Posted to users@tomcat.apache.org by J Doe <ib...@yahoo.com> on 2002/12/06 17:33:12 UTC

bypassing memory realms

Background: Consider two webapps: foo and bar.  When a
user of foo performs a certain action, foo shares
files with bar by calling actions on each other via
HTTP.

We are being asked to put a memory realm on foo and
bar so that users must login. The problem is that now
the above system-level communication between foo and
bar will break.

Question: if one knows the username and password for a
webapp, can it be placed on the URL?

E.g.
http://mydomain.com:8080/foo?username=x&password=y

I've tried this but no luck.

More generally, is there a way to do it with the
java.net URL class?  

Any ideas?  I realize that perhaps foo and bar could
communicate in a different way (RMI, JMS) but that is
not really an option for us.

thanks,
Mike

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: bypassing memory realms

Posted by David Brown <dw...@webitplanet.com>.
Hello Mike, you could use JavaBean-type classes and session attributes, get 
and set between the two webapps. Store and check the session IDs to ensure 
valid data by using the corresponding session ID. I personally would not use 
the user's ID and password in the URL, even if it was private, as long as there 
were other as yet unauthenticated users on the local subnet. And, of course, 
don't even mention doing this on the public wire (you would be asking to get 
severely compromised). The MemoryRealm would be OK if you MD5-digest the 
passwords in the otherwise human-readable flat ASCII text tomcat-users.xml 
file, but it would prove to be a PITA under the load of many simultaneous users 
(though a low user count would be OK). Preferably, use the JDBCRealm, which 
works great for me running Oracle, but you can run MySQL or PostgreSQL; it allows 
queries where the users table can be an FK to some other business logic 
table. Hope this helps, David. 




Re: bypassing memory realms

Posted by J Doe <ib...@yahoo.com>.
Thanks for your input, everyone.

I found that the approach described in this link
worked best:

http://ostermiller.org/utils/Base64.html

The basic idea is to encode the "user:pass" string in
Base64 and simply add that to the HTTP header.


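
The approach Mike settled on, written out with the java.net classes he asked about, as an added example that is not code from the thread, from the linked Base64 page or from Tomcat. The host, path, service account name and environment variable are hypothetical, and java.util.Base64 (JDK 8+) stands in for the third-party class linked above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthClient {
    // Value of the Authorization header: "Basic " + base64("user:pass").
    // java.util.Base64 (JDK 8+) replaces the third-party class linked in the thread.
    static String basicAuthHeader(String user, String password) {
        byte[] credentials = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(credentials);
    }

    // Base64 is an encoding, not encryption: whoever sees the header gets the
    // password back, which is why the call must only travel over TLS or a trusted link.
    static String decodeBasicAuthHeader(String header) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    // foo calls an action on bar, authenticating as a dedicated service account
    // rather than with any end user's password. Returns the HTTP status code.
    static int callWithBasicAuth(URL url, String user, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", basicAuthHeader(user, password));
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        int status = conn.getResponseCode();
        // getInputStream() throws on 4xx/5xx, so read the error stream in that case.
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (in != null) {
            try (InputStream body = in) {
                while (body.read() != -1) { } // drain so the connection can be reused
            }
        }
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical host, path and service account; the password comes from the
        // environment so it never lands in a URL, a browser history or an access log.
        URL bar = new URL("https://mydomain.com:8443/bar/share?file=report.txt");
        String secret = System.getenv("BAR_SERVICE_PASSWORD");
        int status = callWithBasicAuth(bar, "foo-service", secret);
        System.out.println("bar answered HTTP " + status);
    }
}
```

This only works when the protected resource declares `<auth-method>BASIC</auth-method>` in web.xml; with form-based login the container expects a POST to j_security_check instead. The service account must exist in the realm with the role the security constraint requires.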


Re: bypassing memory realms

Posted by Andreas Probst <an...@gmx.net>.
I think this is a browser-internal thing. A person looking over 
your shoulder could read it. But IE will translate this into 
just a normal request. There's no difference from a request where IE 
had asked for credentials. From within your servlet you will not 
even be able to realize it.



Re: bypassing memory realms

Posted by Andreas Probst <an...@gmx.net>.
Hi Mike,

try http://name:pass@www.....

How do you know the password?

Andreas
