jakarta-cactus-user mailing list archives

From Anton_Gr...@mn.man.de
Subject Reply: Re: Security (using FormAuthentication) not working against WebSphere 5.1
Date Tue, 08 Jun 2004 12:42:53 GMT

Thanks for your explanations!

As I am not at all familiar with any packet capture tool
I need some help from my colleagues. We will try this in the late afternoon ...

Do you think it is the right place to change the implementation of
FormAuthentication to include step 3) and step 4) if no cookie is found in
step 2)?


Toni Grimm

Anton Grimm
MAN Nutzfahrzeuge AG
IDP - Software Produktionsumgebungen
D - 80995 München

Fon:       +49-89-1580-1054
Fax:       +49-89-1580-4550
mailto:    Anton_Grimm@mn.man.de
Internet: http://www.man-trucks.com

From:              Kazuhito SUGURI <suguri.kazuhito@lab.ntt.co.jp>
Date:              06/08/2004 10:34 AM
Please reply to:   "Cactus Users List"
To:                cactus-user@jakarta.apache.org
Cc:
Subject:           Re: Security (using FormAuthentication) not working against WebSphere 5.1


In article
Tue, 8 Jun 2004 09:35:31 +0200,
Anton_Grimm@mn.man.de wrote:
Anton_Grimm> When I run our suite against WebSphere the tests using
Anton_Grimm> FormAuthentication fail reporting
Anton_Grimm>       "Failed to authenticate the principal."
Anton_Grimm> ### WebSphere ###
Anton_Grimm> getCookie(theConnection, theTarget) - Header: null:HTTP/1.1 302 Found
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Date:Tue, 08 Jun 06:24:12 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Server:IBM_HTTP_Server/2.0.47-PQ84017 Apache/2.0.47 (Unix)
Anton_Grimm> getCookie(theConnection, theTarget) - Header:

Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Cache-Control:no-cache="set-cookie,set-cookie2"
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Expires:Thu, 01 Dec 1994 16:00:00 GMT
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Location:
Anton_Grimm> getCookie(theConnection, theTarget) - Header: Content-Length:0
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> charset=ISO-8859-1
Anton_Grimm> getCookie(theConnection, theTarget) - Header:
Anton_Grimm> Anyway, when I request the Url (against WebSphere)
Anton_Grimm>       http://hostname:port/context/ServletRedirectoSecure?
Anton_Grimm> I get forwarded to the login-page.
Anton_Grimm> Before submitting the Login-Page I request
Anton_Grimm>       javascript:alert(document.cookie)
Anton_Grimm> and I get two cookies (WASReqURL and JSESSIONID).

WebSphere may set a Set-Cookie header for JSESSIONID in the response
for the login-page, which will not be accessed by FormAuthentication.

Could you trace HTTP messages for the following sequence
by using a packet capture tool?
(1) C->S request the URL
(2) S->C 302 response
(3) C->S request the login-page
(4) S->C 200 response with login-page
(5) C->S request j_security_check with username, password and JSESSIONID

Current implementation of the FormAuthentication class is assuming that
a Set-Cookie header for JSESSIONID exists in a response at (2).
Then, the FormAuthentication class does not perform (3)-(4),
but performs (5) immediately.

However, it's possible for AP server to start session tracking from
the first login-page request (3), and for that case,
AP server may send the Set-Cookie header for JSESSIONID at (4).

Kazuhito SUGURI
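The five-step exchange above, and the difference between a container that sets JSESSIONID on the 302 at step (2) and one that only sets it with the login page at step (4), as an added example written for this archive page. It is not code from Cactus or from either poster, and it is Python rather than the Java FormAuthentication class so that both sides of the exchange can be simulated in one self-contained file. The paths, credentials and session ids are constructed; the container is a minimal stand-in, not WebSphere. The two client functions mirror the two behaviours the thread discusses: taking the cookie from the redirect and going straight to j_security_check, versus fetching the login page first when the redirect carried no JSESSIONID.

```python
"""Form-login handshake as numbered in the thread:
 (1) C->S GET protected URL     (2) S->C 302 to login page
 (3) C->S GET login page        (4) S->C 200 login page
 (5) C->S POST j_security_check with credentials and JSESSIONID
The two simulated servers differ only in whether JSESSIONID is first set at (2)
or only at (4). Every path, name and value here is constructed for the example."""
import secrets
from dataclasses import dataclass, field

PROTECTED = "/context/protected"             # hypothetical protected servlet
LOGIN_PAGE = "/context/login.jsp"            # hypothetical form-login page
CHECK_URL = "/context/j_security_check"      # standard servlet form-login action
VALID_USER, VALID_PASSWORD = "user", "pw"    # constructed test credentials


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


@dataclass
class FakeServer:
    """Minimal stand-in for a servlet container's form-login handling (constructed)."""
    cookie_at_redirect: bool                       # True: Set-Cookie at (2); False: only at (4)
    sessions: dict = field(default_factory=dict)   # JSESSIONID -> authenticated?
    trace: list = field(default_factory=list)      # both sides' messages, the "packet capture"

    def _new_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = False
        return sid

    def handle(self, method, path, headers, form=None):
        sid = parse_cookie_header(headers.get("Cookie", "")).get("JSESSIONID")
        self.trace.append(f"C->S {method} {path} Cookie={headers.get('Cookie', '-')}")
        resp = self._dispatch(method, path, sid, form or {})
        self.trace.append(f"S->C {resp.status} Set-Cookie={resp.headers.get('Set-Cookie', '-')}")
        return resp

    def _dispatch(self, method, path, sid, form):
        if path == PROTECTED:
            if self.sessions.get(sid):
                return Response(200, {}, "secret content")
            resp = Response(302, {"Location": LOGIN_PAGE})
            if self.cookie_at_redirect:
                resp.headers["Set-Cookie"] = f"JSESSIONID={self._new_session()}; Path=/context"
            return resp
        if path == LOGIN_PAGE:
            resp = Response(200, {"Content-Type": "text/html"}, "<form action='j_security_check'>")
            if sid not in self.sessions:      # session tracking starts with the login page
                resp.headers["Set-Cookie"] = f"JSESSIONID={self._new_session()}; Path=/context"
            return resp
        if path == CHECK_URL and method == "POST":
            # The container only accepts a login bound to a session it already knows.
            creds = (form.get("j_username"), form.get("j_password"))
            if sid not in self.sessions or creds != (VALID_USER, VALID_PASSWORD):
                return Response(403, {}, "login failed")
            self.sessions[sid] = True
            return Response(302, {"Location": PROTECTED})
        return Response(404, {})


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    pairs = (p.partition("=") for p in value.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, _, v in pairs}


def absorb(jar, resp):
    """Store the cookie from a Set-Cookie header; attributes after ';' are dropped."""
    raw = resp.headers.get("Set-Cookie")
    if raw:
        name, _, rest = raw.partition("=")
        jar[name.strip()] = rest.split(";")[0].strip()


def cookie_headers(jar):
    return {"Cookie": "; ".join(f"{k}={v}" for k, v in jar.items())} if jar else {}


def post_credentials(server, jar, user, password):
    """Step (5), then follow the redirect back to the protected URL."""
    resp = server.handle("POST", CHECK_URL, cookie_headers(jar),
                         {"j_username": user, "j_password": password})
    absorb(jar, resp)
    if resp.status != 302:
        return False
    resp = server.handle("GET", resp.headers["Location"], cookie_headers(jar))
    return resp.status == 200 and resp.body == "secret content"


def login_assuming_cookie_at_redirect(server, user, password):
    """The behaviour the thread attributes to FormAuthentication at the time:
    take JSESSIONID from the 302 at (2), skip (3)-(4), do (5) immediately."""
    jar = {}
    absorb(jar, server.handle("GET", PROTECTED, {}))
    return post_credentials(server, jar, user, password)


def login_following_redirect(server, user, password):
    """The change Anton asks about: if (2) carried no JSESSIONID, do (3)-(4) first."""
    jar = {}
    resp = server.handle("GET", PROTECTED, {})
    absorb(jar, resp)
    if resp.status == 302 and "JSESSIONID" not in jar:
        absorb(jar, server.handle("GET", resp.headers["Location"], cookie_headers(jar)))
    return post_credentials(server, jar, user, password)


if __name__ == "__main__":
    for at_redirect in (True, False):
        srv = FakeServer(cookie_at_redirect=at_redirect)
        ok = login_assuming_cookie_at_redirect(srv, VALID_USER, VALID_PASSWORD)
        print(f"cookie at (2)={at_redirect}: assume-at-redirect client succeeded={ok}")
        print("\n".join("   " + line for line in srv.trace))
```

Running the file prints the simulated trace for both servers; against the server that only sets the cookie at (4), the assume-at-redirect client sends j_security_check with no Cookie header and is rejected, which is the "Failed to authenticate the principal." symptom in prose form. The follow-redirect variant costs one extra round trip only when the redirect carried no session cookie, so it is a strict superset of the old behaviour.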


