tomcat-users mailing list archives

From Frerk.Me...@Edeka.de
Subject Re: Container managed security in tomcat 5.x, need j_password in struts web app, ServletFilter or IntermediateServlet? [Virus checked]
Date Wed, 18 Aug 2004 12:20:43 GMT

Thanks Tim Funk for the quick answer,

In FormAuthenticator there is a line:
                principal =
                    context.getRealm().authenticate(username, password);
It returns an interface, java.security.Principal.
The Principal stores the username (uid), not the password (Credential).
I can only call getName().
Furthermore, any Realm has no access to the user's session.
So I can't get the password from the realm.

I could of course write the password as cleartext or obscured code in my own Realm to an external data store. But I don't want that. It's dirty and unsafe and against the security requirements of this web-app.

I've searched the Java Servlet Specification v2.4
http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html
but haven't found a place where applying ServletFilters to /j_security_check is forbidden.

Could you please provide me with a pointer to the spec you have forbidding this kind of filtering?

One of many such questions I have found on
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg117539.html
(Message 1117539 on this list)
was answered by yourself with the suggestion of using a valve.
Could you please give me more detail on that solution?

In the same answer it was mentioned that BEA WebLogic provides a hook named auth-filter which would solve my problem too (in a proprietary way). With WebSphere this is the second App-Server which could solve my problem.
I have a Sun ONE Web App Server 7 at hand, so I will eventually try the ServletFilter method too.

Another thread on this list with the same requirement is number 111855:
"servlet sendRedirect() to j_security_check problem (remember me)"
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg111855.html
It announces Matt Raible's solution, programmed into his example application AppFuse.
It works by submitting a subrequest via the HttpClient lib, which seems rather strange to me.

It cites an earlier posting, number 111700:
http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html

One more question:
In the Tomcat 5.0.27 source, in FormAuthenticator.java, it says
        // Save the authenticated Principal in our session
        session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);

        // If we are not caching, save the username and password as well
        if (!cache) {
            session.setNote(Constants.SESS_USERNAME_NOTE, username);
            session.setNote(Constants.SESS_PASSWORD_NOTE, password);
        }
Am I able to call session.getNote(Constants.SESS_PASSWORD_NOTE, password) in my web-app?
It seems to be stored in the session, or am I wrong?

Frerk Meyer

EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer@edeka.de