tomcat-users mailing list archives

From Tim Funk <funk...@joedog.org>
Subject Re: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Virus checked]
Date Wed, 18 Aug 2004 12:32:43 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=21795

You can always write your own Realm which creates your own custom Principal 
which can store the password in it. This does require some casting, but that is 
not uncommon.

-Tim

Frerk.Meyer@Edeka.de wrote:
> Thanks Tim Funk for the quick answer,
> 
> In FormAuthenticator there is a line:
>                 principal =
>                     context.getRealm().authenticate(username, password);
> It returns an
> interface java.security.Principal
> The Principal stores the username (uid), not the password (Credential).
> I can only call getName().
> Furthermore any Realm has no access to the users session.
> So I can't get the password from the realm.
> 
> I could of course write the password as cleartext or obscured code in my
> own Realm to an external
> data store. But I don't want that. It's dirty and unsafe and against the
> security requirements of
> this web-app.
> 
> I've searched the Java Servlet Specification v.2.4
> http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html
> but haven't found a place where applying ServletFilters to
> /j_security_check is forbidden.
> 
> Could you please provide me with a pointer to the spec you have forbidding
> this kind of filtering?
> 
> One of many such questions I have found on
> http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg117539.html
> (Message 1117539 on this list)
> was answered by yourself with the suggestion of using a valve.
> Could you please give me more detail on that solution?
> 
> On the same answer there was mentioned that BEA WebLogic provides a hook
> named
> auth-filter
> which would solve my problem too (in a proprietary way). With Websphere
> this is the second App-Server which could solve my problem.
> I have a Sun ONE Web App Server 7 at hand, so I will eventually try
> the ServletFilter method too.
> 
> Another thread on this list with the same requirement is number 111855:
> "servlet sendRedirect() to j_security_check problem (remember me)"
> http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg111855.html
> It announces Matt Raible's solution, programmed into his example application
> AppFuse.
> It works by submitting a subrequest via the HttpClient lib, which seems rather
> strange to me.
> 
> It cites an earlier posting number 111700
> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
> 
> One more question:
> In the Tomcat 5.0.27 source in FormAuthenticator.java it says
>         // Save the authenticated Principal in our session
>         session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
> 
>         // If we are not caching, save the username and password as well
>         if (!cache) {
>             session.setNote(Constants.SESS_USERNAME_NOTE, username);
>             session.setNote(Constants.SESS_PASSWORD_NOTE, password);
>         }
> Am I able to session.getNote(Constants.SESS_PASSWORD_NOTE, password) in my
> web-app?
> It seems to be stored in the session, or am I wrong?
> 
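Tim's suggestion above worked through as an added example (not code from this thread or from Tomcat): a Realm that authenticates exactly as before but returns a Principal the web app can cast to reach the submitted password, and wipe it once used. It assumes the Tomcat 5.x Catalina API (JDBCRealm as the base realm, GenericPrincipal's (Realm, String, String, List) constructor and String[] getRoles()); CredentialHolder, CredentialPrincipal, CredentialRealm and credentialOf are names chosen here.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import org.apache.catalina.Realm;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.JDBCRealm;

public final class CredentialRealmExample {
    // Interface the web app casts to. Deploy it where both Catalina and the
    // web app can load it (common/lib on Tomcat 5); the realm itself lives
    // beside Catalina (server/lib), registered in server.xml as
    // className="CredentialRealmExample$CredentialRealm".
    public interface CredentialHolder {
        char[] copyCredential();   // a copy of the password, or null once wiped
        void wipeCredential();     // zero the secret as soon as it is no longer needed
    }

    // Principal carrying the submitted password. Extends GenericPrincipal so
    // Tomcat's own role checks keep working; the secret is held in a char[]
    // so the caller can overwrite it instead of waiting for the session to die.
    public static class CredentialPrincipal extends GenericPrincipal
            implements CredentialHolder {
        private char[] credential;
        CredentialPrincipal(Realm realm, String name, List roles, String credential) {
            super(realm, name, null, roles);   // leave GenericPrincipal's password slot empty
            this.credential = credential.toCharArray();
        }
        public synchronized char[] copyCredential() {
            return credential == null ? null : (char[]) credential.clone();
        }
        public synchronized void wipeCredential() {
            if (credential != null) { Arrays.fill(credential, '\0'); credential = null; }
        }
    }

    // Realm that leaves authentication untouched and only swaps the Principal.
    // JDBCRealm is an assumed base; any RealmBase subclass can be wrapped the same way.
    public static class CredentialRealm extends JDBCRealm {
        public Principal authenticate(String username, String credentials) {
            Principal p = super.authenticate(username, credentials);
            if (!(p instanceof GenericPrincipal)) return p;   // failed login stays null
            List roles = Arrays.asList(((GenericPrincipal) p).getRoles());
            return new CredentialPrincipal(this, username, roles, credentials);
        }
    }

    // Web-app side: request.getUserPrincipal() is the custom type; cast via the interface.
    public static char[] credentialOf(Principal p) {
        return (p instanceof CredentialHolder) ? ((CredentialHolder) p).copyCredential() : null;
    }
}
```

The password stays in the Principal for the life of the session unless wipeCredential() is called, so call it (and clear the copy) as soon as the downstream login has used it.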

