jakarta-cactus-user mailing list archives

From "Robertson, Jason" <Jason.Robert...@acs-inc.com>
Subject RE: Form Authentication
Date Tue, 17 Sep 2002 13:55:08 GMT
Ok, I merged with the latest from CVS, and have tested on WebLogic 7 and
Tomcat.

Jason

-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson@acs-inc.com]
Sent: Monday, September 16, 2002 5:53 PM
To: 'Cactus Users List'
Subject: RE: Form Authentication


Hmmm, I've gotten it to work, but there is some strange behavior.

I found an additional post saying you "can't" go directly to the login page
or j_security_check because then Tomcat wouldn't know where to send you once
you've authenticated. Therefore you _must_ go to a restricted resource
first, so that once authenticated you can be redirected there. I understand
the point, but would it really be that horrible to redirect to the defined
welcome-page in lieu of a known location? That seems like a quite reasonable
thing to do.

But, that's not what it does. 

So I now get the servlet redirector and go there first, on the assumption
that it is a restricted resource (which it must be for any of this to work).


Vincent - is this safe? I'm thinking not, because what if the person is writing
a JSP Redirector-only test case and they want to use form authentication?
Can they? I've never done a JSP Redirector before.

Once I get back the JSESSIONID from that request, I cache it, then log in.
There is something strange with the 302, however. I get this Location
header back:

Location: http://localhost/simple-form-login/secure/ServletRedirector

I'm using the stock Tomcat, so notice the fact that the port (:8080) is not
present in this redirect. Thus, my compare to my original request fails. Is
this a bug in Tomcat? How does my browser work (which it does)?

So, for now, I've commented out the check and it all works. On WebLogic,
too.

I've attached my code that works which is a mod of the last code I sent in
(i.e. not a mod of the latest in CVS). I hate to do it to ya Vincent, but I
don't have CVS access from here at work, so if you want to merge my changes
into your version you can (it's not much), or you can wait about 5 hours and
I can do it when I get home... :)

Jason
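The flow this message and Jason's five-step premise further down describe (restricted resource first so the container issues a session and records the target, then POST to j_security_check, then verify the 302 whose Location comes back without the port), as an added example that is not part of the original messages or of Cactus itself. The container is a constructed in-memory fake mimicking the behaviour reported in the thread, and FakeTomcat, FormLogin and try_login are assumed names.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit


def _cookie(header, name):
    """Pull one cookie value out of a Cookie or Set-Cookie header string."""
    jar = SimpleCookie()
    jar.load(header or "")
    return jar[name].value if name in jar else None


class FakeTomcat:
    """Constructed in-memory stand-in for the container (not Tomcat itself)."""

    def __init__(self, user, password):
        self.creds, self.sessions, self.count = (user, password), {}, 0

    def request(self, method, url, headers, body):
        u = urlsplit(url)
        sess = self.sessions.get(_cookie(headers.get("Cookie"), "JSESSIONID"))
        if u.path.endswith("/j_security_check"):
            if sess is None:  # no saved target: the direct reference is rejected
                return 400, {}, "Invalid direct reference to form login page"
            form = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
            if (form.get("j_username"), form.get("j_password")) != self.creds:
                return 200, {}, "login page"  # failed login: form served again
            sess["authed"] = True
            t = urlsplit(sess["target"])  # redirect to the saved target, port dropped
            return 302, {"Location": f"{t.scheme}://{t.hostname}{t.path}"}, ""
        if "/secure/" in u.path and not (sess and sess["authed"]):
            self.count += 1
            sid = f"S{self.count}"
            self.sessions[sid] = {"target": url, "authed": False}
            return 200, {"Set-Cookie": f"JSESSIONID={sid}; Path=/"}, "login page"
        return 200, {}, "resource"


class FormLogin:
    """Client side; transport(method, url, headers, body) -> (status, headers, body)."""

    def __init__(self, transport, context_url, user, password):
        self.transport, self.context_url = transport, context_url
        self.user, self.password, self.session_id = user, password, None

    def authenticate(self, restricted_url):
        if self.session_id:  # cached session: nothing to do
            return self.session_id
        # restricted resource first, so the container issues a session and records the target
        _, hdrs, _ = self.transport("GET", restricted_url, {}, "")
        sid = _cookie(hdrs.get("Set-Cookie"), "JSESSIONID")
        if not sid:
            raise RuntimeError("container issued no JSESSIONID")
        cookie = {"Cookie": f"JSESSIONID={sid}"}
        status, hdrs, _ = self.transport(
            "POST", self.context_url + "j_security_check", cookie,
            urlencode({"j_username": self.user, "j_password": self.password}))
        if status != 302:
            raise RuntimeError(f"Unable to login: received [{status}], expected [302]")
        # compare the path only: the Location may come back without the port
        if urlsplit(hdrs.get("Location", "")).path != urlsplit(restricted_url).path:
            raise RuntimeError("redirected away from the requested resource")
        # a 302 alone is not proof of login; confirm the session unlocks the resource
        if self.transport("GET", restricted_url, cookie, "")[0] != 200:
            raise RuntimeError("session is still unauthenticated")
        self.session_id = sid
        return sid


def try_login(transport, context_url, user, password, restricted_url):
    try:
        return FormLogin(transport, context_url, user, password).authenticate(restricted_url)
    except RuntimeError as err:
        return str(err)
```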

-----Original Message-----
From: Robertson, Jason [mailto:Jason.Robertson@acs-inc.com]
Sent: Monday, September 16, 2002 4:59 PM
To: 'Vincent Massol'; 'Cactus Users List'
Subject: RE: Form Authentication


Yeah, I'm working on it in between meetings :), it seems like it's a Tomcat
"feature".

This is what is returned from tomcat when I try to go directly to
j_security_check:

HTTP Status 400 - Invalid direct reference to form login page
Status report
message: Invalid direct reference to form login page
description: The request sent by the client was syntactically incorrect
(Invalid direct reference to form login page).

I read one web page that said you get this when you try to go directly to
the login page (as opposed to going to a restricted resource first), and to
me that seems like a bug but I didn't really find anything that said it was
or should be a bug.

I'm going to experiment; perhaps if I have the JSESSIONID when I go to the
j_security_check page it'll be happy. I'll try to go to the ServletRedirector
first, get a JSESSIONID, then log in. We'll see.

I'll pass on info as I find it...

Jason

-----Original Message-----
From: Vincent Massol [mailto:vmassol@octo.com]
Sent: Monday, September 16, 2002 4:45 PM
To: 'Cactus Users List'
Cc: 'Robertson, Jason'
Subject: RE: Form Authentication


Ok, we now have more info. The error you're getting in the stack trace
is:

"Unable to login, probably due to bad username/password. Received a
[400] response code andwas expecting a [302]"

This means that the URL used to login is not correct (400 - bad
request). The default URL used is: cactus.contextURL +
"j_security_check". Maybe this is not correct.

I can't help you more here as I don't know enough about form-based
authentication. I'll have to read up on that.

Jason, any idea?
Thanks
-Vincent

> -----Original Message-----
> From: Qingxian Wang [mailto:qingxian_wang@sunsystems.com]
> Sent: 16 September 2002 17:47
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
> 
> I have tried the 1.5dev.  I still cannot run the authenticate test. The
> username, password and the role are set in tomcat-user.xml.  My code is
> like this:
> 
> import junit.framework.Test;
> import junit.framework.TestSuite;
> 
> import org.apache.cactus.ServletTestCase;
> import org.apache.cactus.WebRequest;
> import org.apache.cactus.client.authentication.FormAuthentication;
> 
> public class CactusTest_WebDeployerActionServlet extends ServletTestCase {
> 
>     public CactusTest_WebDeployerActionServlet(String strName) {
>         super(strName);
>     }
> 
>     /**
>      * Start the tests.
>      *
>      * @param theArgs the arguments. Not used
>      */
>     public static void main(String[] theArgs)
>     {
>         junit.textui.TestRunner.main(new String[]{
>             CactusTest_WebDeployerActionServlet.class.getName()});
>     }
> 
>     /**
>      * @return a test suite (<code>TestSuite</code>) that includes all
>      *         methods starting with "test"
>      */
>     public static Test suite()
>     {
>         // All methods starting with "test" will be executed in the test suite.
>         return new TestSuite(CactusTest_WebDeployerActionServlet.class);
>     }
> 
>     // Client side: runs before the request is sent; selects the secure
>     // redirector and attaches the form-based credentials.
>     public void beginFormAuthentication(WebRequest theRequest)
>     {
>         theRequest.setRedirectorName("ServletRedirectorSecure");
>         theRequest.setAuthentication(new FormAuthentication("sun",
>             "sunsys"));
>     }
> 
>     // Server side: 'request' is the container's HttpServletRequest.
>     public void testFormAuthentication()
>     {
>         assertEquals("sun", request.getUserPrincipal().getName());
>         assertEquals("sun", request.getRemoteUser());
>         assertTrue("User not in 'everyone' role",
>             request.isUserInRole("everyone"));
>     }
> 
> }
> 
> 
> 
> The following are the error messages:
> 
>  1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)org.apache.cactus.util.ChainedRuntimeException: Failed to authenticate the principal
>      at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):297)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
>      at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
>      at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
>      at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
>      at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
>      at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
>      at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
>      at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
>      at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
>  org.apache.cactus.util.ChainedRuntimeException: Unable to login, probably due to bad username/password. Received a [400] response code andwas expecting a [302]
>      at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):259)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):146)
>      at org.apache.cactus.client.authentication.FormAuthentication.configure$ajcPostAround13$ajcVoidWrapper(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k))
>      at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj(1k):1145)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect$ajcPostAround9(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):118)
>      at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):184)
>      at org.apache.cactus.client.AbstractHttpClient.doTest$ajcPostAround7(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):108)
>      at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj(1k):1240)
>      at org.apache.cactus.AbstractWebTestCase.runWebTest(AbstractWebTestCase.java:308)
>      at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:258)
>      at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
>      at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:223)
>      at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
>      at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> 
> 
> Qingxian
> 
> -----Original Message-----
> From: Vincent Massol [mailto:vmassol@octo.com]
> Sent: 16 September 2002 15:47
> To: 'Cactus Users List'
> Subject: RE: Form Authentication
> 
> 
> Hi Qingxian,
> 
> Can you try with the latest Cactus version (1.5dev) from CVS. I have
> committed Jason's code in CVS yesterday and I have added some more
> debugging information that could help.
> 
> You can get the nightly distribution of yesterday here:
> 
> http://jakarta.apache.org/builds/jakarta-cactus/nightly/2002-09-16/
> 
> Thanks
> -Vincent
> 
> > -----Original Message-----
> > From: Qingxian Wang [mailto:qingxian_wang@sunsystems.com]
> > Sent: 16 September 2002 11:24
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> > I have tried to use FormAuthentication class with the Cactus 1.4.1. I got
> > the following error although I have set up the correct username and
> > password:
> >
> >  1) testFormAuthentication(com.systemsunion.framework.tools.web.deployer.servlet.CactusTest_WebDeployerActionServlet)java.lang.IllegalStateException: class java.lang.IllegalArgumentException: Unable to login, probably due to bad username/password. [Bad Response Code]
> >      at org.apache.cactus.client.authentication.FormAuthentication.authenticate(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:193)
> >      at org.apache.cactus.client.authentication.FormAuthentication.dispatch9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:47)
> >      at org.apache.cactus.client.authentication.FormAuthentication.around9_configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1156)
> >      at org.apache.cactus.client.authentication.FormAuthentication.configure(FormAuthentication.java;org/apache/cactus/util/log/LogAspect.aj[1k]:43)
> >      at org.apache.cactus.client.HttpClientConnectionHelper.dispatch26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:116)
> >      at org.apache.cactus.client.HttpClientConnectionHelper.around26_connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> >      at org.apache.cactus.client.HttpClientConnectionHelper.connect(HttpClientConnectionHelper.java;org/apache/cactus/util/log/LogAspect.aj[1k]:106)
> >      at org.apache.cactus.client.AbstractHttpClient.callRunTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:186)
> >      at org.apache.cactus.client.AbstractHttpClient.dispatch2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:109)
> >      at org.apache.cactus.client.AbstractHttpClient.around2_doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:1236)
> >      at org.apache.cactus.client.AbstractHttpClient.doTest(AbstractHttpClient.java;org/apache/cactus/util/log/LogAspect.aj[1k]:104)
> >      at org.apache.cactus.AbstractWebTestCase.runGenericTest(AbstractWebTestCase.java:260)
> >      at org.apache.cactus.ServletTestCase.runTest(ServletTestCase.java:133)
> >      at org.apache.cactus.AbstractTestCase.runBare(AbstractTestCase.java:195)
> >      at com.systemsunion.build.junitx.SSTestRunner.start(Unknown Source)
> >      at com.systemsunion.build.junitx.SSTestRunner.main(Unknown Source)
> >
> > Any idear?
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Qingxian Wang
> > Sent: 16 September 2002 10:58
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> >
> > I have tried to use the FormAuthentication class with the
> > CactusStrutsTestCase of the Struts test case framework.  My test case has
> > a problem finding the user name and password.  I got an
> > IllegalArgumentException thrown from the FormAuthentication class. I will
> > try to use the Cactus directly, i.e. ServletTestCase class.
> >
> > Qingxian
> >
> > -----Original Message-----
> > From: Vincent Massol [mailto:vmassol@octo.com]
> > Sent: 15 September 2002 22:19
> > To: 'Cactus Users List'
> > Subject: RE: Form Authentication
> >
> >
> > Thanks Jason! I've committed your code (modified slightly to add missing
> > javadoc, and the checkstyle violations ... :)).
> >
> > I don't have any answer to your questions below. What we now need to do
> > is:
> >
> > 1- write a test case for it
> > 2- try it on several application servers
> > 3- add web site documentation to explain how to use it
> >
> > I guess 1 and 2 will give us the answers to your questions...
> >
> > Thanks again
> > -Vincent
> >
> > > -----Original Message-----
> > > From: Robertson, Jason [mailto:Jason.Robertson@acs-inc.com]
> > > Sent: 12 September 2002 23:04
> > > To: 'Cactus Users List'
> > > Subject: RE: Form Authentication
> > >
> > > Ok, attached is a slightly updated file with some comments and such.
> > >
> > > The basic premise is:
> > > 1. Is JSESSIONID non-null? If yes, stick it into a cookie and we're done.
> > > 2. If it's null, authenticate.
> > > 3. To authenticate, connect to ${ContextURL}/j_security_check with the
> > > username/password. This _should_ authenticate you.
> > > 4. Cache the returned JSESSIONID.
> > > 5. To verify we were authenticated, check a combination of the response
> > > code and maybe redirect location. See question below.
> > >
> > > A TestCase could create a new FormAuthentication object for each test, or
> > > could have a static one in the TestCase that will get initialized once and
> > > reused. The latter would provide quicker testcases at the expense of
> > > keeping state between test cases, which is a philosophical expense at
> > > best. The cool thing is in this case, though, that even if a single test
> > > case is run in the middle of the sequence it will still work. It doesn't
> > > really rely on the TestCase before it (the authentication will just happen
> > > when needed), so it may not really violate any of the unit test
> > > philosophy.
> > >
> > > Only a couple questions:
> > >
> > > 1. Will all app servers send a 302 response with the location being the
> > > ContextURL after a successful login? WebLogic does, and that's my only
> > > source right now. What about on an unsuccessful login? WebLogic returns a
> > > 200 and the content is that of the login page, but I think it would be
> > > acceptable to return a 302 with a Location of the login page. I think my
> > > code will work with both, but testing will be the only proof.
> > >
> > > 2. Do I need the setSecurityCheck method? Or will
> > > ${ContextURL}/j_security_check always work? It's really a safety net, but
> > > it might be unnecessary.
> > >
> > > Jason
> > >
> > > -----Original Message-----
> > > From: Erik Hatcher [mailto:lists@ehatchersolutions.com]
> > > Sent: Thursday, September 12, 2002 9:17 AM
> > > To: Cactus Users List
> > > Subject: Re: Form Authentication
> > >
> > >
> > > Wow, just in the nick of time too!  I haven't looked at your code, but
> > > this is exactly what we need as well.
> > >
> > > I look forward to the Cactus committers having a look at this to see if
> > > it fits in and getting it committed!  :)
> > >
> > > Thanks Jason!
> > >
> > > 	Erik
> > >
> > > Robertson, Jason wrote:
> > > > Here's a FormAuthentication implementation that doesn't need any rework
> > > > of the standard flow. The only modification needed to make this compile
> > > > is to make the base class AbstractAuthentication's member variables
> > > > 'theName' and 'thePassword' protected instead of private.
> > > >
> > > > This is a first pass. It's short on comments, and has some debugging
> > > > code temporarily commented out, but it works. At least for me, on
> > > > WebLogic 7.0. :)
> > > >
> > > > I'll comment it and express some minor concerns especially with regards
> > > > to various app servers in the coming days, but I thought I'd throw this
> > > > out now.
> > > >
> > > > I tried to include a sample ear that has a basic example, but the war's
> > > > lib directory is too big and it bounced. So I've included the project,
> > > > just adjust the jar file properties in build.xml to make it all work.
> > > >
> > > > Jason


--
To unsubscribe, e-mail:
<mailto:cactus-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:cactus-user-help@jakarta.apache.org>


