Posted to dev@click.apache.org by Ivan Furdi <iv...@uniplus.hr> on 2010/03/26 08:48:38 UTC

Authentication with "injection"

Hi all,

I am making an application with the click framework which will be called 
from another application with a GET request.

The development is going fluently (nice work on the click framework btw) but 
I'm stuck at the step where I have
to call the click application from the other app. I'm using form-based 
authentication and I protected the needed resources,
but now when I call the app "from outside" I always get the login screen.
I know that's the normal behaviour but I want to ask if there's some way 
to skip the login screen using supplied
request parameters (for example username and password)? I know this is 
not very secure but I need it for
a test.

I'm a bit green in security area so if someone can recommend some topics 
to study I would be very thankful.

Regards,
Ivan



Re: Authentication with "injection"

Posted by Bob Schellink <sa...@gmail.com>.
Hi Ivan,


On 26/03/2010 06:48 PM, Ivan Furdi wrote:

> I know that's the normal behaviour but I want to ask if there's some way
> to skip the login screen using supplied
> request parameters (for example username and password)? I know this is
> not very secure but I need it for
> a test.


This will depend on your security framework. If you are using JEE security then you will be 
dependent on whether the servlet container provides a way to programmatically log in via request 
parameters. For Tomcat see this email which explains how to create a Filter to fake out certain APIs 
to make the login work:

http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg41324.html

You could also try to simulate a login from the remote site (do a POST to /j_security_check), grab 
the JSESSIONID cookie, and set it as a cookie for your next request to the server.

Alternative options are to use a different security framework such as Spring Security or Apache 
Shiro. They allow you to programmatically log in.

You can find links to these projects here:

http://click.apache.org/docs/user-guide/html/ch05.html#alternatve-security-solutions

Before rolling to production, ensure the site login page is accessed through HTTPS so that the 
username/password is not sent as cleartext.


>
> I'm a bit green in security area so if someone can recommend some topics
> to study I would be very thankful.


The login side of security in JEE is not as simple as it should be. The upcoming Servlet 3.0 spec 
addresses some of this by adding login/logout API to the ServletRequest:

Let me know if you have other questions.

kind regards

bob
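The "simulate a login from the remote site" option above, written out as an added example. This is not code from the thread, from Click or from Tomcat: the client side makes the three requests a calling application has to make (fetch the protected page, POST the credentials to /j_security_check, replay the JSESSIONID cookie), and it runs against a small in-process stand-in for a container's form authenticator that is constructed here so the example works offline. The account name and password, the protected path and the stand-in's behaviour are assumptions for the example. Two details the stand-in copies from Tomcat's FormAuthenticator are worth knowing when you script this against a real container: a POST to j_security_check with no previously saved request is refused with 400 "Invalid direct reference to form login page", so the protected page must be requested first, and the session id is changed at login, so the cookie to replay is the one from the j_security_check response, not the one from the first request.

```python
"""Added example, not code from the thread, Click or Tomcat: script a servlet
FORM login (POST to /j_security_check) and replay the JSESSIONID cookie, against
a constructed stand-in for a container's form authenticator. Names are assumed."""
import http.client
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

VALID_USER, VALID_PASS = "alice", "s3cret"  # assumed account, not from the page
PROTECTED_PATH = "/app/report.htm"          # assumed protected resource


class FormAuthStandIn(BaseHTTPRequestHandler):
    """Imitates FORM auth: an unauthenticated GET of a protected URL gets the
    login page and a session remembering the URL; a good POST to /j_security_check
    rotates the session id and redirects to the saved URL; a POST with no saved
    request is refused with 400, as Tomcat does."""
    sessions = {}  # JSESSIONID -> {"saved": path or None, "user": name or None}

    def _session(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["JSESSIONID"].value if "JSESSIONID" in jar else None
        return sid, self.sessions.get(sid)

    def _issue(self, state):
        sid = secrets.token_hex(16)
        self.sessions[sid] = state
        return sid

    def do_GET(self):
        sid, sess = self._session()
        if sess and sess["user"]:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"hello {sess['user']}".encode())
            return
        sid = self._issue({"saved": self.path, "user": None})
        self.send_response(200)  # login page served in place of the resource
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(b"<form method='post' action='/j_security_check'>...</form>")

    def do_POST(self):  # only /j_security_check is expected here
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        sid, sess = self._session()
        if sess is None or sess["saved"] is None:
            self.send_error(400, "Invalid direct reference to form login page")
            return
        if form.get("j_username") != [VALID_USER] or form.get("j_password") != [VALID_PASS]:
            self.send_error(403, "Login failed")
            return
        del self.sessions[sid]  # rotate the id at login (session-fixation defence)
        new_sid = self._issue({"saved": None, "user": VALID_USER})
        self.send_response(302)
        self.send_header("Set-Cookie", f"JSESSIONID={new_sid}; Path=/; HttpOnly")
        self.send_header("Location", sess["saved"])
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the example quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FormAuthStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv  # srv.server_address[1] is the port


def _request(host, port, method, path, body=None, sid=None):
    """One exchange on a fresh connection -> (status, response, body text)."""
    headers = {"Cookie": f"JSESSIONID={sid}"} if sid else {}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    text = resp.read().decode()
    conn.close()
    return resp.status, resp, text


def _jsessionid(resp):
    jar = SimpleCookie(resp.getheader("Set-Cookie") or "")
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None


def login_and_fetch(host, port, user, password):
    """The three requests the calling application has to make."""
    _, r1, _ = _request(host, port, "GET", PROTECTED_PATH)  # 1. make the container save a request
    sid = _jsessionid(r1)
    form = urlencode({"j_username": user, "j_password": password})  # 2. credentials in the body
    status, r2, _ = _request(host, port, "POST", "/j_security_check", body=form, sid=sid)
    if status != 302:
        return status, None
    sid = _jsessionid(r2) or sid  # 3. the id may have been rotated: use the new one
    status, _, page = _request(host, port, "GET", r2.getheader("Location"), sid=sid)
    return status, page


def direct_post_status(host, port, user, password):  # skipping step 1: no saved request
    form = urlencode({"j_username": user, "j_password": password})
    return _request(host, port, "POST", "/j_security_check", body=form)[0]
```

To try it, call start_server() and then login_and_fetch("127.0.0.1", srv.server_address[1], VALID_USER, VALID_PASS); against a real container, point host and port at Tomcat and use http.client.HTTPSConnection instead of HTTPConnection, for the reason given in the reply above: the credentials go over the wire on the j_security_check request. Note also that the client puts j_username and j_password in the POST body, not in the query string of a GET as the original question proposed; a password in a URL is written to the server's access log, to any proxy log, to browser history and to the Referer header of the next request, so even for a test it should not travel that way.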