tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: HTTP 400 with Form based authentication
Date Tue, 01 Sep 2015 16:14:03 GMT

Sreyan,

On 8/31/15 3:20 PM, Sreyan Chakravarty wrote:
> Ok I found FormAuthenticator and landingPage attribute in it in the
> source.

You shouldn't need to look at the source.

> But how do I use that in my application ? What do I do ?

You configure the FormAuthenticationValve in your application's
META-INF/context.xml file.
http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Introduction

The intro says you can configure any Valve in any of the following
"Catalina container[s] (Engine, Host, or Context)." Just make it a new
child of the <Context> element you should already have.

> Any documentation for this ?

Just what you have already read:

<Context>
  <Valve className="name.of.valve.class"
    ... other configuration attributes ...
    />
</Context>

-chris

> On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty < 
> sreyan.mailing@gmail.com> wrote:
> 
>> Well Christopher thanks for that eye opener. I didn't know that
>> the specs were so inconsistent.
>> 
>> Okay now regarding your comment-:
>> 
>> "Servlet 3.0 added the HttpServletRequest.login() method, which
>> improved the situation greatly: you can implement your own login
>> handler that plugs-into the authentication services of the
>> container. It's just that the container doesn't handle any
>> redirection to a login page (none is required) or credential
>> capturing (easily done with a servlet)."
>> 
>> How do you implement your own login handler and how do you plug
>> that into Tomcat Auth services. Can you provide some info as to
>> how I would do that ?
>> 
>> And what is the extension to FORM Authenticator that Mark is
>> talking about ?
>> 
>> Also correct me if I am wrong, then the page that I use to login
>> and the page that will contain j_security_check as an action must
>> be two different pages.
>> 
>> Also can I have two <login-config> elements in my web.xml ?
>> 
>> On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz < 
>> chris@christopherschultz.net> wrote:
>> 
> Sreyan,
> 
> On 8/31/15 1:39 PM, Sreyan Chakravarty wrote:
>>>>> First of all I did read the Servlet Spec, it provided no
>>>>> hint as to what I was doing wrong.
>>>>> 
>>>>> So you are saying that I can't have a login form on the
>>>>> page when the welcome page ? Why not ? Tons of sites have
>>>>> just that, like Twitter and Facebook. It seems weird why I
>>>>> can't have it on my welcome page.
> 
> Oh, you can do it, but you'll have to implement it yourself. Go 
> re-read the spec's section on how FORM authentication works. Note
> that you are required to attempt to access a protected page before
> being asked for authentication. I think it's a big hole in the spec
> that should be filled, but anything Tomcat would do for you here
> is, by definition, out-of-spec.
> 
>>>>> And wait a minute. You are telling me that I have to first
>>>>> point my web browser to /teacher/success.jsp and then when
>>>>> I get the login page and login ?
> 
> Yes.
> 
>>>>> Why can't I do the following-:
>>>>> 
>>>>> First login from the login page and then go to
>>>>> success.jsp?
> 
> You sure can do that, but you can't use j_security_check as
> your POST target. Instead, you have to write your own Servlet and
> then (probably) call HttpServletRequest.login() from there, then
> redirect the user to wherever you want them to go.
> 
>>>>> Why do I have to first hit an auth error and then be
>>>>> redirected back to login and then provide my user/pass
>>>>> combo ?
> 
> This is spec-defined behavior.
> 
>>>>> So how do you code a login module ? Where I can login first
>>>>> and then go to my resources ?
> 
> What's a "login module"?
> 
>>>>> This is indeed weird.
> 
> It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But 
> certainly not weird.
> 
> Servlet 3.0 added the HttpServletRequest.login() method, which
> improved the situation greatly: you can implement your own login
> handler that plugs-into the authentication services of the
> container. It's just that the container doesn't handle any
> redirection to a login page (none is required) or credential
> capturing (easily done with a servlet).
> 
> Really the only thing the servlet spec is missing is a setting in 
> <form-login> like <default-landing-page> or something like that,
> so that if you try to login with j_security_check and you hadn't
> already requested a protected resource, the container knows where
> to send the user after authentication.
> 
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
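
A sketch of the "write your own Servlet and call HttpServletRequest.login()" approach described in the thread, added here as an example; it is not code from the original messages or from the Tomcat project. The class name, the /do-login URL pattern, the form field names and /login.jsp are assumptions; /teacher/success.jsp is the protected page mentioned in the thread.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. The class name, URL pattern, form field names and
// /login.jsp are assumptions; /teacher/success.jsp is the page from the thread.
@WebServlet("/do-login")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Fixed, context-relative targets. The redirect target is never read
    // from a request parameter, so the handler cannot act as an open redirect.
    private static final String LANDING_PAGE = "/teacher/success.jsp";
    private static final String LOGIN_FAILED = "/login.jsp?error=1";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendRedirect(req.getContextPath() + LOGIN_FAILED);
            return;
        }
        // login() throws ServletException if the request is already
        // authenticated, so drop any existing identity first.
        if (req.getUserPrincipal() != null) {
            req.logout();
        }
        // Make sure a session exists so the container can keep the
        // authenticated identity for later requests.
        req.getSession(true);
        try {
            req.login(user, pass); // validated against the webapp's Realm
        } catch (ServletException e) {
            // Same response for unknown user and wrong password.
            resp.sendRedirect(req.getContextPath() + LOGIN_FAILED);
            return;
        }
        // Servlet 3.1 (Tomcat 8): new session ID after authentication,
        // so an ID planted before login is useless afterwards.
        req.changeSessionId();
        resp.sendRedirect(req.getContextPath() + LANDING_PAGE);
    }
}
```

Only doPost is implemented, so a GET to the handler is rejected and credentials are not accepted from a query string. The login form on the welcome page posts to /do-login instead of j_security_check.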

