Posted to users@tomcat.apache.org by Albretch Mueller <lb...@gmail.com> on 2008/01/20 04:14:33 UTC

Security Realms and form-login-page

 On page 120 of the servlet spec., it is stated referring to the
<form-login-page> element in the <security-constraint> section of an
application's web.xml:
~
 The form-login-page element defines the location in the web app where
the page that can be used for login can be found. The path begins with
a leading / and is interpreted relative to the root of the WAR.
~
 How could you then specify a different (virtual) host accepting only
https connections, that would authenticate the user and then somehow
communicate to the particular webapp Sec Realm so the user is
authenticated?
~
 I think the supposed login page could redirect to that host's login
page, but how could that virtual host redirect back to the regular
pages?
~
 How do some sites out there implement something similar to this?
~
 thanks
 lbrtchx

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Security Realms and form-login-page

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Albrecht,

Albretch Mueller wrote:
>> Let me get this straight: you want to create a webapp that does nothing
>> other than authenticate connections for another webapp?
>>
>> Why would you want to do something like this?
> ~
>  Well, what else would you do if:
> ~
>  * you maintain a number of name-based virtual hosts (of your own and
> for development)
> ~
>  * you want to/can only pay for an SSL certificate
> ~
>  * you only need the secure connections while transferring sensitive
> data, such as sign up, personal profile/options (re)set, login and
> payments

Fair enough. Note that for development, you can use self-signed SSL
certs which are free.

Anyhow, if you want one webapp to authenticate others, then you need to
give out some kind of token after login that can be sent to the primary
application for background communication with the auth server. Something
like this:

User                      AUTH app         PRIMARY app
User  ---- HTTP ------------------------------>
~  |                                           |
~  |  <--- redirect ---------------------------+
~  |
~  |  ----------------------->
~  |                         |
~  |  <---- login page ------+
~  |
~  |  ---- login submit ----->
~  |                         | (generate token)
~  |  <---- redirect --------+
~  |
~  | ----- (request includes login token) ----->
~  |                                           | verify token with auth
~  |                          <----------------+
~  |             checks token |
~  |                          +-- token ok/bad >
~  |                                           | create session
~  |                                           |

You will have to be careful to ensure that random tokens cannot be
forged by malicious users. I recommend information hashing, token
timeouts, client IP verification (if acceptable), and application
identification.

Good luck!
-chris

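An added example (not code from the thread or from Tomcat) of the token Chris describes: the AUTH app mints an HMAC-signed token that carries the user, an application id, the client IP and an expiry, and the PRIMARY app verifies all of it before creating a session. The shared secret, the field layout and all names are assumptions.

```python
import hashlib
import hmac
import secrets

SEP = "|"  # field separator; fields containing it are rejected when minting


def mint_token(secret: bytes, user: str, app_id: str, client_ip: str,
               now: int, ttl: int = 120) -> str:
    """Issued by the AUTH app after a successful login.

    The token binds the user to the application that will consume it
    (application identification), to the client address (client IP
    verification) and to an expiry time (token timeout); the HMAC over
    all of those fields is the "information hashing" that makes the
    token unforgeable without the shared secret (a constructed value).
    """
    for field in (user, app_id, client_ip):
        if SEP in field:
            raise ValueError("field may not contain the separator")
    nonce = secrets.token_hex(8)  # makes every issued token unique
    payload = SEP.join([user, app_id, client_ip, str(now + ttl), nonce])
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEP + mac


def verify_token(secret: bytes, token: str, app_id: str,
                 client_ip: str, now: int):
    """Checked by the PRIMARY app; returns the user name or None."""
    parts = token.split(SEP)
    if len(parts) != 6:
        return None
    payload = SEP.join(parts[:5])
    user, tok_app, tok_ip, expires, _nonce = parts[:5]
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # MAC first, in constant time, so a tampered token is rejected before
    # any of its fields are trusted
    if not hmac.compare_digest(expected, parts[5]):
        return None
    if tok_app != app_id or tok_ip != client_ip:
        return None
    if now > int(expires):
        return None
    # Replay inside the TTL window is not prevented here: a deployment
    # records used nonces (or asks the AUTH app, as in the diagram above).
    return user
```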


Re: Security Realms and form-login-page

Posted by Albretch Mueller <lb...@gmail.com>.
> Let me get this straight: you want to create a webapp that does nothing
> other than authenticate connections for another webapp?
>
> Why would you want to do something like this?
~
 Well, what else would you do if:
~
 * you maintain a number of name-based virtual hosts (of your own and
for development)
~
 * you want to/can only pay for an SSL certificate
~
 * you only need the secure connections while transferring sensitive
data, such as sign up, personal profile/options (re)set, login and
payments
~
 lbrtchx



Re: Security Realms and form-login-page

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Albrecht,

Albretch Mueller wrote:
> How could you then specify a different (virtual) host accepting only
> https connections, that would authenticate the user and then somehow
> communicate to the particular webapp Sec Realm so the user is
> authenticated?

Let me get this straight: you want to create a webapp that does nothing
other than authenticate connections for another webapp?

Why would you want to do something like this?

-chris



Re: Security Realms and form-login-page

Posted by Albretch Mueller <lb...@gmail.com>.
On Jan 20, 2008 9:59 AM, Martin Gainty <mg...@hotmail.com> wrote:
> are you using apache as front-end?
> or are you relying on the https connector?
> Martin-
~
  I am using apache as front-end
~
 lbrtchx
~
