Posted to users@tomcat.apache.org by Eurig Jones <ej...@fugro-robertson.com> on 2006/08/14 17:36:05 UTC
Forwarding during container security
Hi, hopefully someone can help me...
My secured area is /admin/* which requires the "administrator" role to view.
If someone requests /admin/edit.faces, they are prompted with a login
prompt as expected. If they log in correctly they'll proceed to
/admin/edit.faces.
What I want to do is forward any request that goes to /admin/*, after
having to login, to go to /admin/index.faces and not the page they
initially requested.
I have looked into extending the JDBCRealm (or JNDI) but I will not be
able to control the request/response from there. Can anyone point me
in the right direction as to what I have to extend (or whatever I have to
do) to achieve the above?
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Forwarding during container security
Posted by Eurig Jones <ej...@fugro-robertson.com>.
I've gone a slightly different way now, but what I've done is this...
I've extended the JNDIRealm (or JDBC or whatever), which adds the
username of the logged-in user into a one-field table if the user
has successfully logged in.
After the user has logged in, a filter is run (that has the same
wildcards as the security) which checks for the above record. If it
exists, it marks a "justLoggedIn" boolean as true in the session and
deletes the record from the database.
After that, in the filter we do...

    Boolean justLoggedIn = (Boolean) session.getAttribute("justLoggedIn");
    if (Boolean.TRUE.equals(justLoggedIn)) {
        session.setAttribute("justLoggedIn", Boolean.FALSE);
        // redirect to the "index page" and stop the chain here
        response.sendRedirect(request.getContextPath() + "/admin/index.faces");
        return;
    } else {
        // don't redirect; let the request through
        chain.doFilter(request, response);
    }

I think the above should work without having to fiddle too much with
Tomcat's internals! I would rather not have to access the database, but
I can't think of an object which both the JNDIRealm and the Servlet both
have access to and could be modified with something like a
"justLoggedIn" property as I've used above.
I've considered a ThreadLocal variable, but I've yet to figure out
whether both the execution of the Realm's authenticate() method and the
Filter itself are actually on the same Thread.
Thanks for your help!
--
Fugro Robertson Limited Telephone: +44+ (0)1492 581811
Tyn-y-coed Site Fax: +44+ (0)1492 583416
Llanrhos
Llandudno
North Wales
UK LL30 1SA
General Email: info@fugro-robertson.com
World Wide Website: www.fugro-robertson.com
********************************************************************
* This email may contain confidential and privileged information *
* intended solely for the individual or organisation to whom it is *
* addressed. If the reader is not the intended addressee, or the *
* employee or agent responsible to deliver it to the addressee, *
* you are hereby notified that any dissemination, distribution or *
* copying is strictly prohibited. If you have received this email *
* in error, please notify the sender and either destroy the email *
* or return it to info@fugro-robertson.com *
* Please note this email is not intended to create legal relations.*
********************************************************************
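One way to detect "the first request after login" inside a filter without the database round-trip described in the post above, as an added example that is not code from this thread. The container runs its authenticator valve before the web application's filter chain for the same request, so once the login has succeeded a filter can rely on request.getUserPrincipal() being non-null, and it can remember in the HttpSession which principal it has already sent to the landing page. The class name, the session attribute name and the /admin/index.faces target from the original question are assumptions; the filter is assumed to be mapped in web.xml to the same /admin/* pattern as the security constraint (Servlet 2.4 API, as shipped with Tomcat 5.x).

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the thread). Mapped to /admin/*, it sends the
 * first request a user makes after container authentication to a fixed
 * landing page instead of the URL the login form originally saved.
 */
public class PostLoginLandingFilter implements Filter {

    /** Session attribute holding the principal name we have already landed. */
    static final String LANDED_AS = PostLoginLandingFilter.class.getName() + ".landedAs";

    /** Fixed, context-relative target; never taken from the request. */
    static final String LANDING_PAGE = "/admin/index.faces";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The authenticator has already run when a filter sees the request,
        // so a non-null principal means the user passed the container login.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // A constrained URL should never reach here unauthenticated;
            // do nothing special and leave the decision to the container.
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        String landedAs = (String) session.getAttribute(LANDED_AS);
        String landingUri = request.getContextPath() + LANDING_PAGE;

        // First authenticated request by this principal in this session.
        // Keying on the name (not a bare boolean) also catches a re-login as a
        // different user that reuses the same session.
        if (!user.getName().equals(landedAs)) {
            session.setAttribute(LANDED_AS, user.getName());
            if (!landingUri.equals(request.getRequestURI())) {
                response.sendRedirect(response.encodeRedirectURL(landingUri));
                return; // never continue the chain after committing a redirect
            }
        }

        chain.doFilter(req, res);
    }
}
```

The redirect target is a constant, so nothing in the request can steer the filter to another URL, and returning right after sendRedirect keeps downstream code from writing into an already committed response. Requests that already point at the landing page are let through without a second redirect, which avoids the loop the filter mapping would otherwise create.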
Re: Forwarding during container security
Posted by Gregor Schneider <rc...@googlemail.com>.
Forget about all the above, it doesn't work.
You will have to subclass the used Authenticator class (i.e.
org.apache.catalina.authenticator.FormAuthenticator), create a jar from it
and put this jar into server/lib of your Tomcat installation directory.
Then you'll have to patch catalina.jar: inside is a file called
Authenticators.properties, and you will have to exchange Tomcat's
Authenticator class with your own.
So far, so easy:
Unfortunately, just subclassing, i.e., FormAuthenticator and then doing your own
stuff won't work, since the coding of the authenticate() method is
spaghetti code at its worst: maybe the author wanted to create security by
obscurity, I don't know:
I copied the whole authenticate() method and the saveRequest() method (which
is private) and changed the saveRequest() method like this (I'm always
forwarding to "http://myContect/index.htm"):
    private void saveRequest(HttpRequest request, Session session) {

        // Create and populate a SavedRequest object for this request
        HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
        SavedRequest saved = new SavedRequest();
        Cookie cookies[] = hreq.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++)
                saved.addCookie(cookies[i]);
        }
        Enumeration names = hreq.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration values = hreq.getHeaders(name);
            while (values.hasMoreElements()) {
                String value = (String) values.nextElement();
                saved.addHeader(name, value);
            }
        }
        Enumeration locales = hreq.getLocales();
        while (locales.hasMoreElements()) {
            Locale locale = (Locale) locales.nextElement();
            saved.addLocale(locale);
        }
        Map parameters = hreq.getParameterMap();
        Iterator paramNames = parameters.keySet().iterator();
        while (paramNames.hasNext()) {
            String paramName = (String) paramNames.next();
            String paramValues[] = (String[]) parameters.get(paramName);
            saved.addParameter(paramName, paramValues);
        }
        saved.setMethod(hreq.getMethod());
        saved.setQueryString(hreq.getQueryString());
        // Original line, replaced below so the saved URI is always the landing page:
        // saved.setRequestURI(hreq.getRequestURI());
        String context = hreq.getContextPath();
        System.out.println(context);

        // IN HERE YOU WILL HAVE TO INSERT YOUR OWN FORWARD
        saved.setRequestURI(context + "/index.htm");

        // Stash the SavedRequest in our session for later use
        session.setNote(Constants.FORM_REQUEST_NOTE, saved);

    }
Somebody else on this mailing list suggested using a valve; however, a valve
is good enough to get the credentials by picking the request parameters,
but I found no way of changing the saved URL in j_security_check without
subclassing and patching catalina.jar.
Btw., I did that for Tomcat 5.0.28.
Hope that helps!
Greg
Re: Forwarding during container security
Posted by Marc Farrow <ma...@gmail.com>.
It may be ugly, but this comes to mind.
Map all requests to /admin* to your servlet.
Also set up /admin* to be constrained.
Someone goes to http://www.yourserver.com/admin.
They must log in. Once logged in, all requests go to your servlet.
The servlet strips off the URL information and redirects to a page or
whatever you choose for all requests.
So if you wanted an intro page and then they could click a link to go to
their requested page, then you could send all requests to the servlet
(regardless of URL) and then redirect to the page. Of course, you have to be
careful about URI mappings, etc., so you don't get yourself caught in a loop.
But that is the general idea.
--
Marc Farrow
Re: Forwarding during container security
Posted by Eurig Jones <ej...@fugro-robertson.com>.
That was my guess initially, but there is no way of knowing that the
request the filter is given has been through the security...
Unless I'm wrong about this...?
Re: Forwarding during container security
Posted by Marc Farrow <ma...@gmail.com>.
My guess is that the easiest thing to do is to create a filter.
--
Marc Farrow