jakarta-cactus-user mailing list archives

From Anton_Gr...@mn.man.de
Subject Reply: Re: Security (using FormAuthentication) not working against WebSphere 5.1
Date Tue, 08 Jun 2004 12:42:53 GMT




Thanks for your explanations!

As I am not at all familiar with any packet capture tool
I need some help from my colleagues. We will try this in the late afternoon ...

Do you think it is the right place to change the implementation of the
method
      getSecureSessionIdCookie()
in FormAuthentication to include step 3) and step 4) if no cookie is found in
step 2)?

Regards,

Toni Grimm

---------------------------------------------------------------
Anton Grimm
MAN Nutzfahrzeuge AG
IDP - Software Produktionsumgebungen
Dachauerstr.667
D - 80995 München

Fon:       +49-89-1580-1054
Fax:       +49-89-1580-4550
mailto:    Anton_Grimm@mn.man.de
Internet: http://www.man-trucks.com
---------------------------------------------------------------




Kazuhito SUGURI <suguri.kazuhito@lab.ntt.co.jp>
06/08/2004 10:34 AM
Please reply to "Cactus Users List"

To:      cactus-user@jakarta.apache.org
Cc:
Subject: Re: Security (using FormAuthentication) not working against WebSphere 5.1




Hi,

In article
<OF37E58DAD.F9518323-ONC1256EAD.00279C95-C1256EAD.0029B440@mn.man.de>,
Tue, 8 Jun 2004 09:35:31 +0200,
Anton_Grimm@mn.man.de wrote:
Anton_Grimm> When I run our suite against WebSphere 5.1.0.4 the tests using
Anton_Grimm> FormAuthentication fail reporting
Anton_Grimm>
Anton_Grimm>       "Failed to authenticate the principal."
[snip]
Anton_Grimm> ### WebSphere ###
Anton_Grimm>
Anton_Grimm> getCookie(theConnection, theTarget) - Header: null:HTTP/1.1 302 Found
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Date:Tue, 08 Jun 2004 06:24:12 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Server:IBM_HTTP_Server/2.0.47-PQ84017 Apache/2.0.47 (Unix) DAV/2
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Set-Cookie:WASReqURL=http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/ServletRedirectorSecure?;Path=/
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Cache-Control:no-cache="set-cookie,set-cookie2"
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Expires:Thu, 01 Dec 1994 16:00:00 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Location: http://mmwasint.mn-man.biz:8085/mandeploymantwebapp/jsp/LoginForm.jsp
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Length:0
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Type:text/html; charset=ISO-8859-1
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Language:en-US
[snip]
Anton_Grimm> Anyway, when I request the URL (against WebSphere)
Anton_Grimm>       http://hostname:port/context/ServletRedirectorSecure?
Anton_Grimm> I get forwarded to the login page.
Anton_Grimm>
Anton_Grimm> Before submitting the Login-Page I request
Anton_Grimm>       javascript:alert(document.cookie)
Anton_Grimm> and I get two cookies (WASReqURL and JSESSIONID).

WebSphere may set a Set-Cookie header for JSESSIONID in the response
for the login page, which will not be accessed by the FormAuthentication
implementation.


Could you trace the HTTP messages for the following sequence
using a packet capture tool?
(1) C->S request the URL
http://hostname:port/context/ServletRedirectorSecure?
(2) S->C 302 response
(3) C->S request the login page
(4) S->C 200 response with login page
(5) C->S request j_security_check with username, password and JSESSIONID


The current implementation of the FormAuthentication class assumes that
a Set-Cookie header for JSESSIONID exists in the response at (2).
Then, the FormAuthentication class does not perform (3)-(4),
but performs (5) immediately.

However, it is possible for the AP server to start session tracking from
the first login-page request (3), and in that case,
the AP server may send the Set-Cookie header for JSESSIONID at (4).


Regards,
----
Kazuhito SUGURI
mailto:suguri.kazuhito@lab.ntt.co.jp
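The sequence Kazuhito describes, and the change Anton asks about for getSecureSessionIdCookie(), as an added example that is not code from this thread or from Cactus: a small Java client built on java.net.HttpURLConnection that keeps gathering Set-Cookie headers through steps (2), (4) and (5), so a JSESSIONID that first appears with the login page at (4) is not lost before j_security_check is posted. The class name FormLoginProbe, posting j_security_check at the context root, the j_username/j_password field names and the credentials passed in are assumptions of this example, not facts from the thread.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative form-login client (not Cactus code). Unlike a client that reads
 * cookies only from the 302 at step (2), it collects Set-Cookie headers from
 * the 302, from the login page (4) and from the j_security_check response (5).
 */
public class FormLoginProbe {

    /** Cookies seen so far, by name; a later Set-Cookie for the same name replaces the earlier one. */
    private final Map<String, String> jar = new LinkedHashMap<>();

    /** Store every Set-Cookie header of a response (name=value only; Path and other attributes dropped). */
    void collectCookies(HttpURLConnection conn) {
        for (Map.Entry<String, List<String>> h : conn.getHeaderFields().entrySet()) {
            // the status line is stored under a null key, as in Anton's "Header: null:HTTP/1.1 302 Found"
            if (h.getKey() == null || !h.getKey().equalsIgnoreCase("Set-Cookie")) {
                continue;
            }
            for (String raw : h.getValue()) {
                // "WASReqURL=http://host/app/ServletRedirectorSecure?;Path=/" -> keep the part before the first ';'
                String pair = raw.split(";", 2)[0];
                int eq = pair.indexOf('=');
                if (eq > 0) {
                    jar.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
                }
            }
        }
    }

    /** Build the Cookie request header from everything collected so far. */
    String cookieHeader() {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> c : jar.entrySet()) {
            if (sb.length() > 0) {
                sb.append("; ");
            }
            sb.append(c.getKey()).append('=').append(c.getValue());
        }
        return sb.toString();
    }

    private HttpURLConnection open(String url, String method) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setInstanceFollowRedirects(false);   // the 302 at (2) must be visible to us, not auto-followed
        conn.setRequestMethod(method);
        if (!jar.isEmpty()) {
            conn.setRequestProperty("Cookie", cookieHeader());
        }
        return conn;
    }

    /**
     * Runs steps (1)-(5). contextUrl is the application root, e.g. "http://host:port/context"
     * (hypothetical). Returns the JSESSIONID value, or null if the server never issued one.
     */
    String login(String contextUrl, String user, String password) throws IOException {
        // (1)/(2): request the protected redirector and expect a 302 to the login page
        HttpURLConnection first = open(contextUrl + "/ServletRedirectorSecure?", "GET");
        int status = first.getResponseCode();
        collectCookies(first);
        String loginPage = first.getHeaderField("Location");
        first.disconnect();
        if (status != HttpURLConnection.HTTP_MOVED_TEMP || loginPage == null) {
            throw new IOException("expected a 302 to the login page, got status " + status);
        }

        // (3)/(4): fetch the login page when the 302 carried no JSESSIONID (the WebSphere 5.1 case in the thread)
        if (!jar.containsKey("JSESSIONID")) {
            HttpURLConnection page = open(loginPage, "GET");
            page.getResponseCode();
            collectCookies(page);
            page.disconnect();
        }

        // (5): post the form, sending every cookie gathered so far (JSESSIONID and WASReqURL included)
        HttpURLConnection check = open(contextUrl + "/j_security_check", "POST");   // assumed location
        check.setDoOutput(true);
        check.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("j_username=" + URLEncoder.encode(user, "UTF-8")
                + "&j_password=" + URLEncoder.encode(password, "UTF-8"))
                .getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = check.getOutputStream()) {
            out.write(body);
        }
        check.getResponseCode();
        collectCookies(check);   // some containers issue a fresh session id on successful login; keep it
        check.disconnect();
        return jar.get("JSESSIONID");
    }
}
```

Reading cookies from the j_security_check response as well is a deliberate defensive choice: a container that rotates the session id at login invalidates the pre-login JSESSIONID, so a client that stops collecting after step (4) would carry a dead session into the real test requests and fail in the same way Anton's suite does now.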
