Posted to dev@geronimo.apache.org by "Ralf Baumhof (JIRA)" <ji...@apache.org> on 2008/03/17 13:29:24 UTC

[jira] Created: (GERONIMO-3923) Login established without tomcat notification

Login established without tomcat notification
---------------------------------------------

                 Key: GERONIMO-3923
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3923
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security
    Affects Versions: 2.1, 2.0.2
         Environment: Windows, Linux
            Reporter: Ralf Baumhof


I have set up a security realm (sql realm). In web.xml tomcat is advised to keep a watch on all pages lying in directory /pages. I use a form login. If the login form is designed to use j_security_check action, the servlet authentication works. The first try to access a page in /pages/* area leads to the login form and after successful login the page is displayed. However, the application has strong security impacts, so we would prefer to use a JSF backing bean which performs a LoginContext method for login to geronimo. This also works. The login succeeds and I get a principal. But the application is not logged in at tomcat webcontainer. It's not possible to access the pages in /pages/* area. Is this a bug or a feature? What must be done if one wants to use the LoginContext way? According to the geronimo wiki I suggest that it should work.




-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Assigned: (GERONIMO-3923) Login established without tomcat notification

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks reassigned GERONIMO-3923:
--------------------------------------

    Assignee: David Jencks



[jira] Closed: (GERONIMO-3923) Login established without tomcat notification

Posted by "Ralf Baumhof (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/GERONIMO-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralf Baumhof closed GERONIMO-3923.
----------------------------------

    Resolution: Invalid

Works as designed



[jira] Commented: (GERONIMO-3923) Login established without tomcat notification

Posted by "David Jencks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/GERONIMO-3923?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12579503#action_12579503 ] 

David Jencks commented on GERONIMO-3923:
----------------------------------------

Could you please ask about this on the user mailing list? So far you haven't described anything that looks like a bug to me. JavaEE security is designed for the container to do the login, not the application, so it's not too surprising that having your application do the login doesn't work.

In your post please describe the JSF bean code, whether you wrote it and have control over it, and where you are looking in the wiki. I think I may have dealt with a similar issue once integrating the jetspeed 2 portal. Hopefully we will be able to find a solution that is consistent with JavaEE and does what you need.


