Posted to jetspeed-user@portals.apache.org by "Bhardwaj, Ashutosh" <As...@fmr.com> on 2006/11/21 11:19:37 UTC

Login Portlet

I am trying to understand the processing of the Login Portlet that ships
with the j2-admin app. I am a bit confused that the login credentials that
are set in the LoginProxy servlet are removed from the session in the
LoginRedirector servlet without any processing. Can somebody guide me on
how these credentials are processed?

regards,
ashutosh bhardwaj


Re: Login Portlet

Posted by Philip Mark Donaghy <ph...@gmail.com>.
On 11/21/06, Aaron Evans <aa...@gmail.com> wrote:
> Here is an excerpt from an old posting:

Those posts can be found here:

http://thread.gmane.org/gmane.comp.jakarta.jetspeed.user/16505/focus=16522

And

http://thread.gmane.org/gmane.comp.jakarta.jetspeed.user/16110/focus=16139

We will have documentation for this soon.

Philip

>
> Jetspeed uses a JAAS realm for authentication.  It is configured in jetspeed's
> context xml (although it can be moved up to the container level).
>
> J2EE containers that use realm authentication require that the request
> parameters j_username and j_password be posted to /j_security_check for
> authentication.
>
> If you look at jetspeed's web.xml, you will see a standard web application
> security constraint and login config:
>
> <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Login</web-resource-name>
>      <url-pattern>/login/redirector</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>*</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>
>  <!-- Login configuration uses form-based authentication -->
>  <login-config>
>    <auth-method>FORM</auth-method>
>    <realm-name>Jetspeed</realm-name>
>    <form-login-config>
>      <form-login-page>/login/login</form-login-page>
>      <form-error-page>/login/error</form-error-page>
>    </form-login-config>
>  </login-config>
>
> I believe that what happens is that the login portlet posts to the
> /login/redirector protected resource. Because the user is not authenticated,
> they get redirected to /login/login.
>
> I believe that the /login/login URI is a blank page that contains a hidden
> form that takes the user name and password parameter values submitted from
> the login portlet and puts them in hidden fields with the names j_username
> and j_password.  It also has some kind of onload JS or meta refresh which
> then causes the hidden form to post to /j_security_check.
>
> If authentication is not successful, the user will be sent to /login/error.
> If it is successful, the user will be sent to /login/redirector and they will
> now be allowed access to it because they have been authenticated.  This URI
> no doubt redirects to the portal root (applying profiling rules).
>
> On 11/21/06, Bhardwaj, Ashutosh <As...@fmr.com> wrote:
> > I am trying to understand the processing of the Login Portlet that ships
> > with the j2-admin app. I am a bit confused that the login credentials that
> > are set in the LoginProxy servlet are removed from the session in the
> > LoginRedirector servlet without any processing. Can somebody guide me on
> > how these credentials are processed?
> >
> > regards,
> > ashutosh bhardwaj
> >
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-user-unsubscribe@portals.apache.org
> For additional commands, e-mail: jetspeed-user-help@portals.apache.org
>
>


-- 
Philip Donaghy
donaghy.blogspot.com del.icio.us/donaghy/philip
Skype: philipmarkdonaghy
Office: +33 5 56 60 88 02
Mobile: +33 6 20 83 22 62



Re: Login Portlet

Posted by Aaron Evans <aa...@gmail.com>.
Here is an excerpt from an old posting:

Jetspeed uses a JAAS realm for authentication.  It is configured in jetspeed's
context xml (although it can be moved up to the container level).

J2EE containers that use realm authentication require that the request
parameters j_username and j_password be posted to /j_security_check for
authentication.

If you look at jetspeed's web.xml, you will see a standard web application
security constraint and login config:

<!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Login</web-resource-name>
     <url-pattern>/login/redirector</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>*</role-name>
   </auth-constraint>
 </security-constraint>


 <!-- Login configuration uses form-based authentication -->
 <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Jetspeed</realm-name>
   <form-login-config>
     <form-login-page>/login/login</form-login-page>
     <form-error-page>/login/error</form-error-page>
   </form-login-config>
 </login-config>

I believe that what happens is that the login portlet posts to the
/login/redirector protected resource. Because the user is not authenticated,
they get redirected to /login/login.

I believe that the /login/login URI is a blank page that contains a hidden
form that takes the user name and password parameter values submitted from
the login portlet and puts them in hidden fields with the names j_username
and j_password.  It also has some kind of onload JS or meta refresh which
then causes the hidden form to post to /j_security_check.

If authentication is not successful, the user will be sent to /login/error.
If it is successful, the user will be sent to /login/redirector and they will
now be allowed access to it because they have been authenticated.  This URI
no doubt redirects to the portal root (applying profiling rules).

On 11/21/06, Bhardwaj, Ashutosh <As...@fmr.com> wrote:
> I am trying to understand the processing of the Login Portlet that ships
> with the j2-admin app. I am a bit confused that the login credentials that
> are set in the LoginProxy servlet are removed from the session in the
> LoginRedirector servlet without any processing. Can somebody guide me on
> how these credentials are processed?
>
> regards,
> ashutosh bhardwaj
>
>
>
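
An added example, not part of the original post or of Jetspeed's code: a small Python check that reads the web.xml fragments quoted above and reports which paths the container's FORM login actually guards. The `<web-app>` wrapper and all function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two fragments quoted above, wrapped in a <web-app>
# root (an assumption) so that they parse as a single document.
WEB_XML = """<web-app>
 <security-constraint>
   <web-resource-collection>
     <url-pattern>/login/redirector</url-pattern>
   </web-resource-collection>
   <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
     <form-login-page>/login/login</form-login-page>
     <form-error-page>/login/error</form-error-page>
   </form-login-config>
 </login-config>
</web-app>"""

def matches(pattern, path):
    """Servlet url-pattern rules: '/prefix/*', '*.ext', '/' (default), else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)

def audit(xml_text):
    # Summarise what the container enforces according to the descriptor.
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    constraints = [{
        "patterns": [u.text.strip() for u in sc.iter("url-pattern")],
        "auth": sc.find("auth-constraint") is not None,
        "transport": (sc.findtext(".//transport-guarantee") or "NONE").strip(),
    } for sc in root.iter("security-constraint")]
    return {"auth_method": (root.findtext(".//auth-method") or "").strip(),
            "constraints": constraints}

def is_protected(report, path):
    """True if some constraint carrying an auth-constraint covers this path."""
    return any(c["auth"] and matches(p, path)
               for c in report["constraints"] for p in c["patterns"])

def https_not_enforced(report):
    """FORM login where no constraint asks the container for CONFIDENTIAL transport."""
    return report["auth_method"] == "FORM" and not any(
        c["transport"] == "CONFIDENTIAL" for c in report["constraints"])
```

On this excerpt only /login/redirector is constrained, and no constraint declares a CONFIDENTIAL transport-guarantee, so the descriptor by itself does not make the container require HTTPS for the login POST.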
