Posted to user@struts.apache.org by Tim Christopher <ti...@gmail.com> on 2005/02/08 03:08:16 UTC

Application Security

Hi,

I've recently discovered that it is not possible to map an action to
j_security_check.  Given this situation how is it possible to populate
a form bean with user data, or create a log of any failed login
attempts (bad username / password) if the container takes control of
the entire login process?

Looking back at previous posts to the newsgroup I can see that in the
past people have just used plain html to produce the j_security_check
form.  Is it possible to do this using the <sslext:form> tag, but so
that it does not require a Struts action mapping for j_security_check
to be present?

I was currently intending on using JDBCRealm and the security-filter
to control the site's security, though given the above problems I'm
starting to think there might be a better way?  Or are these problems
everyone has already solved, as surely some form of login system is
present in the vast majority of Struts applications.

Cheers for any help / suggestions.

Tim Christopher

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Application Security

Posted by Bill Siggelkow <bi...@bellsouth.net>.
Tim,

The first problem of populating a form bean with user data can be 
handled by populating/creating a UserBean using techniques such as a 
servlet filter. Alternatively, you can extend the RequestProcessor. 
Other techniques that work, but are not as global in nature, are using a 
base action. The last technique which provides the least coverage is to 
use a <jsp:useBean> tag which creates/retrieves a UserBean and populates
user data on the setter method for the user name.

As far as logging of failed attempts, using container-managed security, 
this will vary by container. Have you tried applying a filter to 
j_security_check? I don't know if this is allowed by the servlet spec, 
but it would seem to be one way you could check for successful login.

AFAIK, SecurityFilter should allow you to "roll your own" security while 
still permitting similar ease of configuration for authentication and 
authorization as container-managed security.

-Bill Siggelkow

Tim Christopher wrote:
> Hi,
> 
> I've recently discovered that it is not possible to map an action to
> j_security_check.  Given this situation how is it possible to populate
> a form bean with user data, or create a log of any failed login
> attempts (bad username / password) if the container takes control of
> the entire login process?
> 
> Looking back at previous posts to the newsgroup I can see that in the
> past people have just used plain html to produce the j_security_check
> form.  Is it possible to do this using the <sslext:form> tag, but so
> that it does not require a Struts action mapping for j_security_check
> to be present?
> 
> I was currently intending on using JDBCRealm and the security-filter
> to control the site's security, though given the above problems I'm
> starting to think there might be a better way?  Or are these problems
> everyone has already solved, as surely some form of login system is
> present in the vast majority of Struts applications.
> 
> Cheers for any help / suggestions.
> 
> Tim Christopher
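
One way to implement the servlet-filter approach from the reply above, using the request.getUserPrincipal().getName() call mentioned elsewhere in this thread. This is an added example, not code posted by anyone on the list; the class name UserBeanFilter, the nested UserBean, the session key "userBean", the "roles" init-param and the java.util.logging category are all assumptions.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example, not code from the thread. Declare it in web.xml with a
 * <filter> entry (init-param "roles", e.g. "admin,user") and a
 * <filter-mapping> covering the protected URLs.
 *
 * The container, not the application, processes the POST to
 * j_security_check, so this filter does not try to intercept it. It acts on
 * the first request that arrives with an authenticated principal instead.
 */
public class UserBeanFilter implements Filter {

    /** Hypothetical session attribute under which the bean is stored. */
    public static final String USER_BEAN_KEY = "userBean";

    /** Hypothetical audit category; route it wherever login events belong. */
    private static final Logger AUDIT = Logger.getLogger("myapp.logon.succeeded");

    private final List<String> knownRoles = new ArrayList<String>();

    public void init(FilterConfig config) throws ServletException {
        String roles = config.getInitParameter("roles");
        if (roles == null) {
            return;
        }
        for (String role : roles.split(",")) {
            if (role.trim().length() > 0) {
                knownRoles.add(role.trim());
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            Principal principal = req.getUserPrincipal();
            if (principal == null) {
                // Not authenticated: make sure no stale bean survives in the session.
                HttpSession session = req.getSession(false);
                if (session != null) {
                    session.removeAttribute(USER_BEAN_KEY);
                }
            } else {
                HttpSession session = req.getSession(true);
                UserBean bean = (UserBean) session.getAttribute(USER_BEAN_KEY);
                // Build the bean once per login, or again if the principal changed.
                if (bean == null || !bean.getName().equals(principal.getName())) {
                    bean = new UserBean(principal.getName(), req.getRemoteAddr(), rolesOf(req));
                    session.setAttribute(USER_BEAN_KEY, bean);
                    AUDIT.info("login ok user=" + clean(bean.getName())
                            + " addr=" + clean(bean.getRemoteAddr()));
                }
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    /** Asks the container which of the configured roles the caller holds. */
    private List<String> rolesOf(HttpServletRequest req) {
        List<String> held = new ArrayList<String>();
        for (String role : knownRoles) {
            if (req.isUserInRole(role)) {
                held.add(role);
            }
        }
        return Collections.unmodifiableList(held);
    }

    /** Replaces control characters so a user name cannot forge extra log lines. */
    private static String clean(String value) {
        return value == null ? "" : value.replaceAll("\\p{Cntrl}", "_");
    }

    /** Session-scoped view of the logged-in user, readable from actions and JSPs. */
    public static class UserBean implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final String remoteAddr;
        private final Date loginTime = new Date();
        private final ArrayList<String> roles;

        UserBean(String name, String remoteAddr, List<String> roles) {
            this.name = name;
            this.remoteAddr = remoteAddr;
            this.roles = new ArrayList<String>(roles);
        }

        public String getName() { return name; }
        public String getRemoteAddr() { return remoteAddr; }
        public Date getLoginTime() { return loginTime; }
        public List<String> getRoles() { return Collections.unmodifiableList(roles); }
    }
}
```

Failed attempts never produce an authenticated principal, so this filter only records successful logins; failures still have to be logged from the form error page.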




Re: Application Security

Posted by Tim Christopher <ti...@gmail.com>.
All works fine now - cheers :o)


On Tue, 08 Feb 2005 21:55:03 -0500, Erik Weber <er...@mindspring.com> wrote:
> JDBC driver jar files belong in $TOMCAT_HOME/common/lib (I think that's
> what you are asking).
> 
> Erik


Re: Application Security

Posted by Erik Weber <er...@mindspring.com>.
JDBC driver jar files belong in $TOMCAT_HOME/common/lib (I think that's 
what you are asking).

Erik


Tim Christopher wrote:

>Turned out that the database driver could not be found, which resulted
>in the same error that I was being given by the Container when it
>tried to connect for the JDBCRealm.
>
>Adding the file to the WEB-INF/lib folder allows a connection to be
>made from a JSP, however Tomcat still gives the same error as before -
>does adding the jar to WEB-INF/lib give the container access to the
>class files stored in it?!


Re: Application Security

Posted by Tim Christopher <ti...@gmail.com>.
Turned out that the database driver could not be found, which resulted
in the same error that I was being given by the Container when it
tried to connect for the JDBCRealm.

Adding the file to the WEB-INF/lib folder allows a connection to be
made from a JSP, however Tomcat still gives the same error as before -
does adding the jar to WEB-INF/lib give the container access to the
class files stored in it?!

The contents of the server.xml file (which does not work correctly) is:
           <Realm className="org.apache.catalina.realm.JDBCRealm"
                  debug="99"
                  driverName="com.borland.datastore.jdbc.DataStoreDriver"
                  connectionURL="jdbc:borland:dslocal:C:\\Documents and Settings\\SIS_Db.jds"
                  connectionName="sysdba"
                  connectionPassword="masterkey"
                  userTable="users"
                  userNameCol="user_name"
                  userCredCol="user_pass"
                  userRoleTable="user_roles"
                  roleNameCol="role_name" />


For anyone with a similar problem the driver (DataStoreDriver) can be
found in <JBuilder>\lib\jdsserver.jar.  The code I added to the top of
the JSP to test the database connection is below:

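<%

// Step 1: check that the driver class is visible to the web application.
try {
 Class.forName("com.borland.datastore.jdbc.DataStoreDriver");
}
catch (Exception e) {
 System.out.println("Driver Error\n" + e);
}

// Step 2: open a connection with the same URL and credentials as the Realm.
java.sql.Connection connection = null;
try {
 String username = "sysdba";
 String password = "masterkey";
 String db_url = "jdbc:borland:dslocal:";
 String db_file = "C:\\Documents and Settings\\SIS_Db.jds";
 connection = java.sql.DriverManager.getConnection(db_url + db_file, username, password);

 java.sql.ResultSet rs = connection.createStatement().executeQuery("SELECT * FROM users");
 System.out.println("Column count is: " + rs.getMetaData().getColumnCount());
}
catch (Exception e) {
 System.out.println("Error\n" + e);
}
finally {
 // Closing the connection also releases its statement and result set.
 if (connection != null) {
  try { connection.close(); } catch (java.sql.SQLException ignored) { }
 }
}

%>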


On Tue, 8 Feb 2005 20:17:49 -0500, David G. Friedman
<hu...@ix.netcom.com> wrote:
> Tim,
> 
> Have you tried using any command line tools to get to your datastore?
> Knowing that could rule out permissions issues on the database site as well
> as the connection host/port/URL.
> 
> Regards,
> David


RE: Application Security

Posted by "David G. Friedman" <hu...@ix.netcom.com>.
Tim,

Have you tried using any command line tools to get to your datastore?
Knowing that could rule out permissions issues on the database site as well
as the connection host/port/URL.

Regards,
David

-----Original Message-----
From: Tim Christopher [mailto:tim.christopher@gmail.com]
Sent: Tuesday, February 08, 2005 5:45 PM
To: Struts Users Mailing List
Subject: Re: Application Security


I managed to solve the first error by reordering the elements within
the server.xml file, however I'm now stuck with the following error
(which occurs when the server is started):

JDBCRealm[Catalina]: Exception opening database connection
java.sql.SQLException: com.borland.datastore.jdbc.DataStoreDriver
	at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:589)
	at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:663)
                <snip/>

Does anyone know if this is a problem with the database driver, or the
location of the database?  I've tried changing the URL to a path that
doesn't exist and I still get the same error, however I'm confident
that the connectionURL is correct as it connects perfectly when using
the same information within JBuilder's database pilot.

Any suggestions would be appreciated. :o)

Tim

On Tue, 8 Feb 2005 12:07:16 -0500, David G. Friedman
<hu...@ix.netcom.com> wrote:
> Tim,
>
> Have you also updated your web.xml and Tomcat configurations?
>
> -----Original Message-----
> From: Tim Christopher [mailto:tim.christopher@gmail.com]
> Sent: Tuesday, February 08, 2005 12:05 PM
> To: Struts Users Mailing List
> Subject: Re: Application Security
>
> Cheers for all your advice.
>
> I've just tried implementing the JDBCRealm, though unfortunately it
> does not work.  The Log4j error file contains the following:
>
> http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm
> JAASRealm.java:269 Unexpected error
> java.lang.SecurityException: Unable to locate a login configuration
>     at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     <snip/>
>
> To be honest, I'm not really sure what that means...  All I've done so
> far is copy a simple example and I've got that error.  Do I need to
> add anything to the classpath?
>
> I can post the code I'm using if anyone thinks that will help....
>
> On Tue, 8 Feb 2005 03:06:51 -0000, Niall Pemberton
> <ni...@blueyonder.co.uk> wrote:
> > The forms for container managed security don't have to be plain html - you
> > can configure in the web.xml custom "Logon"  and "Logon Error" pages which
> > can be jsps, not just plain html. I have a custom tag on each of these pages
> > which writes the fact that a user has arrived at that page to log4j along
> > with details from the request (e.g. IP address). Log4j is pretty powerful in
> > how you can configure it to filter that info and where to send it to.
> >
> > There are tags in the Jakarta Taglibs which you could use to achieve the
> > same thing...
> >    http://jakarta.apache.org/taglibs/doc/log-doc/intro.html
> >    http://jakarta.apache.org/taglibs/doc/request-doc/intro.html
> >
> > For example on your "Logon Error Page", you might have something like
> > this...
> >
> > <req:request id="req"/>
> > <log:error category="myapp.logon.failed">
> >      <bean:write name="req" property="remoteAddr"/>
> >      <bean:write name="req" property="remoteHost"/>
> > </log:error>
> >
> > Once a user has "logged on", you can get the user name from the request
> > and then look up the user details wherever they are stored...
> >      request.getUserPrincipal().getName()
> >
> > The actual form elements required are, as you say, plain html - but is there
> > any need for special tags since the action you're posting to is fixed?
> >
> > Niall
> >
> > ----- Original Message -----
> > From: "Tim Christopher" <ti...@gmail.com>
> > Sent: Tuesday, February 08, 2005 2:08 AM
> >
> > > I've recently discovered that it is not possible to map an action to
> > > j_security_check.  Given this situation how is it possible to populate
> > > a form bean with user data, or create a log of any failed login
> > > attempts (bad username / password) if the container takes control of
> > > the entire login process?
> > >
> > > Looking back at previous posts to the newsgroup I can see that in the
> > > past people have just used plain html to produce the j_security_check
> > > form.  Is it possible to do this using the <sslext:form> tag, but so
> > > that it does not require a Struts action mapping for j_security_check
> > > to be present?
> > >
> > > I was currently intending on using JDBCRealm and the security-filter
> > > to control the site's security, though given the above problems I'm
> > > starting to think there might be a better way?  Or are these problems
> > > everyone has already solved, as surely some form of login system is
> > > present in the vast majority of Struts applications.


Re: Application Security

Posted by Tim Christopher <ti...@gmail.com>.
I managed to solve the first error by reordering the elements within
the server.xml file, however I'm now stuck with the following error
(which occurs when the server is started):

JDBCRealm[Catalina]: Exception opening database connection
java.sql.SQLException: com.borland.datastore.jdbc.DataStoreDriver
	at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:589)
	at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:663)
                <snip/>

Does anyone know if this is a problem with the database driver, or the
location of the database?  I've tried changing the URL to a path that
doesn't exist and I still get the same error, however I'm confident
that the connectionURL is correct as it connects perfectly when using
the same information within JBuilder's database pilot.

Any suggestions would be appreciated. :o)

Tim

On Tue, 8 Feb 2005 12:07:16 -0500, David G. Friedman
<hu...@ix.netcom.com> wrote:
> Tim,
> 
> Have you also updated your web.xml and Tomcat configurations?
> 
> -----Original Message-----
> From: Tim Christopher [mailto:tim.christopher@gmail.com]
> Sent: Tuesday, February 08, 2005 12:05 PM
> To: Struts Users Mailing List
> Subject: Re: Application Security
> 
> Cheers for all your advice.
> 
> I've just tried implementing the JDBCRealm, though unfortunately it
> does not work.  The Log4j error file contains the following:
> 
> http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm
> JAASRealm.java:269 Unexpected error
> java.lang.SecurityException: Unable to locate a login configuration
>     at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     <snip/>
> 
> To be honest, I'm not really sure what that means...  All I've done so
> far is copy a simple example and I've got that error.  Do I need to
> add anything to the classpath?
> 
> I can post the code I'm using if anyone thinks that will help....
> 
> On Tue, 8 Feb 2005 03:06:51 -0000, Niall Pemberton
> <ni...@blueyonder.co.uk> wrote:
> > The forms for container managed security don't have to be plain html - you
> > can configure in the web.xml custom "Logon"  and "Logon Error" pages which
> > can be jsps, not just plain html. I have a custom tag on each of these pages
> > which writes the fact that a user has arrived at that page to log4j along
> > with details from the request (e.g. IP address). Log4j is pretty powerful in
> > how you can configure it to filter that info and where to send it to.
> >
> > There are tags in the Jakarta Taglibs which you could use to achieve the
> > same thing...
> >    http://jakarta.apache.org/taglibs/doc/log-doc/intro.html
> >    http://jakarta.apache.org/taglibs/doc/request-doc/intro.html
> >
> > For example on your "Logon Error Page", you might have something like
> > this...
> >
> > <req:request id="req"/>
> > <log:error category="myapp.logon.failed">
> >      <bean:write name="req" property="remoteAddr"/>
> >      <bean:write name="req" property="remoteHost"/>
> > </log:error>
> >
> > Once a user has "logged on", you can get the user name from the request
> > and then look up the user details wherever they are stored...
> >      request.getUserPrincipal().getName()
> >
> > The actual form elements required are, as you say, plain html - but is there
> > any need for special tags since the action you're posting to is fixed?
> >
> > Niall
> >
> > ----- Original Message -----
> > From: "Tim Christopher" <ti...@gmail.com>
> > Sent: Tuesday, February 08, 2005 2:08 AM
> >
> > > I've recently discovered that it is not possible to map an action to
> > > j_security_check.  Given this situation how is it possible to populate
> > > a form bean with user data, or create a log of any failed login
> > > attempts (bad username / password) if the container takes control of
> > > the entire login process?
> > >
> > > Looking back at previous posts to the newsgroup I can see that in the
> > > past people have just used plain html to produce the j_security_check
> > > form.  Is it possible to do this using the <sslext:form> tag, but so
> > > that it does not require a Struts action mapping for j_security_check
> > > to be present?
> > >
> > > I was currently intending on using JDBCRealm and the security-filter
> > > to control the site's security, though given the above problems I'm
> > > starting to think there might be a better way?  Or are these problems
> > > everyone has already solved, as surely some form of login system is
> > > present in the vast majority of Struts applications.


RE: Application Security

Posted by "David G. Friedman" <hu...@ix.netcom.com>.
Tim,

Have you also updated your web.xml and Tomcat configurations?

-----Original Message-----
From: Tim Christopher [mailto:tim.christopher@gmail.com]
Sent: Tuesday, February 08, 2005 12:05 PM
To: Struts Users Mailing List
Subject: Re: Application Security


Cheers for all your advice.

I've just tried implementing the JDBCRealm, though unfortunately it
does not work.  The Log4j error file contains the following:

http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm
JAASRealm.java:269 Unexpected error
java.lang.SecurityException: Unable to locate a login configuration
     at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     <snip/>

To be honest, I'm not really sure what that means...  All I've done so
far is copy a simple example and I've got that error.  Do I need to
add anything to the classpath?

I can post the code I'm using if anyone thinks that will help....

On Tue, 8 Feb 2005 03:06:51 -0000, Niall Pemberton
<ni...@blueyonder.co.uk> wrote:
> The forms for container managed security don't have to be plain html - you
> can configure in the web.xml custom "Logon"  and "Logon Error" pages which
> can be jsps, not just plain html. I have a custom tag on each of these pages
> which writes the fact that a user has arrived at that page to log4j along
> with details from the request (e.g. IP address). Log4j is pretty powerful in
> how you can configure it to filter that info and where to send it to.
>
> There are tags in the Jakarta Taglibs which you could use to achieve the
> same thing...
>    http://jakarta.apache.org/taglibs/doc/log-doc/intro.html
>    http://jakarta.apache.org/taglibs/doc/request-doc/intro.html
>
> For example on your "Logon Error Page", you might have something like
> this...
>
> <req:request id="req"/>
> <log:error category="myapp.logon.failed">
>      <bean:write name="req" property="remoteAddr"/>
>      <bean:write name="req" property="remoteHost"/>
> </log:error>
>
> Once a user has "logged on", you can get the user name from the request
> and then look up the user details wherever they are stored...
>      request.getUserPrincipal().getName()
>
> The actual form elements required are, as you say, plain html - but is there
> any need for special tags since the action you're posting to is fixed?
>
> Niall
>
> ----- Original Message -----
> From: "Tim Christopher" <ti...@gmail.com>
> Sent: Tuesday, February 08, 2005 2:08 AM
>
> > I've recently discovered that it is not possible to map an action to
> > j_security_check.  Given this situation how is it possible to populate
> > a form bean with user data, or create a log of any failed login
> > attempts (bad username / password) if the container takes control of
> > the entire login process?
> >
> > Looking back at previous posts to the newsgroup I can see that in the
> > past people have just used plain html to produce the j_security_check
> > form.  Is it possible to do this using the <sslext:form> tag, but so
> > that it does not require a Struts action mapping for j_security_check
> > to be present?
> >
> > I was currently intending on using JDBCRealm and the security-filter
> > to control the site's security, though given the above problems I'm
> > starting to think there might be a better way?  Or are these problems
> > everyone has already solved, as surely some form of login system is
> > present in the vast majority of Struts applications.


Re: Application Security

Posted by Tim Christopher <ti...@gmail.com>.
Cheers for all your advice.

I've just tried implementing the JDBCRealm, though unfortunately it
does not work.  The Log4j error file contains the following:

http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm
JAASRealm.java:269 Unexpected error
java.lang.SecurityException: Unable to locate a login configuration 
     at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97) 
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) 
     <snip/>

To be honest, I'm not really sure what that means...  All I've done so
far is copy a simple example and I've got that error.  Do I need to
add anything to the classpath?

I can post the code I'm using if anyone thinks that will help....

On Tue, 8 Feb 2005 03:06:51 -0000, Niall Pemberton
<ni...@blueyonder.co.uk> wrote:
> The forms for container managed security don't have to be plain html - you
> can configure in the web.xml custom "Logon"  and "Logon Error" pages which
> can be jsps, not just plain html. I have a custom tag on each of these pages
> which writes the fact that a user has arrived at that page to log4j along
> with details from the request (e.g. IP address). Log4j is pretty powerful in
> how you can configure it to filter that info and where to send it to.
> 
> There are tags in the Jakarta Taglibs which you could use to achieve the
> same thing...
>    http://jakarta.apache.org/taglibs/doc/log-doc/intro.html
>    http://jakarta.apache.org/taglibs/doc/request-doc/intro.html
> 
> For example on your "Logon Error Page", you might have something like
> this...
> 
> <req:request id="req"/>
> <log:error category="myapp.logon.failed">
>      <bean:write name="req" property="remoteAddr"/>
>      <bean:write name="req" property="remoteHost"/>
> </log:error>
> 
> Once a user has "logged on", you can get the user name from the request
> and then look up the user details wherever they are stored...
>      request.getUserPrincipal().getName()
> 
> The actual form elements required are, as you say, plain html - but is there
> any need for special tags since the action you're posting to is fixed?
> 
> Niall
> 
> ----- Original Message -----
> From: "Tim Christopher" <ti...@gmail.com>
> Sent: Tuesday, February 08, 2005 2:08 AM
> 
> > I've recently discovered that it is not possible to map an action to
> > j_security_check.  Given this situation how is it possible to populate
> > a form bean with user data, or create a log of any failed login
> > attempts (bad username / password) if the container takes control of
> > the entire login process?
> >
> > Looking back at previous posts to the newsgroup I can see that in the
> > past people have just used plain html to produce the j_security_check
> > form.  Is it possible to do this using the <sslext:form> tag, but so
> > that it does not require a Struts action mapping for j_security_check
> > to be present?
> >
> > I was currently intending on using JDBCRealm and the security-filter
> > to control the site's security, though given the above problems I'm
> > starting to think there might be a better way?  Or are these problems
> > everyone has already solved, as surely some form of login system is
> > present in the vast majority of Struts applications.


Re: Application Security

Posted by Niall Pemberton <ni...@blueyonder.co.uk>.
The forms for container managed security don't have to be plain html - you
can configure in the web.xml custom "Logon"  and "Logon Error" pages which
can be jsps, not just plain html. I have a custom tag on each of these pages
which writes the fact that a user has arrived at that page to log4j along
with details from the request (e.g. IP address). Log4j is pretty powerful in
how you can configure it to filter that info and where to send it to.

There are tags in the Jakarta Taglibs which you could use to achieve the
same thing...
    http://jakarta.apache.org/taglibs/doc/log-doc/intro.html
    http://jakarta.apache.org/taglibs/doc/request-doc/intro.html

For example on your "Logon Error Page", you might have something like
this...

 <req:request id="req"/>
 <log:error category="myapp.logon.failed">
      <bean:write name="req" property="remoteAddr"/>
      <bean:write name="req" property="remoteHost"/>
 </log:error>

Once a user has "logged on", you can get the user name from the request
and then look up the user details wherever they are stored...
      request.getUserPrincipal().getName()

The actual form elements required are, as you say, plain html - but is there
any need for special tags since the action you're posting to is fixed?

Niall

----- Original Message ----- 
From: "Tim Christopher" <ti...@gmail.com>
Sent: Tuesday, February 08, 2005 2:08 AM

> I've recently discovered that it is not possible to map an action to
> j_security_check.  Given this situation how is it possible to populate
> a form bean with user data, or create a log of any failed login
> attempts (bad username / password) if the container takes control of
> the entire login process?
>
> Looking back at previous posts to the newsgroup I can see that in the
> past people have just used plain html to produce the j_security_check
> form.  Is it possible to do this using the <sslext:form> tag, but so
> that it does not require a Struts action mapping for j_security_check
> to be present?
>
> I was currently intending on using JDBCRealm and the security-filter
> to control the site's security, though given the above problems I'm
> starting to think there might be a better way?  Or are these problems
> everyone has already solved, as surely some form of login system is
> present in the vast majority of Struts applications.
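
The web.xml arrangement described in the reply above, written out as an added example that is not part of the original post or of any project's own configuration. The /secure/* pattern, the "member" role and the two JSP paths are assumed names, and the CONFIDENTIAL transport guarantee assumes an HTTPS connector is configured.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Resources the container protects. With no http-method listed, the
       constraint covers every HTTP method. Path and role are assumptions. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>
    <!-- Ask the container to serve the protected area over TLS so the
         credentials posted by the logon form are not sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form-based login. Both pages can be JSPs:
       /logon.jsp       holds a plain form that POSTs the fields j_username
                        and j_password to the action j_security_check.
       /logonError.jsp  is shown by the container after a rejected login,
                        so it is the place for the <log:error> block that
                        records remoteAddr and remoteHost. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. The realm
       (for example a JDBCRealm) supplies the users that hold it. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The container, not Struts, handles the POST to j_security_check, so no action mapping is involved; the error page is the only point in the flow where the application sees a failed attempt.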


