Posted to user@shiro.apache.org by Tcharlie <cm...@gmail.com> on 2009/07/20 15:03:18 UTC

BasicHttpHeader and jsp links

Hi all,

I'm developing a custom application using shiro (jsecurity 0.9).
I wanted to forbid access to one html page, so, I added the following line
in my web.xml: 
[urls]
               	/jsp/newscorner.html = authc,
perms[urls:/jsp/newscorner.html:access] 

It works fine when I use a server redirect (dispatcher.forward(...)).
The problem comes when I try to make a client redirect to this page (via  ) 
Authentication headers are not present so I encounter a 401 error.

Is there any httpsessionfilter implemented (based on jsessionid) or should I
implement this by myself?
Is there another way to bypass this problem? (I don't want to change
anything in my jsp's and html files).

Thanks in advance, Tcharlie
               	
-- 
View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288699.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: BasicHttpHeader and jsp links

Posted by Les Hazlewood <lh...@apache.org>.
This line is incorrect:

securityManager = org.jsecurity.web.WebRememberMeManager

You've assigned a RememberMeManager, which is definitely not a
SecurityManager.  Since it does not appear that you are configuring
the SecurityManager in any way, you should remove that line which will
cause the default web-based SecurityManager to be used.

Regards,

Les

On Mon, Jul 20, 2009 at 11:38 AM, Tcharlie<cm...@gmail.com> wrote:
>
> I did it; this does not solve my error:
>
> Here is my filter definition
>
> Tcharlie wrote:
>>
>>  <filter>
>>         <filter-name>JSecurityFilter</filter-name>
>>
>> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>>         <init-param>
>>             <param-name>config</param-name>
>>             <param-value>
>>                 [main]
>>                  securityManager = org.jsecurity.web.WebRememberMeManager
>>                 realmA = realm.XaKiRealm
>>
>>                 [filters]
>>                 authc =
>> org.jsecurity.web.filter.authc.PassThruAuthenticationFilter
>>                 authc.successUrl = /jsp/logon.jsp
>>                 authc.loginUrl = /jsp/logon.jsp
>>                 roles.unauthorizedUrl = /jsp/accessdenied.html
>>
>>                 [urls]
>>                       /jsp/cardmgmt.jsp = authc,
>> perms[urls:/jsp/cardmgmt.*:access]
>>                       /jsp/newscorner.html = authc,
>> perms[urls:/jsp/newscorner.html:access]
>>                       /jsp/changepwd.jsp = authc,
>> perms[urls:/jsp/changepwd.*:access]
>>             </param-value>
>>         </init-param>
>>     </filter>
>>
>
> My first jsp:
>
> Tcharlie wrote:
>>
>> <ul>
>>                       <li> logon.jsp The Logon/Logoff page </li>
>>                       <li> changepwd.jsp The Change Password page </li>
>>                       <li> cardmgmt The Card Management page </li>
>>                       <li> newscorner.html Employee News Corner </li>
>>               </ul>
>>
>
> My realm:
>
> Tcharlie wrote:
>>
>> public class XaKiRealm extends AuthorizingRealm {
>>       @Override
>>       protected AuthorizationInfo doGetAuthorizationInfo(
>>                       PrincipalCollection principals) {
>>
>>               if (principals == null) {
>>                       throw new AuthorizationException(
>>                                       "Les attributs utilisateurs ne doit pas être vide.");
>>               }
>>               SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
>>               try {
>>                       info.setStringPermissions(PermissionResolver
>>                                       .resolvePermissions(((Group) principals.asList().get(2))));
>>               } catch (NamingException e) {
>>                       e.printStackTrace();
>>               }
>>               return info;
>>       }
>>
>>       @Override
>>       protected AuthenticationInfo doGetAuthenticationInfo(
>>                       AuthenticationToken arg0) throws AuthenticationException {
>>               UserPasswordMandatorAuthenticator auth = new
>> UserPasswordMandatorAuthenticator();
>>               try {
>>                       AuthenticationReply r = auth
>>                                       .authenticate((UsernamePasswordMandatorToken) arg0);
>>                       return r;
>>               } catch (UnsupportedCredentialException e) {
>>                       throw new UnsupportedTokenException(e.getMessage());
>>               } catch (AccessTimeException e) {
>>                       throw new ExcessiveAttemptsException(e.getMessage());
>>               } catch (LockedByAdminException e) {
>>                       throw new LockedAccountException(e.getMessage());
>>               } catch (LockedExpiredPasswordException e) {
>>                       throw new ExpiredCredentialsException(e.getMessage());
>>               } catch (LockedInvalidPasswordException e) {
>>                       throw new IncorrectCredentialsException(e.getMessage());
>>               } catch (net.atos.xa.rm.AuthenticationException e) {
>>                       throw new AuthenticationException(e.getMessage());
>>               } catch (NamingException e) {
>>                       throw new ConcurrentAccessException(e.getMessage());
>>               } catch (UserNameValidationException e) {
>>                       throw new UnknownAccountException(e.getMessage());
>>               }
>>       }
>>
>>       @Override
>>       public final boolean supports(final AuthenticationToken token) {
>>               boolean supported = false;
>>               if (token.getClass().equals(UsernamePasswordMandatorToken.class)) {
>>                       supported = true;
>>               }
>>               return supported;
>>       }
>> }
>>
>
> and finally my token:
>
>
> Tcharlie wrote:
>>
>>
>> public class UsernamePasswordMandatorToken implements
>> InetAuthenticationToken,
>>               RememberMeAuthenticationToken {
>>
>>       private static final long serialVersionUID = 1L;
>>
>>       // default constructor
>>       public UsernamePasswordMandatorToken() {
>>               rememberMe = false;
>>       }
>>
>>       // constructors with arguments
>>       public UsernamePasswordMandatorToken(String username, char password[],
>>                       String mandator) {
>>               this(username, password, mandator, false, null);
>>       }
>>
>>       public UsernamePasswordMandatorToken(String username, String password,
>>                       String mandator) {
>>               this(username, password == null ? null : password.toCharArray(),
>>                               mandator, false, null);
>>       }
>>
>>       public UsernamePasswordMandatorToken(String username, char password[],
>>                       String mandator, InetAddress inetAddress) {
>>               this(username, password, mandator, false, inetAddress);
>>       }
>>
>>       public UsernamePasswordMandatorToken(String username, String password,
>>                       String mandator, InetAddress inetAddress) {
>>               this(username, password == null ? null : password.toCharArray(),
>>                               mandator, false, inetAddress);
>>       }
>>
>>       public UsernamePasswordMandatorToken(String username, char password[],
>>                       String mandator, boolean rememberMe) {
>>               this(username, password, mandator, rememberMe, null);
>>       }
>>
>>       public UsernamePasswordMandatorToken(String username, String password,
>>                       String mandator, boolean rememberMe) {
>>               this(username, password == null ? null : password.toCharArray(),
>>                               mandator, rememberMe, null);
>>       }
>>
>>       // the actual constructor; all others delegate here
>>       public UsernamePasswordMandatorToken(String username, char password[],
>>                       String mandator, boolean rememberMe, InetAddress inetAddress) {
>>               this.rememberMe = false;
>>               this.username = username;
>>               this.password = password;
>>               this.mandator = mandator;
>>               this.rememberMe = rememberMe;
>>               this.inetAddress = inetAddress;
>>       }
>>
>>       public UsernamePasswordMandatorToken(String username, String password,
>>                       String mandator, boolean rememberMe, InetAddress inetAddress) {
>>               this(username, password == null ? null : password.toCharArray(),
>>                               mandator, rememberMe, inetAddress);
>>       }
>>
>>       // getters & setters
>>       public String getUsername() {
>>               return username;
>>       }
>>
>>       public void setUsername(String username) {
>>               this.username = username;
>>       }
>>
>>       public char[] getPassword() {
>>               return password;
>>       }
>>
>>       public void setPassword(char password[]) {
>>               this.password = password;
>>       }
>>
>>       public String getMandator() {
>>               return mandator;
>>       }
>>
>>       public void setMandator(String mandator) {
>>               this.mandator = mandator;
>>       }
>>
>>       public InetAddress getInetAddress() {
>>               return inetAddress;
>>       }
>>
>>       public void setInetAddress(InetAddress inetAddress) {
>>               this.inetAddress = inetAddress;
>>       }
>>
>>       public boolean isRememberMe() {
>>               return rememberMe;
>>       }
>>
>>       public void setRememberMe(boolean rememberMe) {
>>               this.rememberMe = rememberMe;
>>       }
>>
>>       // Override: returns the list of principals (username and mandator)
>>       public Object getPrincipal() {
>>               List<String> res = new ArrayList<String>();
>>               res.add(getUsername());
>>               res.add(getMandator());
>>               return res;
>>       }
>>
>>       // Override: returns the credentials (the password)
>>       public Object getCredentials() {
>>               return getPassword();
>>       }
>>
>>       // Clears the token, wiping the password array before dropping it
>>       public void clear() {
>>               username = null;
>>               inetAddress = null;
>>               rememberMe = false;
>>               if (password != null) {
>>                       for (int i = 0; i < password.length; i++)
>>                               password[i] = '\0';
>>
>>                       password = null;
>>               }
>>               mandator = null;
>>       }
>>
>>       public String toString() {
>>               StringBuffer sb = new StringBuffer();
>>               sb.append(getClass().getName());
>>               sb.append(" - ");
>>               sb.append(username);
>>               sb.append(", rememberMe=").append(rememberMe);
>>               if (inetAddress != null)
>>                       sb.append(" (").append(inetAddress).append(")");
>>               sb.append("-mandator:");
>>               sb.append(mandator);
>>               return sb.toString();
>>       }
>>
>>       private String username;
>>       private char password[];
>>       private boolean rememberMe;
>>       private InetAddress inetAddress;
>>       private String mandator;
>> }
>>
>
> CardManagement authorization works because it's done via servlet.
> But newscorner results in 401 error because it's done via direct link (< A
> href >).
>
> Do you see something going wrong?
>
> Regards, see you tomorrow (end of work for me^^), Tcharlie
>
>
>
>
> Les Hazlewood-2 wrote:
>>
>> If that is the case, you will want to redefine 'authc' to be the
>> PassthroughAuthenticationFilter.  This will allow the standard 'authc'
>> behavior, but requires you to implement your own Form and Form
>> controller (which you have already done):
>>
>> [main]
>> authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
>> authc.loginUrl = /path/to/login.jsp
>> authc.successUrl = /path/after/successful/login
>>
>> That should do the trick.
>>
>> Cheers,
>>
>> Les
>>
>> On Mon, Jul 20, 2009 at 11:13 AM, Tcharlie<cm...@gmail.com> wrote:
>>>
>>>
>>>
>>> Les Hazlewood-2 wrote:
>>>>
>>>>>> How does the user authenticate with your application?  Do they fill
>>>>>> in and submit a form or are you using Basic HTTP Authentication or
>>>>>> some other method?
>>>>>>
>>>>>>
>>>>>
>>>>> I've got a jsp form to authenticate my users. The link is good because
>>>>> if my user is not authenticated, he is redirected to my login page
>>>>
>>>> You need to tell the authentication filter what your login url is so
>>>> it knows where to redirect if a user is not authenticated:
>>>>
>>>> [main]
>>>> authc.loginUrl = /some/path/to/login.jsp
>>>>
>>>> Cheers,
>>>>
>>>> Les
>>>>
>>>>
>>>
>>> It's already done and it works fine.
>>>
>>> I forgot to mention that I can't use the FormAuthenticationFilter (I
>>> don't know which filter you put as default), because my authentication
>>> token encloses 3 params (username, password and mandator, which represent
>>> the authorisation context (toto may be the HSBC chairman (full application
>>> access), but a Citybank customer (restricted access)).
>>> My realm supports this token but FormAuthenticationFilter throws a
>>> listenerstart error if I use it.
>>>
>>> Unfortunately, the link I have to click on is not hidden from the
>>> unauthorized users, resulting in access being permitted by Ki when I click
>>> on it, but a
>>> " Etat HTTP 401 -
>>>
>>> type Rapport d'état
>>>
>>> message
>>>
>>> description La requête nécessite une authentification HTTP ().
>>> Apache Tomcat/6.0.18"
>>>
>>> error.
>>> I deduce that Ki allowed me to pass (I wasn't redirected to the login page)
>>> and challenged my HTTP headers. Due to the fact that I don't have the
>>> authentication header (I lost it when I clicked on the link), the server
>>> doesn't allow me to see my page...
>>> --
>>> View this message in context:
>>> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289410.html
>>> Sent from the Shiro User mailing list archive at Nabble.com.
>>>
>>
>>
>
> --
> View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289577.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: BasicHttpHeader and jsp links

Posted by Tcharlie <cm...@gmail.com>.
I did it; this does not solve my error:

Here is my filter definition

Tcharlie wrote:
> 
>  <filter>
>         <filter-name>JSecurityFilter</filter-name>
>        
> <filter-class>org.jsecurity.web.servlet.JSecurityFilter</filter-class>
>         <init-param>
>             <param-name>config</param-name>
>             <param-value>
>                 [main]
>                  securityManager = org.jsecurity.web.WebRememberMeManager
>                 realmA = realm.XaKiRealm
>                 
>                 [filters]
>                 authc =
> org.jsecurity.web.filter.authc.PassThruAuthenticationFilter
>                 authc.successUrl = /jsp/logon.jsp
>                 authc.loginUrl = /jsp/logon.jsp
>                 roles.unauthorizedUrl = /jsp/accessdenied.html
> 
>                 [urls]
>                	/jsp/cardmgmt.jsp = authc,
> perms[urls:/jsp/cardmgmt.*:access]
>                	/jsp/newscorner.html = authc,
> perms[urls:/jsp/newscorner.html:access] 
>                	/jsp/changepwd.jsp = authc,
> perms[urls:/jsp/changepwd.*:access]
>             </param-value>
>         </init-param>
>     </filter>
> 

My first jsp: 

Tcharlie wrote:
> 
> <ul>
> 			<li> logon.jsp The Logon/Logoff page </li>
> 			<li> changepwd.jsp The Change Password page </li>
> 			<li> cardmgmt The Card Management page </li>
> 			<li> newscorner.html Employee News Corner </li>
> 		</ul> 
> 

My realm:

Tcharlie wrote:
> 
> public class XaKiRealm extends AuthorizingRealm {
> 	@Override
> 	protected AuthorizationInfo doGetAuthorizationInfo(
> 			PrincipalCollection principals) {
> 
> 		if (principals == null) {
> 			throw new AuthorizationException(
> 					"Les attributs utilisateurs ne doit pas être vide.");
> 		}
> 		SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
> 		try {
> 			info.setStringPermissions(PermissionResolver
> 					.resolvePermissions(((Group) principals.asList().get(2))));
> 		} catch (NamingException e) {
> 			e.printStackTrace();
> 		}
> 		return info;
> 	}
> 
> 	@Override
> 	protected AuthenticationInfo doGetAuthenticationInfo(
> 			AuthenticationToken arg0) throws AuthenticationException {
> 		UserPasswordMandatorAuthenticator auth = new
> UserPasswordMandatorAuthenticator();
> 		try {
> 			AuthenticationReply r = auth
> 					.authenticate((UsernamePasswordMandatorToken) arg0);
> 			return r;
> 		} catch (UnsupportedCredentialException e) {
> 			throw new UnsupportedTokenException(e.getMessage());
> 		} catch (AccessTimeException e) {
> 			throw new ExcessiveAttemptsException(e.getMessage());
> 		} catch (LockedByAdminException e) {
> 			throw new LockedAccountException(e.getMessage());
> 		} catch (LockedExpiredPasswordException e) {
> 			throw new ExpiredCredentialsException(e.getMessage());
> 		} catch (LockedInvalidPasswordException e) {
> 			throw new IncorrectCredentialsException(e.getMessage());
> 		} catch (net.atos.xa.rm.AuthenticationException e) {
> 			throw new AuthenticationException(e.getMessage());
> 		} catch (NamingException e) {
> 			throw new ConcurrentAccessException(e.getMessage());
> 		} catch (UserNameValidationException e) {
> 			throw new UnknownAccountException(e.getMessage());
> 		}
> 	}
> 
> 	@Override
> 	public final boolean supports(final AuthenticationToken token) {
> 		boolean supported = false;
> 		if (token.getClass().equals(UsernamePasswordMandatorToken.class)) {
> 			supported = true;
> 		}
> 		return supported;
> 	}
> }
> 

and finally my token:


Tcharlie wrote:
> 
> 
> public class UsernamePasswordMandatorToken implements
> InetAuthenticationToken,
> 		RememberMeAuthenticationToken {
> 
> 	private static final long serialVersionUID = 1L;
> 
> 	// default constructor
> 	public UsernamePasswordMandatorToken() {
> 		rememberMe = false;
> 	}
> 
> 	// constructors with arguments
> 	public UsernamePasswordMandatorToken(String username, char password[],
> 			String mandator) {
> 		this(username, password, mandator, false, null);
> 	}
> 
> 	public UsernamePasswordMandatorToken(String username, String password,
> 			String mandator) {
> 		this(username, password == null ? null : password.toCharArray(),
> 				mandator, false, null);
> 	}
> 
> 	public UsernamePasswordMandatorToken(String username, char password[],
> 			String mandator, InetAddress inetAddress) {
> 		this(username, password, mandator, false, inetAddress);
> 	}
> 
> 	public UsernamePasswordMandatorToken(String username, String password,
> 			String mandator, InetAddress inetAddress) {
> 		this(username, password == null ? null : password.toCharArray(),
> 				mandator, false, inetAddress);
> 	}
> 
> 	public UsernamePasswordMandatorToken(String username, char password[],
> 			String mandator, boolean rememberMe) {
> 		this(username, password, mandator, rememberMe, null);
> 	}
> 
> 	public UsernamePasswordMandatorToken(String username, String password,
> 			String mandator, boolean rememberMe) {
> 		this(username, password == null ? null : password.toCharArray(),
> 				mandator, rememberMe, null);
> 	}
> 
> 	// the actual constructor; all others delegate here
> 	public UsernamePasswordMandatorToken(String username, char password[],
> 			String mandator, boolean rememberMe, InetAddress inetAddress) {
> 		this.rememberMe = false;
> 		this.username = username;
> 		this.password = password;
> 		this.mandator = mandator;
> 		this.rememberMe = rememberMe;
> 		this.inetAddress = inetAddress;
> 	}
> 
> 	public UsernamePasswordMandatorToken(String username, String password,
> 			String mandator, boolean rememberMe, InetAddress inetAddress) {
> 		this(username, password == null ? null : password.toCharArray(),
> 				mandator, rememberMe, inetAddress);
> 	}
> 
> 	// getters & setters
> 	public String getUsername() {
> 		return username;
> 	}
> 
> 	public void setUsername(String username) {
> 		this.username = username;
> 	}
> 
> 	public char[] getPassword() {
> 		return password;
> 	}
> 
> 	public void setPassword(char password[]) {
> 		this.password = password;
> 	}
> 
> 	public String getMandator() {
> 		return mandator;
> 	}
> 
> 	public void setMandator(String mandator) {
> 		this.mandator = mandator;
> 	}
> 
> 	public InetAddress getInetAddress() {
> 		return inetAddress;
> 	}
> 
> 	public void setInetAddress(InetAddress inetAddress) {
> 		this.inetAddress = inetAddress;
> 	}
> 
> 	public boolean isRememberMe() {
> 		return rememberMe;
> 	}
> 
> 	public void setRememberMe(boolean rememberMe) {
> 		this.rememberMe = rememberMe;
> 	}
> 
> 	// Override: returns the list of principals (username and mandator)
> 	public Object getPrincipal() {
> 		List<String> res = new ArrayList<String>();
> 		res.add(getUsername());
> 		res.add(getMandator());
> 		return res;
> 	}
> 
> 	// Override: returns the credentials (the password)
> 	public Object getCredentials() {
> 		return getPassword();
> 	}
> 
> 	// Clears the token, wiping the password array before dropping it
> 	public void clear() {
> 		username = null;
> 		inetAddress = null;
> 		rememberMe = false;
> 		if (password != null) {
> 			for (int i = 0; i < password.length; i++)
> 				password[i] = '\0';
> 
> 			password = null;
> 		}
> 		mandator = null;
> 	}
> 
> 	public String toString() {
> 		StringBuffer sb = new StringBuffer();
> 		sb.append(getClass().getName());
> 		sb.append(" - ");
> 		sb.append(username);
> 		sb.append(", rememberMe=").append(rememberMe);
> 		if (inetAddress != null)
> 			sb.append(" (").append(inetAddress).append(")");
> 		sb.append("-mandator:");
> 		sb.append(mandator);
> 		return sb.toString();
> 	}
> 
> 	private String username;
> 	private char password[];
> 	private boolean rememberMe;
> 	private InetAddress inetAddress;
> 	private String mandator;
> }
> 

CardManagement authorization works because it's done via servlet.
But newscorner results in 401 error because it's done via direct link (< A
href >).

Do you see something going wrong?

Regards, see you tomorrow (end of work for me^^), Tcharlie




Les Hazlewood-2 wrote:
> 
> If that is the case, you will want to redefine 'authc' to be the
> PassthroughAuthenticationFilter.  This will allow the standard 'authc'
> behavior, but requires you to implement your own Form and Form
> controller (which you have already done):
> 
> [main]
> authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
> authc.loginUrl = /path/to/login.jsp
> authc.successUrl = /path/after/successful/login
> 
> That should do the trick.
> 
> Cheers,
> 
> Les
> 
> On Mon, Jul 20, 2009 at 11:13 AM, Tcharlie<cm...@gmail.com> wrote:
>>
>>
>>
>> Les Hazlewood-2 wrote:
>>>
>>>>> How does the user authenticate with your application?  Do they fill
>>>>> in and submit a form or are you using Basic HTTP Authentication or
>>>>> some other method?
>>>>>
>>>>>
>>>>
>>>> I've got a jsp form to authenticate my users. The link is good because
>>>> if my user is not authenticated, he is redirected to my login page
>>>
>>> You need to tell the authentication filter what your login url is so
>>> it knows where to redirect if a user is not authenticated:
>>>
>>> [main]
>>> authc.loginUrl = /some/path/to/login.jsp
>>>
>>> Cheers,
>>>
>>> Les
>>>
>>>
>>
>> It's already done and it works fine.
>>
>> I forgot to mention that I can't use the FormAuthenticationFilter (I
>> don't know which filter you put as default), because my authentication
>> token encloses 3 params (username, password and mandator, which represent
>> the authorisation context (toto may be the HSBC chairman (full application
>> access), but a Citybank customer (restricted access)).
>> My realm supports this token but FormAuthenticationFilter throws a
>> listenerstart error if I use it.
>>
>> Unfortunately, the link I have to click on is not hidden from the
>> unauthorized users, resulting in access being permitted by Ki when I click
>> on it, but a
>> " Etat HTTP 401 -
>>
>> type Rapport d'état
>>
>> message
>>
>> description La requête nécessite une authentification HTTP ().
>> Apache Tomcat/6.0.18"
>>
>> error.
>> I deduce that Ki allowed me to pass (I wasn't redirected to the login page)
>> and challenged my HTTP headers. Due to the fact that I don't have the
>> authentication header (I lost it when I clicked on the link), the server
>> doesn't allow me to see my page...
>> --
>> View this message in context:
>> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289410.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
> 
> 

-- 
View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289577.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: BasicHttpHeader and jsp links

Posted by Les Hazlewood <lh...@apache.org>.
If that is the case, you will want to redefine 'authc' to be the
PassthroughAuthenticationFilter.  This will allow the standard 'authc'
behavior, but requires you to implement your own Form and Form
controller (which you have already done):

[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /path/to/login.jsp
authc.successUrl = /path/after/successful/login

That should do the trick.

Cheers,

Les

On Mon, Jul 20, 2009 at 11:13 AM, Tcharlie<cm...@gmail.com> wrote:
>
>
>
> Les Hazlewood-2 wrote:
>>
>>>> How does the user authenticate with your application?  Do they fill
>>>> in and submit a form or are you using Basic HTTP Authentication or
>>>> some other method?
>>>>
>>>>
>>>
>>> I've got a jsp form to authenticate my users. The link is good because if
>>> my user is not authenticated, he is redirected to my login page
>>
>> You need to tell the authentication filter what your login url is so
>> it knows where to redirect if a user is not authenticated:
>>
>> [main]
>> authc.loginUrl = /some/path/to/login.jsp
>>
>> Cheers,
>>
>> Les
>>
>>
>
> It's already done and it works fine.
>
> I forgot to mention that I can't use the FormAuthenticationFilter (I don't
> know which filter you put as default), because my authentication token
> encloses 3 params (username, password and mandator, which represent the
> authorisation context (toto may be the HSBC chairman (full application
> access), but a Citybank customer (restricted access)).
> My realm supports this token but FormAuthenticationFilter throws a
> listenerstart error if I use it.
>
> Unfortunately, the link I have to click on is not hidden from the unauthorized
> users, resulting in access being permitted by Ki when I click on it, but a
> " Etat HTTP 401 -
>
> type Rapport d'état
>
> message
>
> description La requête nécessite une authentification HTTP ().
> Apache Tomcat/6.0.18"
>
> error.
> I deduce that Ki allowed me to pass (I wasn't redirected to the login page) and
> challenged my HTTP headers. Due to the fact that I don't have the
> authentication header (I lost it when I clicked on the link), the server
> doesn't allow me to see my page...
> --
> View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289410.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>

Re: BasicHttpHeader and jsp links

Posted by Tcharlie <cm...@gmail.com>.


Les Hazlewood-2 wrote:
> 
>>> How does the user authenticate with your application?  Do they fill
>>> in and submit a form or are you using Basic HTTP Authentication or
>>> some other method?
>>>
>>>
>>
>> I've got a jsp form to authenticate my users. The link is good because if
>> my user is not authenticated, he is redirected to my login page
> 
> You need to tell the authentication filter what your login url is so
> it knows where to redirect if a user is not authenticated:
> 
> [main]
> authc.loginUrl = /some/path/to/login.jsp
> 
> Cheers,
> 
> Les
> 
> 

It's already done and it works fine.

I forgot to mention that I can't use the FormAuthenticationFilter (I don't
know which filter you put as default), because my authentication token
encloses 3 params (username, password and mandator, which represent the
authorisation context (toto may be the HSBC chairman (full application
access), but a Citybank customer (restricted access)).
My realm supports this token but FormAuthenticationFilter throws a
listenerstart error if I use it.

Unfortunately, the link I have to click on is not hidden from the unauthorized
users, resulting in access being permitted by Ki when I click on it, but a
" Etat HTTP 401 -

type Rapport d'état

message

description La requête nécessite une authentification HTTP ().
Apache Tomcat/6.0.18"

error.
I deduce that Ki allowed me to pass (I wasn't redirected to the login page) and
challenged my HTTP headers. Due to the fact that I don't have the
authentication header (I lost it when I clicked on the link), the server
doesn't allow me to see my page...
-- 
View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3289410.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: BasicHttpHeader and jsp links

Posted by Les Hazlewood <lh...@apache.org>.
>> How does the user authenticate with your application?  Do they fill
>> in and submit a form or are you using Basic HTTP Authentication or
>> some other method?
>>
>>
>
> I've got a jsp form to authenticate my users. The link is good because if my
> user is not authenticated, he is redirected to my login page

You need to tell the authentication filter what your login url is so
it knows where to redirect if a user is not authenticated:

[main]
authc.loginUrl = /some/path/to/login.jsp

Cheers,

Les

Re: BasicHttpHeader and jsp links

Posted by Tcharlie <cm...@gmail.com>.
Hi Les,




Les Hazlewood-2 wrote:
> 
> Hi Tcharlie,
> 
> How does the user authenticate with your application?  Do they fill
> in and submit a form or are you using Basic HTTP Authentication or
> some other method?
> 
> 

I've got a jsp form to authenticate my users. The link is good because if my
user is not authenticated, he is redirected to my login page


Les Hazlewood-2 wrote:
> 
> Also as a side note, although your permission mechanism will
> definitely work ('urls:/jsp/newscorner.html:access'), it is typically
> much better to describe system authorizations based on functionality,
> not based on how they access the application. For example, this is
> usually a cleaner/easier to manage approach:
> 
> perms[newsFeed:read].
> 
> (or something similar that makes sense for your particular application).
> 
> URLs and web frameworks and front-end GUIs technology change or are
> added often over the life of a project, whereas my permission example
> above is rooted in raw functionality only and has no bearing on what
> front-end technology might be used.  That you have the permission
> filter defined for that url is enough to perform the url safety you
> require.
> 
> Regards,
> 
> Les
> 

In fact, I'm mixing another security framework with Shiro (which provides
many more functionalities, for example PCI compliance or calendar logging
restriction) and it should have zero impact when upgrading to this "mixed"
framework. So I need to provide the permission category, resource name and
then the action to perform.
I'm sure that my custom realm works fine, I tested it with server redirect
(servlet dispatcher) and it's ok...

My only problem remains with client redirect ( ) which results in a 401 error.


Les Hazlewood-2 wrote:
> On Mon, Jul 20, 2009 at 9:03 AM, Tcharlie<cmordant1@gmail.com> wrote:
>>
>> Hi all,
>>
>> I'm developing a custom application using shiro (jsecurity 0.9).
>> I wanted to forbid access to one html page, so, I added the following
>> line
>> in my web.xml:
>> [urls]
>>                /jsp/newscorner.html = authc,
>> perms[urls:/jsp/newscorner.html:access]
>>
>> It works fine when I use a server redirect (dispatcher.forward(...)).
>> The problem comes when i try to make a client redirect to this page (via
>>  )
>> Authentication headers are not present so I encounter a 401 error.
>>
>> Is there any httpsessionfilter implemented (based on jsessionid) or
>> should I
>> implement this by myself?
>> Is there an other way to bypass this problem? (I don't want to change
>> anything in my jsp's and html files).
>>
>> Thank in advance, Tcharlie
>>
>> --
>> View this message in context:
>> http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288699.html
>> Sent from the Shiro User mailing list archive at Nabble.com.
>>
> 
> 

-- 
View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288978.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: BasicHttpHeader and jsp links

Posted by Les Hazlewood <lh...@apache.org>.
Hi Tcharlie,

How does the user authenticate with your application?  Do they fill
in and submit a form or are you using Basic HTTP Authentication or
some other method?

Also as a side note, although your permission mechanism will
definitely work ('urls:/jsp/newscorner.html:access'), it is typically
much better to describe system authorizations based on functionality,
not based on how they access the application. For example, this is
usually a cleaner/easier to manage approach:

perms[newsFeed:read].

(or something similar that makes sense for your particular application).

URLs and web frameworks and front-end GUI technologies change or are
added often over the life of a project, whereas my permission example
above is rooted in raw functionality only and has no bearing on what
front-end technology might be used.  That you have the permission
filter defined for that url is enough to perform the url safety you
require.

Regards,

Les

On Mon, Jul 20, 2009 at 9:03 AM, Tcharlie<cm...@gmail.com> wrote:
>
> Hi all,
>
> I'm developing a custom application using shiro (jsecurity 0.9).
> I wanted to forbid access to one html page, so, I added the following line
> in my web.xml:
> [urls]
>                /jsp/newscorner.html = authc,
> perms[urls:/jsp/newscorner.html:access]
>
> It works fine when I use a server redirect (dispatcher.forward(...)).
> The problem comes when I try to make a client redirect to this page (via  )
> Authentication headers are not present so I encounter a 401 error.
>
> Is there any httpsessionfilter implemented (based on jsessionid) or should I
> implement this by myself?
> Is there another way to bypass this problem? (I don't want to change
> anything in my jsp's and html files).
>
> Thanks in advance, Tcharlie
>
> --
> View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3288699.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
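Les's point about functionality-based permissions follows from how Shiro's WildcardPermission matches strings. The following is an added example, not from the thread and not Shiro's own source: a small Python reimplementation of those implication rules (':' separates parts, ',' separates sub-parts, '*' is a wildcard, comparison is case-insensitive) showing that a grant tied to a URL stops matching as soon as the page is moved, while `newsFeed:read` never mentions a URL. The new path `/news/feed.html` is constructed for the demonstration.

```python
from __future__ import annotations

WILDCARD = "*"


def parse(perm: str) -> list[set[str]]:
    """Split 'newsFeed:read,write' into [{'newsfeed'}, {'read', 'write'}].

    Parts are ':'-separated, sub-parts ','-separated, compared lower-cased.
    A URL containing ':' (e.g. a query string) would be split as well, which is
    one more reason the URL-as-permission style is fragile.
    """
    parts = []
    for part in perm.strip().split(":"):
        subparts = {s.strip().lower() for s in part.split(",") if s.strip()}
        if not subparts:
            raise ValueError(f"empty part in permission string: {perm!r}")
        parts.append(subparts)
    return parts


def implies(granted: str, required: str) -> bool:
    """True if the granted permission covers the required one."""
    g, r = parse(granted), parse(required)
    for i, r_part in enumerate(r):
        if i >= len(g):
            return True  # granted string is shorter: trailing parts are implied
        g_part = g[i]
        if WILDCARD not in g_part and not r_part <= g_part:
            return False
    # extra parts on the granted side must all be wildcards
    return all(WILDCARD in part for part in g[len(r):])


if __name__ == "__main__":
    # URL-coupled grant from the thread: valid today, broken once the page moves
    granted = "urls:/jsp/newscorner.html:access"
    print(implies(granted, "urls:/jsp/newscorner.html:access"))  # True
    print(implies(granted, "urls:/news/feed.html:access"))       # False (constructed new path)
    # Functionality-based grant: the check does not care where the page lives
    print(implies("newsFeed:*", "newsFeed:read"))     # True
    print(implies("newsFeed:read", "newsFeed:write"))  # False
```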

Re: BasicHttpHeader and jsp links

Posted by Tcharlie <cm...@gmail.com>.
Hi Les,

Thank you for your advice, I have a clear configuration now.
I found my problem: my token's default constructor set the rememberMe
property to false, so the authentication params were passed in the HTTP
headers and were not saved in the session.

I've finished my project, and now know many things about security
frameworks^^.

It's possible that I give some of my modules to your community in the
future, depending on my enterprise's policy.

See you, Tcharlie


Tcharlie wrote:
> 
> Hi all,
> 
> I'm developing a custom application using shiro (jsecurity 0.9).
> I wanted to forbid access to one html page, so, I added the following line
> in my web.xml:
> [urls]
>                	/jsp/newscorner.html = authc,
> perms[urls:/jsp/newscorner.html:access]
> 
> It works fine when I use a server redirect (dispatcher.forward(...)).
> The problem comes when I try to make a client redirect to this page (via <
> a href... >)
> Authentication headers are not present so I encounter a 401 error.
> 
> Is there any httpsessionfilter implemented (based on jsessionid) or should
> I implement it by myself?
> Is there another way to bypass this problem? (I don't want to change
> anything in my jsp's and html files).
> 
> Thanks in advance, Tcharlie
>                	
> 

-- 
View this message in context: http://n2.nabble.com/BasicHttpHeader-and-jsp-links-tp3288699p3293793.html
Sent from the Shiro User mailing list archive at Nabble.com.