Posted to users@tomcat.apache.org by rpr_listas <rp...@telefonica.net> on 2007/07/03 10:45:22 UTC

Form authentication with captcha...

Hi all!

I'm thinking of implementing a captcha 
(http://en.wikipedia.org/wiki/Captcha) protection for web-based 
authentication. I'm looking in the tomcat source and the form 
authentication seems to be implemented by the 
org.apache.catalina.authenticator.FormAuthenticator class.  But I'm not 
sure if changing this class is the right way.

Are there other, better methods to do this?
Must I change the FormAuthenticator class, or must I extend it in another 
class and refer to it in the tomcat configuration?

Thanks in advance and best regards.
Ricardo.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Form authentication with captcha...

Posted by David Smith <dn...@cornell.edu>.
I think what you are after is well beyond tomcat's realm 
authentication/authorization implementation. 

You could implement your own login page and filter (notice I didn't 
mention realm).  The login page/servlet can validate users, track the 
error rate and opt for showing CAPTCHA as necessary.  The filter would 
simply check for valid login and redirect to the login page/servlet as 
necessary. 

To fully mimic the tomcat realm for the rest of the app, wrap the 
request overriding the getRemoteUser() method to return the username of 
the logged in user.  That's as easy as extending HttpServletRequestWrapper.

--David

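The approach David describes (login servlet plus filter plus a request wrapper, with no realm involved), as an added example that is not part of the thread and not Tomcat code. It counts consecutive failures per client IP and only demands a CAPTCHA after the second one, which is the rule Ricardo asks for elsewhere in the thread. `UserStore` and `CaptchaService` are hypothetical interfaces the application would supply as servlet-context attributes; the servlet is assumed to be mapped to `/login` and the filter to the protected URL space in `web.xml`.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

public final class CaptchaLogin {

    /** Hypothetical user store; a real one compares against a salted hash. */
    public interface UserStore { boolean check(String user, String password); }
    /** Hypothetical CAPTCHA service; the expected answer lives in the session, never in the form. */
    public interface CaptchaService { boolean verify(HttpSession session, String answer); }

    static final String USER_ATTR = "auth.user";
    static final String TARGET_ATTR = "auth.target";
    static final int FAILURES_BEFORE_CAPTCHA = 2;
    /** Consecutive failures per client IP (single JVM; a cluster needs a shared store). */
    static final Map<String, Integer> failures = new ConcurrentHashMap<>();

    static boolean captchaRequired(String ip) {
        return failures.getOrDefault(ip, 0) >= FAILURES_BEFORE_CAPTCHA;
    }

    /** Login endpoint: GET renders the form, POST validates it. */
    public static final class LoginServlet extends HttpServlet {
        private UserStore users;
        private CaptchaService captcha;

        @Override public void init() {
            // Assumption: the application registered both services as context attributes.
            users = (UserStore) getServletContext().getAttribute("userStore");
            captcha = (CaptchaService) getServletContext().getAttribute("captchaService");
        }

        @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            // The JSP (assumed at /WEB-INF/login.jsp) renders the CAPTCHA only when this flag is set.
            req.setAttribute("showCaptcha", captchaRequired(req.getRemoteAddr()));
            req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
        }

        @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            String ip = req.getRemoteAddr();
            HttpSession old = req.getSession(false);
            boolean ok;
            if (captchaRequired(ip) && (old == null || !captcha.verify(old, req.getParameter("captcha")))) {
                ok = false;  // CAPTCHA gate first: the password is not even checked until it is solved
            } else {
                String user = req.getParameter("username"), pw = req.getParameter("password");
                ok = user != null && pw != null && users.check(user, pw);
            }
            if (!ok) {
                failures.merge(ip, 1, Integer::sum);       // one more consecutive failure for this IP
                resp.sendRedirect(req.getContextPath() + "/login?error=1");
                return;
            }
            failures.remove(ip);                            // success resets the counter
            String target = old == null ? null : (String) old.getAttribute(TARGET_ATTR);
            if (old != null) old.invalidate();              // fresh session id after login (session fixation)
            req.getSession(true).setAttribute(USER_ATTR, req.getParameter("username"));
            resp.sendRedirect(target != null ? target : req.getContextPath() + "/");
        }
    }

    /** Filter on the protected URL space: anonymous requests go to /login, others are wrapped. */
    public static final class AuthFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }
        @Override public void doFilter(ServletRequest sreq, ServletResponse sresp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) sreq;
            HttpServletResponse resp = (HttpServletResponse) sresp;
            HttpSession session = req.getSession(false);
            String user = session == null ? null : (String) session.getAttribute(USER_ATTR);
            if (user == null) {
                // Remember the server-relative URI so the login servlet can send the user back.
                req.getSession(true).setAttribute(TARGET_ATTR, req.getRequestURI());
                resp.sendRedirect(req.getContextPath() + "/login");
                return;
            }
            chain.doFilter(new AuthenticatedRequest(req, user), resp);
        }
    }

    /** Makes getRemoteUser()/getUserPrincipal() look like container-managed security to the app. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final String user;
        AuthenticatedRequest(HttpServletRequest req, String user) { super(req); this.user = user; }
        @Override public String getRemoteUser() { return user; }
        @Override public Principal getUserPrincipal() { return () -> user; }
    }
}
```

Two caveats worth knowing before relying on the per-IP counter: behind a reverse proxy `getRemoteAddr()` is the proxy, so the real client address has to come from a forwarded header that only a trusted proxy is allowed to set; and counting by IP alone means a NATed office shares one counter while a distributed attacker sees a fresh one per address, so the CAPTCHA threshold is a friction measure, not a lockout.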




Re: Form authentication with captcha...

Posted by rpr_listas <rp...@telefonica.net>.
Hi David,

I don't like the realm because I don't want to implement a new 
authentication repository, I only want to implement a new authentication 
method. Doing this at the realm level limits the possibilities of the 
form; I want to do captcha validation when the user has had two 
consecutive errors from the same IP. How can a realm access this data?

Thanks in advance.
Ricardo.



Re: Form authentication with captcha...

Posted by David Delbecq <de...@oma.be>.
On 04/07/07 10:15, rpr_listas wrote:
> Hello David,
>
> I know that this is out of the specification, and binds my application
> to this server implementation, but modifying the realm has the same
> problem: it transforms my application into a tomcat-only application.
Indeed it would make your application work only with server
authentication that splits the password in 2 parts (password/captcha), but
1) it's easier to make and maintain a custom realm across tomcat versions
than to patch the tomcat authenticator.
2) if you need to switch later from tomcat to jboss or another container,
all you have to do is recode for that server an equivalent of your realm
(most servers provide such support for user authentication), while
doing a fix similar to the one of the authenticator might prove more
difficult as it is not an expected point of extension.
3) If you limit the change to the realm, other web applications can still run
without trouble on your tomcat; this includes the tomcat manager and tomcat
admin, which are commonly deployed on tomcat.

>
> Building a custom authentication is not a solution, because this disconnects
> the application from the J2EE standard, and I prefer to fit the
> standards in the rest of the application. I think that the better
> approach could be a custom authentication servlet, and this servlet
> stores a new Principal in the container. But I think that in J2EE this
> can't be done from a servlet.
Indeed it can't really do it, but you could perhaps use an
authentication filter like this:
http://securityfilter.sourceforge.net/

There is even a discussion on how to pass additional arguments to its
authentication mechanism:

http://sourceforge.net/forum/forum.php?thread_id=1527995&forum_id=200424




Re: Form authentication with captcha...

Posted by rpr_listas <rp...@telefonica.net>.
Hello David,

I know that this is out of the specification, and binds my application to 
this server implementation, but modifying the realm has the same problem: 
it transforms my application into a tomcat-only application.

Building a custom authentication is not a solution, because this disconnects 
the application from the J2EE standard, and I prefer to fit the standards 
in the rest of the application. I think that the better approach could 
be a custom authentication servlet, and this servlet stores a new 
Principal in the container. But I think that in J2EE this can't be done 
from a servlet.

Best regards.
Ricardo





Re: Form authentication with captcha...

Posted by Christopher Schultz <ch...@christopherschultz.net>.
David and Ricardo,

David Delbecq wrote:
> 2) Don't rely on container security and provide your own security with
> your own whatever forms.

Securityfilter (http://securityfilter.sourceforge.net) is a drop-in
replacement for container-managed security that is implemented as a
filter and can be extended however you want.

Configuration is similar to web.xml declarative security, so there's not
too much to learn to get it up and running. It does not depend upon
container-specific classes so you won't lock yourself into one vendor,
or even one single version of that server.

-chris



Re: Form authentication with captcha...

Posted by David Delbecq <de...@oma.be>.
Hello,

The form authenticator does form-based authentication according to the
corresponding J2EE specifications, which specify the submit name of the
username field (j_username), the submit name of the user password
(j_password), and that's all. Of course you, the developer of the web application,
can customize the form (adding a company logo, etc), but the specs state that
the user must provide username and password and submit them to the
/j_security_check url. Adding a captcha or other information to this spec
is not possible like that.

The only 2 ways I see to add a captcha and not break the specs are either

1) to create a realm that expects the captcha to be appended or prepended
to the password.
eg:
j_username: johnSmith
j_password: 12345@captcha=AdQ1
The realm could probably compare the provided captcha with some value
stored somewhere else;
the j_password field could be constructed, client side, with javascript,
from 2 non-submitted fields.

or
2) Don't rely on container security and provide your own security with
your own whatever forms.


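David's option 1 above (and his argument in the later reply that a custom realm is the more portable change), carried into a Tomcat Realm as an added example that is neither the thread's nor Tomcat's code. It goes one step beyond the `12345@captcha=AdQ1` format on the page: because a realm has no access to the HTTP session, the CAPTCHA part carries a challenge id as well as the answer (`password@captcha=<id>:<answer>`), so the realm can look up what the server expects. `CaptchaStore` is a hypothetical single-use store of issued challenges, the user table is a constructed in-memory map, and the `RealmBase`/`GenericPrincipal` signatures assumed are those of the Tomcat 7 era; later versions changed them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Realm that expects j_password = "<password>@captcha=<challengeId>:<answer>". */
public class CaptchaRealm extends RealmBase {
    static final String SEPARATOR = "@captcha=";

    /** Hypothetical store of issued challenges; takeAnswer() returns the expected answer once, then forgets it. */
    public interface CaptchaStore { String takeAnswer(String challengeId); }

    // Constructed demo user table (username -> password); a real realm reads hashed credentials.
    static final Map<String, String> USERS = new ConcurrentHashMap<>(Collections.singletonMap("johnSmith", "12345"));
    // Assumption: the application injects its store at startup; the default knows no challenges.
    static CaptchaStore captchaStore = id -> null;

    public static void setCaptchaStore(CaptchaStore store) { captchaStore = store; }

    /** Splits the combined field into {password, challengeId, answer}; null when the shape is wrong. */
    static String[] split(String credentials) {
        if (credentials == null) return null;
        int at = credentials.lastIndexOf(SEPARATOR);   // lastIndexOf: a password may itself contain the separator
        if (at < 0) return null;
        String password = credentials.substring(0, at);
        String suffix = credentials.substring(at + SEPARATOR.length());
        int colon = suffix.indexOf(':');
        if (colon <= 0 || colon == suffix.length() - 1) return null;
        return new String[] { password, suffix.substring(0, colon), suffix.substring(colon + 1) };
    }

    /** Length-independent comparison so timing does not leak how much of the answer matched. */
    static boolean constantTimeEquals(String a, String b) {
        return a != null && b != null && MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        String[] parts = split(credentials);
        if (parts == null) return null;                       // no CAPTCHA part: reject before touching the password
        String expected = captchaStore.takeAnswer(parts[1]);  // consumed on first use, wrong or right
        if (!constantTimeEquals(expected, parts[2])) return null;
        return super.authenticate(username, parts[0]);        // RealmBase compares against getPassword(username)
    }

    @Override protected String getName() { return "CaptchaRealm"; }

    @Override protected String getPassword(String username) { return USERS.get(username); }

    @Override protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, USERS.get(username), Collections.singletonList("user"));
    }
}
```

To keep the manager and other webapps on their own realm, as David's point 3 wants, the realm goes into the application's own `META-INF/context.xml` as `<Realm className="CaptchaRealm"/>` rather than into `server.xml`. Note what this design cannot do: the realm sees only a username and a credential string, so it has to require the CAPTCHA on every login; it cannot implement Ricardo's "only after two failures from the same IP" rule, which is exactly the limitation he raises. Since the combined value travels in `j_password`, the CAPTCHA answer is treated by the container like a password and is not written to access logs, but the form cannot be submitted without the client-side JavaScript that assembles it.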

