Subject: Re: HTTP 400 with Form based authentication
From: Sreyan Chakravarty
To: Tomcat Users List <users@tomcat.apache.org>
Date: Mon, 7 Sep 2015 19:26:12 +0530
In-Reply-To: <55E5CECB.6010806@christopherschultz.net>

I did what you said. That is, pointing the web browser to a protected resource without authentication and then logging in. It works perfectly IF AND ONLY IF the credentials are ABSOLUTELY correct. Otherwise I am getting undefined behavior, and that's where I need your help now.
First: If I provide an invalid user-id and a valid/invalid password I am getting the following error:

HTTP Status 500 - java.lang.NullPointerException
    org.apache.catalina.realm.DigestCredentialHandlerBase.matchesSaltIterationsEncoded(DigestCredentialHandlerBase.java:147)
    org.apache.catalina.realm.SecretKeyCredentialHandler.matches(SecretKeyCredentialHandler.java:73)
    org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:297)
    org.apache.catalina.realm.DataSourceRealm.authenticate(DataSourceRealm.java:267)
    org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:272)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:452)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1085)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
    org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:745)

Now I thought that when invalid credentials of any kind are given Tomcat is supposed to take you to the <form-error-page>. Then why is it I am getting a 500 error? Clearly something is wrong on my side, or else the <form-error-page> is invoked under different circumstances.
Secondly: If I provide a valid user-id and an invalid password I am again not redirected to the form-error-page; I am kept in j_security_check. How do I show the user that his credentials are wrong?

Also, can a webapp have different realms? If so, how do you distinguish them? I was looking at the RealmBase source and I haven't noticed a place for realmName. If not, then what is the use of the <realm-name> element in web.xml?

The example that you have provided:

    request.login(req.getParameter("username"), req.getParameter("password"));

Which realm would it use if there were multiple realms available?

Thanks for your patience in helping me Christopher.

Regards
Sreyan Chakravarty

On Tue, Sep 1, 2015 at 9:44 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> Sreyan,
>
> On 8/31/15 3:20 PM, Sreyan Chakravarty wrote:
> > Ok I found FormAuthenticator and landingPage attribute in it in the
> > source.
>
> You shouldn't need to look at the source.
>
> > But how do I use that in my application ? What do I do ?
>
> You configure the FormAuthenticationValve in your application's
> META-INF/context.xml file.
> http://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Introduction
>
> The intro says you can configure any Valve in any of the following
> "Catalina container[s] (Engine, Host, or Context)." Just make it a new
> child of the <Context> element you should already have.
>
> > Any documentation for this ?
>
> Just what you have already read:
>
>   <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
>          ... other configuration attributes ...
>   />
>
> -chris
>
> > On Tue, Sep 1, 2015 at 12:46 AM, Sreyan Chakravarty <
> > sreyan.mailing@gmail.com> wrote:
> >
> >> Well Christopher thanks for that eye opener. I didn't know that
> >> the specs were so inconsistent.
> >>
> >> Okay now regarding your comment:
> >>
> >> "Servlet 3.0 added the HttpServletRequest.login() method, which
> >> improved the situation greatly: you can implement your own login
> >> handler that plugs into the authentication services of the
> >> container. It's just that the container doesn't handle any
> >> redirection to a login page (none is required) or credential
> >> capturing (easily done with a servlet)."
> >>
> >> How do you implement your own login handler and how do you plug
> >> that into Tomcat Auth services? Can you provide some info as to
> >> how I would do that?
> >>
> >> And what is the extension to FORM Authenticator that Mark is
> >> talking about?
> >>
> >> Also correct me if I am wrong, then the page that I use to login
> >> and the page that will contain j_security_check as an action must
> >> be two different pages.
> >>
> >> Also can I have two elements in my web.xml?
> >>
> >> On Mon, Aug 31, 2015 at 11:19 PM, Christopher Schultz <
> >> chris@christopherschultz.net> wrote:
> >>
> > Sreyan,
> >
> > On 8/31/15 1:39 PM, Sreyan Chakravarty wrote:
> >>>>> First of all I did read the Servlet Spec, it provided no
> >>>>> hint as to what I was doing wrong.
> >>>>>
> >>>>> So you are saying that I can't have a login form on the
> >>>>> welcome page? Why not? Tons of sites have
> >>>>> just that, like Twitter and Facebook. It seems weird why I
> >>>>> can't have it on my welcome page.
> >
> > Oh, you can do it, but you'll have to implement it yourself. Go
> > re-read the spec's section on how FORM authentication works. Note
> > that you are required to attempt to access a protected page before
> > being asked for authentication. I think it's a big hole in the spec
> > that should be filled, but anything Tomcat would do for you here
> > is, by definition, out-of-spec.
> >
> >>>>> And wait a minute.
> >>>>> You are telling me that I have to first
> >>>>> point my web browser to /teacher/success.jsp and then when
> >>>>> I get the login page and login?
> >
> > Yes.
> >
> >>>>> Why can't I do the following:
> >>>>>
> >>>>> First login from the login page and then go to
> >>>>> success.jsp?
> >
> > You sure can do that, but you can't use j_security_check as
> > your POST target. Instead, you have to write your own Servlet and
> > then (probably) call HttpServletRequest.login() from there, then
> > redirect the user to wherever you want them to go.
> >
> >>>>> Why do I have to first hit an auth error and then be
> >>>>> redirected back to login and then provide my user/pass
> >>>>> combo?
> >
> > This is spec-defined behavior.
> >
> >>>>> So how do you code a login module? Where I can login first
> >>>>> and then go to my resources?
> >
> > What's a "login module"?
> >
> >>>>> This is indeed weird.
> >
> > It's a (giant, gaping) hole in the spec. Inconvenient, maybe. But
> > certainly not weird.
> >
> > Servlet 3.0 added the HttpServletRequest.login() method, which
> > improved the situation greatly: you can implement your own login
> > handler that plugs into the authentication services of the
> > container. It's just that the container doesn't handle any
> > redirection to a login page (none is required) or credential
> > capturing (easily done with a servlet).
> >
> > Really the only thing the servlet spec is missing is a setting in
> > like or something like that,
> > so that if you try to login with j_security_check and you hadn't
> > already requested a protected resource, the container knows where
> > to send the user after authentication.
> >
> > -chris
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>> For additional commands, e-mail: users-help@tomcat.apache.org
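The custom login servlet that Chris describes (POST to your own servlet, call HttpServletRequest.login(), then redirect), written out as an added example; this is not code from the thread, from Tomcat, or from either participant. The servlet path /login, the pages /login.jsp and /index.jsp, the form field names and the "target" parameter are assumptions for illustration. It also covers the two failure cases Sreyan hit: an unknown user-id and a wrong password are both turned into one generic redirect back to the form, so the form neither 500s nor reveals which half of the credentials was wrong. login() authenticates against the Realm that applies to the Context (the innermost of Engine, Host or Context); if several backends are needed, Tomcat's CombinedRealm presents them to the Context as that single Realm.

```java
// Added example (not from the thread or Tomcat): a Servlet 3.x login
// servlet that replaces j_security_check so the login form can live on
// the welcome page. Names (/login, /login.jsp, /index.jsp, "target") are
// assumptions for illustration.
package example.auth;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    private static final String LOGIN_PAGE = "/login.jsp";     // assumed form page
    private static final String DEFAULT_TARGET = "/index.jsp"; // assumed landing page

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        // Missing fields are handled exactly like bad credentials: one
        // generic error, so the form never reveals whether the user-id exists.
        if (user == null || user.isEmpty() || pass == null) {
            fail(req, resp);
            return;
        }

        try {
            // Authenticates against the Realm configured for this Context.
            // Throws ServletException for an unknown user, a wrong password,
            // or when the request is already authenticated.
            req.login(user, pass);
        } catch (ServletException e) {
            fail(req, resp);
            return;
        }

        // Session fixation defence: issue a fresh session id now that the
        // principal has changed (Servlet 3.1). FormAuthenticator does the
        // same via its changeSessionIdOnAuthentication attribute.
        req.getSession(true);   // login() normally created one already
        req.changeSessionId();

        resp.sendRedirect(req.getContextPath() + safeTarget(req.getParameter("target")));
    }

    // Back to the form with a flag the JSP can render as "invalid
    // credentials"; the submitted values are never echoed.
    private void fail(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.sendRedirect(req.getContextPath() + LOGIN_PAGE + "?error=1");
    }

    // Only a context-relative path may be used as the post-login target;
    // anything with a scheme or authority (e.g. "//evil.example") falls
    // back to the default page, which blocks open redirects.
    static String safeTarget(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return DEFAULT_TARGET;
        }
        try {
            URI u = new URI(target);
            if (u.getScheme() != null || u.getAuthority() != null) {
                return DEFAULT_TARGET;
            }
        } catch (URISyntaxException e) {   // e.g. backslashes or spaces
            return DEFAULT_TARGET;
        }
        return target;
    }
}
```

The welcome page's form posts to ${pageContext.request.contextPath}/login instead of j_security_check, so no protected resource has to be requested first; /login.jsp stays a separate, unprotected page that renders the generic message when error=1 is present.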
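For the other route discussed above (keep j_security_check and tame its misuse), this is an added example of the META-INF/context.xml fragment Chris points at, not a file from the thread; the page paths are assumptions. landingPage is the FormAuthenticator attribute Sreyan found in the source: when set, a client that reaches j_security_check without having first requested a protected resource is sent to that page after authentication instead of receiving an error such as the HTTP 400 in this thread's subject. changeSessionIdOnAuthentication is already true by default and is shown only so the session-fixation control is visible next to it.

```xml
<!-- META-INF/context.xml (added example, not from the thread); paths are assumed -->
<Context>
  <!-- Replaces the default FORM authenticator for this web application.
       landingPage: destination after a login that was not preceded by a
       request for a protected resource (or whose session expired on the
       form), instead of an error response.
       changeSessionIdOnAuthentication: new session id once the user is
       authenticated (default true; defeats session fixation). -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         landingPage="/index.jsp"
         changeSessionIdOnAuthentication="true" />
</Context>
```

The Valve must be a direct child of the Context element; the web.xml login-config (login-page, form-error-page) is unchanged, and the form keeps posting to j_security_check.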