tomcat-users mailing list archives

From Adam Hardy <>
Subject Re: automate login to other opensource apps
Date Mon, 17 Nov 2003 22:34:59 GMT
If you are using CMS then you must realise that the realm and the login 
info from j_username etc are held separately in tomcat from your app.

In the realm implementation that is run by tomcat at login, you have no 
access to the request or the session (although you could stick it in a 
hashmap in a singleton or JNDI space = dirty great hack).

In the app, the only way of finding out what your user entered is to 
call request.getUserPrincipal(), .getRemoteUser() or .isUserInRole().

So basically you can find out the name. You then have to query the realm 
in your app to find out more info about them, e.g. password. If it is 
stored in MD5, then you've got problems. You cannot intercept the submit 
to j_security_check.

I think single-sign-on above and beyond tomcat SSO is in the pipeline 
for the long term though.


On 11/17/2003 06:59 PM Gary Hardy wrote:
> jack:
> I noticed you haven't received any responses yet. I was kinda waiting to see
> if anyone had any bright ideas regarding... catching j_username/j_password
> for later use within a webapp. I posted a somewhat related question in
> "Subject: application security gone mad".
> Someone (please!) correct me if I'm wrong... rather than hacking something
> around the login form, storing the j_username/j_password text in the
> session, ... wouldn't it be cleaner to write your own Realm? Then... access
> the session security credentials via the Realm?
> gary...
>>From: "Jack Bakker" <>
>>Reply-To: "Tomcat Users List" <>
>>Date: Mon, 17 Nov 2003 10:45:42 -0500
>>To: <>
>>Subject: automate login to other opensource apps
>>I have several Struts apps with a form-based single signon using a JNDIRealm
>>with md5 passwords in openldap. I'm looking to pass username/password used
>>in Java login to other apps like horde, dotproject, among others for user
>>convenience. Sync of user account info between db stores used by other
>>projects aside, what's the best (and most secure) way of trapping the
>>password in plaintext to pass to other apps? Seems like it should be a
>>simple thing to do but getPassword of the Realm doesn't appear to be exposed?
>>Am I missing something obvious?
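The separation Adam describes above, shown as an added example (not code from the thread or from Tomcat itself): a servlet Filter that runs after the container has already processed j_security_check, so the only things it can obtain are the principal name and role membership, never the submitted j_password. The session attribute names and the "manager" role are assumptions made for this example.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Captures the container-authenticated identity for later use by the webapp.
 * By the time this filter sees a request, the realm has finished with
 * j_username/j_password; the application only gets the resulting Principal.
 */
public class PrincipalCaptureFilter implements Filter {

    /** Session attribute names chosen for this example (hypothetical). */
    static final String ATTR_USER = "example.authenticatedUser";
    static final String ATTR_MANAGER = "example.isManager";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // null until the container has authenticated this request's user
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            HttpSession session = request.getSession(true);
            if (session.getAttribute(ATTR_USER) == null) {
                // Store the identity, not a credential: the name and roles are
                // all the realm exposes to application code.
                session.setAttribute(ATTR_USER, principal.getName());
                session.setAttribute(ATTR_MANAGER,
                        Boolean.valueOf(request.isUserInRole("manager")));
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Any downstream integration (such as the other apps Jack mentions) then has to work from this identity, for example by looking the user up in the same LDAP directory by name, rather than from a recovered plaintext password.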

