Posted to users@tomcat.apache.org by Roland <ro...@netquant.com.br> on 2001/08/24 01:01:30 UTC

Question working with security realms

Hello,
I have programmed an application that has a login.jsp page. Now I will add
the additional security realm (using jdbc-realms). This means that the user
will have to login twice! My question is, how can I pass information from
the security-realm login to the jsp-login, so that the user doesn't have to
login twice?

Thanks..Roland



RE: Question working with security realms

Posted by Filip Hanik <ma...@filip.net>.
javax.servlet.http.HttpServletRequest.

public java.security.Principal getUserPrincipal()

~
Namaste - I bow to the divine in you
~
Filip Hanik
Software Architect
filip@filip.net
www.filip.net 

>-----Original Message-----
>From: Roland [mailto:roland@netquant.com.br]
>Sent: Friday, August 24, 2001 11:27 AM
>To: tomcat-user@jakarta.apache.org
>Subject: Re: Question working with security realms
>
>
>> Using container managed security means you should *not* do your own
>> application-managed security -- it's an either/or thing.  You should
>> design your app so that you use one or the other, but not both.
>>
>Yes, sure, but my question is, how can I forward the user from the 
>container
>security to my application, after he has logged on. This is because my
>application needs to know which user is logged on and adjust its behaviour
>accordingly!
>
>Thanks Roland
>
>
>

Re: Question working with security realms/Bug discovered?

Posted by Roland <ro...@netquant.com.br>.
I think the problem is with the error.jsp page:

Login error -- please try <a href="login.jsp">again</a>.

It has a direct reference to login.jsp, and maybe this is causing the
problem?

Thanks Roland



Re: Question working with security realms/Bug discovered?

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Users should *never* try to request the login page directly.  Likewise,
the user interface of your app should never reference it.

Just set up your links to point at the real pages.  The servlet container
will "pop up" the form login page whenever the user accesses a protected
page, and then honor the original request for you -- just like the user
experience when you are using BASIC authentication.

Craig


On Fri, 24 Aug 2001, Roland wrote:

> Date: Fri, 24 Aug 2001 17:36:14 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Question working with security realms/Bug discovered?
>
>
> >   http://localhost:8080/examples/jsp/security/protected/index.jsp
>
> I was playing around with that example a little:
> I encountered the following behaviour:
>
> as long as I type in incorrect logins and passwords everything is fine (he
> keeps sending me back to the login page), but when I type in correct stuff,
> like tomcat/tomcat (a valid login) suddenly I encounter the following error
> message:
>
> http://localhost:8080/examples/jsp/security/login/j_security_check
> PAGE NOT FOUND
>
> But then when I go directly to:
>
> http://localhost:8080/examples/jsp/security/protected/index.jsp
> You are logged in as remote user tomcat
>
> Your user principal name is tomcat
>
> To check whether your username has been granted a particular role, enter it
> here:
>
> everything is fine, so he recognized the login.
>
> Is this a bug?
>
> Roland
>
>
>


Re: Question working with security realms/Bug discovered?

Posted by Roland <ro...@netquant.com.br>.
>   http://localhost:8080/examples/jsp/security/protected/index.jsp

I was playing around with that example a little:
I encountered the following behaviour:

as long as I type in incorrect logins and passwords everything is fine (he
keeps sending me back to the login page), but when I type in correct stuff,
like tomcat/tomcat (a valid login) suddenly I encounter the following error
message:

http://localhost:8080/examples/jsp/security/login/j_security_check
PAGE NOT FOUND

But then when I go directly to:

http://localhost:8080/examples/jsp/security/protected/index.jsp
You are logged in as remote user tomcat

Your user principal name is tomcat

To check whether your username has been granted a particular role, enter it
here:

everything is fine, so he recognized the login.

Is this a bug?

Roland



Re: Question working with security realms

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Fri, 24 Aug 2001, Roland wrote:

> Date: Fri, 24 Aug 2001 17:28:08 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Question working with security realms
>
>
> > You don't have to do any "forwarding".  Consider the various login methods
> > that might be in use, and assume that the user just requested a protected
> > resource for the first time:
> >
> > * BASIC and DIGEST:  The browser will pop up the login dialog.  Once the
> >   user authenticates correctly, the original request will be honored.
> >
> > * FORM BASED:  The container will save the original request and display
> >   the form login page.  After you type in your username and password and
> >   press submit, the container will automatically return the user to
> >   the original request.
> >
> > * CLIENT-CERT:  You will be asked which of your client certificates should
> >   be sent to the server.  Once it's checked, the original request
> >   will be honored.
>
> Where can I find more info and documentation, especially on the FORM BASED
> thing?
>

All of these are defined in the Servlet Specification:

  http://java.sun.com/products/servlet/download.html

I also did a BOF at JavaOne (so popular that people couldn't even get in
to the room :-) that covered these features in a slightly more detailed
fashion.  The info I presented will ultimately be included in the Tomcat
docs -- in the mean time, contact me privately <cr...@apache.org> if
you'd like a copy of the slides (PowerPoint or StarOffice format).

As shipped, the examples application included with Tomcat is set up for
form-based login.  Start up Tomcat and try:

  http://localhost:8080/examples/jsp/security/protected/index.jsp

The usernames and passwords are defined in "conf/tomcat-users.xml" (by
default).

> Thanks...Roland
>
>
>

Craig



Re: Question working with security realms

Posted by Roland <ro...@netquant.com.br>.
> You don't have to do any "forwarding".  Consider the various login methods
> that might be in use, and assume that the user just requested a protected
> resource for the first time:
>
> * BASIC and DIGEST:  The browser will pop up the login dialog.  Once the
>   user authenticates correctly, the original request will be honored.
>
> * FORM BASED:  The container will save the original request and display
>   the form login page.  After you type in your username and password and
>   press submit, the container will automatically return the user to
>   the original request.
>
> * CLIENT-CERT:  You will be asked which of your client certificates should
>   be sent to the server.  Once it's checked, the original request
>   will be honored.

Where can I find more info and documentation, especially on the FORM BASED
thing?

Thanks...Roland



Re: Question working with security realms

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 24 Aug 2001, Roland wrote:

> Date: Fri, 24 Aug 2001 15:27:22 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Re: Question working with security realms
>
> > Using container managed security means you should *not* do your own
> > application-managed security -- it's an either/or thing.  You should
> > design your app so that you use one or the other, but not both.
> >
> Yes, sure, but my question is, how can I forward the user from the container
> security to my application, after he has logged on. This is because my
> application needs to know which user is logged on and adjust its behaviour
> accordingly!
>

You don't have to do any "forwarding".  Consider the various login methods
that might be in use, and assume that the user just requested a protected
resource for the first time:

* BASIC and DIGEST:  The browser will pop up the login dialog.  Once the
  user authenticates correctly, the original request will be honored.

* FORM BASED:  The container will save the original request and display
  the form login page.  After you type in your username and password and
  press submit, the container will automatically return the user to
  the original request.

* CLIENT-CERT:  You will be asked which of your client certificates should
  be sent to the server.  Once it's checked, the original request
  will be honored.

As for how your application can adjust its behavior, look at the javadocs
for HttpServletRequest.getRemoteUser(),
HttpServletRequest.getUserPrincipal(), and
HttpServletRequest.isUserInRole().  These calls can be used to vary the
application's behavior based on who the user is, or what roles they have.
For example, it's real easy to add some extra menu options for a manager:

  out.println("... HTML for the menu options everyone sees ...");
  if (request.isUserInRole("manager"))
    out.println("... HTML for extra options just for managers ...");

You can experiment with container managed security using the example app.
Just start Tomcat and try to access:

  http://localhost:8080/examples/jsp/security/protected/index.jsp

and you can look at the code there.  You will see that there is absolutely
nothing in the protected page itself that worries about login, because
that is what the container is doing for you.

> Thanks Roland

Craig
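The pattern Craig describes above, as an added example servlet that is not part of this thread and not taken from Tomcat's examples application. It assumes the web.xml of the application declares a security-constraint covering the servlet's URL with an auth-constraint on the roles "employee" and "manager", a FORM login-config with a form-login-page and form-error-page, and security-role entries for both roles; the realm (for instance a JDBCRealm) is assumed to map users to those role names. The servlet contains no login code of its own: it only reads the result of the container's authentication through getRemoteUser(), getUserPrincipal() and isUserInRole(), guards against the case where the servlet is reachable on an unprotected path (the calls then return null or false), and escapes the realm-supplied user name before writing it into HTML.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet (added example, not from the thread).
 *
 * Assumed web.xml (not shown): a security-constraint on this servlet's
 * url-pattern with auth-constraint roles "employee" and "manager", a
 * login-config with auth-method FORM, and security-role entries for both
 * roles.  The form-login-page is assumed to POST j_username and j_password
 * to j_security_check, as the Servlet Specification requires; nothing in the
 * application links to that page, the container shows it when needed.
 */
public class MenuServlet extends HttpServlet {

    /**
     * Builds the menu for an already-authenticated user.  Kept free of
     * servlet types so the role logic can be exercised in isolation.
     */
    static String renderMenu(String remoteUser, boolean isManager) {
        StringBuffer sb = new StringBuffer();
        sb.append("<p>Logged in as ").append(escapeHtml(remoteUser)).append("</p>\n");
        sb.append("<ul>\n");
        sb.append("  <li><a href=\"orders\">My orders</a></li>\n");   // everyone
        if (isManager) {
            // Extra options only for users the realm placed in role "manager".
            sb.append("  <li><a href=\"reports\">Team reports</a></li>\n");
            sb.append("  <li><a href=\"approve\">Approve requests</a></li>\n");
        }
        sb.append("</ul>\n");
        return sb.toString();
    }

    /** Minimal HTML escaping: the user name comes from the realm, not from us. */
    static String escapeHtml(String s) {
        StringBuffer sb = new StringBuffer(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // By the time this runs, the container has already challenged the user
        // (BASIC/DIGEST dialog, FORM page, or CLIENT-CERT prompt) and replayed
        // the original request.  No forwarding from a login page is needed.
        String user = request.getRemoteUser();
        Principal principal = request.getUserPrincipal();

        // Defensive check: if this servlet is ever mapped outside the
        // security-constraint, both values are null.  Refuse rather than
        // render an anonymous menu.
        if (user == null || principal == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "No authenticated user for this request");
            return;
        }

        // Role names must match the security-role declarations in web.xml
        // (or be mapped through a security-role-ref for this servlet).
        boolean manager = request.isUserInRole("manager");

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println(renderMenu(user, manager));
        out.println("</body></html>");
    }
}
```

The only application-side decision is which menu entries to emit; authentication, the saved original request, and the retry loop on a bad password are all the container's job, which is why the "login twice" problem from the opening message disappears once the application's own login.jsp is removed.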



Re: Question working with security realms

Posted by Roland <ro...@netquant.com.br>.
> Using container managed security means you should *not* do your own
> application-managed security -- it's an either/or thing.  You should
> design your app so that you use one or the other, but not both.
>
Yes, sure, but my question is, how can I forward the user from the container
security to my application, after he has logged on. This is because my
application needs to know which user is logged on and adjust its behaviour
accordingly!

Thanks Roland



Re: Question working with security realms

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 23 Aug 2001, Roland wrote:

> Date: Thu, 23 Aug 2001 20:01:30 -0300
> From: Roland <ro...@netquant.com.br>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Question working with security realms
>
> Hello,
> I have programmed an application that has a login.jsp page. Now I will add
> the additional security realm (using jdbc-realms). This means that the user
> will have to login twice! My question is, how can I pass information from
> the security-realm login to the jsp-login, so that the user doesn't have to
> login twice?
>
> Thanks..Roland
>
>
>

Using container managed security means you should *not* do your own
application-managed security -- it's an either/or thing.  You should
design your app so that you use one or the other, but not both.

Craig