tomcat-users mailing list archives

From Anastasios Angelidis <voo...@videotron.ca>
Subject Re: Beyond basic form authentication?
Date Tue, 27 Jul 2004 14:09:40 GMT
That won't work.

Try navigating to the login page of the security sample on Tomcat and 
try logging in! It will throw an exception of the sort that it cannot 
authenticate against itself....

Yiannis Mavroukakis wrote:

>Why not make the welcome page part of the secured app,
>let the users authenticate and then use getUserPrincipal()
>to determine whether you need to redirect them to the secured pages.
>
>-----Original Message-----
>From: Anastasios Angelidis [mailto:voodoo@videotron.ca]
>Sent: 27 July 2004 14:34
>To: Yiannis Mavroukakis
>Subject: Re: Beyond basic form authentication?
>
>
>Yeah it will but what will it do with it? ;)
>
>I guess I have to explain this step by step lol....
>
>1- Create a directory /MyNewApp in /webapps and attach a context to it.
>2- Create all standard webapp directories like /WEB-INF etc...
>3- Create a new directory /secured inside your new webapp 
>directory. Basically /webapps/MyNewApp/secured
>4- Put the security sample jsp pages that come with Tomcat within the 
>secured folder.
>5- Create your user realm
>6- Configure security constraints. Set constraint on the /secured 
>folder. Point authentication to the login.jsp... etc...
>
>So now we are all happy?
>
>Now open your browser and go to http://localhost:8080/MyNewApp/secured. 
>Tomcat notices that this is a protected URL and shoots back to you the 
>login page.... You login and voila everyone is happy again!
>
>Now create index.jsp page in your webapps root /MyNewApp and add it to 
>the list of welcome pages in your web.xml.... Which by default index.jsp 
>is configured as default page....
>
>Back in your browser go to: http://localhost:8080/MyNewApp/ and you 
>should see the new index.jsp page you just created...
>
>Now we are all happy again! ;)
>
>On this new index.jsp page create a login form. Now from this login form 
>I want to be authenticated to access /MyNewApp/secured.
>
>So here we have two problems...
>1- You cannot put as the action point /secured. Even though you pass 
>j_username and j_password fields with correct credentials through the 
>POST, because you are not authenticated, it will shoot back at you the 
>login page that was configured in web.xml. And then you can do proper login.
>
>2- The action point cannot be j_security_check because Tomcat will not 
>know what to do with it! Basically you are posting a form with action 
>j_security_check from an unsecure resource. Even if Tomcat understood 
>and actually authenticated you, where would it redirect you? It 
>wouldn't know. When you access a secure resource directly Tomcat 
>attaches the secured resource URL in some way to the login page. So when 
>you authenticate it knows where to redirect you.
>
>Thanks
>
>Yiannis Mavroukakis wrote:
>
>>Not sure I get this 100 percent, but with regards to your last statement,
>>"Of course I cannot just put a form on the welcome page with 
>>action="<%=request.encodeURL("j_security_check")%>" 
>>The browser wouldn't know where to post to."
>>
>>The browser will post to the application server
>>anyway! It is no different than saying that the form will post to
>>either POST=http://foo.org/bar or to POST=bar (assume foo.org is the
>>domain of your application server).
>>
>>-----Original Message-----
>>From: Anastasios Angelidis [mailto:voodoo@videotron.ca]
>>Sent: 26 July 2004 15:12
>>To: Tomcat Users List
>>Subject: Re: Beyond basic form authentication?
>>
>>
>>Ok then I think the problem is not understood ;)
>>
>>My form authentication does work. In fact I scabbed the whole security 
>>sample :P
>>
>>Like I noted... When I type the protected resource's URL in the browser 
>>address bar, Tomcat's authentication kicks in and redirects me to the 
>>login page I specified in my web.xml. I type the username and password 
>>that is stored in mysql and I login. This works fine.
>>
>>What I want to do is access the protected resource from an unprotected 
>>resource. For instance on the welcome page of my web app which everyone 
>>can see. I want to add a login form which will login the user and give 
>>him access to the protected resource.
>>
>>One solution is to just put a "Sign-In" link which will in turn try to 
>>access the protected resource, but since the visitor is not logged in, 
>>he will be redirected to the login page.
>>
>>The other solution which I want is to offer a login page directly on the 
>>welcome page. Of course I cannot just put a form on the welcome page with 
>>action="<%=request.encodeURL("j_security_check")%>" The browser wouldn't 
>>know where to post to.
>>
>>Yiannis Mavroukakis wrote:
>>
>>><english>
>>>Anastasie I think what Robert means is you should "steal" some code
>>>from the existing examples in Tomcat.
>>></english>
>>>
>>><greek>
>>>There are also other ways you can do this... you could very well have
>>>authentication through Apache and a module that checks for valid
>>>accounts in your MySQL.
>>></greek>
>>>
>>>Happy coding,
>>>
>>>Yiannis
>>>
>>>-----Original Message-----
>>>From: Anastasios Angelidis [mailto:voodoo@videotron.ca]
>>>Sent: 26 July 2004 14:13
>>>To: Tomcat Users List
>>>Subject: Re: Beyond basic form authentication?
>>>
>>>
>>>Does anyone have any ideas on this? What is code scabbing?
>>>
>>>Thanks
>>>
>>>Robert Harper wrote:
>>>
>>>>Did you try scabbing code from the login.jsp? You may want to use that and the
>>>>user will gain access to the areas allowed with their group or role.
>>>>
>>>>Robert S. Harper
>>>>801.265.8800 ex. 255
>>>>
>>>>>-----Original Message-----
>>>>>From: Anastasios Angelidis [mailto:voodoo@videotron.ca]
>>>>>Sent: Friday, July 23, 2004 7:37 AM
>>>>>To: tomcat-user@jakarta.apache.org
>>>>>Subject: Beyond basic form authentication?
>>>>>
>>>>>So I set up my web app to use Form Authentication with a User Realm in my
>>>>>MySQL DB. It all works fine. I type the protected resource's URL into the
>>>>>browser, I get redirected to the login page, I login and behold it works! ;)
>>>>>
>>>>>Now how would I give access to a secure resource from an unsecure
>>>>>resource. For instance...
>>>>>
>>>>>My webapp has a front page with recent news, welcome message etc...
>>>>>Standard home page stuff...
>>>>>Obviously I can put a sign-in link that will try to access the protected
>>>>>resource, which will then redirect to the login page...
>>>>>But is there a way to put a login form on the home page directly and
>>>>>post that form for authentication and from there give access to the
>>>>>protected resource?
>>>>>
>>>>>Thanks
>>>>>
>>>>>---------------------------------------------------------------------
>>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

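The setup the thread walks through (steps 1 to 6: an unprotected index.jsp welcome page, a protected /secured directory under /MyNewApp, a FORM login pointing at login.jsp) carried into a web.xml, as an added example that is not code from the original thread or from Tomcat's samples. The role name `user`, the realm display name, the error page and the CONFIDENTIAL transport guarantee (which needs an HTTPS connector configured in Tomcat's server.xml) are assumptions added here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.xml for /webapps/MyNewApp, following steps 1-6 in the thread.
     Role name "user" and the CONFIDENTIAL transport guarantee are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Welcome page: index.jsp at the context root stays unprotected. -->
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Step 6: only /secured/* is protected; everything else is public. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured area</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Assumption: an HTTPS connector exists; this forces the posted credentials
         and the session cookie for /secured onto TLS instead of cleartext HTTP. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 6 continued: FORM login. The page named here is what Tomcat serves
       when it intercepts a request for /secured/*; its form posts j_username
       and j_password to j_security_check, and Tomcat then replays the request
       it saved. A form on the unprotected index.jsp has no such saved request,
       which is the behaviour the thread describes. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyNewApp</realm-name>
    <form-login-config>
      <form-login-page>/secured/login.jsp</form-login-page>
      <form-error-page>/secured/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```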