tomcat-users mailing list archives

From Thomas Strauß <t.stra...@srs-management.de>
Subject Re: FormAuthentication Valve changes fail with RequestListeners?
Date Fri, 30 Mar 2012 10:49:14 GMT
Hi,

thank you for the information.

We have not succeeded so far. I want to give you some more information about
what happens, plus the context.xml and the web.xml.

What we have changed versus the existing setup, which works on 7.0.11:
- We have moved the login.jsp into the protection domain (was outside
before). This did not remove the issue.
- We have changed the preemptiveAuthentication setting. This did not remove
the issue.

This is the flow through the system that we can see:

Client sends request to /portal

	/portal is not protected
	/portal/jsp/main.jsp is the welcome page and is protected (see web.xml)
	the portal context configures form authentication on the protection domain
	Tomcat redirects/forwards the incoming call to /jsp/login.jsp (protected resource)

FormAuthentication Valve is called
Request Listener is called (expected: principal is null -> OK!)
jsp/login.jsp is displayed, waiting for user
User enters information and presses submit
Client sends request to j_security_check, initiated by the browser with the form data

(something happens here?)

Realm is called: authentication succeeds, realm creates principal
	Realm provides its own implementation of the Principal object
	Realm uses a different table structure than the original DataSourceRealm

(something happens here?)

Request Listener is called (expected: principal is not null -> FAILS!)

(something happens here?)

jsp/main.jsp is called, principal in request is not null -> can be dumped to
the JSP view


Following here is the used context.xml

--- 8< ----------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<Context  antiJARLocking="false"
    antiResourceLocking="false" 
    fireRequestListenersOnForwards="true"
 preemptiveAuthentication="true">
    
  <Valve className="org.apache.catalina.valves.AccessLogValve"
    fileDateFormat="yyyy-MM-dd"
    pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;"
    prefix="portal-srs-standard."
    suffix=".log"/>
  
  
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
    changeSessionIdOnAuthentication="false"
    alwaysUseSession="true"
    landingPage="/jsp/main.jsp" />
    
  <ResourceLink global="pendb"
      name="jdbc/DataSource"
      type="javax.sql.DataSource"/>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
--- 8< ----------------------------------------------------------

Following here is the web.xml

--- 8< ----------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    version="3.0" metadata-complete="true">
    <display-name>SRS Standard Portal - PDX Application</display-name>
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>de.srs.pen.portal.utils.server.filter.SetCharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>ignore</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>RequestDumper</filter-name>
        <filter-class>org.apache.catalina.filters.RequestDumperFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>RequestDumper</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- Listeners -->
    <listener>
        <listener-class>de.srs.pen.portal.utils.server.servlet.PortalSessionManager</listener-class>
    </listener>
    <listener>
        <listener-class>de.srs.pen.portal.utils.server.ObjectLockHandler</listener-class>
    </listener>
    <listener>
        <listener-class>de.srs.pen.portal.utils.server.servlet.PortalRequestListener</listener-class>
    </listener>
    <listener>
        <listener-class>de.srs.pen.portal.app.server.PortalContextListener</listener-class>
    </listener>
    <!-- Servlets and GWT services -->
    <servlet>
        <description>Single point of entry for the web application</description>
        <display-name>DelegatingPortalServlet</display-name>
        <servlet-name>DelegatingPortalServlet</servlet-name>
        <servlet-class>de.srs.pen.portal.utils.server.servlet.DelegatingPortalServiceServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <description>gets PDF for Instance</description>
        <display-name>DisplayPDFServlet</display-name>
        <servlet-name>DisplayPDFServlet</servlet-name>
        <servlet-class>de.srs.pen.portal.utils.server.servlet.DisplayPDFServlet</servlet-class>
        <init-param>
            <param-name>DPI</param-name>
            <param-value>120</param-value>
        </init-param>
    </servlet>
    <servlet>
        <display-name>DownloadServlet</display-name>
        <servlet-name>DownloadServlet</servlet-name>
        <servlet-class>de.srs.pen.portal.utils.server.servlet.DownloadServlet</servlet-class>
    </servlet>
    <servlet>
        <display-name>DeployFormServlet</display-name>
        <servlet-name>DeployFormServlet</servlet-name>
        <servlet-class>de.srs.pen.portal.app.server.services.DeployFormServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>DelegatingPortalServlet</servlet-name>
        <url-pattern>/delegating/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>DownloadServlet</servlet-name>
        <url-pattern>/servlet/DownloadServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>DisplayPDFServlet</servlet-name>
        <url-pattern>/servlet/DisplayPDFServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>DeployFormServlet</servlet-name>
        <url-pattern>/servlet/DeployFormServlet</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>59</session-timeout>
    </session-config>
    <!-- Servlets Default page to serve -->
    <welcome-file-list>
        <welcome-file>jsp/main.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
        <error-code>403</error-code>
        <location>/error/403.jsp</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error/500.jsp</location>
    </error-page>
    <error-page>
        <error-code>408</error-code>
        <location>/error/408.jsp</location>
    </error-page>

    <security-constraint>
        <display-name>PDiX Portal</display-name>
        <web-resource-collection>
            <web-resource-name>PDX Portal Protected</web-resource-name>
            <url-pattern>/jsp/*</url-pattern>
        </web-resource-collection>
        <web-resource-collection>
            <web-resource-name>servlets</web-resource-name>
            <url-pattern>/servlet/*</url-pattern>
        </web-resource-collection>
        <web-resource-collection>
            <web-resource-name>GWT Resourcen</web-resource-name>
            <url-pattern>/StandardPortal/*</url-pattern>
        </web-resource-collection>
        <web-resource-collection>
            <web-resource-name>services</web-resource-name>
            <url-pattern>/delegating/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>authenticatedUser</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>PDXRealm</realm-name>
        <form-login-config>
            <form-login-page>/jsp/login.jsp</form-login-page>
            <form-error-page>/jsp/login.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>
    <!-- Security roles referenced by this web application -->
    <security-role>
        <role-name>authenticatedUser</role-name>
    </security-role>
</web-app>
--- 8< ----------------------------------------------------------

Kind regards

Thomas Strauß
Managing Director, Development

SRS PaperDynamix® 
WE MAKE PAPER WORK

SRS-Management GmbH 
Berliner Ring 93
64625 Bensheim 
T +49 6251 85 424 - 20 
F +49 6251 85 424 - 14
M +49 174 2110912

www.srs-management.de
www.srs-paperdynamix.de

HRB 25262 AG Darmstadt
Managing Directors: Detlev Homilius, Thomas Strauß


> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
> Sent: Thursday, 29 March 2012 22:56
> To: Tomcat Users List
> Subject: Re: FormAuthentication Valve changes fail with RequestListeners?
> 
> 2012/3/29 Thomas Strauß <t.strauss@srs-management.de>:
> > Hi,
> >
> > we have a web application using the FormAuthentication with Tomcat
> 7.0.11.
> >
> > The application provides its own realm, that is valid for the whole
> > server (configured in server.xml). The realm is based on datasource
> realm.
> >
> > The application provides request listeners that rely on the
> > request.getPrincipal() method to obtain the logged on user.
> >
> > The request listener authenticates a service framework with the
> > principal from the request.
> >
> > Tomcat 7.0.11 as stated above works with this design.
> >
> >
> > In Tomcat 7.0.26 this approach fails, because the requestlistener can
> > no longer obtain the principal using request.getPrincipal(). The call
> > returns null. A webpage (jsp) called after the listener as target of
> > the request can obtain the principal from the request as expected.
> >
> > No configuration changes have been applied between 7.0.11 and 7.0.26.
> >
> > Additionally we have experimented with various valve options, but did
> > not succeed.
> >
> > We cannot explain this behavior and think it is a bug in Tomcat.
> >
> > Any help appreciated, as currently we cannot upgrade Tomcat due to
> > this issue.
> >
> 
> > In Tomcat 7.0.26 this approach fails, because the requestlistener can
> > no longer obtain the principal using request.getPrincipal().
> 
> Is there a security constraint on the resource that the user is accessing?
> (I.e. is user accessing a protected resource?)
> 
> Look at configuration options for <Context>. See
> "preemptiveAuthentication" there.
> 
> 
> Best regards,
> Konstantin Kolinko
> 
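As an added example (not the poster's code and not Tomcat's), one way to make the service-framework login independent of where the container fires request listeners is to do the binding in a Filter rather than in a ServletRequestListener: the filter chain is built inside the servlet pipeline, after Tomcat's authenticator valve has run, so on a URL under the security-constraint the principal is already set when doFilter() is called, and the j_security_check POST itself never reaches the filter chain (the authenticator consumes it and redirects). The package name, the ServiceContext class standing in for the poster's service framework, and the list of protected prefixes are assumptions; the prefixes mirror the url-patterns of the security-constraint in the web.xml above.

```java
package de.example.portal; // hypothetical package, not the poster's

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Binds the container-authenticated principal to the current thread for the
 * duration of one request. A Filter is used instead of a
 * ServletRequestListener because the filter chain runs after Tomcat's
 * authenticator valve, so on a constrained URL getUserPrincipal() is
 * already populated here regardless of when request listeners fire.
 */
public class PrincipalBindingFilter implements Filter {

    /** Hypothetical stand-in for the poster's service-framework login. */
    public static final class ServiceContext {
        private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<Principal>();
        static void bind(Principal p) { CURRENT.set(p); }
        static void clear() { CURRENT.remove(); }
        public static Principal current() { return CURRENT.get(); }
    }

    // Mirrors the <url-pattern>s of the security-constraint in web.xml (assumed).
    private static final List<String> PROTECTED_PREFIXES =
            Arrays.asList("/jsp/", "/servlet/", "/StandardPortal/", "/delegating/");
    // The form-login page lies inside /jsp/* but is served before authentication.
    private static final String LOGIN_PAGE = "/jsp/login.jsp";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        // Context-relative path without ;jsessionid, e.g. "/jsp/main.jsp" or "/delegating/foo".
        String path = http.getServletPath()
                + (http.getPathInfo() == null ? "" : http.getPathInfo());
        Principal p = http.getUserPrincipal();

        if (p == null && isProtected(path) && !path.equals(LOGIN_PAGE)) {
            // The container must not dispatch a constrained URL without a principal;
            // treat it as a configuration error and fail closed instead of running
            // the service framework anonymously.
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        ServiceContext.bind(p); // null on unprotected URLs such as /portal itself
        try {
            chain.doFilter(req, res);
        } finally {
            ServiceContext.clear(); // never leak a principal to the next request on this thread
        }
    }

    static boolean isProtected(String path) {
        for (String prefix : PROTECTED_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

Map it in web.xml with a filter-mapping on /* like the RequestDumper and CharacterEncodingFilter above. On an unprotected URL the bound principal is null, so the framework has to tolerate that rather than treat it as a login failure; on a constrained URL a null principal is a misconfiguration and the filter refuses the request.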

