Posted to users@tomcat.apache.org by Gregor Schneider <rc...@googlemail.com> on 2006/08/08 18:22:32 UTC

Modifying saved URL from j_security_check

Hi list,

Imagine a framed web-application: After session-timeout, the user clicks on
a link in an outer frame which has the inner frame as its target.
What happens? j_security_check is called, login-page displayed,
authorization performed and saved url is requested. Unfortunately, your
framed view gets lost.

Therefore I'm looking for a possibility to modify the savedURL in
j_security_check.

I know that a filter in tomcat can't be applied to j_security_check, I've
tried a Valve, however, I can't access the necessary objects like
org.apache.catalina.session, when inheriting from ValveBase.

Has anyone from the list ever manipulated j_security_check? Or does anybody
have an alternative solution (like writing an own j_security_check)?

Inserting frame-breaks into the html-pages via Javascript is, unfortunately,
not an option.

Any suggestions highly appreciated!

Greg

PS.: We're talking about Tomcat 5.0.28
-- 
what's puzzlin' you, is the nature of my game

Re: Modifying saved URL from j_security_check

Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Mark,

currently it's pretty busy here, therefore I couldn't try your suggestion
yet.

However, what I've tried so far is:

I've subclassed *all* Authenticators from org.apache.catalina.authenticator
(Digest, Form and SSL) since I thought that maybe some other Authenticator
is being triggered since we're running SSL here, I've again patched
Authenticator.properties, however, to no avail.
I renamed catalina.jar to catalina5.0.28Patched.jar (after moving the
original catalina.jar to some other directory), but this can't be the reason
for this odd behaviour.

I'll continue now with your suggestion and will keep you posted.

Thanks again!

Greg
-- 
what's puzzlin' you, is the nature of my game

Re: Modifying saved URL from j_security_check

Posted by Mark Thomas <ma...@apache.org>.
Gregor Schneider wrote:
> Hi Mark,
> 
> something really, really strange is happening here: As you suggested, I've
> subclassed org.apache.catalina.authenticator.FormAuthenticator, patched the
> Authenticators.properties in catalina.jar, however, my own Authenticator is
> not being used.

<snip/>

> I thought that maybe the reason for this might be that we're running in
> SSL-mode, however, same behaviour when using pure http....

Hmm. Odd. Very odd. I am using 5.5.x and other weird things are
happening that I need to fix. In the mean-time, can you try plan B
below? Make sure that you use the jars in your Tomcat installation to
compile against.

My authenticator is being called but the process is failing due to a
struts error I don't yet understand. Anyway, can you try the following?

Copy org.apache.catalina.authenticator.FormAuthenticator, add a
System.out somewhere and place the compiled class in
server/classes/org/apache/catalina/authenticator/FormAuthenticator.class

Authenticators.properties should be as per a clean installation

This should over-ride the class in the jar and call your code.

Best of luck.

Mark




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
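
Added example, not part of the original thread or of Tomcat: an audit check for the override Mark describes above, where a class file placed under server/classes stands in for the same class shipped in a jar. The function names, the constructed sample tree, and the assumption that the jars sit in server/lib beside server/classes are this example's own.

```python
import os
import tempfile
import zipfile


def find_shadowed_classes(server_dir):
    """Map each .class under server/classes to the server/lib jars that ship it."""
    classes_root = os.path.join(server_dir, "classes")
    lib_root = os.path.join(server_dir, "lib")
    jar_index = {}  # jar entry -> names of jars containing it
    jars = sorted(os.listdir(lib_root)) if os.path.isdir(lib_root) else []
    for name in jars:
        if not name.endswith(".jar"):
            continue
        try:
            with zipfile.ZipFile(os.path.join(lib_root, name)) as jar:
                for entry in jar.namelist():
                    if entry.endswith(".class"):
                        jar_index.setdefault(entry, []).append(name)
        except zipfile.BadZipFile:
            continue  # corrupt or non-zip file named *.jar: skip it
    shadowed = {}
    for dirpath, _dirs, files in os.walk(classes_root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), classes_root)
            entry = rel.replace(os.sep, "/")  # jar entries always use "/"
            if fname.endswith(".class") and entry in jar_index:
                shadowed[entry] = jar_index[entry]
    return shadowed


def build_sample_layout(root):
    """Constructed sample tree: a stand-in catalina.jar plus one loose override."""
    entry = "org/apache/catalina/authenticator/FormAuthenticator.class"
    server = os.path.join(root, "server")
    os.makedirs(os.path.join(server, "lib"))
    with zipfile.ZipFile(os.path.join(server, "lib", "catalina.jar"), "w") as jar:
        jar.writestr(entry, b"stock")
        jar.writestr(entry.replace("Form", "Basic"), b"stock")
    target = os.path.join(server, "classes", *entry.split("/"))
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as fh:
        fh.write(b"patched")
    return server


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for entry, jars in find_shadowed_classes(build_sample_layout(tmp)).items():
            print(entry, "is overridden; also in", jars)
```

Any hit under org/apache/catalina/authenticator/ means the container's login handling is no longer the code shipped in the jar, so the loose class file should be traceable to a known change.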


Re: Modifying saved URL from j_security_check

Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Mark,

something really, really strange is happening here: As you suggested, I've
subclassed org.apache.catalina.authenticator.FormAuthenticator, patched the
Authenticators.properties in catalina.jar, however, my own Authenticator is
not being used.
Strange though, since if I delete my jar where my Authenticator resides from
server/lib, Tomcat won't start up grumping that my class is missing...

I've overwritten the methods invoke(), where I'm just throwing an Exception
(to make sure that my class is really triggered as a 1st try), also I've
overwritten the method restoreRequest() and authenticate() - none of the
methods gets hit.

Do you have any idea what I'm missing here?

Below is my code (short & simple):

================[cut]=======================

package com.cr.manuals.catalina;

import java.io.IOException;
import java.util.Iterator;
import java.util.Locale;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.Session;
import org.apache.catalina.ValveContext;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.SavedRequest;
import org.apache.catalina.deploy.LoginConfig;

public class FormAuthenticator extends
        org.apache.catalina.authenticator.FormAuthenticator {

    /**
     * Enforce the security restrictions in the web application deployment
     * descriptor of our associated Context.
     *
     * @param request Request to be processed
     * @param response Response to be processed
     * @param context The valve context used to invoke the next valve
     *  in the current processing pipeline
     *
     * @exception IOException if an input/output error occurs
     * @exception ServletException if thrown by a processing element
     */
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException {

        System.out.println("******** inside own invoke ********");
        throw new ServletException("Inside invoke");
    }


    /**
     * Authenticate the user making this request, based on the specified
     * login configuration.  Return <code>true</code> if any specified
     * constraint has been satisfied, or <code>false</code> if we have
     * created a response challenge already.
     *
     * @param request Request we are processing
     * @param response Response we are creating
     * @param config    Login configuration describing how authentication
     *              should be performed
     *
     * @exception IOException if an input/output error occurs
     */
    public boolean authenticate(HttpRequest request,
                                HttpResponse response,
                                LoginConfig config)
        throws IOException {

        System.out.println ("*********** inside own authenticate ********");
        return super.authenticate(request, response, config);
    }

    /**
     * Restore the original request from information stored in our session.
     * If the original request is no longer present (because the session
     * timed out), return <code>false</code>; otherwise, return
     * <code>true</code>.
     *
     * @param request The request to be restored
     * @param session The session containing the saved information
     */
    protected boolean restoreRequest(HttpRequest request, Session session) {

        System.out.println("********* inside own restore *********");
        return super.restoreRequest(request, session);
    }
 }

================[cut]=======================

This is the content of my Authenticators.properties:

================[cut]=======================

BASIC=org.apache.catalina.authenticator.BasicAuthenticator
CLIENT-CERT=org.apache.catalina.authenticator.SSLAuthenticator
DIGEST=org.apache.catalina.authenticator.DigestAuthenticator
FORM=com.cr.manuals.catalina.FormAuthenticator
NONE=org.apache.catalina.authenticator.NonLoginAuthenticator

================[cut]=======================

I thought that maybe the reason for this might be that we're running in
SSL-mode, however, same behaviour when using pure http....

FYI: Tomcat 5.0.28, Suse Linux 9.1

Clueless...

Greg
-- 
what's puzzlin' you, is the nature of my game

Re: Modifying saved URL from j_security_check

Posted by Mark Thomas <ma...@apache.org>.
Gregor Schneider wrote:
> Any suggestions highly appreciated!

Subclassing o.a.c.authenticator.FormAuthenticator? You would need to
modify Authenticators.properties which resides in catalina.jar

