Posted to users@tomcat.apache.org by ap...@dsl.pipex.com on 2011/10/04 18:43:37 UTC

Using multiple login pages

Hello

I have a realm defined as follows in my application's web.xml file:

<login-config>
       <auth-method>FORM</auth-method>
       <realm-name>Form-Based Authentication Area</realm-name>
       <form-login-config>            
           <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
           <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
       </form-login-config>
</login-config>

Which means that all users must log in from the page ...login.jsp.

But is it possible with Tomcat 6.0.26 for multiple login pages to be specified? And could this be 
combined with specifying several welcome pages depending upon which login page I use? 

For example:

loginPageA.jsp calls index.jsp
loginPageB.jsp calls doThis.jsp
loginPageC.jsp calls doThat.jsp

Thanks

Martin O'Shea.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.

André,

On 10/4/2011 2:01 PM, André Warnier wrote:
> Christopher Schultz wrote: ...
> 
> (I agree with what precedes this)
>> 
>> So, you can sniff the original request URI and serve-up whatever 
>> flavor of login page you want.
> 
> But with declarative security, that's kind of hard to do, no?
> Can't do that with a Servlet Filter.

Something like this:

<form-login-page>/login.jsp</form-login-page>

login.jsp:

<%
  // Tomcat forwards to the login page, so the URI the user originally
  // asked for is available through the standard forward attribute.
  String originalUri = (String) request.getAttribute("javax.servlet.forward.request_uri");
  if (originalUri == null) {
    originalUri = request.getRequestURI();   // login page hit directly
  }
  String ctx = request.getContextPath();
  if (originalUri.equals(ctx + "/one_thing"))
  {
    request.getRequestDispatcher("/login_form_A.jsp").include(request, response);
  }
  else if (originalUri.equals(ctx + "/another_thing"))
  {
    request.getRequestDispatcher("/login_form_B.jsp").include(request, response);
  }
  else
  {
    request.getRequestDispatcher("/login_form_default.jsp").include(request, response);
  }
%>

That's not terribly difficult to do. You can use whatever logic you want.

-chris



Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/4/2011 2:06 PM, appy74@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would
> like to accommodate MD5 verification into things.

Note that MD5 doesn't verify anything. It's just a hashing function that
can be used to fingerprint data. I highly recommend:

a. Switching to another hash function if you can: MD5 kind of sucks
b. Limiting the amount of data that can be hashed to some reasonable amount
   (we use a 4096-character limit on passwords)
c. Salting your hashes in case someone steals your password database
   (Tomcat's realms are not sufficient for this: you'll have to build
    your own)

Tomcat's realms are all capable of hashing credentials using any
hashing algorithm available to the JVM.

-chris

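A worked version of the three recommendations above, added here as an example and not code from Chris or from Tomcat: a salted, iterated hash using the JDK's own PBKDF2 implementation instead of MD5, a cap on the password length enforced before any hashing happens, and a constant-time comparison at verification. The class name, the iteration count and the 16-byte salt size are assumptions. Since Tomcat 6 realms have no hook for a per-user salt, this is the kind of code that would sit behind a custom Realm or your own login handling.

```java
package example;

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Salted, iterated password hashing for a custom Realm (added example). */
public final class PasswordHasher {

    // Chris's figure: refuse to hash arbitrarily long input.
    static final int MAX_PASSWORD_CHARS = 4096;
    // Assumed parameters: 16-byte random salt, 10k iterations, 160-bit output.
    static final int SALT_BYTES = 16;
    static final int ITERATIONS = 10000;
    static final int KEY_BITS = 160;

    private static final SecureRandom RNG = new SecureRandom();

    /** What gets stored per user: the salt and the derived key, never the password. */
    public static final class Record {
        public final byte[] salt;
        public final byte[] hash;
        Record(byte[] salt, byte[] hash) {
            this.salt = salt;
            this.hash = hash;
        }
    }

    /** Hash a new password under a fresh per-user salt. */
    public static Record create(char[] password) {
        if (password == null || password.length > MAX_PASSWORD_CHARS) {
            throw new IllegalArgumentException(
                    "password missing or longer than " + MAX_PASSWORD_CHARS + " chars");
        }
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new Record(salt, derive(password, salt));
    }

    /** Check a login attempt against a stored record. */
    public static boolean verify(char[] candidate, Record stored) {
        // Enforce the length cap before doing any expensive work.
        if (candidate == null || candidate.length > MAX_PASSWORD_CHARS) {
            return false;
        }
        return constantTimeEquals(derive(candidate, stored.salt), stored.hash);
    }

    static byte[] derive(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            // Some older SunJCE builds accept only ASCII passwords for this algorithm.
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("PBKDF2 not available in this JVM", e);
        } catch (InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    /** Compare every byte so timing does not reveal where a mismatch begins. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        Record alice = create("correct horse".toCharArray());
        System.out.println("right password accepted: "
                + verify("correct horse".toCharArray(), alice));
        System.out.println("wrong password rejected:  "
                + !verify("wrong".toCharArray(), alice));
        // Same password for another user: a different salt gives a different
        // hash, which is what defeats a precomputed table against a stolen table.
        Record bob = create("correct horse".toCharArray());
        System.out.println("salts differ per user:    "
                + !constantTimeEquals(alice.hash, bob.hash));
    }
}
```

Store both fields of the Record per user; the salt is not secret, only unique, and the length check runs on the way in for both creation and verification so an oversized request is dropped before it costs any CPU.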


RE: Using multiple login pages

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Using multiple login pages

> Do you mean the login page as specified in web.xml's 
> <login-config> as below:

If you're already using a .jsp for the login, you have all the dynamic content capability you need.  If instead you want the login to be handled by a servlet, just make the <form-login-page> setting target a previously defined <url-pattern> for some appropriate servlet of the webapp.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
OK. I think I have it now to my satisfaction, although much work remains.

Thanks Chris and Charles.



Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/5/2011 6:50 PM, Martin O'Shea wrote:
> If I understand you correctly, I think I should have this:
> 
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Form-Based Authentication Area</realm-name>
>   <form-login-config>
>     <form-login-page>/login</form-login-page>
>     <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> 
> But when called I receive a page not found exception. /login maps
> to a servlet I've been using to test my own logging in outside of 
> j_security_check

It's important to understand that the <form-login-page> is the
resource returned when the user tries to access a protected resource
but is not yet authenticated. The <form-login-page> does *not* perform
any authentication itself. It merely requests credentials from the
user (i.e. it contains a <form> with j_username and j_password fields).

> Should the servlet mapped to /login receive j_username and
> j_password?

No. It should produce a page which contains a login form.

Tomcat will handle the actual processing of j_username/j_password for
you, and then send the user onto the originally-requested page.

-chris

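Chris's earlier sketch (a login.jsp that includes one of several forms depending on the originally requested URI), his point here that the <form-login-page> only produces a form and authenticates nothing, and Chuck's suggestion of mapping a servlet at that path all fit together in one piece of code. The following is an added example, not code from anyone in the thread: a servlet mapped at /login that decides which login form to forward to. The class name, the path prefixes and the JSP names under /WEB-INF/login/ are assumptions. It relies on the standard javax.servlet.forward.request_uri attribute, which is present because Tomcat's form authenticator forwards to the login page rather than redirecting to it; each forwarded JSP must contain the usual form posting j_username and j_password to j_security_check.

```java
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: the <form-login-page> as a servlet. It never touches
 * credentials; Tomcat does that when the form posts to j_security_check.
 *
 * web.xml (names and paths are assumptions):
 *   <servlet>
 *     <servlet-name>loginPage</servlet-name>
 *     <servlet-class>example.LoginPageServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>loginPage</servlet-name>
 *     <url-pattern>/login</url-pattern>
 *   </servlet-mapping>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login</form-login-page>
 *       <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 */
public class LoginPageServlet extends HttpServlet {

    /** The URI the user asked for before being challenged. */
    static String originalUri(HttpServletRequest req) {
        // Tomcat's form authenticator forwards to the login page, so the
        // servlet spec's forward attribute holds the protected URI.
        Object uri = req.getAttribute("javax.servlet.forward.request_uri");
        // Someone browsing to /login directly gets no forward attribute.
        return uri == null ? req.getRequestURI() : uri.toString();
    }

    /** Choose a login form from the context-relative path (assumed layout). */
    static String loginFormFor(String contextPath, String uri) {
        String path = uri.startsWith(contextPath)
                ? uri.substring(contextPath.length()) : uri;
        if (path.startsWith("/admin/")) {
            return "/WEB-INF/login/admin_form.jsp";
        }
        if (path.startsWith("/reports/")) {
            return "/WEB-INF/login/reports_form.jsp";
        }
        return "/WEB-INF/login/default_form.jsp";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String form = loginFormFor(req.getContextPath(), originalUri(req));
        // The choice is per request; never let a cache hand out the wrong form.
        resp.setHeader("Cache-Control", "no-store");
        // Forward, don't redirect: a redirect is a brand-new request that runs
        // through the security constraints again and carries no forward attribute.
        req.getRequestDispatcher(form).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Credentials are posted to j_security_check, never to this servlet.
        doGet(req, resp);
    }
}
```

Keeping the form JSPs under /WEB-INF means they cannot be requested by URL at all, while a forward from the servlet still reaches them, so the only way to see a login form is to be sent there by the container.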


RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
If I understand you correctly, I think I should have this:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/login</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

But when called I receive a page not found exception. /login maps to a servlet I've been using to test my own logging in outside of j_security_check.

Should the servlet mapped to /login receive j_username and j_password? 



RE: Using multiple login pages

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Caldarale, Charles R 
> Subject: RE: Using multiple login pages

> If you're already using a .jsp for the login, you have all the dynamic 
> content capability you need.  If instead you want the login to be handled 
> by a servlet, just make the <form-login-page> setting target a previously
> defined <url-pattern> for some appropriate servlet of the webapp.

In the interest of full disclosure, I have to say that I haven't actually tried doing that...

 - Chuck




RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Do you mean the login page as specified in web.xml's <login-config> as below:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

Or a dedicated page calling a servlet of my own for logging in?



RE: Using multiple login pages

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin O'Shea [mailto:appy74@dsl.pipex.com] 
> Subject: RE: Using multiple login pages

> I wouldn't mind seeing a servlet specified as <form-login-page> if you know of an example.

Simply set the <url-pattern> of some <servlet-mapping> to that of the login page.

 - Chuck




RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
That's a shame. It looked promising.

I wouldn't mind seeing a servlet specified as <form-login-page> if you know of an example.



Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/5/2011 6:06 PM, Martin O'Shea wrote:
> Thanks for this Chris. It is food for thought.
> 
> I was under the impression that <form-login-page> was static,
> because that's how I seen it used in apps I've worked on.
> 
> But I am curious to try a filter as well, something like this
> mapped to the login:

That's not going to work: the authentication stuff happens before your
Filter can get its hands on the request.

-chris

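Chris's point is about ordering: the container's authenticator handles the j_security_check POST and redirects before any Filter runs, so a filter never sees j_username. What a filter does see is the subsequent, already authenticated request for the protected resource, where getRemoteUser() is set. This added example (not Martin's or Chris's code) moves the revoked-user check to that point. The class name, the revokedUsers init-param and the in-memory set are assumptions; a deployment would consult its user store, and disabling the account in the Realm's store remains the real fix, since that is what stops the login itself.

```java
package example;

import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: a revoked-user check placed where a Filter can actually see
 * an identity. Map it to the protected URLs (e.g. <url-pattern>/*</url-pattern>),
 * not to j_security_check, which the container consumes before any filter runs.
 */
public class RevokedUserFilter implements Filter {

    // Constructed sample data; a deployment would load this from the user store.
    private final Set<String> revoked =
            Collections.synchronizedSet(new HashSet<String>());

    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param: a comma-separated list of usernames.
        String list = config.getInitParameter("revokedUsers");
        if (list != null) {
            for (String user : list.split(",")) {
                revoked.add(user.trim());
            }
        }
    }

    /** Decision kept separate so it can be tested without a container. */
    boolean isRevoked(String remoteUser) {
        return remoteUser != null && revoked.contains(remoteUser);
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // By the time a Filter runs, FORM authentication has already completed:
        // for a protected resource getRemoteUser() is the authenticated principal,
        // and the j_username parameter a filter might look for is long gone.
        if (isRevoked(req.getRemoteUser())) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate(); // drop the authenticated session entirely
            }
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
```

Invalidating the session matters as much as the 403: without it the container would keep treating the user as logged in on every later request, and the filter would have to reject each one.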


RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Thanks for this Chris. It is food for thought.

I was under the impression that <form-login-page> was static, because that's how I've seen it used in apps I've worked on.

But I am curious to try a filter as well, something like this mapped to the login:

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RevokedUserFilter implements Filter {

    // usernames whose access has been revoked
    private final Set<String> revokeList = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        // populate revokeList from your user store here
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // pre login action

        // get username
        String username = req.getParameter("j_username");

        // if user is in revoked list send error
        if (revokeList.contains(username)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // call next filter in the chain : let j_security_check authenticate user
        chain.doFilter(request, response);

        // post login action
    }

    public void destroy() {
    }
}

I wouldn't mind seeing a servlet specified as <form-login-page> if you know of an example.



Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/5/2011 1:59 PM, Martin O'Shea wrote:
> I have it now. There was a redirection going on in a method called 
> from a scriptlet in the login page. It now seems to be OK.

Glad you got it going.

> But one thing bugs me still: you said that you can have 'different 
> login pages for different types of resources you're trying to
> reach.' Can you give any pointers about this?

A "page" is defined as whatever the server responds when you request a
resource. The <form-login-page> you configure in your web.xml can be
dynamic: you can do whatever you want in that page. It doesn't have to
be a static <form> that always looks the same. You can
include/forward/etc from that page. It doesn't even have to be a JSP.
You can configure the <form-login-page> to be a servlet that makes
decisions and forwards to some other .jsp file.

Use your imagination.

-chris



RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
I have it now. There was a redirection going on in a method called from a scriptlet in the login page. It now seems to be OK.

Thanks Chris.

But one thing bugs me still: you said that you can have 'different login pages for different types of resources you're trying to reach.' Can you give any pointers about this?



Re: Using multiple login pages

Posted by Pid <pi...@pidster.com>.
On 05/10/2011 18:51, Martin O'Shea wrote:
> <welcome-file-list>
>         <welcome-file>/jsp/index/newjsp.jsp</welcome-file>
> </welcome-file-list>

This is incorrect; it should contain a list of welcome-file elements
which indicate which files can be used as index files when found in a
directory.

It shouldn't give a full path to a specific file:

 <welcome-file-list>
         <welcome-file>index.jsp</welcome-file>
         <welcome-file>index.html</welcome-file>
         <welcome-file>newjsp.jsp</welcome-file>
 </welcome-file-list>


p


RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
Maybe I've misunderstood something, but I'm having a lot of trouble getting the login page to display with the following:

<welcome-file-list>
    <welcome-file>/jsp/index/newjsp.jsp</welcome-file>
</welcome-file-list>
<!-- Error pages. -->
<error-page>
    <error-code>403</error-code>
    <location>/jsp/error/error403.jsp</location>
</error-page>
<error-page>
    <error-code>404</error-code>
    <location>/jsp/error/error404.jsp</location>
</error-page>
<error-page>
    <error-code>408</error-code>
    <location>/jsp/error/error408.jsp</location>
</error-page>
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/jsp/error/error500.jsp</location>
</error-page>
<!-- Accessibility. -->
<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>myApp</web-resource-name>
        <description/>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description/>
    <role-name>ADMIN</role-name>
</security-role>

All that newjsp.jsp in the welcome list contains is 'Hello World'. But running it in several browsers, all I get is a warning about redirection. Other applications of mine using a single log in page are fine. I can't see where this one is wrong.



Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Martin,

On 10/5/2011 11:41 AM, Martin O'Shea wrote:
> This follows on from yesterday's discussion about whether in my
> application, I can have more than one page with an embedded login
> form or not.
> 
> I've been looking over the servlet spec (V2.2) and it seems that I
> can't actually do this which is a shame.

Do what, have different login pages for different types of resources
you're trying to reach? Sure you can: try reading my responses.

> So I'm now looking at a more conventional log in from a login page.
> But can anyone explain to me why I don’t see my login page when I
> run the application?
> 
> Login.jsp contains the following:

This isn't relevant if you're not seeing it.

> Which corresponds to the following in web.xml:
> 
> <welcome-file-list>
>   <welcome-file>/jsp/about/concept.jsp</welcome-file>
> </welcome-file-list>
> 
> <security-constraint>
>   <web-resource-collection>
>     <url-pattern>/aboutConcept</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <description/>
>     <role-name>ADMIN</role-name>
>   </auth-constraint>
> </security-constraint>
> 
> <login-config>
>   <form-login-config>
>     <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
>     <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> 
> But when I run the application, all I get is the html of the page
> specified in the welcome file list?

Is that a question or a statement?

> But if I then invoke a link from the welcome file, I get the login
> page. Surely it should be the other way around?

Your welcome file is not protected in any way, so you are not
challenged for credentials. If you want to login to see every page on
your site, you should have <url-pattern>/*</url-pattern> in your
<web-resource-collection>.

-chris



RE: Using multiple login pages

Posted by Martin O'Shea <ap...@dsl.pipex.com>.
This follows on from yesterday's discussion about whether in my application,
I can have more than one page with an embedded login form or not. 

I've been looking over the servlet spec (V2.2) and it seems that I can't
actually do this which is a shame. So I'm now looking at a more conventional
log in from a login page. But can anyone explain to me why I don’t see my
login page when I run the application?

Login.jsp contains the following:

<%-- The c:url tag below needs the JSTL core taglib declared on the page --%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

<form action="<c:url value='j_security_check' />" method="post">
    <table align="center" border="0" cellspacing="0">
        <tr>
            <th align="right"><font class="label">Username</font></th>
            <td align="left"><input class="textInput" name="j_username" type="text"></td>
        </tr>
        <tr>
            <th align="right"><font class="label">Password</font></th>
            <td align="left"><input class="textInput" name="j_password" type="password"></td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input class="button" type="submit" value="Log in">
                <input class="button" type="reset" value="Clear">
            </td>
        </tr>
    </table>
</form>

Which corresponds to the following in web.xml:

<welcome-file-list>
    <welcome-file>/jsp/about/concept.jsp</welcome-file>
</welcome-file-list>

<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>myApp</web-resource-name>
        <description/>
        <url-pattern>/aboutConcept</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <description/>
    <role-name>ADMIN</role-name>
</security-role>

But when I run the application, all I get is the html of the page specified
in the welcome file list? But if I then invoke a link from the welcome file,
I get the login page. Surely it should be the other way around?


-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: 04 Oct 2011 19 56
To: Tomcat Users List
Subject: Re: Using multiple login pages

appy74@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would like 
> to accommodate MD5 verification into things. There's no sensitive or 
> confidential info in the system either so protected page access may not be
required.
> 
I don't know what you have in mind, but there are some basic principles to
avoid wasting your time :

1) In Tomcat (and other servlet engines), there are 2 different ways of
doing authentication :
- declarative, as per web.xml. In that case Tomcat, /before it even calls
the webapp or any filter in it/, intercepts a non-authenticated call and
returns *the* login form to the browser.  It then (later) intercepts the
submit of that form by the browser, checks the credentials, and if they pass
muster, it allows the call to proceed to the webapp which the user wanted in
the first place.
- application- or filter-based authentication : in this case, Tomcat is not
aware that there is an authentication taking place.  It forwards the call to
the webapp, and a filter /in the webapp/ intercepts the call and does
whatever is needed to check the authentication, return a login form etc..
This second authentication scheme is probably more flexible for doing the
kind of thing you seem to want to do (but also more complex to do).

2) There already exist a number of authentication systems on the market.
Unless this is considered as an exercise, re-use an existing one instead of
rolling your own.  Web authentication looks deceptively simple, but is in
fact quite complex and delicate, and open to many mistakes which completely
defeat the purpose.
(This being said, if it is an exercise, it is an interesting area).

3) anything that your server sends to a browser should be considered "open
and lost".
Once you send something out there, the recipient can do with it what he
wants : save it, analyse it, copy it, decompile it, falsify it, re-send it
to your server and whatnot.  There is no practical way to avoid that.
(You don't even know that it is really a browser out there).

4) the only good way to secure things if you do form authentication, is to
work over HTTPS.
The customer is going to type a login-id and a password, in the form, in
clear.
The browser is going to send this over HTTP to the server.
Anyone who can "sniff" this traffic is going to see what is sent.
And even if he does not understand it, he can record it and replay it.
But not under HTTPS.

5) users always take the easy path.  That means that, if they can choose
their password, they will pick the same one as the one they use already for
their network login, for their email account, for their bank account, etc..
So if anyone subverts /your/ login system - even if on /your/ server there
is nothing vital to grab - the damage is probably not limited to your
server.  You don't want to be accused of facilitating the bad guy's job.

6) If you are thinking of encrypting the data in the browser, it's probably
not worth the effort. For that, you will have to write some special code,
and download it to the browser to run it there. Once you do that, it can be
saved, analysed, replicated, falsified, disabled.
So why bother ?

HTH. Been there, etc..





Re: Using multiple login pages

Posted by André Warnier <aw...@ice-sa.com>.
appy74@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would like to accommodate MD5 
> verification into things. There's no sensitive or confidential info in the system either so 
> protected page access may not be required. 
> 
I don't know what you have in mind, but there are some basic principles to avoid wasting
your time :

1) In Tomcat (and other servlet engines), there are 2 different ways of doing authentication :
- declarative, as per web.xml. In that case Tomcat, /before it even calls the webapp or
any filter in it/, intercepts a non-authenticated call and returns *the* login form to the
browser.  It then (later) intercepts the submit of that form by the browser, checks the
credentials, and if they pass muster, it allows the call to proceed to the webapp which
the user wanted in the first place.
- application- or filter-based authentication : in this case, Tomcat is not aware that
there is an authentication taking place.  It forwards the call to the webapp, and a filter
/in the webapp/ intercepts the call and does whatever is needed to check the
authentication, return a login form etc..
This second authentication scheme is probably more flexible for doing the kind of thing
you seem to want to do (but also more complex to do).

2) There already exist a number of authentication systems on the market.  Unless this is 
considered as an exercise, re-use an existing one instead of rolling your own.  Web 
authentication looks deceptively simple, but is in fact quite complex and delicate, and 
open to many mistakes which completely defeat the purpose.
(This being said, if it is an exercise, it is an interesting area).

3) anything that your server sends to a browser should be considered "open and lost".
Once you send something out there, the recipient can do with it what
he wants : save it, analyse it, copy it, decompile it, falsify it, re-send it to your
server and whatnot.  There is no practical way to avoid that.
(You don't even know that it is really a browser out there).

4) the only good way to secure things if you do form authentication, is to work over HTTPS.
The customer is going to type a login-id and a password, in the form, in clear.
The browser is going to send this over HTTP to the server.
Anyone who can "sniff" this traffic is going to see what is sent.
And even if he does not understand it, he can record it and replay it.
But not under HTTPS.

5) users always take the easy path.  That means that, if they can choose their password,
they will pick the same one as the one they use already for their network login, for their 
email account, for their bank account, etc.. So if anyone subverts /your/ login system - 
even if on /your/ server there is nothing vital to grab - the damage is probably not 
limited to your server.  You don't want to be accused of facilitating the bad guy's job.

6) If you are thinking of encrypting the data in the browser, it's probably not worth the
effort. For that, you will have to write some special code, and download it to the
browser to run it there. Once you do that, it can be saved, analysed, replicated, 
falsified, disabled.
So why bother ?

HTH. Been there, etc..
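Added example, not taken from any of the posts in this thread: Martin's web.xml with the two changes the replies point at. Chris's remark that the welcome file was simply outside the <security-constraint> is addressed by protecting /* (the login and error pages keep working because Tomcat reaches them through an internal forward, not through a browser request that the constraint would intercept), and André's point 4 is addressed by changing the transport guarantee from NONE to CONFIDENTIAL so j_username and j_password are only ever posted over HTTPS. The paths, realm name and ADMIN role are the ones Martin posted; the display name and the comments are mine.

```xml
<!-- Added example (not from the thread): Martin's web.xml with the welcome
     file brought under the constraint and the form post forced onto HTTPS. -->

<welcome-file-list>
    <welcome-file>/jsp/about/concept.jsp</welcome-file>
</welcome-file-list>

<!-- /aboutConcept alone left the welcome file unprotected, which is why no
     login was asked for until a protected link was followed. /* covers the
     welcome file and everything else. Tomcat serves the login and error pages
     by forwarding to them internally, so they do not need to be carved out. -->
<security-constraint>
    <display-name>Whole application</display-name>
    <web-resource-collection>
        <web-resource-name>myApp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <!-- NONE lets the browser post the password in clear (André's point 4).
         CONFIDENTIAL makes Tomcat redirect a plain-HTTP request to HTTPS
         before the form is ever shown, so the credentials are never on the
         wire unencrypted. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>ADMIN</role-name>
</security-role>
```

Two things to check before relying on it. CONFIDENTIAL only works if Tomcat has somewhere to send the redirect: an HTTPS connector in server.xml, and the redirectPort attribute of the HTTP connector pointing at it; without that the request just fails. And if login.jsp pulls in a stylesheet or images, those are now behind the constraint too and will not load for a visitor who is not yet logged in; give such paths their own <security-constraint> with a <web-resource-collection> and no <auth-constraint>, which Tomcat applies in preference to /* because the more specific pattern wins.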





Re: Using multiple login pages

Posted by ap...@dsl.pipex.com.
Not sure about which version of security I will use but I would like to accommodate MD5 
verification into things. There's no sensitive or confidential info in the system either so 
protected page access may not be required. 

Thanks Andre and Chris.

Quoting André Warnier <aw...@ice-sa.com>:

> Christopher Schultz wrote:
> ...
> 
> (I agree with what precedes this)
> > 
> > So, you can sniff the original request URI and serve-up whatever
> > flavor of login page you want. 
> 
> But with declarative security, that's kind of hard to do, no ?
> Can't do that with a Servlet Filter.
> 




Re: Using multiple login pages

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
...

(I agree with what precedes this)
> 
> So, you can sniff the original request URI and serve-up whatever
> flavor of login page you want. 

But with declarative security, that's kind of hard to do, no ?
Can't do that with a Servlet Filter.




Re: Using multiple login pages

Posted by ap...@dsl.pipex.com.
Thanks Chris. I'll be reading the spec soon enough.

Quoting Christopher Schultz <ch...@christopherschultz.net>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Martin,
> 
> On 10/4/2011 1:12 PM, appy74@dsl.pipex.com wrote:
> > Before I look at the specification
> 
> :(
> 
> You should read the spec all the way through IMO. It's not that long,
> it's well-written and readable by real humans (and not
> techno-lawyers), and very informative.
> 
> > maybe I should clarify my question: can I have the login form 
> > embedded in different pages?
> 
> You can put your login form wherever you want. Just be aware that the
> container is going to intercept any non-authenticated access attempts
> to protected resources and forward them to the one-and-only login page
> you have configured in <form-login-page>.
> 
> > This way, there would be only one <login-config> element where re- 
> > direction could resolve the welcome page issue once login is
> > achieved.
> > 
> > Each page would then be able to direct  each of which calls the
> > same login authentication, but
> 
> But what?
> 
> Your login.jsp page can forward/include anything it wants, as long as
> none of the resources it tries to include/forward to are protected.
> 
> So, you can sniff the original request URI and serve-up whatever
> flavor of login page you want. To see how to do *that*, I'm going to
> make you read the spec :)
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk6LRtoACgkQ9CaO5/Lv0PDdiACgiXTpEM7sH9ttfSzyf2n4e+0v
> XsEAmwWgoS08TAcSwMzN5hI8ox+7SnDZ
> =Ihdu
> -----END PGP SIGNATURE-----
> 




Re: Using multiple login pages

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin,

On 10/4/2011 1:12 PM, appy74@dsl.pipex.com wrote:
> Before I look at the specification

:(

You should read the spec all the way through IMO. It's not that long,
it's well-written and readable by real humans (and not
techno-lawyers), and very informative.

> maybe I should clarify my question: can I have the login form 
> embedded in different pages?

You can put your login form wherever you want. Just be aware that the
container is going to intercept any non-authenticated access attempts
to protected resources and forward them to the one-and-only login page
you have configured in <form-login-page>.

> This way, there would be only one <login-config> element where re- 
> direction could resolve the welcome page issue once login is
> achieved.
> 
> Each page would then be able to direct  each of which calls the
> same login authentication, but

But what?

Your login.jsp page can forward/include anything it wants, as long as
none of the resources it tries to include/forward to are protected.

So, you can sniff the original request URI and serve-up whatever
flavor of login page you want. To see how to do *that*, I'm going to
make you read the spec :)

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6LRtoACgkQ9CaO5/Lv0PDdiACgiXTpEM7sH9ttfSzyf2n4e+0v
XsEAmwWgoS08TAcSwMzN5hI8ox+7SnDZ
=Ihdu
-----END PGP SIGNATURE-----
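As an added example, not code from Chris, from Martin or from Tomcat itself, here is one way to do what Chris describes: keep the single <form-login-page> the spec allows, but make it a servlet that looks at the URI the user originally asked for and includes a different form for different parts of the site. The assumptions are mine: web.xml maps this servlet at /login and names /login as the <form-login-page>; Tomcat reaches the login page through a RequestDispatcher forward, so the original URI is available in the javax.servlet.forward.request_uri attribute the spec defines for forwards; and the form fragments live under /WEB-INF/login/, which takes care of Chris's caveat about protected resources because nothing under WEB-INF can be requested by a browser at all, it can only be included by the dispatcher. The prefixes /admin/ and /reports/ are made-up examples.

```java
// Added example, not from the thread: one <form-login-page> (/login) that
// shows different login forms depending on which part of the site the user
// was trying to reach. Assumes web.xml maps this servlet at /login.
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginPageServlet extends HttpServlet {

    // Fixed allow-list of area prefix -> form fragment (paths are made up).
    // Fragments live under WEB-INF so a browser can never request them
    // directly; they are only reachable through the dispatcher below.
    private static final Map<String, String> FORMS = new LinkedHashMap<String, String>();
    static {
        FORMS.put("/admin/",   "/WEB-INF/login/adminForm.jsp");
        FORMS.put("/reports/", "/WEB-INF/login/reportsForm.jsp");
    }
    private static final String DEFAULT_FORM = "/WEB-INF/login/defaultForm.jsp";

    /**
     * Chooses the form for the URI the user originally requested. The URI is
     * only compared against the fixed keys above and is never written into
     * the response, so untrusted input stays out of the page. Unknown or
     * missing URIs get the default form.
     */
    static String selectForm(String contextPath, String originalUri) {
        if (originalUri == null || !originalUri.startsWith(contextPath)) {
            return DEFAULT_FORM;
        }
        String inApp = originalUri.substring(contextPath.length());
        for (Map.Entry<String, String> e : FORMS.entrySet()) {
            if (inApp.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return DEFAULT_FORM;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Tomcat forwards to the login page, so the URI the user actually asked
        // for is in the standard forward attribute. If someone opens /login
        // directly there is no forward and the attribute is null.
        String original = (String) req.getAttribute("javax.servlet.forward.request_uri");
        String form = selectForm(req.getContextPath(), original);

        // A page carrying a credential form must not be cached.
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html;charset=UTF-8");

        RequestDispatcher rd = getServletContext().getRequestDispatcher(form);
        rd.include(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The original request may have been a POST; show the same form.
        // Credential submission itself goes to j_security_check, not here.
        doGet(req, resp);
    }
}
```

Each fragment is just the form Martin posted (action j_security_check, fields j_username and j_password) with whatever branding that area of the site needs. Sending the user back to the page they first asked for after a successful login is still done by the container, exactly as with a single login.jsp; the servlet never redirects anywhere, so there is no open-redirect surface to worry about.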



RE: Using multiple login pages

Posted by ap...@dsl.pipex.com.
Before I look at the specification, maybe I should clarify my question: can I have the login form 
embedded in different pages? This way, there would be only one <login-config> element where re-
direction could resolve the welcome page issue once login is achieved.

Each page would then be able to direct  each of which calls the same login authentication, but 

Quoting "Caldarale, Charles R" <Ch...@unisys.com>:

> > From: appy74@dsl.pipex.com [mailto:appy74@dsl.pipex.com] 
> > Subject: Using multiple login pages 
> 
> > is it possible with Tomcat 6.0.26 for multiple login pages 
> > to be specified?
> 
> Read the servlet spec, especially section 13.2.  A webapp may have only one
> <login-config> element, so there cannot be multiple login pages, if you stick
> with declarative security.  Various frameworks (e.g., Spring) _might_ have
> the ability to display different login pages in a single webapp, but you'll
> have to look at the doc for those.
> 
>  - Chuck
> 




RE: Using multiple login pages

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: appy74@dsl.pipex.com [mailto:appy74@dsl.pipex.com] 
> Subject: Using multiple login pages 

> is it possible with Tomcat 6.0.26 for multiple login pages 
> to be specified?

Read the servlet spec, especially section 13.2.  A webapp may have only one <login-config> element, so there cannot be multiple login pages, if you stick with declarative security.  Various frameworks (e.g., Spring) _might_ have the ability to display different login pages in a single webapp, but you'll have to look at the doc for those.

 - Chuck

