Posted to users@tomcat.apache.org by James Krygowski <ja...@shaws.com> on 2002/07/15 14:55:59 UTC

forwarding through j_security_check

Hi All-

I'm working on a web-app launcher.  The essential idea is to provide users
with a centralized, secure web portal from which they can launch other web
applications.  The other applications will reside in Tomcat servers
different from the portal Tomcat server.

Each application will be protected by standard J2EE security implemented
with j_security_check.  I'd like to be able to forward to applications and
automatically negotiate the j_security_check so that users don't have to
log on once they've already presented their credentials to the portal
application (i.e. single sign-on).

Is it possible to formulate an href url that simultaneously specifies the
target resource and the credentials being passed to j_security_check?  I
note that in the packet sent in the j_security_check post, all the
information needed is present.  If I read the packet right, the Referrer
in the http header contains the information about the desired "protected"
resource.  Is this Referrer used by j_security_check to forward a request on
to the desired destination?  If so, is it possible to set up a servlet that
could manipulate the Referrer in the header, and redirect a request along to
an application in another Tomcat server, making it look like a post to
j_security_check, complete with referrer, j_username and j_password?

Any suggestions or comments are welcome and appreciated.

Thanks,

Jim



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: forwarding through j_security_check

Posted by James Krygowski <ja...@shaws.com>.
Hi Craig-

I've come up with a solution that seems to work very well for my purposes.
Unfortunately, my project's priority is to build on Jrun, but I'll need to
adapt this solution to Tomcat in the near future.  I post the description of
my implemented solution just to get it out there for comment and possibly
(if the solution is worthy) to help out anyone else trying to solve this
problem.

The essence of the problem, again, was to enable a single sign-on through a
corporate portal.  The portal presents links to other corporate web
applications.  Clicking on those links automatically signs the user on
through the web-app's security service.

My solution was to create a servlet (Jrun)SecurityCredentialForward capable
of interacting with the security service (in the current solution Jrun's
WebAppSecurityService).  By bypassing the FormAuthentication class (the real
manager of the j_security_check workflow) I could avoid the two step
process.  Each url in the portal's application list contains a link to the
security servlet and parameters specifying the application's main url,
username and password.  The SecurityCredentialForward takes the username and
password, authenticates them with the WebAppSecurityService and if
everything is kosher, redirects the user to the main web page.  All
"natural" web container security functions are used from there on and as far
as the container is concerned, the j_security_check process ran as normal.

I'm pretty sure this same approach could be used with Tomcat.  It doesn't
seem to incur any negative performance penalties and doesn't (as far as I
can see) violate the login process since it uses resources that are already
available to the servlet.

Any opinions are gladly accepted.

thanks,

Jim

> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Tuesday, July 16, 2002 12:45 PM
> To: Tomcat Users List
> Subject: RE: forwarding through j_security_check
>
>
>
>
> On Tue, 16 Jul 2002, James Krygowski wrote:
>
> > Date: Tue, 16 Jul 2002 07:09:55 -0400
> > From: James Krygowski <ja...@shaws.com>
> > Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> > To: Tomcat Users List <to...@jakarta.apache.org>
> > Subject: RE: forwarding through j_security_check
> >
> > Hi Craig-
> >
> > >> If so, is it possible to set up a servlet that
> > >> could manipulate the Referrer in the header, and redirect a
> request along
> > to
> > >> an application in another Tomcat server, making it look like
> a post to
> > >> j_security_check, complete with referrer, j_username and j_password?
> > >>
> > >> Any suggestions or comments are welcome and appreciated.
> > >>
> > > Trying to forward security credentials like this is pretty
> much guaranteed
> > > not to work.
> > >
> > > One thing you might consider using is Tomcat's standard
> support for single
> > > sign on across multiple webapps.  Check out the "Single Sign
> On" section
> >
> > Thanks for the response.  Your suggestion is only applicable
> for those who
> > have a homogeneous Tomcat environment.  In my situation, my
> portal will have
> > to forward to a mixed environment of Tomcat and JRun servers.
> In the future
> > that may expand to include either WebLogic or WebSphere.  I
> find it hard to
> > believe that there is no way to programmatically manage a login sequence
> > using j_security_check. Is it possible to use a servlet intermediary to
> > handle the login interaction and then redirect the user to a "protected"
> > resource once the login sequence is successfully completed?
>
> Hard to believe or not, the servlet spec is totally silent about
> programmatic interaction with j_security_check.  That means there is
> absolutely no guarantee of behavior consistency in this regard across
> servlet containers -- or even across different versions of the same
> container (Tomcat 3.3 and 4.x do things very differently in this regard,
> for example).
>
> Your use case is something that things like the Liberty Alliance
> <http://www.projectliberty.org> are trying to solve.  Unfortunately,
> you're a bit early on the adoption curve for that to be helpful.
>
> About the only portable thing you can do in the meantime would be a proxy
> app that your users always went through for every request, which knows how
> to do the login interaction with each back end app as needed (i.e.
> whenever they challenge for credentials, answer based on what it knows
> about this user, but pass all other requests through).  But the
> performance impact of such a proxy isn't going to be very attractive.
>
> Craig
>
>





RE: forwarding through j_security_check

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 16 Jul 2002, James Krygowski wrote:

> Date: Tue, 16 Jul 2002 07:09:55 -0400
> From: James Krygowski <ja...@shaws.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: RE: forwarding through j_security_check
>
> Hi Craig-
>
> >> If so, is it possible to set up a servlet that
> >> could manipulate the Referrer in the header, and redirect a request along
> to
> >> an application in another Tomcat server, making it look like a post to
> >> j_security_check, complete with referrer, j_username and j_password?
> >>
> >> Any suggestions or comments are welcome and appreciated.
> >>
> > Trying to forward security credentials like this is pretty much guaranteed
> > not to work.
> >
> > One thing you might consider using is Tomcat's standard support for single
> > sign on across multiple webapps.  Check out the "Single Sign On" section
>
> Thanks for the response.  Your suggestion is only applicable for those who
> have a homogeneous Tomcat environment.  In my situation, my portal will have
> to forward to a mixed environment of Tomcat and JRun servers.  In the future
> that may expand to include either WebLogic or WebSphere.  I find it hard to
> believe that there is no way to programmatically manage a login sequence
> using j_security_check. Is it possible to use a servlet intermediary to
> handle the login interaction and then redirect the user to a "protected"
> resource once the login sequence is successfully completed?

Hard to believe or not, the servlet spec is totally silent about
programmatic interaction with j_security_check.  That means there is
absolutely no guarantee of behavior consistency in this regard across
servlet containers -- or even across different versions of the same
container (Tomcat 3.3 and 4.x do things very differently in this regard,
for example).

Your use case is something that things like the Liberty Alliance
<http://www.projectliberty.org> are trying to solve.  Unfortunately,
you're a bit early on the adoption curve for that to be helpful.

About the only portable thing you can do in the meantime would be a proxy
app that your users always went through for every request, which knows how
to do the login interaction with each back end app as needed (i.e.
whenever they challenge for credentials, answer based on what it knows
about this user, but pass all other requests through).  But the
performance impact of such a proxy isn't going to be very attractive.

Craig




RE: forwarding through j_security_check

Posted by James Krygowski <ja...@shaws.com>.
Hi Craig-

>> If so, is it possible to set up a servlet that
>> could manipulate the Referrer in the header, and redirect a request along
to
>> an application in another Tomcat server, making it look like a post to
>> j_security_check, complete with referrer, j_username and j_password?
>>
>> Any suggestions or comments are welcome and appreciated.
>>
> Trying to forward security credentials like this is pretty much guaranteed
> not to work.
>
> One thing you might consider using is Tomcat's standard support for single
> sign on across multiple webapps.  Check out the "Single Sign On" section

Thanks for the response.  Your suggestion is only applicable for those who
have a homogeneous Tomcat environment.  In my situation, my portal will have
to forward to a mixed environment of Tomcat and JRun servers.  In the future
that may expand to include either WebLogic or WebSphere.  I find it hard to
believe that there is no way to programmatically manage a login sequence
using j_security_check. Is it possible to use a servlet intermediary to
handle the login interaction and then redirect the user to a "protected"
resource once the login sequence is successfully completed?





Re: forwarding through j_security_check

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 15 Jul 2002, James Krygowski wrote:

> Date: Mon, 15 Jul 2002 08:55:59 -0400
> From: James Krygowski <ja...@shaws.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: forwarding through j_security_check
>
> Hi All-
>
> I'm working on a web-app launcher.  The essential idea is to provide users
> with a centralized, secure web portal from which they can launch other web
> applications.  The other applications will reside in Tomcat servers
> different from the portal Tomcat server.
>
> Each application will be protected by standard J2EE security implemented
> with j_security_check.  I'd like to be able to forward to applications and
> automatically negotiate the j_security_check so that users don't have to
> log on once they've already presented their credentials to the portal
> application (i.e. single sign-on).
>
> Is it possible to formulate an href url that simultaneously specifies the
> target resource and the credentials being passed to j_security_check?  I
> note that in the packet sent in the j_security_check post, all the
> information needed is present.  If I read the packet right, the Referrer
> in the http header contains the information about the desired "protected"
> resource.  Is this Referrer used by j_security_check to forward a request on
> to the desired destination?

No, it is not.  When form based login detects the need to challenge the
user for credentials, it saves an internal copy of the original request,
and "replays" it once the user is successfully authenticated.

> If so, is it possible to set up a servlet that
> could manipulate the Referrer in the header, and redirect a request along to
> an application in another Tomcat server, making it look like a post to
> j_security_check, complete with referrer, j_username and j_password?
>
> Any suggestions or comments are welcome and appreciated.
>

Trying to forward security credentials like this is pretty much guaranteed
not to work.

One thing you might consider using is Tomcat's standard support for single
sign on across multiple webapps.  Check out the "Single Sign On" section
on:

  http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/host.html

> Thanks,
>
> Jim

Craig
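The challenge-and-replay behaviour Craig describes, as an added example that is not code from this thread or from Tomcat: a toy Python container (the names FormLoginContainer, Request, USERS and walk_through are assumptions) showing that a j_security_check POST is tied to the request the container saved in the session when it challenged, not to the Referer header, so a login POST that arrives without a prior challenge has nothing to replay.

```python
from dataclasses import dataclass, field

# Constructed credential store standing in for the container's Realm.
USERS = {"jim": "secret"}

@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # one dict per browser session

class FormLoginContainer:
    """Toy container: every path under /app/ is protected by FORM auth."""

    def handle(self, req: Request) -> tuple:
        if req.method == "POST" and req.path == "/j_security_check":
            return self._login(req)
        if req.path.startswith("/app/"):
            if "principal" in req.session:
                return (200, f"{req.session['principal']} sees {req.path}")
            # Challenge: remember the original request, then send the login form.
            req.session["saved_request"] = (req.method, req.path)
            return (302, "/login.html")
        return (200, "public resource")

    def _login(self, req: Request) -> tuple:
        saved = req.session.get("saved_request")
        if saved is None:  # nothing was challenged, so nothing to replay
            return (400, "no saved request to replay")  # Referer is never read
        user = req.params.get("j_username")
        if user not in USERS or USERS[user] != req.params.get("j_password"):
            return (401, "authentication failed")  # saved request stays for a retry
        req.session["principal"] = user
        del req.session["saved_request"]
        return (302, saved[1])  # replay: redirect back to the saved protected URL

def walk_through() -> list:
    """Normal challenge/login/replay, then a POST with a Referer but no challenge."""
    c, s = FormLoginContainer(), {}
    creds = {"j_username": "jim", "j_password": "secret"}
    normal = [c.handle(Request("GET", "/app/report", session=s)),
              c.handle(Request("POST", "/j_security_check", creds, session=s)),
              c.handle(Request("GET", "/app/report", session=s))]
    forged = c.handle(Request("POST", "/j_security_check", creds,
                              {"Referer": "/app/report"}, session={}))
    return normal + [forged]
```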

