Message-ID: <468B5C3A.2060800@oma.be>
Date: Wed, 04 Jul 2007 10:37:14 +0200
From: David Delbecq
To: Tomcat Users List
Subject: Re: Form authentication with captcha...
References: <468A0CA2.2080005@telefonica.net> <468A23A2.7020208@oma.be> <468B5707.4080009@telefonica.net>
In-Reply-To: <468B5707.4080009@telefonica.net>

On 04/07/07 10:15, rpr_listas wrote:
> Hello David,
>
> I know that this is outside the specification and binds my application
> to this server implementation, but modifying the realm has the same
> problem: it transforms my application into a Tomcat-only application.

Indeed it would make your application work only with server authentication that splits the password in 2 parts (password/captcha), but

1) it's easier to make and maintain a custom realm across Tomcat versions than to patch the Tomcat authenticator.
2) if you need to switch later from Tomcat to JBoss or another container, all you have to do is recode for that server an equivalent of your realm (most servers provide such support for user authentication), while doing a fix similar to the one for the authenticator might prove more difficult, as it is not an expected point of extension.
3) If you limit the change to the realm, other web applications can still run without trouble on your Tomcat; this includes the Tomcat manager and Tomcat admin, which are commonly deployed on Tomcat.

> Building a custom authentication is not a solution, because this disconnects
> the application from the J2EE standard, and I prefer to fit to
> standards in the rest of the application. I think that the better
> approach could be a custom authentication servlet, and this servlet
> stores a new Principal in the container. But I think that in J2EE you
> can't do this from a servlet.
Indeed it can't really do it, but you could perhaps use an authentication filter like this:
http://securityfilter.sourceforge.net/

There is even a discussion on how to pass additional arguments to its authentication mechanism:
http://sourceforge.net/forum/forum.php?thread_id=1527995&forum_id=200424

> Best regards.
> Ricardo
>
> David Delbecq wrote:
>> Hello,
>>
>> The form authenticator does form-based authentication according to the
>> corresponding J2EE specifications, which specify the submit name of the
>> username field (j_username), the submit name of the user password
>> (j_password), and that's all. Of course you, developer of the web application,
>> can customize the form (adding a company logo, etc.), but the spec states that
>> the user must provide username and password and submit them to the
>> /j_security_check URL. Adding a captcha or other information to this spec
>> is not possible like that.
>>
>> The only 2 ways I see to add a captcha and not break the spec are either
>>
>> 1) to create a realm that expects the captcha to be appended or prepended
>> to the password.
>> eg:
>> j_username: johnSmith
>> j_password: 12345@captcha=AdQ1
>> The realm could probably compare the provided captcha with some value
>> stored somewhere else.
>> The j_password field could be constructed, client side, with JavaScript,
>> from 2 non-submitted fields.
>>
>> or
>> 2) Don't rely on container security and provide your own security with
>> your own forms.
>>
>> On 03/07/07 10:45, rpr_listas wrote:
>>
>>> Hi all!
>>>
>>> I'm thinking of implementing a captcha
>>> (http://en.wikipedia.org/wiki/Captcha) protection for web-based
>>> authentication. I'm looking in the Tomcat source and the form
>>> authentication seems to be implemented by the
>>> org.apache.catalina.authenticator.FormAuthenticator class. But I'm
>>> not sure if changing this class is the right way.
>>>
>>> Is there another, better method to do this?
>>> Must I change the FormAuthenticator class, or must I extend it in another
>>> class that I can refer to in the Tomcat configuration?
>>>
>>> Thanks in advance and best regards.
>>> Ricardo.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
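The "custom realm" option from the thread above (captcha appended to j_password as `12345@captcha=AdQ1`), written out as an added example; it is not code from this thread or from Tomcat itself. It assumes the Tomcat 5.5/6 `RealmBase` API of that era (`getName`, `getPassword`, `getPrincipal`, and the four-argument `GenericPrincipal` constructor); the user table and the set of issued captcha answers are constructed in-memory stand-ins for whatever a real deployment stores elsewhere.

```java
import java.security.Principal;
import java.util.*;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

// Hypothetical realm: splits the submitted j_password into password and
// captcha, checks the captcha against the issued answers, then lets
// RealmBase do the normal password comparison.
public class CaptchaRealm extends RealmBase {
    private static final String SEP = "@captcha=";

    // Constructed sample user table (username -> password / roles).
    private final Map<String, String> passwords = new HashMap<String, String>();
    private final Map<String, List<String>> roles = new HashMap<String, List<String>>();
    // Constructed stand-in for "some value stored somewhere else": captcha
    // answers the captcha servlet has issued and that have not been used yet.
    private final Set<String> issuedCaptchas =
        Collections.synchronizedSet(new HashSet<String>());

    public CaptchaRealm() {
        passwords.put("johnSmith", "12345");
        roles.put("johnSmith", Arrays.asList("user"));
        issuedCaptchas.add("AdQ1");
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) return null;
        // Split on the LAST separator so a password that itself contains
        // "@captcha=" is still handled correctly.
        int at = credentials.lastIndexOf(SEP);
        if (at < 0) return null;               // no captcha part: refuse, never fall back
        String password = credentials.substring(0, at);
        String captcha = credentials.substring(at + SEP.length());
        // Consume the captcha before checking the password: one issued
        // captcha answers exactly one login attempt, right or wrong, so a
        // correct captcha cannot be replayed across many password guesses.
        if (!issuedCaptchas.remove(captcha)) return null;
        return super.authenticate(username, password);
    }

    @Override protected String getName() { return "CaptchaRealm"; }
    @Override protected String getPassword(String username) { return passwords.get(username); }
    @Override protected Principal getPrincipal(String username) {
        return new GenericPrincipal(this, username, passwords.get(username), roles.get(username));
    }
}
```

The realm is wired in with a `<Realm className="CaptchaRealm"/>` element in the Engine, Host or Context configuration, and the login page's JavaScript fills j_password with `password + "@captcha=" + captcha` from the two non-submitted fields before submitting to /j_security_check.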