From: Christopher Schultz
Date: Mon, 18 May 2015 18:01:31 -0400
To: Tomcat Users List
Subject: Re: Tomcat valve JAAS : form error page displayed first before response reaches back to Tomcat valve

Ming Yap,

On 5/18/15 4:56 PM, Kim Ming Yap wrote:
> Now here comes the crucial point and question when it comes to JAAS.
>
> I know the benefit of JAAS - a pluggable authentication and
> authorization module.
>
> Why, in JavaEE's name, have a JAAS realm (e.g. in Tomcat) where
> the LoginModule has no access to those most important objects -
> sessions, request etc?

... because JAAS does not require you to be running within a web
context. You can use JAAS in a thick client. Or from a command-line
client. Or whatever. In those cases, what would you use for the request
or session?

> I did a bit of research .. hence other web containers like JBoss and
> Oracle WebLogic have had to build an extended version of their
> authentication module to capture those important objects ..
>
> I just don't comprehend this. This is mind boggling.

Pluggable authentication and authorization is kind of an unattainable
goal when you want it to work across any use case. You just happen to be
thinking of the web-based authentication use case, here, and it's not
matching up with your expectations. What if you wanted to use some
information about a TLS certificate for authentication? Does the JAAS
module now need to have access to the X.509 certificate as well? What
about a Smart Card? Where does that fit into your web-based view of
JAAS? It's just more complicated than you think, unfortunately.

> I have spent almost 4 weeks on trying to solve this basic problem
> when it comes to form based authentication using JAAS.
>
> 1. Valid credential -> no issue
> 2. Credential disabled due to gt 3 retries -> This message propagates to the error page
> 3. Invalid user id -> This message propagates to the error page
> 4. Invalid password -> This message propagates to the error page

You should do some reading about user-enumeration vulnerabilities and
similar things. You probably don't want to give this kind of information
to a user. Hint: the user might be an adversary, and any information you
give them is something they can use to gain access to your system.

For example: if I enter obama@whitehouse.gov as my username and you tell
me "user does not exist", I can keep trying usernames until I get one
that does exist. Great, now I know the user exists and I can keep trying
passwords until I get in.

If you tell me "credentials disabled", then I will know when I've
tripped some kind of maximum login-attempt trigger that will (likely)
disable the user for a while. So, I'll adjust my attack strategy so that
I only try each user 3 times because I know that after that, they will
be disabled.

If you have a hard business requirement to tell the user why they aren't
being permitted to login, you might want to go back to whoever wrote
those requirements and ask them to review them from a security
perspective.
-chris
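As an added example (not code from the thread, from Tomcat or from JAAS itself), here is a JAAS LoginModule that follows Chris's advice: it still distinguishes the three failure cases listed above internally and writes them to the server log, but the message that propagates to the form error page is the same for all of them. The class name, the in-memory user store and the retry counter are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule (added example, not Tomcat's or JAAS's own code): every
// failure reaches the form error page as one generic message; the real cause is logged.
public class UniformFailureLoginModule implements LoginModule {
    private static final Logger LOG = Logger.getLogger("auth");
    private static final String GENERIC = "Invalid username or password";
    private static final int MAX_RETRIES = 3;
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray()); // constructed sample store
    private static final Map<String, Integer> FAILURES = new HashMap<>();                    // per-user failure counters
    private Subject subject; private CallbackHandler handler;
    private String user; // set only once login() has succeeded

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(GENERIC); }
        String name = nc.getName();
        char[] given = pc.getPassword(); // getPassword() returns a copy; clear the callback's own
        pc.clearPassword();
        // Work out which of the thread's three failure cases applies, but keep it server-side.
        char[] expected = USERS.get(name);
        String cause = expected == null ? "invalid user id"
                     : FAILURES.getOrDefault(name, 0) >= MAX_RETRIES ? "credential disabled after " + MAX_RETRIES + " retries"
                     : !Arrays.equals(expected, given) ? "invalid password" : null;
        if (given != null) Arrays.fill(given, '\0');
        if (cause != null) {
            FAILURES.merge(name, 1, Integer::sum);
            LOG.warning("login failed for '" + name + "': " + cause); // detection signal stays in the log
            throw new FailedLoginException(GENERIC);                 // identical text for all three causes
        }
        FAILURES.remove(name);
        user = name;
        return true;
    }

    @Override public boolean commit() { // expose the authenticated name as a java.security.Principal
        if (user != null) subject.getPrincipals().add(() -> user);
        return user != null;
    }
    @Override public boolean abort() { user = null; return true; }
    @Override public boolean logout() { user = null; return true; }
}
```

The unknown-user branch skips the password comparison, so response timing still differs between cases; a production module should perform a dummy comparison there so that timing does not leak what the message no longer says.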