Posted to users@tomcat.apache.org by Jill Han <ji...@alverno.edu> on 2009/04/22 16:46:06 UTC

form based authentication

I tried to use form based authentication with JNDIRealm.  What I want to
accomplish is to have the two applications with the same realm be
authenticated once. It seems the tomcat ignored the realm. I have to
login twice. For example: when I login to http://localhost:8080/app1
successfully, then change the url to http://localhost:8080/app2, the
login page will be prompted again. I hope I describe my issue clearly.

Here is the snippet of web.xml for the app1 and app2

..
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FACRES</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
  </security-role>
..

 

Here is the login.jsp

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Login Page</title>
  </head>
  <body>
  <form method="POST" action="j_security_check">
    <input type="text" name="j_username">
    <br>
    <input type="password" name="j_password">
    <br>
    <input type="submit">
  </form>
  </body>
</html>

 

Your help will be appreciated very much as always.

 

Jill


RE: customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
The correct tag should be   
<error-page>
    <error-code>401</error-code>
    <location>/error401.jsp</location>
  </error-page>

Thanks,

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, April 23, 2009 10:18 AM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page

Jill,

You've hijacked your own thread. :(

On 4/23/2009 11:09 AM, Jill Han wrote:
> If using Basic authentication, the unsuccessful login, or just click
> "Cancel" button will trigger the 401 page.
>
> My question is 
> 1. is there a way to customize "cancel" action? So there will be no error message prompted.

No.

> 2. Is there a way to customize tomcat HTTP Status 401 error message
> to a more user meaningful one?

Yes. See the section of web.xml that has <error-page> entries.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: customize HTTP Status 401 error page

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> Chuck,
> 
> On 4/24/2009 11:35 AM, Caldarale, Charles R wrote:
>> I'm not sure what you're trying to accomplish by defining an error
>> page for a 401 status; my understanding is that a 401 just triggers
>> the login dialog for the browser - there's no HTML or other data to
>> display with the status.
> 
> If the client aborts (such as too many attempts or user chooses "cancel"
> instead of submitting credentials), the 401 page will be displayed, so
> there is some utility in defining a page for this status if HTTP Auth
> will be used.
> 
Let's nitpick here.
If you're using IE, you may define 401 pages all you want, it's going to 
show its own anyway.
;-)


(ok, unless you think of making your 401 page larger than 1024 bytes or 
so, and probably also turn off its "friendly error messages" option).



Re: customize HTTP Status 401 error page

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 4/24/2009 11:35 AM, Caldarale, Charles R wrote:
> I'm not sure what you're trying to accomplish by defining an error
> page for a 401 status; my understanding is that a 401 just triggers
> the login dialog for the browser - there's no HTML or other data to
> display with the status.

If the client aborts (such as too many attempts or user chooses "cancel"
instead of submitting credentials), the 401 page will be displayed, so
there is some utility in defining a page for this status if HTTP Auth
will be used.

- -chris


RE: customize HTTP Status 401 error page

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jill Han [mailto:jill.han@alverno.edu]
> Subject: RE: customize HTTP Status 401 error page

There is at least one thing wrong with your web.xml:

>       <url-pattern>*</url-pattern>

That's not a valid URL pattern; perhaps you meant "/*".

I'm not sure what you're trying to accomplish by defining an error page for a 401 status; my understanding is that a 401 just triggers the login dialog for the browser - there's no HTML or other data to display with the status.  Customizing a 403 would be meaningful.

 - Chuck
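
A check for the url-pattern problem pointed out above, added here as an example (it is not code from the thread or from Tomcat). The pattern rules in `classify_url_pattern` are an assumed summary of the servlet mapping rules, the function names are hypothetical, and the sample input is constructed from the web.xml posted in this thread, trimmed to its security elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: security elements of the web.xml posted in the thread,
# including the "*" url-pattern that was pointed out as invalid.
THREAD_WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FACRES</web-resource-name>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
  </security-role>
</web-app>
"""


def children(elem, name):
    """Direct children with the given local name, ignoring any XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def text_of(elem):
    return (elem.text or "").strip()


def classify_url_pattern(pattern):
    """Return the mapping kind of a url-pattern, or None if it is malformed.

    Assumed rule set (a summary, not Tomcat's own validation code):
    "/" is the default mapping, "/.../*" a path-prefix mapping, "*.ext" an
    extension mapping, any other string starting with "/" an exact match.
    The empty-string mapping of later servlet versions is not handled.
    """
    if pattern == "/":
        return "default"
    if pattern.startswith("/"):
        return "path-prefix" if pattern.endswith("/*") else "exact"
    if pattern.startswith("*.") and len(pattern) > 2 and "/" not in pattern:
        return "extension"
    return None


def audit_web_xml(xml_text):
    """Return a list of (finding, web-resource-name, value) tuples."""
    root = ET.fromstring(xml_text)
    declared = {text_of(r)
                for sr in children(root, "security-role")
                for r in children(sr, "role-name")}
    findings = []
    for constraint in children(root, "security-constraint"):
        label = "(unnamed)"
        for coll in children(constraint, "web-resource-collection"):
            names = children(coll, "web-resource-name")
            if names:
                label = text_of(names[0])
            for up in children(coll, "url-pattern"):
                pattern = text_of(up)
                if classify_url_pattern(pattern) is None:
                    findings.append(("invalid-url-pattern", label, pattern))
        for auth in children(constraint, "auth-constraint"):
            for r in children(auth, "role-name"):
                role = text_of(r)
                # "*" in an auth-constraint stands for every role of the web app.
                if role != "*" and role not in declared:
                    findings.append(("undeclared-role", label, role))
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(THREAD_WEB_XML):
        print(finding)
```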




RE: customize HTTP Status 401 error page

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Martin Gainty [mailto:mgainty@hotmail.com]
> Subject: RE: customize HTTP Status 401 error page
> 
> what happens when you supply the webapplication name to 
> <url-pattern> and restart TC?

That would violate the servlet spec.  The webapp name *never* appears in web.xml, other than perhaps as documentation.

 - Chuck




Re: customize HTTP Status 401 error page

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jill,

On 4/24/2009 10:55 AM, Jill Han wrote:
> At this point, I just explored the options between basic and form-based authentication.
> No real webapp is built yet. The displayed name is just the directory name, app1, under webapps.

I think it would be helpful if you were to post your entire web.xml
file. Also, are you using Tomcat all by itself, or are you using Apache
httpd or some other web server out in front? That could be complicating
things. If you /are/ using httpd, please post the configuration you use
to connect the two.

- -chris


RE: customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
At this point, I just explored the options between basic and form-based authentication.
No real webapp is built yet. The displayed name is just the directory name, app1, under webapps.

As I stated before, if it is run on Windows, http://localhost:8080/app1, there will be no authentication window prompted, instead error.html; even after I restarted the TC, and put http://localhost:8080/app1 in the address bar.
If it is run on Linux, http://serverName:8080/app1, authentication window is prompted, but error.html will not replace 401 message when authentication failed.
If I choose to use form-based authentication, there will be other issues as I stated in the previous email about form-based authentication.
Right now, I am not quite sure which route.

Jill


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Friday, April 24, 2009 9:23 AM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page

Jill,

On 4/24/2009 9:04 AM, Jill Han wrote:
> The display-name is Faculty Resources. If I supply this name to the
> url, http://localhost:8080/Faculty Resources, it will generate 404
> error.

I think you may be very confused about a lot of things. The
<display-name> element basically just names the webapp so that if you
are using a tool to browse webapps (like LambdaProbe or others) that's
the name that gets displayed.

It has nothing to do with deployment, and certainly won't respond to a
request in any meaningful way.

Do you have a resource defined for "Faculty Resources"? I suspect not.

What is the name of your webapp? That's either the name of the WAR file
or the name of the context XML file (without the .xml extension) you put
into conf/[engine]/[host]/myContextName.xml.

- -chris


Re: customize HTTP Status 401 error page

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jill,

On 4/24/2009 9:04 AM, Jill Han wrote:
> The display-name is Faculty Resources. If I supply this name to the
> url, http://localhost:8080/Faculty Resources, it will generate 404
> error.

I think you may be very confused about a lot of things. The
<display-name> element basically just names the webapp so that if you
are using a tool to browse webapps (like LambdaProbe or others) that's
the name that gets displayed.

It has nothing to do with deployment, and certainly won't respond to a
request in any meaningful way.

Do you have a resource defined for "Faculty Resources"? I suspect not.

What is the name of your webapp? That's either the name of the WAR file
or the name of the context XML file (without the .xml extension) you put
into conf/[engine]/[host]/myContextName.xml.

- -chris


RE: customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
The display-name is Faculty Resources.
If I supply this name to the url, http://localhost:8080/Faculty Resources, it will generate 404 error.


-----Original Message-----
From: Martin Gainty [mailto:mgainty@hotmail.com] 
Sent: Thursday, April 23, 2009 4:08 PM
To: Tomcat Users List
Subject: RE: customize HTTP Status 401 error page
X-HOSTLOC: alverno.edu/10.0.60.10


the url-pattern is usually the contextPath such as
http://host:port + ContextPath is compared to the <url-pattern> 

http://edocs.bea.com/wls/docs61/webapp/web_xml.html

what is the webapplication name?
what happens when you supply the webapplication name to <url-pattern> 
and restart TC?

Martin 


RE: customize HTTP Status 401 error page

Posted by Martin Gainty <mg...@hotmail.com>.
the url-pattern is usually the contextPath such as
http://host:port + ContextPath is compared to the <url-pattern> 

http://edocs.bea.com/wls/docs61/webapp/web_xml.html

what is the webapplication name?
what happens when you supply the webapplication name to <url-pattern> 
and restart TC?

Martin 

> Subject: RE: customize HTTP Status 401 error page
> Date: Thu, 23 Apr 2009 15:19:39 -0500
> From: jill.han@alverno.edu
> To: users@tomcat.apache.org
> 
> Here is web.xml
> <web-app>
>   <display-name>Faculty Resources</display-name>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>FACRES</web-resource-name>
>       <url-pattern>*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
>     </auth-constraint>
>   </security-constraint>  
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>TESTING</realm-name>  
>   </login-config> 
>    <error-page>
>     <error-code>401</error-code>
>     <location>/error.html</location>
>   </error-page> 
>   
>   <security-role>
>     <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
>   </security-role>
> 
>   <session-config>
>     <session-timeout>2</session-timeout>
>   </session-config>  
> </web-app>
> 
> Yes, if it is run on Windows, no credential window was prompted, but instead, the error.html
> However, if it is run on Linux, credential window was prompted, but, if unsuccessful, or clicking "Cancel", 401 error message still shows up. <error-page> was ignored.
> 
> Jill
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@christopherschultz.net] 
> Sent: Thursday, April 23, 2009 2:55 PM
> To: Tomcat Users List
> Subject: Re: customize HTTP Status 401 error page
> 
> Jill,
> 
> On 4/23/2009 1:20 PM, Jill Han wrote:
> > I still need help.
> > Here is the web.xml
> > ...
> > <login-config>
> >     <auth-method>BASIC</auth-method>
> >     <realm-name>TESTING</realm-name>  
> >   </login-config>
> >  
> >    <error-page>
> >     <error-code>401</error-code>
> >     <location>/error.html</location>
> >   </error-page>
> > ...
> > The error.html is replaced the 401 error message, however there will be no authentication window prompted, error.html is somehow loaded all the time.
> 
> What do your <security-constraint> elements look like?
> 
> Are you saying you are getting a 401 response but never being asked for
> your credentials?
> 
> - -chris

RE: customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
Here is web.xml
<web-app>
  <display-name>Faculty Resources</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>FACRES</web-resource-name>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
    </auth-constraint>
  </security-constraint>  
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TESTING</realm-name>  
  </login-config> 
   <error-page>
    <error-code>401</error-code>
    <location>/error.html</location>
  </error-page> 
  
  <security-role>
    <role-name>CN=FacultyStaff,OU=Groups,OU=EMP,DC=AC</role-name>
  </security-role>

  <session-config>
    <session-timeout>2</session-timeout>
  </session-config>  
</web-app>

Yes, if it is run on Windows, no credential window was prompted, but instead, the error.html
However, if it is run on Linux, credential window was prompted, but, if unsuccessful, or clicking "Cancel", 401 error message still shows up. <error-page> was ignored.

Jill
-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Thursday, April 23, 2009 2:55 PM
To: Tomcat Users List
Subject: Re: customize HTTP Status 401 error page

Jill,

On 4/23/2009 1:20 PM, Jill Han wrote:
> I still need help.
> Here is the web.xml
> ...
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>TESTING</realm-name>  
>   </login-config>
>  
>    <error-page>
>     <error-code>401</error-code>
>     <location>/error.html</location>
>   </error-page>
> ...
> The error.html is replaced the 401 error message, however there will be no authentication window prompted, error.html is somehow loaded all the time.

What do your <security-constraint> elements look like?

Are you saying you are getting a 401 response but never being asked for
your credentials?

- -chris


Re: customize HTTP Status 401 error page

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jill,

On 4/23/2009 1:20 PM, Jill Han wrote:
> I still need help.
> Here is the web.xml
> ...
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>TESTING</realm-name>  
>   </login-config>
>  
>    <error-page>
>     <error-code>401</error-code>
>     <location>/error.html</location>
>   </error-page>
> ...
> The error.html is replaced the 401 error message, however there will be no authentication window prompted, error.html is somehow loaded all the time.

What do your <security-constraint> elements look like?

Are you saying you are getting a 401 response but never being asked for
your credentials?

- -chris


RE: customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
I still need help.
Here is the web.xml
...
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TESTING</realm-name>  
  </login-config>
 
   <error-page>
    <error-code>401</error-code>
    <location>/error.html</location>
  </error-page>
...
The error.html is replaced the 401 error message, however there will be no authentication window prompted, error.html is somehow loaded all the time.

Thanks,
Jill


RE: customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
Would you give some instructions on doing that?
I tried to put <error-page>/error.html</error-page> in application own web.xml
And tomcat conf/web.xml, they won't work. The HTTP Status 401 error page is still used.

Thanks,
Jill



Re: customize HTTP Status 401 error page

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jill,

You've hijacked your own thread. :(

On 4/23/2009 11:09 AM, Jill Han wrote:
> If using Basic authentication, the unsuccessful login, or just click
> "Cancel" button will trigger the 401 page.
>
> My question is 
> 1. is there a way to customize "cancel" action? So there will be no error message prompted.

No.

> 2. Is there a way to customize tomcat HTTP Status 401 error message
> to a more user meaningful one?

Yes. See the section of web.xml that has <error-page> entries.

- -chris


customize HTTP Status 401 error page

Posted by Jill Han <ji...@alverno.edu>.
If using Basic authentication, the unsuccessful login, or just click "Cancel" button will trigger the 401 page.
My question is 
1. is there a way to customize "cancel" action? So there will be no error message prompted.
2. Is there a way to customize tomcat HTTP Status 401 error message to a more user meaningful one?

Thanks,
Jill

Re: form based authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jill,

On 4/22/2009 3:11 PM, Jill Han wrote:
> What I want to do is all the applications have the same realm config
> in server.xml.

That's not what you said earlier: you said you wanted /certain/
applications to have SSO behavior. SSO works by creating a single Realm
for all applications within the same <Host> and authenticating only a
single time.

> When it comes to the different Applications, the
> authentication will be performed based on application very own
> web.xml.

This is not possible using SSO, since it always uses the same Realm
configuration. The only things you can control with web.xml are the form
where authentication is requested (the login-form) which could be
different for each webapp and the recognized security roles and what
they are allowed to access.

> If the applications in the web.xml have the same
> <realm-name>, those applications just need to be authenticated once. 

Tomcat does not provide this capability. You will have to roll your own
authentication scheme to do this.

> If the applications in the web.xml have different <realm-name>, those
> applications need to be authenticated separately.

Your best option is to use multiple <Host> entries in server.xml, but
this requires that you have different host names or IP addresses in
order to make it work, which may not be possible or reasonable for your
requirements.

> Those tasks can be achieved if basic authentication as 
> <login-config> <auth-method>BASIC</auth-method> 
> <realm-name>TEST</realm-name> </login-config> is used.

This is because of a coincidence in how HTTP Auth works. Your browser
sends a special HTTP header regardless of the webapp being used, and
then the webapp does whatever it wants in order to authenticate and
authorize the request. Form authentication is different, since once the
authentication is performed, the session is tied to that user and only
authorization checks are done after that.

If you still can't get this to work, I can think of another solution
(and you're not going to like it):

1. Use securityfilter (http://securityfilter.sourceforge.net)
2. Write a servlet that accepts an encrypted identifier from your other
applications and crams the Principal into the session (where sf keeps
its user info)
3. Encode all your URLs that take you from one application to the other
to provide this encrypted identifier to the login-forcing servlet and
then redirect to where you /really/ want to go

Of course, this doesn't work if users randomly jump between applications
without actually clicking on your links.

-chris
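The hand-off identifier from steps 2 and 3 above, as an added example that is not part of the original post and is not securityfilter code: it uses an HMAC-signed, expiring token in place of the "encrypted identifier", and the class name HandoffToken, the shared key and the /app2 and /app3 paths are assumptions. Placing the verified user into the session is left to the receiving servlet.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (not securityfilter or Tomcat API): token = user.app.expiry.mac
public class HandoffToken {
    private final byte[] key;      // secret shared by the cooperating webapps (assumption)
    private final long ttlMillis;  // validity window of a token

    public HandoffToken(byte[] key, long ttlMillis) { this.key = key.clone(); this.ttlMillis = ttlMillis; }

    private static String enc(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static String enc(String s) { return enc(s.getBytes(StandardCharsets.UTF_8)); }
    private static String dec(String s) { return new String(Base64.getUrlDecoder().decode(s), StandardCharsets.UTF_8); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Source webapp: build the value appended to the cross-application link.
    public String issue(String user, String targetApp, long now) throws Exception {
        String payload = enc(user) + "." + enc(targetApp) + "." + (now + ttlMillis);
        return payload + "." + enc(mac(payload));
    }

    // Receiving servlet: returns the user name, or null when the token must be rejected.
    public String verify(String token, String thisApp, long now) throws Exception {
        String[] p = (token == null) ? new String[0] : token.split("\\.");
        if (p.length != 4) return null;
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(p[3]); } catch (IllegalArgumentException e) { return null; }
        byte[] expected = mac(p[0] + "." + p[1] + "." + p[2]);
        if (!MessageDigest.isEqual(expected, given)) return null; // forged or altered (constant-time compare)
        if (!dec(p[1]).equals(thisApp)) return null;              // minted for another webapp
        if (now > Long.parseLong(p[2])) return null;              // expired
        return dec(p[0]);
    }

    public static void main(String[] args) throws Exception {
        HandoffToken t = new HandoffToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8), 30_000);
        long now = System.currentTimeMillis();
        String tok = t.issue("jdoe", "/app2", now);                // constructed sample values
        System.out.println(t.verify(tok, "/app2", now));           // presented in time to the right app
        System.out.println(t.verify(tok, "/app3", now));           // replayed against another app
        System.out.println(t.verify(tok, "/app2", now + 60_000));  // presented after expiry
    }
}
```

A token stays replayable against its target webapp until it expires, so the validity window should be short; making tokens single-use would need server-side state that this sketch does not keep.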


RE: form based authentication

Posted by Jill Han <ji...@alverno.edu>.
Some corrections to the previous email.
I should say:
When singleSignOn is commented out, those tasks can be achieved if basic authentication, as in
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TEST</realm-name>
</login-config>
is used.



RE: form based authentication

Posted by Jill Han <ji...@alverno.edu>.
There is a single <Host> in server.xml:
<Engine name="Catalina" defaultHost="localhost">
      ...
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             debug="99"
             connectionName="****"
             connectionPassword="****"
             connectionURL="ldap://url:389"
             alternateURL="ldap://url:389"
             userBase="DC=AC"
             userSearch="(sAMAccountName={0})"
             userRoleName="memberof"
             roleBase="DC=AC"
             roleName="cn"
             roleSearch="(uniqueMember={0})"
             userSubtree="true"
             roleSubtree="false"
      />
      ...
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">

        <Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>

      </Host>
</Engine>
What I want is for all the applications to have the same realm config in server.xml. When it comes to the different
applications, the authentication will be performed based on each application's very own web.xml.
If the applications in the web.xml have the same <realm-name>, those applications just need to be authenticated once.
If the applications in the web.xml have different <realm-name>, those applications need to be authenticated separately.

Those tasks can be achieved if basic authentication, as in
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TEST</realm-name>
</login-config>
is used.



RE: form based authentication

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jill Han [mailto:jill.han@alverno.edu]
> Subject: RE: form based authentication
> 
> However, this makes authentication activated only once although the
> applications have different realms.

To quote from the SSO doc:

"All web applications configured for this virtual host must share the same Realm."

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

Can you separate the various <Realm>s by <Host>?  Or are you stuck with a single <Host>?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


RE: form based authentication

Posted by Jill Han <ji...@alverno.edu>.
Thanks,
I commented off SingleSignOn as instructed on the link. 
<Host name="localhost" ...>
  ...
  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         debug="0"/>
  ...
</Host>

However, this makes authentication activated only once although the applications have different realms.
For example,
App1 and app2 have the same realm in web.xml; I just need to log in once, which is what I want to see.
However, app3 has a different realm in web.xml. When I change the URL from app1 to app3,
it didn't trigger the login page and allowed me in.
Is there anything else missing?

Jill


Re: form based authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jill,

On 4/22/2009 10:46 AM, Jill Han wrote:
> I tried to use form based authentication with JNDIRealm.  What I want to
> accomplish is to have the two applications with the same realm be
> authenticated once. It seems the tomcat ignored the realm. I have to
> login twice.

You're looking for SSO (Single Sign-On):

http://tomcat.apache.org/tomcat-6.0-doc/config/host.html#Single%20Sign%20On

-chris