Posted to user@struts.apache.org by Luis Gervaso <lu...@gmail.com> on 2006/01/27 21:48:25 UTC

Authentication crisis

Hello

I need to know how to put the subject information returned by lc.login() into the
webapp context in order to invoke getUserPrincipal() and not get null back

LoginServlet.java

import java.io.IOException;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class LoginServlet extends HttpServlet {
    private static final Logger log = Logger.getLogger(LoginServlet.class.getName());

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        String host = req.getHeader("Host");
        // MyCallbackHandler is the application's own JAAS CallbackHandler
        MyCallbackHandler cbh = new MyCallbackHandler(username, password, host);
        try {
            LoginContext lc = new LoginContext("websecure", cbh);
            lc.login();
            Subject s = lc.getSubject();
            log.info(s.getPrincipals().toString());
            // 'ses' was never declared in the posted code; it is the HTTP session
            HttpSession ses = req.getSession(true);
            ses.setAttribute("authcs.subject", s);
            //log.info(req.getUserPrincipal().getName());
            RequestDispatcher rd = req.getRequestDispatcher("test.jsp");
            rd.forward(req, res);
        } catch (LoginException e) {
            e.printStackTrace();
            //log.warning(e.getMessage());
        }
    }
}


source: test.jsp
<%
    out.println("User: " + request.getParameter("user") + "<br>");
    out.println("Pass (clear): " + request.getParameter("pass") + "<br>");
    out.println("User Principal: " + request.getUserPrincipal() + "<br>");
    out.println("Remote User: " + request.getRemoteUser());
%>

output : test.jsp
User: null
Pass (clear): null
User Principal: null
Remote User: null

--
Un saludo

Re: Authentication crisis

Posted by Luis Gervaso <lu...@gmail.com>.
the real problem is that we can't do anything before or after authentication

using a filter with the URL pattern j_security_check solves this problem

but this is prevented because this authentication method "must be" equal to basic
authentication?

this makes real authentication scenarios, where we need to create a user session
with application data, an authentic hell; the advantages of container-based
applications go back to 0 and we need to implement a custom authenticator, which
as I see it is a real subproject, because security concerns are very important

ok, this is application code, but the Tomcat architecture prevents us (the
application programmers) from using the authentication API in order to use these
types of methods, because these jars are in the server/lib folder

as you can see, I'm very frustrated with this,

ok, is this J2EE?

is this simple?

kindest regards



2006/1/30, Luis Gervaso <lu...@gmail.com>:
>
> yes there is an entry in web.xml - security-constraint
>
> and the user is authenticated using the doPost() method of LoginServlet
>
> regards
>
> 2006/1/30, deepak < deepak@ltp.soft.net>:
> >
> > It seems that request.getUserPrincipal() will return a non-null value
> > only when you request a protected resource secured by <security-constraint>
> > in web.xml, even if the user who sent the request has been authenticated.
> >
> > ----- Original Message -----
> > From: "Luis Gervaso" < luis.gervaso@gmail.com>
> > To: "Struts Users Mailing List" <us...@struts.apache.org>; "Tomcat Users
> > List" < users@tomcat.apache.org>
> > Sent: Saturday, January 28, 2006 2:18 AM
> > Subject: Authentication crisis
>
>
> --
> Un saludo




--
Un saludo
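One way to get the non-null getUserPrincipal() this thread is after without a container <security-constraint>, as an added example that is not code from the thread or from Tomcat: a filter that reads the Subject LoginServlet stored under "authcs.subject" and wraps the request so the standard accessors answer from it. It assumes the first Principal in the Subject is the user and any further Principals name roles; SubjectFilter and SubjectRequest are names chosen here.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (not from the thread). Mapped to /* in web.xml, it makes every
// request after a successful LoginServlet login see a non-null
// getUserPrincipal()/getRemoteUser() and a working isUserInRole(), with no
// container <security-constraint> involved.
// Assumption: first Principal = user identity, further Principals = role names
// (adapt to whatever your JAAS login module puts in the Subject).
public class SubjectFilter implements Filter {

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpSession ses = hreq.getSession(false);   // never create a session for anonymous hits
        Subject s = (ses == null) ? null : (Subject) ses.getAttribute("authcs.subject");
        if (s == null || s.getPrincipals().isEmpty()) {
            chain.doFilter(req, res);               // not logged in: pass the request through untouched
            return;
        }
        chain.doFilter(new SubjectRequest(hreq, s), res);
    }

    /** Exposes the JAAS Subject through the standard HttpServletRequest accessors. */
    static final class SubjectRequest extends HttpServletRequestWrapper {
        private final Principal user;
        private final Set<String> roles = new HashSet<String>();

        SubjectRequest(HttpServletRequest req, Subject s) {
            super(req);
            Principal first = null;
            for (Principal p : s.getPrincipals()) {
                if (first == null) first = p;       // user identity
                else roles.add(p.getName());        // role-carrying principals
            }
            user = first;
        }
        public Principal getUserPrincipal() { return user; }
        public String getRemoteUser() { return user.getName(); }
        public boolean isUserInRole(String role) { return roles.contains(role); }
    }
}
```

Register it with a <filter-mapping> on /* ahead of any other filters. Because the session now carries the authenticated identity, LoginServlet should invalidate the pre-login session before storing the Subject so a session id issued before login cannot be reused afterwards.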


Re: Authentication crisis

Posted by Luis Gervaso <lu...@gmail.com>.
yes there is an entry in web.xml - security-constraint

and the user is authenticated using the doPost() method of LoginServlet

regards

2006/1/30, deepak <de...@ltp.soft.net>:
>
> It seems that request.getUserPrincipal() will return a non-null value
> only when you request a protected resource secured by <security-constraint>
> in web.xml, even if the user who sent the request has been authenticated.
>
> ----- Original Message -----
> From: "Luis Gervaso" <lu...@gmail.com>
> To: "Struts Users Mailing List" <us...@struts.apache.org>; "Tomcat Users
> List" <us...@tomcat.apache.org>
> Sent: Saturday, January 28, 2006 2:18 AM
> Subject: Authentication crisis


--
Un saludo

Re: Authentication crisis

Posted by deepak <de...@ltp.soft.net>.
It seems that request.getUserPrincipal() will return a non-null value only
when you request a protected resource secured by <security-constraint> in
web.xml, even if the user who sent the request has been authenticated.

----- Original Message ----- 
From: "Luis Gervaso" <lu...@gmail.com>
To: "Struts Users Mailing List" <us...@struts.apache.org>; "Tomcat Users
List" <us...@tomcat.apache.org>
Sent: Saturday, January 28, 2006 2:18 AM
Subject: Authentication crisis


------------------------------DISCLAIMER------------------------------
This message is for the named person's use only. It may contain 
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission. 

If you receive this message in error, please immediately delete it and 
all copies of it from your system, destroy any hard copies of it and 
notify the sender. You must not, directly or indirectly, use, disclose, 
distribute, print, or copy any part of this message if you are not the 
intended recipient. 

Lisle Technology Partners Pvt. Ltd. and any of its subsidiaries each 
reserve the right to monitor all e-mail communications through its 
networks. 

Any views expressed in this message are those of the 
individual sender, except where the message states otherwise and the 
sender is authorized to state them to be the views of any such entity.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org