Posted to users@tomcat.apache.org by Santosh Puranshettiwar <sa...@wirkle.com> on 2006/11/22 09:00:41 UTC

Realm authentication - unconventional usage

Hello,

I wish to use a JDBCRealm with the username & password coming in the
HTTP request as key-value pairs.

Is it possible?

Elaborate: -
The request URI: -
http://localhost/realm-test/RealmTestServetlet?username=foo&password=bar

The Realm must authenticate with 'foo' & 'bar'.

-- 
Santosh.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Realm authentication - unconventional usage

Posted by "Daniel L. Gross" <dg...@atlc-inc.com>.
I think that will be my next attempt.  There are two reasons I haven't 
done that.

1.  The original code for this application was written with a 
direct-connect to the database because it was set up to run on either 
Oracle or MySQL, and it has been working fine up until we went to Tomcat 
5.5.

2.  I am not an XML wizard, and the documentation for tomcat XML 
configuration files leaves something to be desired.  So I am not exactly 
sure how to do that.

Thanks again much,  Dan


Caldarale, Charles R wrote:

>>From: Santosh Puranshettiwar [mailto:santosh@wirkle.com] 
>>Subject: Re: Realm authentication - unconventional usage
>>
>>So seems like I *will* have to stick to application layer 
>>authentication, or is there a way out?
>>    
>>
>
>Why can't you use one of the standard, spec-defined, container-managed
>mechanisms?
>
> - Chuck
>
>
>THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>MATERIAL and is thus for use only by the intended recipient. If you
>received this in error, please contact the sender and delete the e-mail
>and its attachments from all computers.
>
>
>
>
>  
>

Re: Realm authentication - unconventional usage

Posted by Santosh Puranshettiwar <sa...@wirkle.com>.
Caldarale, Charles R wrote:
Thanks.
>> From: Santosh Puranshettiwar [mailto:santosh@wirkle.com] 
>> Subject: Re: Realm authentication - unconventional usage
>>
>> So seems like I *will* have to stick to application layer 
>> authentication, or is there a way out?
>>     
>
> Why can't you use one of the standard, spec-defined, container-managed
> mechanisms?
>
>  - Chuck
>   
That's because the client in my case is not a generic browser but an 
application client.
If I go for any of the standard techniques, I will have to make the 
appropriate changes
in the client too, which is not feasible right now.
>
>
>
>
>   

-- 
Santosh.



RE: Realm authentication - unconventional usage

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Santosh Puranshettiwar [mailto:santosh@wirkle.com] 
> Subject: Re: Realm authentication - unconventional usage
>
> So seems like I *will* have to stick to application layer 
> authentication, or is there a way out?

Why can't you use one of the standard, spec-defined, container-managed
mechanisms?

 - Chuck





Re: Realm authentication - unconventional usage

Posted by Santosh Puranshettiwar <sa...@wirkle.com>.
David Delbecq wrote:
> There are only 5 ways to do authentication in a servlet application:
>
> The first, FORM, uses a form that POSTs the j_username and the j_password
> to /j_security_check
>
> |web.xml:
> <web-app>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-error-page>/Error.html
>       </form-error-page>
>       <form-login-page>/SignOn.html
>       </form-login-page>
>     </form-login-config>
> </login-config>
> </web-app>|
>
> |html:
> <form method="POST" action="j_security_check">
>   <input type="text" name="j_username">
>   <input type="password" name="j_password">
> </form>|
>
>
> The second and third, BASIC and DIGEST, use HTTP protocol-based
> identification:
>
> <web-app>
> 	<login-config>
> 		<auth-method>BASIC|DIGEST</auth-method>
> 		<realm-name>jpets</realm-name>
> 	</login-config>
> </web-app>
>
>
> The fourth uses a client-side SSL certificate
>
> <web-app>
> 	<login-config>
> 		<auth-method>CLIENT-CERT</auth-method>
> 	</login-config>
> </web-app>
>
>
> And the fifth is to handle all the authentication work yourself.
> You lose container-managed security and must do more work to secure
> your application, but you gain flexibility.
>
> In the first four ways, using container-managed security, it's
> impossible to force a login. It's when the user tries to
> access a security-protected URL that the container redirects the user to the
> FORM, shows the HTTP login dialog, or requests the client SSL certificate.
>   
Thank you so much.
That was certainly informative.
> PS: I agree with Olivier, don't put that damn password in the URL!
>   
Yes. I agree with both Olivier and David.
But that's why I called it *unconventional*.

So seems like I *will* have to stick to application layer 
authentication, or is there a way out?
> olivier nouguier wrote:
>   
>> I'd just like to point you to the usual / standard use of J2EE
>> authentication in
>> a web tier!
>>
>> http://java.sun.com/products/servlet/download.html
>>
>> With restricted resources defined in web.xml
>> Login page (FORM)
>> And a defined realm in context.xml (or server.xml)
>>
>> No more ...
>>
>> PS: I don't think it's really smart to GET the login & password in a (clear)
>> URL ;-)
>>
>>
>> On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>>     
>>> olivier nouguier wrote:
>>> Thanks.
>>>       
>>>> Hi
>>>> The "natural" *post* should be
>>>> http://localhost/realm-test/j_security_check?j_username=foo&j_password=bar
>>> Let me make sure I got it right.
>>>
>>> So you mean the request should be something like this: -
>>> URL: -
>>> http://localhost/realm-test?j_security_check
>>> (method=POST)
>>> message body: -
>>> j_username=foo&j_password=bar
>>>
>>> So appending a 'j_' will do the job?
>>>
>>> Also, in your case 'j_security_check' is the resource.
>>> But in my case, *'RealmTestServetlet'* is the resource.
>>>       
>>>> And should be OK.
>>>>
>>>> What are your needs?
>>>>         
>>> Till now, my authentication code used to be in the application layer.
>>> But now, I wish to offload the task to my container (Tomcat) without any
>>> changes to the
>>> application protocol; which is to send username and password as _plain
>>> key-value pairs_ in
>>> the request URL.
>>>       
>>>> On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>>>>         
>>>>> Hello,
>>>>>
>>>>> I wish to use a JDBCRealm with the username & password coming in the
>>>>> HTTP request as key-value pairs.
>>>>>
>>>>> Is it possible?
>>>>>
>>>>> Elaborate: -
>>>>> The request URI: -
>>>>>
>>>>>           
>>> http://localhost/realm-test/RealmTestServetlet?username=foo&password=bar
>>>       
>>>>> The Realm must authenticate with 'foo' & 'bar'.
>>>>>
>>>>> --
>>>>> Santosh.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>           
>>>>         
>>> -- 
>>> Santosh.
>>>
>>>
>>>
>>>       
>>     
>
>
>
>
>   

-- 
Santosh.



Re: Realm authentication - unconventional usage

Posted by David Delbecq <de...@oma.be>.
There are only 5 ways to do authentication in a servlet application:

The first, FORM, uses a form that POSTs the j_username and the j_password
to /j_security_check

|web.xml:
<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-error-page>/Error.html
      </form-error-page>
      <form-login-page>/SignOn.html
      </form-login-page>
    </form-login-config>
</login-config>
</web-app>|

|html:
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>|


The second and third, BASIC and DIGEST, use HTTP protocol-based
identification:

<web-app>
	<login-config>
		<auth-method>BASIC|DIGEST</auth-method>
		<realm-name>jpets</realm-name>
	</login-config>
</web-app>


The fourth uses a client-side SSL certificate

<web-app>
	<login-config>
		<auth-method>CLIENT-CERT</auth-method>
	</login-config>
</web-app>


And the fifth is to handle all the authentication work yourself.
You lose container-managed security and must do more work to secure
your application, but you gain flexibility.

In the first four ways, using container-managed security, it's
impossible to force a login. It's when the user tries to
access a security-protected URL that the container redirects the user to the
FORM, shows the HTTP login dialog, or requests the client SSL certificate.

PS: I agree with Olivier, don't put that damn password in the URL!

olivier nouguier wrote:
> I'd just like to point you to the usual / standard use of J2EE
> authentication in
> a web tier!
>
> http://java.sun.com/products/servlet/download.html
>
> With restricted resources defined in web.xml
> Login page (FORM)
> And a defined realm in context.xml (or server.xml)
>
> No more ...
>
> PS: I don't think it's really smart to GET the login & password in a (clear)
> URL ;-)
>
>
> On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>>
>> olivier nouguier wrote:
>> Thanks.
>> > Hi
>> > The "natural" *post* should be
>> > http://localhost/realm-test/j_security_check?j_username=foo&j_password=bar
>> Let me make sure I got it right.
>>
>> So you mean the request should be something like this: -
>> URL: -
>> http://localhost/realm-test?j_security_check
>> (method=POST)
>> message body: -
>> j_username=foo&j_password=bar
>>
>> So appending a 'j_' will do the job?
>>
>> Also, in your case 'j_security_check' is the resource.
>> But in my case, *'RealmTestServetlet'* is the resource.
>> > And should be OK.
>> >
>> > What are your needs?
>> Till now, my authentication code used to be in the application layer.
>> But now, I wish to offload the task to my container (Tomcat) without any
>> changes to the
>> application protocol; which is to send username and password as _plain
>> key-value pairs_ in
>> the request URL.
>> >
>> >
>> > On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I wish to use a JDBCRealm with the username & password coming in the
>> >> HTTP request as key-value pairs.
>> >>
>> >> Is it possible?
>> >>
>> >> Elaborate: -
>> >> The request URI: -
>> >>
>> http://localhost/realm-test/RealmTestServetlet?username=foo&password=bar
>> >>
>> >> The Realm must authenticate with 'foo' & 'bar'.
>> >>
>> >> --
>> >> Santosh.
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>>
>> -- 
>> Santosh.
>>
>>
>>
>
>



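The FORM exchange described in the thread (request the protected URI, receive the login form, POST the j_ fields to j_security_check, follow the redirect), as an added example that is not code from the thread or from Tomcat: a simplified in-process model of a container's FORM authenticator, plus the sequence an application client would have to send instead of ?username=foo&password=bar. The realm map, the /secure prefix, the session bookkeeping and the response shapes are constructed assumptions for the model.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None    # Location header on a 302
    set_cookie: Optional[str] = None  # JSESSIONID issued on the first visit


class FormAuthContainer:
    """Simplified model of a servlet container's FORM authenticator (not Tomcat code)."""

    def __init__(self, realm, protected_prefix="/secure"):
        self.realm = realm                  # constructed realm: username -> password
        self.protected_prefix = protected_prefix
        self.sessions = {}                  # JSESSIONID -> {"saved": uri, "user": name}

    def handle(self, method, path, cookie=None, form=None):
        sess = self.sessions.get(cookie)
        if path == "/j_security_check":
            # j_security_check is only honoured after the container saved a request
            # for a protected resource; a direct POST cannot force a login.
            if not sess or "saved" not in sess:
                return Response(400, "Invalid direct reference to form login page")
            form = form or {}
            user, pw = form.get("j_username"), form.get("j_password")
            if method != "POST" or user not in self.realm or self.realm[user] != pw:
                return Response(302, location="/Error.html")  # form-error-page
            sess["user"] = user
            return Response(302, location=sess.pop("saved"))    # back to the saved request
        if path.startswith(self.protected_prefix):
            if sess and sess.get("user"):
                return Response(200, "hello " + sess["user"])
            sid = cookie or secrets.token_hex(8)
            self.sessions.setdefault(sid, {})["saved"] = path  # remember where to return
            # Query-string credentials on the protected URI are simply ignored here.
            return Response(200, "<form action=j_security_check>", set_cookie=sid)
        return Response(200, "public resource")


def client_login(container, username, password, target="/secure/RealmTestServlet"):
    """What the application client must send: GET the protected URI, keep the
    session cookie, POST the j_ fields to j_security_check, follow the redirect.
    Returns (body of the protected resource or None on failure, session id)."""
    first = container.handle("GET", target)
    sid = first.set_cookie
    check = container.handle("POST", "/j_security_check", cookie=sid,
                             form={"j_username": username, "j_password": password})
    if check.status != 302 or check.location != target:
        return None, sid            # landed on the error page
    return container.handle("GET", check.location, cookie=sid).body, sid
```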

Re: Realm authentication - unconventional usage

Posted by olivier nouguier <ol...@gmail.com>.
I'd just like to point you to the usual / standard use of J2EE authentication in
a web tier!

http://java.sun.com/products/servlet/download.html

With restricted resources defined in web.xml
Login page (FORM)
And a defined realm in context.xml (or server.xml)

No more ...

PS: I don't think it's really smart to GET the login & password in a (clear) URL ;-)


On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>
> olivier nouguier wrote:
> Thanks.
> > Hi
> > The "natural" *post* should be
> > http://localhost/realm-test/j_security_check?j_username=foo&j_password=bar
> Let me make sure I got it right.
>
> So you mean the request should be something like this: -
> URL: -
> http://localhost/realm-test?j_security_check
> (method=POST)
> message body: -
> j_username=foo&j_password=bar
>
> So appending a 'j_' will do the job?
>
> Also, in your case 'j_security_check' is the resource.
> But in my case, *'RealmTestServetlet'* is the resource.
> > And should be OK.
> >
> > What are your needs?
> Till now, my authentication code used to be in the application layer.
> But now, I wish to offload the task to my container (Tomcat) without any
> changes to the
> application protocol; which is to send username and password as _plain
> key-value pairs_ in
> the request URL.
> >
> >
> > On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
> >>
> >> Hello,
> >>
> >> I wish to use a JDBCRealm with the username & password coming in the
> >> HTTP request as key-value pairs.
> >>
> >> Is it possible?
> >>
> >> Elaborate: -
> >> The request URI: -
> >>
> http://localhost/realm-test/RealmTestServetlet?username=foo&password=bar
> >>
> >> The Realm must authenticate with 'foo' & 'bar'.
> >>
> >> --
> >> Santosh.
> >>
> >>
> >>
> >>
> >
> >
>
> --
> Santosh.
>
>
>


-- 
"Souviens-toi qu'au moment de ta naissance tout le monde était dans la joie
et toi dans les pleurs.
Vis de manière qu'au moment de ta mort, tout le monde soit dans les pleurs
et toi dans la joie."

Re: Realm authentication - unconventional usage

Posted by Santosh Puranshettiwar <sa...@wirkle.com>.
olivier nouguier wrote:
Thanks.
> Hi
> The "natural" *post* should be
> http://localhost/realm-test/j_security_check?j_username=foo&j_password=bar
Let me make sure I got it right.

So you mean the request should be something like this: -
URL: -
http://localhost/realm-test?j_security_check
(method=POST)
message body: -
j_username=foo&j_password=bar

So appending a 'j_' will do the job?

Also, in your case 'j_security_check' is the resource.
But in my case, *'RealmTestServetlet'* is the resource.
> And should be OK.
>
> What are your needs?
Till now, my authentication code used to be in the application layer.
But now, I wish to offload the task to my container (Tomcat) without any 
changes to the
application protocol; which is to send username and password as _plain 
key-value pairs_ in
the request URL.
>
>
> On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>>
>> Hello,
>>
>> I wish to use a JDBCRealm with the username & password coming in the
>> HTTP request as key-value pairs.
>>
>> Is it possible?
>>
>> Elaborate: -
>> The request URI: -
>> http://localhost/realm-test/RealmTestServetlet?username=foo&password=bar
>>
>> The Realm must authenticate with 'foo' & 'bar'.
>>
>> -- 
>> Santosh.
>>
>>
>>
>>
>
>

-- 
Santosh.



Re: Realm authentication - unconventional usage

Posted by olivier nouguier <ol...@gmail.com>.
Hi
The "natural" *post* should be
http://localhost/realm-test/j_security_check?j_username=foo&j_password=bar

And should be OK.

What are your needs?


On 11/22/06, Santosh Puranshettiwar <sa...@wirkle.com> wrote:
>
> Hello,
>
> I wish to use a JDBCRealm with the username & password coming in the
> HTTP request as key-value pairs.
>
> Is it possible?
>
> Elaborate: -
> The request URI: -
> http://localhost/realm-test/RealmTestServetlet?username=foo&password=bar
>
> The Realm must authenticate with 'foo' & 'bar'.
>
> --
> Santosh.
>
>
>
>


-- 
"Souviens-toi qu'au moment de ta naissance tout le monde était dans la joie
et toi dans les pleurs.
Vis de manière qu'au moment de ta mort, tout le monde soit dans les pleurs
et toi dans la joie."