tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sreyan Chakravarty <sreyan.mail...@gmail.com>
Subject Re: HTTP 400 with Form based authentication
Date Mon, 07 Sep 2015 13:56:12 GMT
I did what you said. That is pointing the web browser to a protected
resource without authentication and then logging in. It works perfectly IF
AND ONLY IF the credentials are ABSOLUTELY correct. Otherwise I am getting
undefined behavior an thats where I need your help now.

First-: If I provide an invalid user-id and valid/invalid password I am
getting the following error-:

HTTP Status 500 -

java.lang.NullPointerException
org.apache.catalina.realm.DigestCredentialHandlerBase.matchesSaltIterationsEncoded(DigestCredentialHandlerBase.java:147)
org.apache.catalina.realm.SecretKeyCredentialHandler.matches(SecretKeyCredentialHandler.java:73)
org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:297)
org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:267)
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:272)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:452)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1085)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)

Now I thought that when invalid credentials of any kind are given Tomcat is
supposed to take you to the <form-error-page>. Then why is it I am getting
a 500 error. Clearly something is wrong from my side or else the
<form-error-page>
is invoked under different circumstances.


Secondly-: If I provide a valid user-id and invalid password I am again not
redirected to the form-error-page I am kept in j_security_check. How do I
show the user that is credentials are wrong ?


Also can I webapp have different realms ? If so how do you distinguish them
? I was looking at the RealmBase source and I haven't noticed a place for
realmName. If not then what is the use of the <realmName> element in
web.xml ?

The example that you have provided -:

request.login(req.getParameter("username"),
                  req.getParameter("password"));

Which realm would it use if there were multiple realms available ?

Thanks for your patience in helping me Christopher.

Regards
Sreyan Chakravarty

On Tue, Sep 1, 2015 at 9:44 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Sreyan,
>
> On 8/31/15 3:20 PM, Sreyan Chakravarty wrote:
> > Ok I found FormAuthenticator and landingPage attribute in it in the
> > source.
>
> You shouldn't need to look at the source.
>
> > But how do I use that in my application ? What do I do ?
>
> You configure the FormAuthenticationValve in your application's
> META-INF/context.xml file.
> http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Introduction
>
> The intro says you can configure any Valve in any of the following
> "Catalina container[s] (Engine, Host, or Context)." Just make it a new
> child of the <Context> element you should already have.
>
> > Any documentation for this ?
>
> Just what you have already read:
>
> <Context>
>   <Valve className="name.of.valve.class"
>     ... other configuration attributes ...
>     />
> </Context>
>
> - -chris
>
> > On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty <
> > sreyan.mailing@gmail.com> wrote:
> >
> >> Well Christopher thanks for that eye opener. I didn't know that
> >> the specs were so inconsistent.
> >>
> >> Okay now regarding your comment-:
> >>
> >> "Servlet 3.0 added the HttpServletRequest.login() method would
> >> improved the situation greatly: you can implement your own login
> >> handler that plugs-into the authentication services of the
> >> container. It's just that the container doesn't handle any
> >> redirection to a login page (none is required) or credential
> >> capturing (easily done with a servlet)."
> >>
> >> How do you implement your own login handler and how do you plug
> >> that into Tomcat Auth services. Can you provide some info as to
> >> how I would do that ?
> >>
> >> And what is the extension to FORM Authenticator that Mark is
> >> talking about ?
> >>
> >> Also correct me if I am wrong, then the page that I use to login
> >> and the page that will contain j_security_check as an action must
> >> be two different pages.
> >>
> >> Also can I have two <login-config> elements in my web.xml ?
> >>
> >> On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz <
> >> chris@christopherschultz.net> wrote:
> >>
> > Sreyan,
> >
> > On 8/31/15 1:39 PM, Sreyan Chakravarty wrote:
> >>>>> First of all I did read the Servlet Spec, it provided no
> >>>>> hint as to what I was doing wrong.
> >>>>>
> >>>>> So you are saying that I can't have a login form on the
> >>>>> page when the welcome page ? Why not ? Tons of site have
> >>>>> just that, like Twitter and Facebook. It seems weird why I
> >>>>> can't have it on my welcome page.
> >
> > Oh, you can do it, but you'll have to implement it yourself. Go
> > re-read the spec's section on how FORM authentication works. Note
> > that you are required to attempt to access a protected page before
> > being asked for authentication. I think it's a big hole in the spec
> > that should be filled, but anything Tomcat would do for you here
> > is, by definition, out-of-spec.
> >
> >>>>> And wait a minute. You are telling me that I have to first
> >>>>> point my web browser to /teacher/success.jsp and then when
> >>>>> I get the login page and login  ?
> >
> > Yes.
> >
> >>>>> What can't I do the following-:
> >>>>>
> >>>>> First login from the login page and then go to
> >>>>> success.jsp?
> >
> > You sure can do that, but you can't use j_security_check as
> > yourPOST target. Instead, you have to write your own Servlet and
> > then (probably) call HttpServletRequest.login() from there, then
> > redirect the user to wherever you want them to go.
> >
> >>>>> Why do I have to first hit an auth error and then be
> >>>>> redirected back to login and then provide my user/pass
> >>>>> combo ?
> >
> > This is spec-defined behavior.
> >
> >>>>> So how do you code a login module ? Where I can login first
> >>>>> and then go to my resources ?
> >
> > What's a "login module"?
> >
> >>>>> This is indeed weird.
> >
> > It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But
> > certainly not weird.
> >
> > Servlet 3.0 added the HttpServletRequest.login() method would
> > improved the situation greatly: you can implement your own login
> > handler that plugs-into the authentication services of the
> > container. It's just that the container doesn't handle any
> > redirection to a login page (none is required) or credential
> > capturing (easily done with a servlet).
> >
> > Really the only thing the servlet spec is missing is a setting in
> > <form-login> like <default-landing-page> or something like that,
> > so that if you try to login with j_security_check and you hadn't
> > already requested a protected resource, the container knows where
> > to send the user after authentication.
> >
> > -chris
> >>>
> >>> --------------------------------------------------------------------
> - -
> >>>
> >>>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>
> >>>
> >>
> >
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJV5c7LAAoJEBzwKT+lPKRYBkoP/RCzs3LjRGedna+GYX1KP7nD
> eeQseNjfe+nCC9w0hkUUklTxA7ikC92IJHxfoBNKOwjEzIBBrT1stoR1rwUAjMRp
> dBZ44EjxybDYHQgCJkLdFQXD0q3+SH4kYDguVNJNSl8vpYQ4ehTj7RDV0mlf7USz
> rLgwZ/4WZh/QU3VMf0R+xYbnz/nkbzAMiIn9ZGMa/R26tBWT1AEWbP7ntGw6qFgM
> i4FhElMb21cJYSrU6eAvTvJpJR97ziBnCLauZxBmfiioIH09iutXqrG8F/q3Ou42
> 9mBEPCqYTwj6ZznSX5nXbujllNTdtSJNfZUfuCLRgV+fzEhfYuDflnptIPDMjg/9
> HH1WCozm/sAvLh/z3Gn0uPpALhTzT0b4rHlH8rksJqZlQ/0vaEO14HQgvhe3/DbM
> DCo8MCU/QTq7CILd1eB1l4kfiIDkc4XFUxYkdnUWCwvLelWWRMUB3Zd5B9gYefdK
> iJ3ivzwwd5GJURb/S+KAucJCHaN6gIkLE3z3IIb/Q/LUsc1AT+8mdwCMeExsr7N2
> 5wg9B64SviroD3Ab86lL/8MVan525YGuM/h4xUjn5v90Nv7Bm+9jZBCA3M1/FzbW
> XrrH5lFs/E4LJKOCGbM8sLNUbsYoa6nN1WI3XHovJkgnKnaVhA24MmEE0dN1GvDf
> P3TvUkHPDy2+b6MfN/x9
> =FCGh
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message