Posted to users@tomcat.apache.org by Mats Nyberg <mn...@tim.se> on 2002/05/10 12:03:07 UTC

automatic login

friends, cohorts;
have an application involving user registration and "declarative 
authorization".
at the end of a user registration i want the newly created user also to
be logged in
without providing a "now you can use your new id and password to log
in"-screen.

HOWTO?

i vainly thought something like -snip- would do and now after some days
in the mud i thought
i'd swallow my pride and ask; how does one do this?

regards

----snip
      <% session.setAttribute("tomcat.auth.originalLocation", "/protected/xxx.jsp"); %>
      <form method="POST" action="j_security_check" >
        Username: <input type="hidden" name="j_username" value="<%= userId %>"><br>
        Password: <input type="hidden" name="j_password" value="<%= password %>"><br>
        <br>
        <input type="submit" value="login" name="j_security_check">
      </form>
---snip


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: unsubscribe failed

Posted by Milt Epstein <me...@uiuc.edu>.
On Thu, 27 Jun 2002, Chris Faulkner wrote:

> Hi
>
> Really sorry to do this but I need to get off this list - my mailbox
> isn't big enough !
>
> I emailed the unsubscribe address, got a response to confirm. I hit
> reply on this link and then got the message below !! Which is
> absolute nonsense.

Doesn't look like nonsense to me.

To see what address the list has you subscribed as, look for a header
(perhaps Return-Path) that has "tomcat-user-return" in it, and it will
also include the address (with "@" changed to "=").


> I have had this before when trying to unsubscribe and I have seen
> others report it.
>
> Could someone take me off this list, please
>
> Thanks
>
> Chris
>
>
>
> Hi! This is the ezmlm program. I'm managing the
> tomcat-user@jakarta.apache.org mailing list.
>
> I'm working for my owner, who can be reached
> at tomcat-user-owner@jakarta.apache.org.
>
> Acknowledgment: The address
>
>    christopher.faulkner@ntlworld.com
>
> was not on the tomcat-user mailing list when I received
> your request and is not a subscriber of this list.
>
>
>
>

Milt Epstein
Research Programmer
Systems and Technology Services (STS)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu




unsubscribe failed

Posted by Chris Faulkner <ch...@ntlworld.com>.
Hi

Really sorry to do this but I need to get off this list - my mailbox isn't big enough !

I emailed the unsubscribe address, got a response to confirm. I hit reply on this link and then got the message below !! Which is absolute nonsense.

I have had this before when trying to unsubscribe and I have seen others report it. 

Could someone take me off this list, please 

Thanks

Chris 



Hi! This is the ezmlm program. I'm managing the
tomcat-user@jakarta.apache.org mailing list.

I'm working for my owner, who can be reached
at tomcat-user-owner@jakarta.apache.org.

Acknowledgment: The address

   christopher.faulkner@ntlworld.com

was not on the tomcat-user mailing list when I received
your request and is not a subscriber of this list.






j_security_check and login

Posted by Chris Faulkner <ch...@ntlworld.com>.
Hello all

I've been using JBoss and Tomcat for a while and have started to move what we have in JBoss/Tomcat to a Tomcat only environment. It is all OK so far. We have a login mechanism which uses the JDBCRealm stuff. Usernames/pwds/roles are stored in the database. I have protected a set of pages and it all works, I can login via j_security_check and get to my protected pages. So that is fine and I understand the mechanism.

However, we have a servlet which was called immediately after the j_security_check which performed some site-specific stuff (eg setting a cookie, logging the login attempt, etc). This was the code that we used in JBoss, this was called instead of j_security_check upon login. This worked in JBoss but not in Tomcat.

	String path="/context/ourLoginServlet";
	response.setStatus(302,"Found");
	response.setHeader("Location", path);
	String rdString = "/j_security_check?j_username=" + request.getParameter("j_username")
		+ "&j_password=" + request.getParameter("j_password");
	RequestDispatcher rd = application.getRequestDispatcher(rdString);

	rd.include(request,response);

	if (!response.isCommitted())
	{
		response.reset();
	}

You can see what is happening, we create a RequestDispatcher object which called j_security_check which is included in the response. I know this is not ideal because as a GET request, it puts the username/pwd in the access log. So, I'd like to know why this fails in Tomcat. Given that Tomcat was our servlet container in JBoss, it may be some config thing.

I'd also like to do it better. Essentially, I could do it by changing the page that Tomcat redirects to after a successful login. I could set that page to "ourLoginServlet". Is there any way of doing that transparently? I saw an email in the archives that gave this "<% session.setAttribute("tomcat.auth.originalLocation", "/ourLoginServlet"); %>". I thought I could put that in my login.jsp page and that after j_security_check, we'd get our login servlet called. However, this doesn't seem to change the first page you get sent to after j_security_check. Any idea why not or what the setting should be ?

I also tried a filter on j_security_check but for some reason, POSTs to j_security_check don't show up in the access log so I can't set up a filter on it. Any idea what ?

Thanks so much for any help or comments.

Chris
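
The post above notes that sending j_username/j_password as GET parameters leaves them in the access log. As an added example (not part of the original post), this scanner finds such entries in common-log-format lines and returns them with the values masked; the class name and the sample lines are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: flags access-log lines whose request URI carries
 *  j_username / j_password as query parameters, and masks the values. */
public class CredentialLogScan {

    // Request line inside a common/combined log entry: "METHOD URI PROTOCOL"
    private static final Pattern REQUEST =
        Pattern.compile("\"([A-Z]+) (\\S+) (HTTP/[0-9.]+)\"");
    // A j_username / j_password parameter and its value, up to the next separator
    private static final Pattern CRED_PARAM =
        Pattern.compile("(?i)([?&;](?:j_username|j_password)=)[^&#;\\s]*");

    /** Returns the line with credential values masked, or null if none were present. */
    static String redact(String logLine) {
        Matcher req = REQUEST.matcher(logLine);
        if (!req.find()) return null;              // not a parsable access-log entry
        String uri = req.group(2);
        Matcher cred = CRED_PARAM.matcher(uri);
        if (!cred.find()) return null;             // no credentials in this URI
        String masked = cred.replaceAll("$1[REDACTED]");
        // Splice the masked URI back into the untouched rest of the line.
        return logLine.substring(0, req.start(2)) + masked + logLine.substring(req.end(2));
    }

    public static void main(String[] args) {
        // Constructed sample lines (not from the thread), common log format.
        String[] sample = {
            "192.0.2.10 - - [27/Jun/2002:10:01:02 +0100] \"GET /context/login.jsp HTTP/1.1\" 200 1423",
            "192.0.2.10 - - [27/Jun/2002:10:01:09 +0100] \"GET /context/j_security_check?j_username=alice&j_password=s3cret HTTP/1.1\" 302 -",
            "192.0.2.11 - - [27/Jun/2002:10:02:41 +0100] \"POST /context/j_security_check HTTP/1.1\" 302 -",
            "192.0.2.12 - - [27/Jun/2002:10:03:15 +0100] \"GET /context/x?next=%2Fhome&J_PASSWORD=hunter2 HTTP/1.1\" 404 -"
        };
        List<String> hits = new ArrayList<>();
        for (String line : sample) {
            String r = redact(line);
            if (r != null) hits.add(r);
        }
        hits.forEach(System.out::println);
        System.out.println(hits.size() + " of " + sample.length
            + " entries carried credentials in the URI");
    }
}
```

In Tomcat's AccessLogValve, a pattern built from `%m %U %H` rather than `%r` keeps the query string out of new entries; passwords already written to old logs should be treated as exposed.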






Re: automatic login

Posted by Vincenzo Marchese <v....@arsretia.net>.
Mats Nyberg wrote:

> thanks for your reply vincenzo,
>
> the problem is however not to get the form sent but rather to get 
> tomcat/the auth.interceptor to bite.
> to this solution i get a "404 /j_security_check not found"
>
> after another moment of contemplation... perhaps you mean that
>    1. in unprotected page set session attribute "my.alltogether.made.up" to "newlyRegisterredUser"
>    2. go to protected page (which obviously sends me to login page)
>    3. in login page: if("newlyRegisterredUser".equals(session.getAttribute("my.alltogether.made.up")))
>            fill form with user details and submit

That's exactly what I meant ;)


>
> and that this would do the trick? I'll try for sure, thanx again, I'll
> get back to you with tales of success. 

Hope so

>
>
> Vincenzo Marchese wrote:
>
>> Have you tried redirecting with an automatic post to your protected 
>> location with some javascript like:
>>
>> document.forms["authform"].submit();
>>
>> obviously after filling the form with the code you wrote down below.
>>
>> You can control in form-login page if you come from a registration 
>> procedure and then do the automatic post.
>>
>>
>>
>> Mats Nyberg wrote:
>>
>>> friends, cohorts;
>>> have an application involving user registration and "declarative 
>>> authorization".
>>> at the end of a user registration i want the newly created user
>>> also to be logged in
>>> without providing a "now you can use your new id and password to log
>>> in"-screen.
>>>
>>> HOWTO?
>>>
>>> i vainly thought something like -snip- would do and now after some
>>> days in the mud i thought
>>> i'd swallow my pride and ask; how does one do this?
>>>
>>> regards
>>>
>>> ----snip
>>>      <% session.setAttribute("tomcat.auth.originalLocation", 
>>> "/protected/xxx.jsp"); %>
>>>      <form method="POST" action="j_security_check" >
>>>        Username: <input type="hidden" name="j_username" value="<%= 
>>> userId %>"><br>
>>>        Password: <input type="hidden" name="j_password" value="<%= 
>>> password %>"><br>
>>>        <br>
>>>        <input type="submit" value="login" name="j_security_check">
>>>      </form>
>>> ---snip
>>>
>>>
>>>
>>
>>
>
>
>
>


-- 
"But I don't like Spam!!!!"
-----------------------------------------------------
      Vincenzo  Marchese
        ARSRETIA S.r.l.
      Via D. Sansotta, 97
        00144 Roma (IT)
e-mail: v.marchese@arsretia.net
     Tel.: +39 06 52270097
     Fax: +39 06 52272313






Re: automatic login

Posted by Mats Nyberg <mn...@tim.se>.
thanks for your reply vincenzo,

the problem is however not to get the form sent but rather to get 
tomcat/the auth.interceptor to bite.
to this solution i get a "404 /j_security_check not found"

after another moment of contemplation... perhaps you mean that
    1. in unprotected page set session attribute "my.alltogether.made.up" to "newlyRegisterredUser"
    2. go to protected page (which obviously sends me to login page)
    3. in login page: if("newlyRegisterredUser".equals(session.getAttribute("my.alltogether.made.up")))
            fill form with user details and submit

and that this would do the trick? I'll try for sure, thanx again, I'll
get back to you with tales of success.

Vincenzo Marchese wrote:

> Have you tried redirecting with an automatic post to your protected 
> location with some javascript like:
>
> document.forms["authform"].submit();
>
> obviously after filling the form with the code you wrote down below.
>
> You can control in form-login page if you come from a registration 
> procedure and then do the automatic post.
>
>
>
> Mats Nyberg wrote:
>
>> friends, cohorts;
>> have an application involving user registration and "declarative 
>> authorization".
>> at the end of a user registration i want the newly created user also
>> to be logged in
>> without providing a "now you can use your new id and password to log
>> in"-screen.
>>
>> HOWTO?
>>
>> i vainly thought something like -snip- would do and now after some
>> days in the mud i thought
>> i'd swallow my pride and ask; how does one do this?
>>
>> regards
>>
>> ----snip
>>      <% session.setAttribute("tomcat.auth.originalLocation", 
>> "/protected/xxx.jsp"); %>
>>      <form method="POST" action="j_security_check" >
>>        Username: <input type="hidden" name="j_username" value="<%= 
>> userId %>"><br>
>>        Password: <input type="hidden" name="j_password" value="<%= 
>> password %>"><br>
>>        <br>
>>        <input type="submit" value="login" name="j_security_check">
>>      </form>
>> ---snip
>>
>>
>>
>
>





Re: automatic login

Posted by Vincenzo Marchese <v....@arsretia.net>.
Have you tried redirecting with an automatic post to your protected 
location with some javascript like:

document.forms["authform"].submit();

obviously after filling the form with the code you wrote down below.

You can control in form-login page if you come from a registration 
procedure and then do the automatic post.



Mats Nyberg wrote:

> friends, cohorts;
> have an application involving user registration and "declarative 
> authorization".
> at the end of a user registration i want the newly created user also
> to be logged in
> without providing a "now you can use your new id and password to log
> in"-screen.
>
> HOWTO?
>
> i vainly thought something like -snip- would do and now after some
> days in the mud i thought
> i'd swallow my pride and ask; how does one do this?
>
> regards
>
> ----snip
>      <% session.setAttribute("tomcat.auth.originalLocation", 
> "/protected/xxx.jsp"); %>
>      <form method="POST" action="j_security_check" >
>        Username: <input type="hidden" name="j_username" value="<%= 
> userId %>"><br>
>        Password: <input type="hidden" name="j_password" value="<%= 
> password %>"><br>
>        <br>
>        <input type="submit" value="login" name="j_security_check">
>      </form>
> ---snip
>
>
>


-- 
   Know what I pray for? The strength to change what I can, the inability to
accept what I can't and the incapacity to tell the difference.	  -- Calvin
-----------------------------------------------------
      Vincenzo  Marchese
        ARSRETIA S.r.l.
      Via D. Sansotta, 97
        00144 Roma (IT)
e-mail: v.marchese@arsretia.net
     Tel.: +39 06 52270097
     Fax: +39 06 52272313






Re: automatic login

Posted by Mats Nyberg <mn...@tim.se>.

Craig R. McClanahan wrote:

>
>On Fri, 10 May 2002, Mats Nyberg wrote:
>
>>Date: Fri, 10 May 2002 20:00:51 +0200
>>From: Mats Nyberg <mn...@tim.se>
>>Reply-To: Tomcat Users List <to...@jakarta.apache.org>
>>To: Tomcat Users List <to...@jakarta.apache.org>
>>Subject: Re: automatic login
>>
>>locking myself in is no problem; this is an app running on a colleague's
>>(peter antman @ jboss) heavily patched version of a JBoss 2.something
>>loaded with tomcat and jboss dependencies.
>>
>>do you know the internals of the accessinterceptor/authentication process
>>in tomcat?
>>
>
>I'd *better* know it, because I wrote it ... :-)
>
straight to the source, huh
;)

>
>
>Look in package org.apache.catalina.authenticator in the Tomcat source
>code for the implementation classes that implement the various login
>methods.  
>
using 3.2, dude
:(

>You'll need to understand quite a bit about Tomcat's internal
>architecture for this to work 
>
I do

>-- there are some UML diagrams and such
>stuff in the "Catalina Documentation" part of the tomcat-docs webapp.
>
>However, I'm afraid that I'm not going to be able to assist you any, due
>to time constraints.
>
hey, i know i'm on a seller's market here ;)

got an idea, though.
I'll be back

by the way, vincenzo: your idea worked - will write HOWTO for the list

>
>
>Craig
>
>
>
>
>





Re: automatic login

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 10 May 2002, Mats Nyberg wrote:

> Date: Fri, 10 May 2002 20:00:51 +0200
> From: Mats Nyberg <mn...@tim.se>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Re: automatic login
>
> locking myself in is no problem; this is an app running on a colleague's
> (peter antman @ jboss) heavily patched version of a JBoss 2.something
> loaded with tomcat and jboss dependencies.
>
> do you know the internals of the accessinterceptor/authentication process
> in tomcat?
>

I'd *better* know it, because I wrote it ... :-)

Look in package org.apache.catalina.authenticator in the Tomcat source
code for the implementation classes that implement the various login
methods.  You'll need to understand quite a bit about Tomcat's internal
architecture for this to work -- there are some UML diagrams and such
stuff in the "Catalina Documentation" part of the tomcat-docs webapp.

However, I'm afraid that I'm not going to be able to assist you any, due
to time constraints.

Craig




Re: automatic login

Posted by Mats Nyberg <mn...@tim.se>.
locking myself in is no problem; this is an app running on a colleague's
(peter antman @ jboss) heavily patched version of a JBoss 2.something
loaded with tomcat and jboss dependencies.

do you know the internals of the accessinterceptor/authentication process
in tomcat?


Craig R. McClanahan wrote:

>
>On Fri, 10 May 2002, Mats Nyberg wrote:
>
>>Date: Fri, 10 May 2002 12:03:07 +0200
>>From: Mats Nyberg <mn...@tim.se>
>>Reply-To: Tomcat Users List <to...@jakarta.apache.org>
>>To: tomcat-user@jakarta.apache.org
>>Subject: automatic login
>>
>>friends, cohorts;
>>have an application involving user registration and "declarative
>>authorization".
>>at the end of a user registration i want the newly created user also to
>>be logged in
>>without providing a "now you can use your new id and password to log
>>in"-screen.
>>
>>HOWTO?
>>
>>i vainly thought something like -snip- would do and now after some days
>>in the mud i thought
>>i'd swallow my pride and ask; how does one do this?
>>
>
>There is no portable mechanism in the current servlet API to do this for
>container-managed security.  You will have to either modify your copy of
>Tomcat (and therefore be locked in), or use application-managed security
>instead.
>
>>regards
>>
>
>Craig
>
>
>
>
>





Re: automatic login

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 10 May 2002, Mats Nyberg wrote:

> Date: Fri, 10 May 2002 12:03:07 +0200
> From: Mats Nyberg <mn...@tim.se>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: automatic login
>
> friends, cohorts;
> have an application involving user registration and "declarative
> authorization".
> at the end of a user registration i want the newly created user also to
> be logged in
> without providing a "now you can use your new id and password to log
> in"-screen.
>
> HOWTO?
>
> i vainly thought something like -snip- would do and now after some days
> in the mud i thought
> i'd swallow my pride and ask; how does one do this?
>

There is no portable mechanism in the current servlet API to do this for
container-managed security.  You will have to either modify your copy of
Tomcat (and therefore be locked in), or use application-managed security
instead.

> regards
>

Craig
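
The reply above describes the servlet API as it stood in 2002. Servlet 3.0 later added `HttpServletRequest.login()`, which validates credentials against the container's realm from application code; the following added example (not from the thread or from Tomcat) logs a newly registered user in that way without writing the password back into a page. `UserRegistry`, the `userRegistry` context attribute, `/register`, `/login.jsp` and `/protected/welcome.jsp` are hypothetical names, and the code uses `javax.servlet` (on Tomcat 10 and later the package is `jakarta.servlet`).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    /** Hypothetical: writes the new account to the store the container's realm reads. */
    public interface UserRegistry {
        /** @return false if the name is taken or the input is rejected */
        boolean create(String username, char[] password);
    }

    private UserRegistry registry;

    @Override
    public void init() {
        // Assumption: the application put its registry in the servlet context at startup.
        registry = (UserRegistry) getServletContext().getAttribute("userRegistry");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null
                || !registry.create(username, password.toCharArray())) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "registration rejected");
            return;
        }
        // Create the session before login. Assumption: the container keeps the
        // authenticated Principal in the session so that later requests see it.
        req.getSession(true);
        try {
            // Servlet 3.0: validate against the configured realm; on success
            // getUserPrincipal()/getRemoteUser() are set for this request.
            req.login(username, password);
        } catch (ServletException e) {
            // Thrown if validation fails or the caller was already authenticated:
            // send the user to the normal login form instead.
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        // Servlet 3.1: issue a new session id after the privilege change
        // (session fixation defence).
        req.changeSessionId();
        // The password is never echoed to the browser; only a redirect is sent.
        resp.sendRedirect(req.getContextPath() + "/protected/welcome.jsp");
    }
}
```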

