-mail and any files transmitted with it are confidential and intended
> > solely for the use of the individual or entity to whom it is addressed. If
> > you have received this e-mail in error you must not copy, distribute or take
> > any action in reliance on it. Please notify the sender by e-mail or telephone.
> > We utilise an anti-virus system and therefore any files sent via e-mail will
> > have been checked for known viruses. You are however advised to run your own
> > virus check before opening any attachments received as we will not in any
> > event accept any liability whatsoever once an e-mail and/or any attachment
> > is received. Any views expressed by an individual within this e-mail do not
> > necessarily reflect the views of Systems Union Group plc or any of its
> > subsidiary companies.

--
To unsubscribe, e-mail:   <mailto:cactus-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:cactus-user-help@jakarta.apache.org>

