tomcat-users mailing list archives

From "Mark Schmeets" <ma...@chipware.com>
Subject RE: j_username in session cookie - where did it go?
Date Wed, 14 Aug 2002 17:47:48 GMT
Well, I know there are a lot of other ways of doing this, but having the
username and password from forms auth makes it very simple. The username and
password are for the database. The servlet app isn't necessarily the only
app to access certain data, there may well be some legacy and client-server
apps too. Besides, some architects like to keep security at the database
level.
I didn't mean to suggest that there aren't other ways, just that Craig's
suggestion sounded pretty severe.



-----Original Message-----
From: Ralph Einfeldt [mailto:ralph.einfeldt@uptime-isc.de]
Sent: Wednesday, August 14, 2002 12:18 PM
To: Tomcat Users List
Subject: AW: j_username in session cookie - where did it go?


What has the security on the data level to do with Craig's answer?

The container makes the authentication, that is it checks the
username and password against a Realm. After that the application
knows who is logged in and which roles this user has. That's
the only thing that an application needs to show or not show any
information.

For what do you need a password on this level or j_username ?


> -----Original Message-----
> From: Mark Schmeets [mailto:marks@chipware.com]
> Sent: Wednesday, 14 August 2002 16:54
> To: Tomcat Users List
> Subject: RE: j_username in session cookie - where did it go?
>
>
> whoa, that seems like a very oversimplified answer. Some of us require
> security at the data level too. A "solution" like that makes Tomcat's
> authentication useless in that situation...
>
>
> Mark
>
>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Tuesday, August 13, 2002 11:11 PM
> To: Tomcat Users List
> Subject: Re: j_username in session cookie - where did it go?
>
>
>
>
> On Tue, 13 Aug 2002, Ed Thompson wrote:
>
> > Date: Tue, 13 Aug 2002 22:56:32 -0400
> > From: Ed Thompson <ethompson7@carolina.rr.com>
> > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > Subject: Re: j_username in session cookie - where did it go?
> >
> > I was also scraping the password - used j_username and j_passwd for
> > database access.
> >
>
> There is no portable way to do that.  And Tomcat 4 does not expose them,
> because the password is none of the app's business -- the user is either
> authenticated or not.
>
> > Any hints on that one?
>
> Re-architect your app so that it needs only the username.
>
> Craig
>
>
> >
> > ----- Original Message -----
> > From: "Craig R. McClanahan" <craigmcc@apache.org>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <ethompson7@carolina.rr.com>
> > > > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > > > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using BASIC
> > > authentication you could decode the username out of the "Authorization"
> > > header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > and installing 4.0.4 from scratch..
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > > For additional commands, e-mail:
> > <mailto:tomcat-user-help@jakarta.apache.org>
> > >
> >
> >
> >
> >
> >
>
>
>
>





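The pattern Craig recommends in the thread above (learn the authenticated identity with request.getRemoteUser() and the container-assigned roles, never the password), shown as an added example that is not code from this thread, from Tomcat or from the servlet spec. The JNDI DataSource name "jdbc/AppDB", the table "documents(owner, title)" and the role "manager" are assumptions for illustration:

```java
// Added example, not code from the thread or from Tomcat itself.
// The servlet sees only *who* the container authenticated and which
// roles the Realm granted; j_password never reaches application code.
// Data-level authorization is done by binding the username into the
// query, while the database connection uses the application's own
// pooled credential.
// Assumed (hypothetical) names: JNDI DataSource "java:comp/env/jdbc/AppDB",
// table "documents(owner, title)", role "manager".
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class MyDocumentsServlet extends HttpServlet {

    private static final String SQL_OWN =
        "SELECT title FROM documents WHERE owner = ? ORDER BY title";
    private static final String SQL_ALL =
        "SELECT title FROM documents ORDER BY title";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Portable API for the authenticated identity. It is null only when
        // the container did not authenticate the request, i.e. the URL is
        // not covered by a <security-constraint> in web.xml.
        String user = request.getRemoteUser();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Role membership also comes from the Realm, not from the app.
        boolean manager = request.isUserInRole("manager");

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Documents visible to " + user + (manager ? " (manager)" : ""));

        String sql = manager ? SQL_ALL : SQL_OWN;
        try (Connection conn = lookupDataSource().getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            if (!manager) {
                // Row-level filtering keyed on the container-supplied
                // username, as a bound parameter rather than concatenation.
                ps.setString(1, user);
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.println(" - " + rs.getString("title"));
                }
            }
        } catch (SQLException | NamingException e) {
            throw new ServletException("document lookup failed", e);
        }
    }

    // Connection pool configured in the container (hypothetical JNDI name);
    // its credential belongs to the application, not to the end user.
    private DataSource lookupDataSource() throws NamingException {
        return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
    }
}
```

With form-based login, j_username and j_password exist only in the POST to j_security_check that the container consumes; after that, getRemoteUser(), getUserPrincipal() and isUserInRole() are the supported sources of identity. Data-level restrictions are then expressed as filters on that username (and as database grants on the application's own account), which is what "needs only the username" amounts to in practice.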

