Posted to users@tomcat.apache.org by Johannes Meyer <jo...@gmail.com> on 2013/02/08 16:47:33 UTC

AJAX Authentication

Hello all,

I'm developing a web application with asynchronous techniques (ExtJS).

Most pages are secured with a "security-constraint", so the user
has to log in first.


The user is prompted with a login dialog and can type in his username
and password. The data will be sent asynchronously to the server and the
user should be logged in.

How can I best implement it?

I tried to work with FORM-authentication but it is not very elegant.

Is there any solution to make an AJAX-Authentication?

Or can I build a servlet that logs the user in without showing him any dialogs?

Best regards,
Johannes

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: AJAX Authentication

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/2/8 Johannes Meyer <jo...@gmail.com>:
> Hi Konstantin,
>
> thank you for your answer.
>
>> HttpServletRequest.login(..) ?
>> (in a Servlet 3.0 application)
>
> If I call this function, only the current request is authorized, but
> not the whole session.
>

Whether authorization is cached in the session depends on the
authorization schema and on the configuration of the Authenticator.

Whether you are successful with this also depends on whether your AJAX
request and other requests belong to the same session.

YMMV.



Re: AJAX Authentication

Posted by Johannes Meyer <jo...@gmail.com>.
I built a solution that is working for me. The servlet does a
login, copies the authentication data to the session and responds
with JSON data.

The problem with this solution is that I have to access a private
member using reflection, because the StandardSession object is
hidden behind a facade pattern.

It's very dirty, but perhaps it can help someone.


import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.session.StandardSession;
import org.json.JSONException;
import org.json.JSONObject;

    public void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");

        boolean success = false;
        String errortext = null;

        if (username != null && password != null) {
            try {
                // authenticate the current request
                req.login(username, password);
                // attention! only the request is authenticated now

                try {
                    // on org.apache.catalina.session.StandardSession we can set the
                    // "UserPrincipal" from the current request; this object is a
                    // private member of an instance of 'StandardSessionFacade'
                    StandardSession tomcatSession = (StandardSession)
                            getPrivateField(req.getSession(), "session");

                    // set the authentication data on the session
                    tomcatSession.setPrincipal(req.getUserPrincipal());
                    tomcatSession.setAuthType(HttpServletRequest.BASIC_AUTH);
                    tomcatSession.setNote(Constants.SESS_USERNAME_NOTE, username);
                    tomcatSession.setNote(Constants.SESS_PASSWORD_NOTE, password);

                    // OK (jafaLogger is the application's own logger)
                    Log(jafaLogger.LVL_INFO_LOW, "Login OK");
                    success = true;
                }
                catch (Exception e) {
                    success = false;
                    errortext = "Error configuring session: " + e.getMessage();

                    Log(jafaLogger.LVL_ERR_HIGH, errortext);
                }
            }
            catch (ServletException loginError) {
                success = false;
                errortext = loginError.toString();
            }
        }
        else {
            success = false;
            errortext = "Username or password missing";
        }

        res.setContentType("application/json");
        JSONObject jsonElement = new JSONObject();

        try {
            jsonElement.put("success", success);

            if (!success && errortext != null) {
                jsonElement.put("errortext", errortext);
            }
        }
        catch (JSONException jsonException) {
            // ignored: a boolean and a String always serialize
        }

        PrintWriter out = res.getWriter();
        out.write(jsonElement.toString());
        out.flush();
        out.close();
    }

    // Reflection helper referenced above. It was not included in the original
    // message, so this is a reconstruction of what it must do: read a private
    // field (here "session" of StandardSessionFacade) from the given object.
    private static Object getPrivateField(Object target, String fieldName)
            throws NoSuchFieldException, IllegalAccessException {
        java.lang.reflect.Field field = target.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        return field.get(target);
    }

2013/2/9 Jimmy Johnson <ec...@gmail.com>:
> I had the same requirements and ended up using Spring Security. Although Spring Security is not set up for AJAX itself, you can make a filter that catches all AJAX context after it goes through the security class filters. Take a look here:
>
> http://static.springsource.org/spring-security/site/
>
> If you think this is a solution for you, let me know and I can provide more details.
>
> Jimmy
>
> On Feb 8, 2013, at 8:35 AM, Johannes Meyer <jo...@gmail.com> wrote:
>
>> Hi Konstantin,
>>
>> thank you for your answer.
>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>
>> If I call this function, only the current request is authorized, but
>> not the whole session.
>>
>> Is there any solution to authorize the session?
>>
>> Thank you,
>> Johannes
>>
>> 2013/2/8 Konstantin Kolinko <kn...@gmail.com>:
>>> 2013/2/8 Johannes Meyer <jo...@gmail.com>:
>>>> Hello all,
>>>>
>>>> I'm developing a web application with asynchronous techniques (ExtJS).
>>>>
>>>> Most pages are secured with a "security-constraint", so the user
>>>> has to log in first.
>>>>
>>>>
>>>> The user is prompted with a login dialog and can type in his username
>>>> and password. The data will be sent asynchronously to the server and the
>>>> user should be logged in.
>>>>
>>>> How can I best implement it?
>>>>
>>>> I tried to work with FORM-authentication but it is not very elegant.
>>>>
>>>> Is there any solution to make an AJAX-Authentication?
>>>>
>>>> Or can I build a servlet that logs the user in without showing him any dialogs?
>>>>
>>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>>
>>
>
>

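The same JSON login endpoint written to reach the goal of the reflective servlet above without touching StandardSession. This is an added example of mine, not code from the thread; it assumes the webapp has a <login-config> so that Tomcat's Authenticator services login(), that the Authenticator's cache setting is at its default, and that a session must already exist when login() runs for the principal to be cached in it (Konstantin's point about Authenticator configuration). The servlet path is assumed.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Assumed URL; the ExtJS login dialog POSTs j_username / j_password here.
@WebServlet("/ajax-login")
public class AjaxLoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        String error = null;
        if (username == null || password == null) {
            error = "Username or password missing";
        } else {
            // Discard any pre-login session so an id issued before login is
            // never promoted to an authenticated one (session fixation).
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            // Assumption: Tomcat's Authenticator caches the principal in the
            // session only if one exists when login() runs and caching is
            // enabled (its default). Create it first; no reflection needed.
            req.getSession(true);
            try {
                req.login(username, password); // Servlet 3.0, checked by the Realm
            } catch (ServletException e) {
                log("AJAX login failed for '" + username + "'", e); // server log only
                error = "Invalid username or password"; // no exception text to client
            }
        }
        boolean success = error == null && req.getUserPrincipal() != null;
        res.setContentType("application/json;charset=UTF-8");
        res.setHeader("Cache-Control", "no-store");
        res.getWriter().write(toJson(success, error));
    }
    // Tiny JSON writer (no library dependency); escapes backslash and quote.
    static String toJson(boolean success, String error) {
        String json = "{\"success\":" + success;
        if (error != null) {
            json += ",\"errortext\":\"" + error.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
        }
        return json + "}";
    }
}
```

A follow-up request that carries the new session cookie should then see req.getUserPrincipal() set by the Authenticator; if it does not, the Authenticator in use is not caching, which is the configuration case Konstantin describes.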


Re: AJAX Authentication

Posted by Jimmy Johnson <ec...@gmail.com>.
I had the same requirements and ended up using Spring Security. Although Spring Security is not set up for AJAX itself, you can make a filter that catches all AJAX context after it goes through the security class filters. Take a look here:

http://static.springsource.org/spring-security/site/

If you think this is a solution for you, let me know and I can provide more details.

Jimmy

On Feb 8, 2013, at 8:35 AM, Johannes Meyer <jo...@gmail.com> wrote:

> Hi Konstantin,
> 
> thank you for your answer.
> 
>> HttpServletRequest.login(..) ?
>> (in a Servlet 3.0 application)
> 
> If I call this function, only the current request is authorized, but
> not the whole session.
> 
> Is there any solution to authorize the session?
> 
> Thank you,
> Johannes
> 
> 2013/2/8 Konstantin Kolinko <kn...@gmail.com>:
>> 2013/2/8 Johannes Meyer <jo...@gmail.com>:
>>> Hello all,
>>> 
>>> I'm developing a web application with asynchronous techniques (ExtJS).
>>> 
>>> Most pages are secured with a "security-constraint", so the user
>>> has to log in first.
>>> 
>>> 
>>> The user is prompted with a login dialog and can type in his username
>>> and password. The data will be sent asynchronously to the server and the
>>> user should be logged in.
>>> 
>>> How can I best implement it?
>>> 
>>> I tried to work with FORM-authentication but it is not very elegant.
>>> 
>>> Is there any solution to make an AJAX-Authentication?
>>> 
>>> Or can I build a servlet that logs the user in without showing him any dialogs?
>>> 
>> 
>> HttpServletRequest.login(..) ?
>> (in a Servlet 3.0 application)
>> 
> 




Re: AJAX Authentication

Posted by Johannes Meyer <jo...@gmail.com>.
Hi Konstantin,

thank you for your answer.

> HttpServletRequest.login(..) ?
> (in a Servlet 3.0 application)

If I call this function, only the current request is authorized, but
not the whole session.

Is there any solution to authorize the session?

Thank you,
Johannes

2013/2/8 Konstantin Kolinko <kn...@gmail.com>:
> 2013/2/8 Johannes Meyer <jo...@gmail.com>:
>> Hello all,
>>
>> I'm developing a web application with asynchronous techniques (ExtJS).
>>
>> Most pages are secured with a "security-constraint", so the user
>> has to log in first.
>>
>>
>> The user is prompted with a login dialog and can type in his username
>> and password. The data will be sent asynchronously to the server and the
>> user should be logged in.
>>
>> How can I best implement it?
>>
>> I tried to work with FORM-authentication but it is not very elegant.
>>
>> Is there any solution to make an AJAX-Authentication?
>>
>> Or can I build a servlet that logs the user in without showing him any dialogs?
>>
>
> HttpServletRequest.login(..) ?
> (in a Servlet 3.0 application)
>



Re: AJAX Authentication

Posted by Konstantin Kolinko <kn...@gmail.com>.
2013/2/8 Johannes Meyer <jo...@gmail.com>:
> Hello all,
>
> I'm developing a web application with asynchronous techniques (ExtJS).
>
> Most pages are secured with a "security-constraint", so the user
> has to log in first.
>
>
> The user is prompted with a login dialog and can type in his username
> and password. The data will be sent asynchronously to the server and the
> user should be logged in.
>
> How can I best implement it?
>
> I tried to work with FORM-authentication but it is not very elegant.
>
> Is there any solution to make an AJAX-Authentication?
>
> Or can I build a servlet that logs the user in without showing him any dialogs?
>

HttpServletRequest.login(..) ?
(in a Servlet 3.0 application)



Re: AJAX Authentication

Posted by André Warnier <aw...@ice-sa.com>.
Johannes Meyer wrote:
> Hello all,
> 
> I'm developing a web application with asynchronous techniques (ExtJS).
> 
> Most pages are secured with a "security-constraint", so the user
> has to log in first.
> 
> 
> The user is prompted with a login dialog and can type in his username
> and password. The data will be sent asynchronously to the server and the
> user should be logged in.
> 
> How can I best implement it?
> 
> I tried to work with FORM-authentication but it is not very elegant.
> 
> Is there any solution to make an AJAX-Authentication?
> 
> Or can I build a servlet that logs the user in without showing him any dialogs?
> 

Hi.

Almost any HTTP authentication requirement can be solved, but whether it is easy,
difficult, or impossible depends a lot on the details of the situation.
So you will need to provide some additional data if you want more help.
E.g.
Is this an Internet server with clients being anywhere, or is it a purely Intranet situation?
If Intranet, are you using any form of Windows domain authentication?
What are the browsers? (It can matter if the Ajax in the browser uses its own connection
and authentication, or shares it with the browser in general.)
What degree of security does this require?
Do the Ajax calls address the same host & webapp as the ones which the browser accesses?
Are you using some specific Ajax library to make those calls? (If yes, which
authentication methods does it support?)
Do you have an Apache httpd in front of Tomcat, or can you set one up? (There are more
authentication variations available for httpd than for Tomcat, and the httpd-level
authentication can be forwarded to Tomcat.)
etc.

