jakarta-cactus-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ankur.ku...@axa.com.au
Subject Re: Form Authentication is not working in Weblogic Portal 7.0 SP4,need help
Date Fri, 20 Feb 2004 02:10:03 GMT
Kazuhito, I tested this code, this method works fine. Now, I'm doing this 
in my test case:

   FormAuthentication form = new 
FormAuthentication("visitor1","password");
   form.setSessionCookieName("JSESSIONID_PORTAL");
   theRequest.setAuthentication(form);
and here is weblogic.xml entry:
<session-descriptor>
    <session-param>
      <param-name>CookieName</param-name>
      <param-value>JSESSIONID_PORTAL</param-value>
    </session-param>
    <session-param>.....

and here is debug info :
004/02/20 13:06:31:028 EST [DEBUG] CookieUtil - -Cookie validation path = 
[/eservice/JspRedirectorSecure]
004/02/20 13:06:31:028 EST [DEBUG] CookieUtil - ->getCookiePath = 
[/eservice/JspRedirectorSecure]
004/02/20 13:06:31:028 EST [DEBUG] CookieUtil - ->createHttpClientCookie = 
[JSESSIONID_PORTAL=A1rm2UQE11our2wr19VmsL5iE
LBFZbG5lXVmqnGRPM5Ce9rSQ4h!604608630]
004/02/20 13:06:31:028 EST [DEBUG] CookieUtil - ->createHttpClientCookies 
= [[Lorg.apache.commons.httpclient.Cookie;@70
dd3]
004/02/20 13:06:31:028 EST [DEBUG] CookieUtil - ->createHttpState = [[ | | 
JSESSIONID_PORTAL=A1rm2UQE11our2wr19VmsL5iE
LBFZbG5lXVmqnGRPM5Ce9rSQ4h!604608630]]
004/02/20 13:06:31:215 EST [DEBUG] CookieUtil - 
-<createHttpState([simulation URL = [null], automatic session = [true],
cookies = [[name = [JSESSIONID_PORTAL], value = 
[A1rm2UQE11our2wr19VmsL5iEPLBFZbG5lXVmqnGRPM5Ce9rSQ4h!604608630], domai
 = [pc23165], path = [null], isSecure = [false], comment = [null], 
expiryDate = [null]]], headers = [], GET parameters
 [[[Cactus_Service] = [[GET_RESULTS]]]], POST parameters = []], 
[http://pc23165:80/eservice/JspRedirectorSecure?Cactus_
ervice=GET_RESULTS])
004/02/20 13:06:31:215 EST [DEBUG] CookieUtil - 
-<createHttpClientCookies([simulation URL = [null], automatic session =
[true], cookies = [[name = [JSESSIONID_PORTAL], value = 
[A1rm2UQE11our2wr19VmsL5iEPLBFZbG5lXVmqnGRPM5Ce9rSQ4h!604608630
, domain = [pc23165], path = [null], isSecure = [false], comment = [null], 
expiryDate = [null]]], headers = [], GET par
meters = [[[Cactus_Service] = [[GET_RESULTS]]]], POST parameters = []], 
[http://pc23165:80/eservice/JspRedirectorSecure
Cactus_Service=GET_RESULTS])
004/02/20 13:06:31:215 EST [DEBUG] CookieUtil - 
-<createHttpClientCookie([simulation URL = [null], automatic session =
true], cookies = [[name = [JSESSIONID_PORTAL], value = 
[A1rm2UQE11our2wr19VmsL5iEPLBFZbG5lXVmqnGRPM5Ce9rSQ4h!604608630]
 domain = [pc23165], path = [null], isSecure = [false], comment = [null], 
expiryDate = [null]]], headers = [], GET para
eters = [[[Cactus_Service] = [[GET_RESULTS]]]], POST parameters = []], 
[http://pc23165:80/eservice/JspRedirectorSecure?
actus_Service=GET_RESULTS], [name = [JSESSIONID_PORTAL], value = 
[A1rm2UQE11our2wr19VmsL5iEPLBFZbG5lXVmqnGRPM5Ce9rSQ4h!
04608630], domain = [pc23165], path = [null], isSecure = [false], comment 
= [null], expiryDate = [null]])
004/02/20 13:06:31:215 EST [DEBUG] CookieUtil - 
-<getCookiePath([simulation URL = [null], automatic session = [true], c
okies = [[name = [JSESSIONID_PORTAL], value = 
[A1rm2UQE11our2wr19VmsL5iEPLBFZbG5lXVmqnGRPM5Ce9rSQ4h!604608630], domain
 [pc23165], path = [null], isSecure = [false], comment = [null], 
expiryDate = [null]]], headers = [], GET parameters =
[[Cactus_Service] = [[GET_RESULTS]]]], POST parameters = []], 
[/eservice/JspRedirectorSecure?Cactus_Service=GET_RESULTS


Cheers!!!

- Ankur



Please respond to "Cactus Users List" <cactus-user@jakarta.apache.org>
To:     cactus-user@jakarta.apache.org
cc: 

Subject:        Re: Form Authentication is not working in Weblogic Portal 7.0 SP4,need 
help

Hi Ankur,

In article 
<OF7FE6EDEE.98421ACF-ONCA256E40.00085447-CA256E40.0008E319@nm.com.au>,
Fri, 20 Feb 2004 12:36:57 +1100,
ankur.kumar@axa.com.au wrote: 
ankur.kumar> I would sugges one more change. The new method you wrote 
ankur.kumar> "getSecureSessionIdCookie(WebRequest theRequest...." :

Thank you. I added the private member and accessor as you had suggested.
                 public void setSessionCookieName(String)
                 public String getSessionCookieName()
However, I cannot test this works as it's desired.
I need your help.

Thank you,
----
Kazuhito SUGURI
mailto:suguri.kazuhito@lab.ntt.co.jp
/*
 * ====================================================================
 *
 * The Apache Software License, Version 1.1
 *
 * Copyright (c) 2001-2003 The Apache Software Foundation.  All rights
 * reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. The end-user documentation included with the redistribution, if
 *    any, must include the following acknowlegement:
 *       "This product includes software developed by the
 *        Apache Software Foundation (http://www.apache.org/)."
 *    Alternately, this acknowlegement may appear in the software itself,
 *    if and wherever such third-party acknowlegements normally appear.
 *
 * 4. The names "The Jakarta Project", "Cactus" and "Apache Software
 *    Foundation" must not be used to endorse or promote products
 *    derived from this software without prior written permission. For
 *    written permission, please contact apache@apache.org.
 *
 * 5. Products derived from this software may not be called "Apache"
 *    nor may "Apache" appear in their names without prior written
 *    permission of the Apache Group.
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 */
package org.apache.cactus.client.authentication;

import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

import org.apache.cactus.Cookie;
import org.apache.cactus.WebRequest;
import org.apache.cactus.client.connector.http.ConnectionHelper;
import org.apache.cactus.client.connector.http.ConnectionHelperFactory;
import org.apache.cactus.configuration.Configuration;
import org.apache.cactus.configuration.WebConfiguration;
import org.apache.cactus.util.ChainedRuntimeException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/**
 * Form-based authentication implementation. An instance of this class
 * can be reused across several tests as it caches the session cookie.
 * Thus the first time it is used to authenticate the user, it calls
 * the security URL (which is by default the context URL prepended by
 * "j_security_check"), caches the returned session cookie and adds the
 * cookie for the next request. The second time it is called, it simply
 * addes the session cookie for the next request.
 * 
 * @author <a href="mailto:Jason.Robertson@acs-inc.com">Jason Robertson</a>
 * @author <a href="mailto:vmassol@apache.org">Vincent Massol</a>
 *
 * @since 1.5
 *
 * @version $Id: $
 */
public class FormAuthentication extends AbstractAuthentication
{
    /**
     * The logger.
     */
    private static final Log LOGGER = 
        LogFactory.getLog(FormAuthentication.class);

    /**
     * The expected HTTP response code for the request to a restricted
     * resource without authenticated principal.
     */
    private int expectedPreAuthResponse = 
HttpURLConnection.HTTP_MOVED_TEMP;

    /**
     * The expected HTTP response code when the authentication is 
succeeded.
     */
    private int expectedAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP;

    /**
     * The URL to use when attempting to log in, if for whatever reason 
     * the default URL is incorrect.
     */
    private URL securityCheckURL = null;

    /**
     * The cookie name of the session.
     */
    private String sessionCookieName = "JSESSIONID";

    /**
     * We store the session cookie.
     */
    private Cookie jsessionCookie = null;


    /**
     * {@link WebRequest} object that will be used to connect to the
     * security URL. 
     */
    private WebRequest securityRequest = new WebRequest();
 
    /**
     * @param theName user name of the Credential
     * @param thePassword user password of the Credential
     */
    public FormAuthentication(String theName, String thePassword)
    {
        super(theName, thePassword);
    }
 
    /**
     * @see AbstractAuthentication#validateName(String)
     */
    protected void validateName(String theName)
    {
        // Nothing to do here...
    }
 
    /**
     * @see AbstractAuthentication#validatePassword(String)
     */
    protected void validatePassword(String thePassword)
    {
        // Nothing to do here...
    }

    /**
     * @see AbstractAuthentication#configure(WebRequest, Configuration)
     */
    public void configure(WebRequest theRequest,
        Configuration theConfiguration)
    {
        // Only authenticate the first time this instance is used.
        if (this.jsessionCookie == null)
        {
           authenticate(theRequest, theConfiguration);
        }

        // Sets the session id cookie for the next request.
        if (this.jsessionCookie != null)
        {
            theRequest.addCookie(this.jsessionCookie);
        }
    }

    /**
     * @return the {@link WebRequest} that will be used to connect to the
     * security URL. It can be used to add additional HTTP parameters such
     * as proprietary ones required by some containers.
     */
    public WebRequest getSecurityRequest()
    {
        return this.securityRequest;
    }
 
    /**
     * This sets the URL to use when attempting to log in. This method is 
used
     * if for whatever reason the default URL is incorrect.
     *
     * @param theUrl A URL to use to attempt to login.
     */
    public void setSecurityCheckURL(URL theUrl)
    {
       this.securityCheckURL = theUrl;
    }
 
    /**
     * This returns the URL to use when attempting to log in. By default, 
it's
     * the context URL defined in the Cactus configuration with 
     * "/j_security_check" appended. 
     *
     * @param theConfiguration the Cactus configuration
     * @return the URL that is being used to attempt to login.
     */
    public URL getSecurityCheckURL(Configuration theConfiguration)
    {
        if (this.securityCheckURL == null)
        {
            // Configure default
            String stringUrl = 
                ((WebConfiguration) theConfiguration).getContextURL()
                + "/j_security_check";

            try
            {
                this.securityCheckURL = new URL(stringUrl);
            }
            catch (MalformedURLException e)
            {
                throw new ChainedRuntimeException(
                    "Unable to create default Security Check URL [" 
                    + stringUrl + "]");
            }
        }

        LOGGER.debug("Using security check URL [" + this.securityCheckURL
            + "]");

        return securityCheckURL;
    }


    /**
     * Get the cookie name of the session.
     */
    public String getSessionCookieName(){
                 return this.sessionCookieName;
    }

    /**
     * Set the cookie name of the session to theName.
     * If theName is null, the change request will be ignored.
     * The default is &quot;<code>JSESSIONID</code>&quot;.
     */
    public void setSessionCookieName(String theName){
                 if(theName==null){
                     return;
                 }
                 this.sessionCookieName = theName;
    }

    /**
     * Get the expected HTTP response code for the request to a restricted
     * resource without authenticated principal.
     */
    public int getExpectedPreAuthResponse(){
                 return this.expectedPreAuthResponse;
    }

    /**
     * Set the expected HTTP response code for the request to a restricted
     * resource without authenticated principal.
     * The default is HttpURLConnection.HTTP_MOVED_TEMP.
     */
    public void setExpectedPreAuthResponse(int expected){
                 this.expectedPreAuthResponse = expected;
    }

    /**
     * Get the expected HTTP response code when the authentication is 
succeeded.
     */
    public int getExpectedAuthResponse(){
                 return this.expectedAuthResponse;
    }

    /**
     * Set the expected HTTP response code when the authentication is 
succeeded.
     * The default is HttpURLConnection.HTTP_MOVED_TEMP.
     */
    public void setExpectedAuthResponse(int expected){
                 this.expectedAuthResponse = expected;
    }


    private void checkResponseCodeEquals(int expected, int actual)
                 throws Exception
    {
                 if(actual!=expected){
                     throw new Exception("Received a [" + actual + "] 
response code"
                                                                 + " and 
was expecting a [" + expected + "]");
                 }
    }


    private Cookie getCookie(HttpURLConnection connection, String target){
                 // Check (possible multiple) cookies for a target.
                 int i = 1;
                 String key = connection.getHeaderFieldKey(i);
                 while (key != null){
                     if (key.equalsIgnoreCase("set-cookie")){
                                 // Cookie is in the form:
                                 // "NAME=VALUE; expires=DATE; path=PATH;
                                 //  domain=DOMAIN_NAME; secure"
                                 // The only thing we care about is 
finding a cookie with
                                 // the name "JSESSIONID" and caching the 
value.
                                 String cookiestr = 
connection.getHeaderField(i);
                                 String nameValue = cookiestr.substring(0, 
cookiestr.indexOf(";"));
                                 int equalsChar = nameValue.indexOf("=");
                                 String name = nameValue.substring(0, 
equalsChar);
                                 String value = 
nameValue.substring(equalsChar + 1);
                                 if (name.equalsIgnoreCase(target)){
                                     return new 
Cookie(connection.getURL().getHost(),
 name, value);
                }
            }
                     key = connection.getHeaderFieldKey(++i);
                 }
                 return null;
    }


    private Cookie getSecureSessionIdCookie(WebRequest theRequest,
     Configuration theConfiguration)
    {
                 HttpURLConnection connection;
                 String resource = null;

                 try{
            // Create a helper that will connect to a restricted resource.
                     resource = ((WebConfiguration) 
theConfiguration).getRedirectorURL(theRequest);
            ConnectionHelper helper =
                ConnectionHelperFactory.getConnectionHelper(resource,
                                     theConfiguration);
                     WebRequest request =
                                 new WebRequest((WebConfiguration) 
theConfiguration);
            // Make the connection using a default web request.
            connection = helper.connect(request, theConfiguration);
                     checkResponseCodeEquals(getExpectedPreAuthResponse(),
 connection.getResponseCode());
                 }catch(Throwable e){
            throw new ChainedRuntimeException("Failed to connect to the 
secured redirector: "
        + resource, e);
        }

                 return getCookie(connection, getSessionCookieName());
    }


    /**
     * Authenticate the principal by calling the security URL.
     * 
     * @param theRequest the web request used to connect to the Redirector
     * @param theConfiguration the Cactus configuration
     */
    public void authenticate(WebRequest theRequest,
                                                      Configuration 
theConfiguration)
    {
                 jsessionCookie = getSecureSessionIdCookie(theRequest,
                                  theConfiguration);
 
        try {
            // Create a helper that will connect to the security check 
URL.
                     String url = 
getSecurityCheckURL(theConfiguration).toString();
            ConnectionHelper helper =
 ConnectionHelperFactory.getConnectionHelper(url,
                                     (WebConfiguration) theConfiguration);

            // Configure a web request with the JSESSIONID cookie,
            // the username and the password.
            WebRequest request = getSecurityRequest();
            request.setConfiguration(theConfiguration);
            request.addCookie(jsessionCookie);
            request.addParameter("j_username", getName(), 
WebRequest.POST_METHOD);
            request.addParameter("j_password", getPassword(), 
WebRequest.POST_METHOD);

            // Make the connection using the configured web request.
            HttpURLConnection connection = helper.connect(request, 
theConfiguration);
                     checkResponseCodeEquals(getExpectedAuthResponse(),
 connection.getResponseCode());
        }catch(Throwable e){
            throw new ChainedRuntimeException("Failed to authenticate the 
principal",
        e);
        }
    }
}

---------------------------------------------------------------------
To unsubscribe, e-mail: cactus-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: cactus-user-help@jakarta.apache.org




*********************************************************************************
Important Note
This email (including any attachments) contains information which is 
confidential and may be subject to legal privilege.  If you are not 
the intended recipient you must not use, distribute or copy this 
email.  If you have received this email in error please notify the 
sender immediately and delete this email. Any views expressed in this 
email are not necessarily the views of AXA.   Thank you.
*********************************************************************************


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message