Posted to users@tomcat.apache.org by Jerry Malcolm <2n...@gmail.com> on 2011/12/02 03:30:45 UTC

Form-based Login question

I have been using form-based auth for several years.  I understand the
challenge concept where TC puts up the pre-defined login page when the
first page requiring auth is requested.  But I have a slightly different
situation.  I want all of my non-protected pages (guest-level) to include
the id/pw fields at the top of the page.  At any time when the user chooses
to go to the protected area of the site, they enter their id/pw and hit the
login button and it takes them to a page in the protected area.  Basically,
I want to bypass the forced login page if the user entered an id/pw unless
obviously the auth failed on the provided id/pw.

Is there a way to 'force' provide credentials under the covers at the time
the first protected page is requested to get the user signed on without the
intermediate login form appearing?

Thanks.

Jerry

Re: Form-based Login question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chuck,

On 12/1/11 11:46 PM, Caldarale, Charles R wrote:
>> From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com] Subject: Re:
>> Form-based Login question
> 
>> Before I start, any words of advice for migrating?  Should it be
>> relatively painless (e.g. install, copy current server.xml, and
>> go?)
> 
> Never, never, never copy your current server.xml to a new version
> of Tomcat.  (Can't emphasize that enough.)

+lots

> Lots of configuration tags have changed, disappeared, or have been 
> added.

... and class names have changed or disappeared altogether, logging is
different, etc.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Form-based Login question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jerry Malcolm [mailto:2ndgenfilms@gmail.com] 
> Subject: Re: Form-based Login question

> Before I start, any words of advice for migrating?  Should
> it be relatively painless 

It's pretty painless, if your webapps are well-behaved.  Tomcat 7 is better at detecting errors (e.g., memory leaks) and enforcing compliance with the spec.  Read the migration guide:

http://tomcat.apache.org/migration.html

> (e.g. install, copy current server.xml, and go?)

Never, never, never copy your current server.xml to a new version of Tomcat.  (Can't emphasize that enough.)  Lots of configuration tags have changed, disappeared, or have been added.  Read the config docs for the target level, then apply the differences between your server.xml and the 5.5 original to the 7.0 server.xml, adjusting for the aforementioned config changes.

And if you're still keeping <Context> elements in server.xml, now is your opportunity to eliminate that archaic behavior.

 - Chuck




Re: Form-based Login question

Posted by Jerry Malcolm <2n...@gmail.com>.
Ouch... you said a curse word.... "Upgrade".... :-)  I know I've needed to
do it for a long time now... I'm still on 5.5.  But if it ain't broke....
You've at least given me a good excuse to dive in and upgrade to get this
login feature.  Before I start, any words of advice for migrating?  Should
it be relatively painless (e.g. install, copy current server.xml, and go?)
or is this something I'd better allocate a few days for?

Thanks.

Jerry

On Thu, Dec 1, 2011 at 8:53 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Jerry,
>
> On 12/1/11 9:30 PM, Jerry Malcolm wrote:
> > I have been using form-based auth for several years.  I understand
> > the challenge concept where TC puts up the pre-defined login page
> > when the first page requiring auth is requested.  But I have a
> > slightly different situation.  I want all of my non-protected pages
> > (guest-level) to include the id/pw fields at the top of the page.
> > At any time when the user chooses to go to the protected area of
> > the site, they enter their id/pw and hit the login button and it
> > takes them to a page in the protected area.  Basically, I want to
> > bypass the forced login page if the user entered an id/pw unless
> > obviously the auth failed on the provided id/pw.
> >
> > Is there a way to 'force' provide credentials under the covers at
> > the time the first protected page is requested to get the user
> > signed on without the intermediate login form appearing?
>
> The easiest thing to do is to upgrade to Tomcat 7 which supports
> servlet spec 3.0. There is a new method in the HttpServletRequest
> class called "login" that takes a username and password.
>
> Just take the username and password from the request (in a servlet you
> write yourself) and call request.login(). After that, forward (or
> redirect) the user wherever you want -- some kind of "you're
> logged-in" landing page.
>
> Hope that helps,
> -chris

Re: Form-based Login question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Jerry,

On 12/1/11 9:30 PM, Jerry Malcolm wrote:
> I have been using form-based auth for several years.  I understand
> the challenge concept where TC puts up the pre-defined login page
> when the first page requiring auth is requested.  But I have a
> slightly different situation.  I want all of my non-protected pages
> (guest-level) to include the id/pw fields at the top of the page.
> At any time when the user chooses to go to the protected area of
> the site, they enter their id/pw and hit the login button and it
> takes them to a page in the protected area.  Basically, I want to
> bypass the forced login page if the user entered an id/pw unless 
> obviously the auth failed on the provided id/pw.
> 
> Is there a way to 'force' provide credentials under the covers at
> the time the first protected page is requested to get the user
> signed on without the intermediate login form appearing?

The easiest thing to do is to upgrade to Tomcat 7 which supports
servlet spec 3.0. There is a new method in the HttpServletRequest
class called "login" that takes a username and password.

Just take the username and password from the request (in a servlet you
write yourself) and call request.login(). After that, forward (or
redirect) the user wherever you want -- some kind of "you're
logged-in" landing page.

Hope that helps,
-chris
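
The request.login() approach from the reply above, sketched as a Servlet 3.0 servlet. This is an added example, not code from the thread or from Tomcat; the servlet name, URL mapping, form field names and the two redirect targets are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical mapping: the id/pw form on the guest pages POSTs here.
// Only doPost is implemented, so a GET (credentials in the URL) gets a 405.
@WebServlet("/inline-login")
public class InlineLoginServlet extends HttpServlet {

    // Hypothetical fixed targets; never redirect to a URL taken from the request.
    private static final String LANDING = "/protected/home.jsp";
    private static final String FAILED = "/login-failed.jsp";

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!request.isSecure()) { // credentials must not travel over plain HTTP
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // login() throws if the caller is already authenticated, so skip it then.
        if (request.getUserPrincipal() == null) {
            String user = request.getParameter("username"); // assumed field names
            String pass = request.getParameter("password");
            if (user == null || pass == null) {
                response.sendRedirect(request.getContextPath() + FAILED);
                return;
            }
            // Replace the guest session so a session id issued before login
            // is not reused once the user is authenticated (session fixation).
            HttpSession guest = request.getSession(false);
            if (guest != null) {
                guest.invalidate();
            }
            request.getSession(true);
            try {
                request.login(user, pass); // checked by the container's login mechanism
            } catch (ServletException e) {
                // Bad credentials or no login mechanism configured: same generic page.
                response.sendRedirect(request.getContextPath() + FAILED);
                return;
            }
        }
        response.sendRedirect(request.getContextPath() + LANDING);
    }
}
```

If TLS is terminated in front of Tomcat, isSecure() returns true only when the connector is configured to reflect that.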