Return-Path: list-help: list-unsubscribe: List-Post: List-Id: Mailing-List: contact cactus-user-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list cactus-user@jakarta.apache.org Received: (qmail 12880 invoked from network); 19 Feb 2004 22:57:10 -0000 Received: from unknown (HELO hutch.nm.com) (203.103.221.38) by daedalus.apache.org with SMTP; 19 Feb 2004 22:57:10 -0000 Received: from c2.nm.com.au (unverified) by hutch.nm.com (Content Technologies SMTPRS 4.2.5) with ESMTP id for ; Fri, 20 Feb 2004 10:01:48 +1100 MIME-Version: 1.0 Sensitivity: To: "Cactus Users List" Subject: Re: Form Authentication is not working in Weblogic Portal 7.0 SP4,need help X-Mailer: Lotus Notes Release 5.0.12 February 13, 2003 Message-ID: From: ankur.kumar@axa.com.au Date: Fri, 20 Feb 2004 09:56:44 +1100 X-MIMETrack: Serialize by Router on ELAN-MEL/AU/NMHDMZ(Release 5.0.11 |July 24, 2002) at 02/20/2004 09:56:01 AM, Serialize complete at 02/20/2004 09:56:01 AM Content-Type: multipart/alternative; boundary="=_alternative 007E0E20CA256E3F_=" X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N --=_alternative 007E0E20CA256E3F_= Content-Type: text/plain; charset="us-ascii" Hi Kazuhito, I tried this modified FormAuthentication and it works when I run Weblogic Server with host name as "localhost". But if I use any other host name, it doesn't work, and reason being is domain name is set to "localhost" for other cookies, like cookies getting created from createHttpState() method of CookieUtil. I think BaseWebRequest also needs modification where domain name is hard-coded.: public void addCookie(String theName, String theValue) { addCookie("localhost", theName, theValue); } I will modify it and then try to run the code. Thanks, Ankur Please respond to "Cactus Users List" To: cactus-user@jakarta.apache.org cc: Subject: Re: Form Authentication is not working in Weblogic Portal 7.0 SP4,need help Hi, In article <20040219.155000.71085584.suguri.kazuhito@lab.ntt.co.jp>, Thu, 19 Feb 2004 15:50:00 +0900 (JST), Kazuhito SUGURI wrote: suguri.kazuhito> I'll propose a modified FormAuthentication soon. This is the one. I had modified FormAuthentication.java in cactus-src-1.5. Two sets of accessor has been added to the original: - void setExpectedPreAuthResponse(int) / int getExpectedPreAuthResponse() Set/get the expected HTTP response code for the request to the restricted resource without valid cookie. The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP). This is corresponding to the Step (2). - void setExpectedAuthResponse(int) / int getexpectedAuthResponse() Set/get the expected HTTP response code if the security_check is succeeded. The default is 302 (HttpURLConnection.HTTP_MOVED_TEMP). This is corresponding to the Step (4). Ankur, would you try this? Regards, ---- Kazuhito SUGURI mailto:suguri.kazuhito@lab.ntt.co.jp /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 2001-2003 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Cactus" and "Apache Software * Foundation" must not be used to endorse or promote products * derived from this software without prior written permission. For * written permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . * */ package org.apache.cactus.client.authentication; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; import org.apache.cactus.Cookie; import org.apache.cactus.WebRequest; import org.apache.cactus.client.connector.http.ConnectionHelper; import org.apache.cactus.client.connector.http.ConnectionHelperFactory; import org.apache.cactus.configuration.Configuration; import org.apache.cactus.configuration.WebConfiguration; import org.apache.cactus.util.ChainedRuntimeException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * Form-based authentication implementation. An instance of this class * can be reused across several tests as it caches the session cookie. * Thus the first time it is used to authenticate the user, it calls * the security URL (which is by default the context URL prepended by * "j_security_check"), caches the returned session cookie and adds the * cookie for the next request. The second time it is called, it simply * addes the session cookie for the next request. * * @author Jason Robertson * @author Vincent Massol * * @since 1.5 * * @version $Id: $ */ public class FormAuthentication extends AbstractAuthentication { /** * The logger. */ private static final Log LOGGER = LogFactory.getLog(FormAuthentication.class); /** * The expected HTTP response code for the request to a restricted * resource without authenticated principal. */ private int expectedPreAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP; /** * The expected HTTP response code when the authentication is succeeded. */ private int expectedAuthResponse = HttpURLConnection.HTTP_MOVED_TEMP; /** * The URL to use when attempting to log in, if for whatever reason * the default URL is incorrect. */ private URL securityCheckURL = null; /** * We store the session cookie name because of case issues. We need * to be able to send exactly the same one as was sent back by the * server. */ private String sessionIdCookieName = null; /** * We store the session id cookie so that this instance can * be reused for another test. */ private String sessionId = null; /** * {@link WebRequest} object that will be used to connect to the * security URL. */ private WebRequest securityRequest = new WebRequest(); /** * @param theName user name of the Credential * @param thePassword user password of the Credential */ public FormAuthentication(String theName, String thePassword) { super(theName, thePassword); } /** * @see AbstractAuthentication#validateName(String) */ protected void validateName(String theName) { // Nothing to do here... } /** * @see AbstractAuthentication#validatePassword(String) */ protected void validatePassword(String thePassword) { // Nothing to do here... } /** * @see AbstractAuthentication#configure(WebRequest, Configuration) */ public void configure(WebRequest theRequest, Configuration theConfiguration) { // Only authenticate the first time this instance is used. if (this.sessionId == null) { authenticate(theRequest, theConfiguration); } // Sets the session id cookie for the next request. if (this.sessionId != null) { theRequest.addCookie(this.sessionIdCookieName, this.sessionId); } } /** * @return the {@link WebRequest} that will be used to connect to the * security URL. It can be used to add additional HTTP parameters such * as proprietary ones required by some containers. */ public WebRequest getSecurityRequest() { return this.securityRequest; } /** * This sets the URL to use when attempting to log in. This method is used * if for whatever reason the default URL is incorrect. * * @param theUrl A URL to use to attempt to login. */ public void setSecurityCheckURL(URL theUrl) { this.securityCheckURL = theUrl; } /** * This returns the URL to use when attempting to log in. By default, it's * the context URL defined in the Cactus configuration with * "/j_security_check" appended. * * @param theConfiguration the Cactus configuration * @return the URL that is being used to attempt to login. */ public URL getSecurityCheckURL(Configuration theConfiguration) { if (this.securityCheckURL == null) { // Configure default String stringUrl = ((WebConfiguration) theConfiguration).getContextURL() + "/j_security_check"; try { this.securityCheckURL = new URL(stringUrl); } catch (MalformedURLException e) { throw new ChainedRuntimeException( "Unable to create default Security Check URL [" + stringUrl + "]"); } } LOGGER.debug("Using security check URL [" + this.securityCheckURL + "]"); return securityCheckURL; } /** * Get the expected HTTP response code for the request to a restricted * resource without authenticated principal. */ public int getExpectedPreAuthResponse(){ return this.expectedPreAuthResponse; } /** * Set the expected HTTP response code for the request to a restricted * resource without authenticated principal. * The default is HttpURLConnection.HTTP_MOVED_TEMP. */ public void setExpectedPreAuthResponse(int expected){ this.expectedPreAuthResponse = expected; } /** * Get the expected HTTP response code when the authentication is succeeded. */ public int getExpectedAuthResponse(){ return this.expectedAuthResponse; } /** * Set the expected HTTP response code when the authentication is succeeded. * The default is HttpURLConnection.HTTP_MOVED_TEMP. */ public void setExpectedAuthResponse(int expected){ this.expectedAuthResponse = expected; } private void checkResponseCodeEquals(int expected, int actual) throws Exception { if(actual!=expected){ throw new Exception("Received a [" + actual + "] response code" + " and was expecting a [" + expected + "]"); } } private Cookie getCookie(HttpURLConnection connection, String target){ // Check (possible multiple) cookies for a target. int i = 1; String key = connection.getHeaderFieldKey(i); while (key != null){ if (key.equalsIgnoreCase("set-cookie")){ // Cookie is in the form: // "NAME=VALUE; expires=DATE; path=PATH; // domain=DOMAIN_NAME; secure" // The only thing we care about is finding a cookie with // the name "JSESSIONID" and caching the value. String cookiestr = connection.getHeaderField(i); String nameValue = cookiestr.substring(0, cookiestr.indexOf(";")); int equalsChar = nameValue.indexOf("="); String name = nameValue.substring(0, equalsChar); String value = nameValue.substring(equalsChar + 1); if (name.equalsIgnoreCase(target)){ return new Cookie(connection.getURL().getHost(), name, value); } } key = connection.getHeaderFieldKey(++i); } return null; } private Cookie getSecureSessionIdCookie(WebRequest theRequest, Configuration theConfiguration) { HttpURLConnection connection; String resource = null; try{ // Create a helper that will connect to a restricted resource. resource = ((WebConfiguration) theConfiguration).getRedirectorURL(theRequest); ConnectionHelper helper = ConnectionHelperFactory.getConnectionHelper(resource, theConfiguration); WebRequest request = new WebRequest((WebConfiguration) theConfiguration); // Make the connection using a default web request. connection = helper.connect(request, theConfiguration); checkResponseCodeEquals(getExpectedPreAuthResponse(), connection.getResponseCode()); }catch(Throwable e){ throw new ChainedRuntimeException("Failed to connect to the secured redirector: " + resource, e); } return getCookie(connection, "JSESSIONID"); } /** * Authenticate the principal by calling the security URL. * * @param theRequest the web request used to connect to the Redirector * @param theConfiguration the Cactus configuration */ public void authenticate(WebRequest theRequest, Configuration theConfiguration) { Cookie jsessionCookie = getSecureSessionIdCookie(theRequest, theConfiguration); sessionIdCookieName = jsessionCookie.getName(); sessionId = jsessionCookie.getValue(); try { // Create a helper that will connect to the security check URL. String url = getSecurityCheckURL(theConfiguration).toString(); ConnectionHelper helper = ConnectionHelperFactory.getConnectionHelper(url, (WebConfiguration) theConfiguration); // Configure a web request with the JSESSIONID cookie, // the username and the password. WebRequest request = getSecurityRequest(); request.setConfiguration(theConfiguration); request.addCookie(jsessionCookie); request.addParameter("j_username", getName(), WebRequest.POST_METHOD); request.addParameter("j_password", getPassword(), WebRequest.POST_METHOD); // Make the connection using the configured web request. HttpURLConnection connection = helper.connect(request, theConfiguration); checkResponseCodeEquals(getExpectedAuthResponse(), connection.getResponseCode()); }catch(Throwable e){ throw new ChainedRuntimeException("Failed to authenticate the principal", e); } } } --------------------------------------------------------------------- To unsubscribe, e-mail: cactus-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: cactus-user-help@jakarta.apache.org ********************************************************************************* Important Note This email (including any attachments) contains information which is confidential and may be subject to legal privilege. If you are not the intended recipient you must not use, distribute or copy this email. If you have received this email in error please notify the sender immediately and delete this email. Any views expressed in this email are not necessarily the views of AXA. Thank you. ********************************************************************************* --=_alternative 007E0E20CA256E3F_=--