Posted to users@tomcat.apache.org by Tim K <ti...@gmail.com> on 2021/04/07 18:22:43 UTC

Setting a Request Attribute from a custom Realm

I have a custom realm which I'm receiving custom messages back within
the realm code and I want to display these messages on the login page,
but I have no idea how this can be accomplished with a custom realm
which is overriding the Principal authenticate method.  Any help would
be appreciated, Tomcat is version 9.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Setting a Request Attribute from a custom Realm

Posted by Tim K <ti...@gmail.com>.
On Tue, Apr 13, 2021 at 9:22 PM Tim K <ti...@gmail.com> wrote:
>
> On Fri, Apr 9, 2021 at 7:48 AM Tim K <ti...@gmail.com> wrote:
> > As mentioned in that url, doing a pre-login of sorts before calling
> > HttpServletRequest.login() may be a workaround to accomplish this, but
> > then I would need to call my backend authentication service twice for
> > each login.
> >
> > -Tim
>
> I've been looking into this further.  Is it possible to completely
> disable or change the URL for the "j_security_check" to something else
> while still keeping form-login?  I want to write my own servlet to
> perform the login via HttpServletRequest.login() instead of putting
> the password verification logic in the realm so that I have scope to
> the request to display custom error messages back to the user.  I'll
> want the realm to be very generic, almost just creating a Principal
> for anything that hits it, but I want to ensure my custom login is the
> only thing that performs the login() for obvious reasons.
>
> -Tim

Bringing back this one as I never got any bites on it.  I'm still
faced with figuring out a solution.

If I only want to programmatically login the user via
HttpServletRequest.login(), how could I prevent users from just
directly POST-ing to j_security_check on their own and bypassing my
own login action?



Re: Setting a Request Attribute from a custom Realm

Posted by Tim K <ti...@gmail.com>.
On Fri, Apr 9, 2021 at 7:48 AM Tim K <ti...@gmail.com> wrote:
> As mentioned in that url, doing a pre-login of sorts before calling
> HttpServletRequest.login() may be a workaround to accomplish this, but
> then I would need to call my backend authentication service twice for
> each login.
>
> -Tim

I've been looking into this further.  Is it possible to completely
disable or change the URL for the "j_security_check" to something else
while still keeping form-login?  I want to write my own servlet to
perform the login via HttpServletRequest.login() instead of putting
the password verification logic in the realm so that I have scope to
the request to display custom error messages back to the user.  I'll
want the realm to be very generic, almost just creating a Principal
for anything that hits it, but I want to ensure my custom login is the
only thing that performs the login() for obvious reasons.

-Tim



Re: Setting a Request Attribute from a custom Realm

Posted by Tim K <ti...@gmail.com>.
On Thu, Apr 8, 2021 at 1:38 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> I have some sketches of something like this literally on paper somewhere
> around here to create an interface for applications to subscribe to
> authentication events. It would, for example, allow you to write a
> "failed login" record to your database that includes not only the user's
> username who failed, but also their IP address (which comes from the
> request, of course).
>
> Would that kind of thing help in your use-case?

I'm looking for a way to give more information back to the user if
their account is locked or not...  Right now it's very generic and
that is good from a security perspective, but I need to be able to
tell the user that their account is locked after so many attempts and
they will need to take action to unlock it.

I found this on the web:
https://stackoverflow.com/questions/7584208/detect-a-realm-authentication-failure-reason-in-tomcat

Is the "com.ofc.tomcat.LOGIN_FAILURE_MESSAGE" still around in Tomcat
9?  Not sure how to use it even if it was...

As mentioned in that url, doing a pre-login of sorts before calling
HttpServletRequest.login() may be a workaround to accomplish this, but
then I would need to call my backend authentication service twice for
each login.

-Tim



Re: Setting a Request Attribute from a custom Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,

On 4/8/21 09:11, Tim K wrote:
> On Wed, Apr 7, 2021, 3:43 PM Christopher Schultz <
> chris@christopherschultz.net> wrote:
> 
>> You can't, using the existing API.
>>
>> You might be able to do it with some nasty ThreadLocal solution, but I
>> think you are stuck without resorting to legerdemain.
>>
>> -chris
> 
> 
> Would it be possible to implement a new feature to the existing realm API
> so it can accommodate messages passed back to the front end?

I have some sketches of something like this literally on paper somewhere 
around here to create an interface for applications to subscribe to 
authentication events. It would, for example, allow you to write a 
"failed login" record to your database that includes not only the user's 
username who failed, but also their IP address (which comes from the 
request, of course).

Would that kind of thing help in your use-case?

> For example, when using the LockoutRealm, is there a way from the front-end
> to alert the user that they are actually locked out?
No, it doesn't do that. You simply get an authentication failure.

Something I hadn't considered was the potential flexibility of the 
JASPIC authenticator, which may be able to do stuff like this. I have 
never dived into how all that works.

-chris



Re: Setting a Request Attribute from a custom Realm

Posted by Tim K <ti...@gmail.com>.
On Wed, Apr 7, 2021, 3:43 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

> You can't, using the existing API.
>
> You might be able to do it with some nasty ThreadLocal solution, but I
> think you are stuck without resorting to legerdemain.
>
> -chris


Would it be possible to implement a new feature to the existing realm API
so it can accommodate messages passed back to the front end?  For example,
when using the LockoutRealm, is there a way from the front-end to alert the
user that they are actually locked out?

- Tim

Re: Setting a Request Attribute from a custom Realm

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Tim,

On 4/7/21 14:22, Tim K wrote:
> I have a custom realm which I'm receiving custom messages back within
> the realm code and I want to display these messages on the login page,
> but I have no idea how this can be accomplished with a custom realm
> which is overriding the Principal authenticate method.  Any help would
> be appreciated, Tomcat is version 9.

You can't, using the existing API.

You might be able to do it with some nasty ThreadLocal solution, but I 
think you are stuck without resorting to legerdemain.

-chris
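A worked version of the two ideas in this thread, the single login servlet calling HttpServletRequest.login() that Tim describes and the ThreadLocal hand-off Chris mentions, as an added example that is not code from the thread or from Tomcat: the backend call and its status strings, the class names and the /do-login path are constructed, and the three classes go in the separate files the comments name (the holder and the Realm in a jar on Tomcat's lib classpath so both class loaders see the same ThreadLocal).

```java
// --- LoginFailureReason.java (jar on Tomcat's lib classpath, shared by Realm and webapp)
public final class LoginFailureReason {
    private static final ThreadLocal<String> REASON = new ThreadLocal<>();
    public static void set(String reason) { REASON.set(reason); }
    // Read once and clear: request threads are pooled, so a stale value must never leak
    // into the next request this thread serves.
    public static String take() { String r = REASON.get(); REASON.remove(); return r; }
}
// --- LockAwareRealm.java (same jar; configured with <Realm className="LockAwareRealm"/>)
public class LockAwareRealm extends org.apache.catalina.realm.RealmBase {
    // Hypothetical backend call; the constructed statuses stand in for the real service.
    protected String backendAuthenticate(String username, String credentials) {
        if ("locked.user".equals(username)) return "ACCOUNT_LOCKED";
        return "s3cret".equals(credentials) ? "OK" : "BAD_CREDENTIALS";
    }
    @Override
    public java.security.Principal authenticate(String username, String credentials) {
        String status = backendAuthenticate(username, credentials);
        if (!"OK".equals(status)) {
            LoginFailureReason.set(status);  // same thread that called request.login()
            return null;                     // null tells Tomcat the login failed
        }
        return new org.apache.catalina.realm.GenericPrincipal(
                username, credentials, java.util.Collections.singletonList("user"));
    }
    // Required by RealmBase; unused here because authenticate() is overridden.
    @Override protected String getPassword(String username) { return null; }
    @Override protected java.security.Principal getPrincipal(String username) { return null; }
}
// --- LoginServlet.java (in the webapp): the only code path that calls login()
@javax.servlet.annotation.WebServlet("/do-login")
public class LoginServlet extends javax.servlet.http.HttpServlet {
    @Override
    protected void doPost(javax.servlet.http.HttpServletRequest req,
                          javax.servlet.http.HttpServletResponse resp)
            throws javax.servlet.ServletException, java.io.IOException {
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
            resp.sendRedirect(req.getContextPath() + "/");
        } catch (javax.servlet.ServletException failed) {
            String reason = LoginFailureReason.take();
            // A lockout message confirms the account exists; keep every other reason generic.
            req.setAttribute("loginMessage", "ACCOUNT_LOCKED".equals(reason)
                    ? "This account is locked after too many failed attempts; unlock it before retrying."
                    : "Invalid username or password.");
            req.getRequestDispatcher("/login.jsp").forward(req, resp);
        } finally { LoginFailureReason.take(); }  // clear even on success
    }
}
```

The hand-off works because Tomcat runs the Realm's authenticate() synchronously on the request thread inside request.login(); the finally block and the read-once take() are what keep the ThreadLocal from bleeding a previous user's failure reason into another request on a pooled thread.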
