Posted to users@tomcat.apache.org by Willie Vu <wi...@yahoo.com> on 2001/10/05 05:27:59 UTC

Question on FORM based authentication in Tomcat 4.0

I would like to achieve the following:

- allow user to login directly without first accessing a protected area.
After successful login, I want to forward the user to a default mypage.jsp.

To do the above, I have to detect if the login page is accessed directly.  If
so, I need to force in the default mypage.jsp.  In Tomcat 3.2.1, there is
the session attribute "tomcat.auth.originalLocation" where I can force in
the default page.  However, in Tomcat 4.0, a new Note API is employed.  It
hides internal attributes from external use.  So, the only hook -
"tomcat.auth.originalLocation", is not available in Tomcat 4.0.

I know that the Servlet 2.3 spec doesn't spell out how to handle direct access
to the login page.  I scanned through the mail archive and noticed a lot of
people want to do this.  Can someone give us a sound solution?

Regards,

Willie


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


Re: Question on FORM based authentication in Tomcat 4.0

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 5 Oct 2001, Pae Choi wrote:

> Date: Fri, 5 Oct 2001 01:47:30 -0700
> From: Pae Choi <pa...@earthlink.net>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org, Willie Vu <wi...@yahoo.com>
> Cc: tomcat-user@jakarta.apache.org
> Subject: Re: Question on FORM based authentication in Tomcat 4.0
>
> Among many options proposed by Craig, I personally like the
> "Get Some New Users" option. Wouldn't it be wonderful to
> be able to work in an environment where we have such an option. :-)
>

I wish ... :-)

> I will be more than happy to hear about it if there is such a working
> environment.
>
> To return from the digression, I am not aware of the initial issue
> of this thread, so I may be missing the point here. But I do not
> see any big issue whether we use the BASIC or FORM-based
> authentication from the SECURITY perspective. Both of them are
> transmitted in clear text, which is a more critical issue to me.
> I am not saying that we do not have a solution for that though.
>

You're correct -- there is basically no difference from a security
perspective.  The only advantage of form-based login is you can customize
the look and feel of the login page, instead of just living with the
little pop-up window that your browser creates for BASIC login.

> Since user authentication is still performed by the servlet
> container either way we go, we can put some code to trace
> the accessing object, which is the only valid way to
> access the login page. Then, we can prevent access
> from the user's bookmark. Does it make sense to you?
>
> As I mentioned before, I may be missing something here. So
> I still don't see why this has to be an issue.
>

My point about trying your app under BASIC authentication is that there is
no such thing as a "login page" that you can bookmark, or create a
hyperlink to off your main menu, or anything like that.  It just shows up
whenever the container needs to know who you are.

Problems happen when your application design tries to treat the form login
page as part of the normal flow of control, instead of letting the
container simply display it when it needs to authenticate you.  The
container even saves the original request and replays it (which is what
causes the problem that started this thread - there's no original request
to replay if you link to j_security_check yourself), so the user
experience is exactly like BASIC authentication.

>
> Pae

Craig



Re: Question on FORM based authentication in Tomcat 4.0

Posted by Pae Choi <pa...@earthlink.net>.
Among many options proposed by Craig, I personally like the
"Get Some New Users" option. Wouldn't it be wonderful to
be able to work in an environment where we have such an option. :-)

I will be more than happy to hear about it if there is such a working
environment.

To return from the digression, I am not aware of the initial issue
of this thread, so I may be missing the point here. But I do not
see any big issue whether we use the BASIC or FORM-based
authentication from the SECURITY perspective. Both of them are
transmitted in clear text, which is a more critical issue to me.
I am not saying that we do not have a solution for that though.

Since user authentication is still performed by the servlet
container either way we go, we can put some code to trace
the accessing object, which is the only valid way to
access the login page. Then, we can prevent access
from the user's bookmark. Does it make sense to you?

As I mentioned before, I may be missing something here. So
I still don't see why this has to be an issue.


Pae


RE: Question on FORM based authentication in Tomcat 4.0

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 5 Oct 2001, Willie Vu wrote:

> Date: Fri, 5 Oct 2001 12:14:27 +0800
> From: Willie Vu <wi...@yahoo.com>
> To: Craig R. McClanahan <cr...@apache.org>, tomcat-user@jakarta.apache.org
> Subject: RE: Question on FORM based authentication in Tomcat 4.0
>
> Thanks for your prompt reply Craig.
>
> Your advice leads me to another question.  OK, say I don't do that.  I let
> Tomcat handle the login for me.  However, you can bookmark the login page
> that Tomcat forwards them to.  In this case, there is no way to stop users
> from accessing the login page directly.  Tomcat will not have a previous
> request to forward the user to.  It results in an error.  How should I resolve this
> problem then?
>

It seems that you only have the following options:

* Tell your users "don't do that" and they listen.

* Tell your users "don't do that", and they don't listen, so they
  keep getting errors.

* Switch to BASIC authentication so they cannot cause this kind of grief.

* Figure out a solution that works with the particular servlet container
  you first deploy your application on (i.e. assume you can get Tomcat to
  do what you think you want :-), but then have to redo everything when
  you switch to a new container later.

* Use application-managed security instead of container-managed security.

* Get some new users :-)

Look ... the world is not a perfect place.  Form-based authentication is
GUARANTEED to cause portability problems if users insist on abusing it
(because it was specifically designed to emulate an existing web-based
design pattern that is incredibly widely used).  If you can't train users
not to abuse it, you are MUCH better off not using form-based
authentication at all.

> Regards,
>
> Willie
>

Craig




RE: Question on FORM based authentication in Tomcat 4.0

Posted by Willie Vu <wi...@yahoo.com>.
Thanks for your prompt reply Craig.

Your advice leads me to another question.  OK, say I don't do that.  I let
Tomcat handle the login for me.  However, you can bookmark the login page
that Tomcat forwards them to.  In this case, there is no way to stop users
from accessing the login page directly.  Tomcat will not have a previous
request to forward the user to.  It results in an error.  How should I resolve this
problem then?

Regards,

Willie





Re: Question on FORM based authentication in Tomcat 4.0

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 5 Oct 2001, Willie Vu wrote:

> Date: Fri, 5 Oct 2001 11:27:59 +0800
> From: Willie Vu <wi...@yahoo.com>
> Reply-To: tomcat-user@jakarta.apache.org, willievu@yahoo.com
> To: tomcat-user@jakarta.apache.org
> Subject: Question on FORM based authentication in Tomcat 4.0
>
> I would like to achieve the following:
>
> - allow user to login directly without first accessing a protected area.
> After successful login, I want to forward the user to a default mypage.jsp.
>
> To do the above, I have to detect if the login page is accessed directly.  If
> so, I need to force in the default mypage.jsp.  In Tomcat 3.2.1, there is
> the session attribute "tomcat.auth.originalLocation" where I can force in
> the default page.  However, in Tomcat 4.0, a new Note API is employed.  It
> hides internal attributes from external use.  So, the only hook -
> "tomcat.auth.originalLocation", is not available in Tomcat 4.0.
>
> I know that the Servlet 2.3 spec doesn't spell out how to handle direct access
> to the login page.  I scanned through the mail archive and noticed a lot of
> people want to do this.  Can someone give us a sound solution?
>

It's not a solution ... just advice if you want your app to work ...
don't do that.

My advice during development:  make your app work with BASIC
authentication (where there is no such thing as a login page).  That is
*exactly* the model that form-based login was designed to emulate.  Then,
just before release to production, add the <form-login-page> and
<form-error-page> directives pointing at the appropriate pages.

If you don't design for that pattern, then you are just fighting what
container managed security is all about (which is a total waste of time),
and you are probably better off doing your own login management (instead
of using container managed security).  There is absolutely no way you are
going to be happy if you expect users to attempt to bookmark, or link to,
the login page directly.


> Regards,
>
> Willie
>

Craig McClanahan
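As an added illustration of the development-to-production switch Craig describes (example config, not code from the thread or from Tomcat itself), here is a Servlet 2.3 web.xml that protects /mypage.jsp plus an assumed /app/* area behind an assumed role "member", carries the BASIC login-config used during development, and keeps the FORM variant (pointing at assumed /login.jsp and /login-error.jsp pages) commented out ready for the swap:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Protected area. Paths and the role name "member" are assumptions for
       this example; mypage.jsp is the landing page from the thread.
       The login page itself lives OUTSIDE this area, so a direct
       GET /login.jsp never triggers the container's challenge and leaves
       it with no saved request to replay after j_security_check. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/mypage.jsp</url-pattern>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- During development: BASIC. There is no login page to bookmark or
       link to; the browser prompts whenever the container needs an
       identity, then the container replays the original request. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Member area</realm-name>
  </login-config>

  <!-- Just before production: replace the login-config above with this
       one. Only the auth method changes; constraints and roles stay as
       they are. web.xml permits a single login-config, so swap, do not add. -->
  <!--
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Member area</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  -->

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Any "login" link in the application's menu should point at a protected page such as /mypage.jsp rather than at /login.jsp or j_security_check, so the container has a request to save and replay once the form (whose fields are j_username and j_password) is submitted.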