tomcat-users mailing list archives

From "post@gregperry.co.uk" <p...@gregperry.co.uk>
Subject Re: Capturing User Passwords
Date Thu, 29 Sep 2005 10:24:19 GMT
Thanks Larry - that's worked for me!

-----Original Message-----
From: Larry Meadors [mailto:larry.meadors@gmail.com] 
Sent: 29 September 2005 04:01
To: Tomcat Users List
Subject: Re: Capturing User Passwords


Here is the code (this is for tomcat 4.1.x):

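      // Needs: java.beans.PropertyDescriptor, java.security.Principal,
      // org.apache.commons.beanutils.PropertyUtils (Commons BeanUtils)
      // Dumps every readable bean property of the container's Principal
      // to the debug log.
      if(log.isDebugEnabled()){
          Principal principal = req.getUserPrincipal();
          PropertyDescriptor[] pds =
              PropertyUtils.getPropertyDescriptors(principal.getClass());
          for(int i = 0; i < pds.length; i++){
              try {
                  String name = pds[i].getName();
                  Object value = PropertyUtils.getProperty(principal, name);
                  log.debug("pds." + name + " = " + value);
              } catch (Exception e) {
                  // properties that cannot be read end up here
                  e.printStackTrace();
              }
          }
      }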

Larry


On 9/28/05, post@gregperry.co.uk <post@gregperry.co.uk> wrote:
>
> I am trying to find a way of capturing a user's password so that I can have
> the user log in to one of my web applications (which acts as a client), and
> pass it to a second application (which acts as the server).
>
> I know that I can retrieve the user from the ServletRequest using
> req.getUserPrincipal(). However, I do not know how I can retrieve the
> password.
>
> Can anyone offer any advice on whether this can be done and if so, the best
> way of doing it?
>
> [ I did attempt to use forms-based authentication and use a filter to
> capture the password whenever the j_security_check action was invoked.
> However, I read in another post that Tomcat does not allow filters to be
> placed on j_security_check. ]
>
> Once I have the password, I'd ideally be looking at converting it to a
> Credentials object, so that I could pass that to my second app, rather than
> passing the raw password. Does anyone know whether this can be achieved by
> using Tomcat's UserPasswordCredentials class?
>
> Also, to prevent the password being exposed in the URL posted from the login
> page, I'd also be looking to implement SSL. I presume that this will cause
> encryption problems. Does anyone have any advice about how I could work
> around this?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> tomcat-user-help@jakarta.apache.org
>
