Posted to users@tomcat.apache.org by Alejandro Soto <sm...@gmail.com> on 2011/10/13 16:09:17 UTC

filters on j_security_check

Hi, my name is Alejandro. I am working with Tomcat 7.0.20 and I need to know
how I can apply filters to j_security_check to verify the status of login
before continuing with my authentication process.
I was thinking of using valves, but I read on the internet that valves will be
replaced with Filters - GSOC since Tomcat 7.0.x, so I'm not sure what to do.

Please, this is very important to me and any help will be appreciated.

Best Regards.

-- 
Alejandro Soto

RE: filters on j_security_check

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Chema [mailto:demablogia@gmail.com] 
> Subject: Re: filters on j_security_check

> where can I find info about SecurityFilter?

The first hit on Google...

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: filters on j_security_check

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chema,

On 10/16/2011 1:55 PM, Chema wrote:
>> 
>> 
>> 
>> Frankly, if you're using Spring Security, I'd stick with it. I
>> myself am thinking of making the switch.
>> 
>> 
> Yes, I tried it and like it, but I need Single Sign On support and
> the solutions that Spring Security offers are complicated for me
> to implement

sf does not support SSO at all, so there's definitely no reason for
you to switch.

-chris


Re: filters on j_security_check

Posted by Chema <de...@gmail.com>.
>
>
>
> Frankly, if you're using Spring Security, I'd stick with it. I myself
> am thinking of making the switch.
>
>
Yes, I tried it and like it, but I need Single Sign On support and the
solutions that Spring Security offers are complicated for me to implement

Re: filters on j_security_check

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chema,

On 10/15/2011 4:18 PM, Chema wrote:
>> This is one of the reasons I switched to SecurityFilter: there is a
>> FlexibleRealmInterface that passes-in the HttpServletRequest that
>> was used to attempt authentication. That allows you to get nice
>> things like the ip address of the request for logging.
>
> I'm interested in what you are talking about; where can I find info
> about SecurityFilter? I've used Spring Security for reasons like
> yours, but I want to try other options

Frankly, if you're using Spring Security, I'd stick with it. I myself
am thinking of making the switch.

-chris


Re: filters on j_security_check

Posted by Chema <de...@gmail.com>.
> This is one of the reasons I switched to SecurityFilter: there is a
> FlexibleRealmInterface that passes-in the HttpServletRequest that was
> used to attempt authentication. That allows you to get nice things
> like the ip address of the request for logging.

I'm interested in what you are talking about; where can I find info
about SecurityFilter?
I've used Spring Security for reasons like yours, but I want to try other
options

Thanks

Re: filters on j_security_check

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 10/13/2011 2:11 PM, Caldarale, Charles R wrote:
>> From: Alejandro Soto [mailto:smalejandro@gmail.com]
>> Subject: Re: filters on j_security_check
> 
>> what I need is to know if the authentication was successful or
>> not
> 
> What are you going to do with said information?
> 
>> I just need to know that status and it has to be before the
>> authentication mechanism continues.
> 
> Why?  It seems like you might actually need to write a custom
> <Realm>, not a filter.

Checking for authentication pass/fail can be done in a Realm, but you
can't really do anything with the information other than write it to
the database. And all you have is username/password (or other
credential-only information) to log.

This is one of the reasons I switched to SecurityFilter: there is a
FlexibleRealmInterface that passes-in the HttpServletRequest that was
used to attempt authentication. That allows you to get nice things
like the ip address of the request for logging.

>> I am trying to invoke j_security_check from inside another
>> servlet.
> 
> That sounds really, really wrong.

Yes. Yes, it does.

If you (Alejandro) want to trigger authentication manually, servlet
3.0 has added the HttpServletRequest.authenticate method to allow you
to do this yourself.

-chris


Re: filters on j_security_check

Posted by Pid <pi...@pidster.com>.
On 13/10/2011 20:53, Caldarale, Charles R wrote:
> If you want to do programmatic security in addition to declarative security,

Or use the Servlet 3.0 APIs, supported by Tomcat.


p


RE: filters on j_security_check

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Alejandro Soto [mailto:smalejandro@gmail.com] 
> Subject: Re: filters on j_security_check

> calling j_security_check from inside another servlet is 
> just an idea, why is it a bad idea?

Because it's not supported by the spec; please read SRV.12.  If you want to do programmatic security in addition to declarative security, you can use the getRemoteUser(), isUserInRole(), and getUserPrincipal() methods of the object implementing HttpServletRequest.  You can, of course, completely roll your own programmatic security, but in that case you must not configure any spec-defined declarative security elements in web.xml.

The field names j_username and j_password are for use by the web server to handle form-based authentication.  You may customize the content of the form, but not the processing of the submitted form.  Since the spec leaves the implementation undefined, Tomcat chooses to handle that with <Realm>s.  If you want to perform additional checks, either create a custom <Realm>, or use the methods listed above.

 - Chuck
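
The Servlet 3.0 route suggested in this thread, as an added example (not code from any poster or from Tomcat): a servlet that calls HttpServletRequest.login(), the companion of the authenticate() method mentioned above, so the application sees the pass/fail result and the client IP while the container's Realm still checks the credentials. The servlet name, URL, form field names, role name and landing page are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: the login form posts here instead of to j_security_check.
@WebServlet("/app-login")
public class AppLoginServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger("auth");

    // Replace control characters so a crafted username cannot forge log lines.
    static String clean(String s) {
        return s == null ? "-" : s.replaceAll("\\p{Cntrl}", "_");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username"); // assumed form field names
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Drop any existing identity and session so the pre-login session id is not reused.
        if (req.getUserPrincipal() != null) req.logout();
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true);
        try {
            // Servlet 3.0: the container checks the credentials against the
            // Realm configured for this context (for example JDBCRealm).
            req.login(user, pass);
        } catch (ServletException e) {
            // login() reports failure by throwing; the request stays unauthenticated.
            LOG.warning("login FAILED user=" + clean(user) + " ip=" + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Success: the spec-defined accessors now reflect the new identity.
        LOG.info("login OK user=" + clean(req.getRemoteUser()) + " ip=" + req.getRemoteAddr()
                + " admin=" + req.isUserInRole("admin")); // "admin" is a placeholder role
        resp.sendRedirect(req.getContextPath() + "/home"); // hypothetical landing page
    }
}
```

Because the Realm lookup stays inside the container, nothing from catalina.jar has to be packaged in the .war.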




Re: filters on j_security_check

Posted by Alejandro Soto <sm...@gmail.com>.
Hi Chuck, calling j_security_check from inside another servlet is just an idea;
why is it a bad idea?

If possible, I don't want a custom <Realm>; I want to use the authentication
mechanism of the container (JDBCRealm), using something like this:

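        .........
        // Look up the webapp's Context and its Realm through Tomcat-internal
        // (org.apache.catalina) classes
        Context context = (Context) host.findChild("myContext");
        Realm realm = context.getRealm();
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        // The Realm returns null when the credentials are rejected
        Principal principal = realm.authenticate(username, password);
        if (principal == null) {
            // authentication failed: some tasks
        } else {
            // authentication succeeded
        }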

But this gives me problems with the catalina.jar library inside my .war file.

Thanks.
Alejandro


On Thu, Oct 13, 2011 at 2:11 PM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Alejandro Soto [mailto:smalejandro@gmail.com]
> > Subject: Re: filters on j_security_check
>
> > what I need is to know if the authentication was successful or not
>
> What are you going to do with said information?
>
> > I just need to know that status and it has to be before the authentication
> > mechanism continues.
>
> Why?  It seems like you might actually need to write a custom <Realm>, not
> a filter.
>
> > I am trying to invoke j_security_check from inside another servlet.
>
> That sounds really, really wrong.
>
>  - Chuck
>

RE: filters on j_security_check

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Alejandro Soto [mailto:smalejandro@gmail.com] 
> Subject: Re: filters on j_security_check

> what I need is to know if the authentication was successful or not

What are you going to do with said information?

> I just need to know that status and it has to be before the authentication 
> mechanism continues.

Why?  It seems like you might actually need to write a custom <Realm>, not a filter.

> I am trying to invoke j_security_check from inside another servlet.

That sounds really, really wrong.

 - Chuck




Re: filters on j_security_check

Posted by Alejandro Soto <sm...@gmail.com>.
Hi, thanks for the reply. Well, what I need is to know if the authentication was
successful or not; I want to get the status of that authentication. I just
need to know that status, and it has to be before the authentication mechanism
continues.

I am trying to invoke j_security_check from inside another servlet.

Any suggestions about how to resolve my requirement?

Thanks in advance.
Alejandro


On Thu, Oct 13, 2011 at 12:50 PM, Pid <pi...@pidster.com> wrote:

> On 13/10/2011 15:09, Alejandro Soto wrote:
> > Hi, my name is Alejandro. I am working with Tomcat 7.0.20 and I need to know
> > how I can apply filters to j_security_check to verify the status of login
> > before continuing with my authentication process.
>
> You can't use Filters because the Authentication Valves act before the
> Filter chain.
>
> Why do you need to filter on j_security_check?
>
>
> p
>
> > I was thinking of using valves, but I read on the internet that valves will be
> > replaced with Filters - GSOC since Tomcat 7.0.x, so I'm not sure what to do.
> >
> > Please, this is very important to me and any help will be appreciated.
> >
> > Best Regards.
> >
>
>
>


-- 
Alejandro Soto M.
Cel: 705-63861

Re: filters on j_security_check

Posted by Pid <pi...@pidster.com>.
On 13/10/2011 15:09, Alejandro Soto wrote:
> Hi, my name is Alejandro. I am working with Tomcat 7.0.20 and I need to know
> how I can apply filters to j_security_check to verify the status of login
> before continuing with my authentication process.

You can't use Filters because the Authentication Valves act before the
Filter chain.

Why do you need to filter on j_security_check?


p

> I was thinking of using valves, but I read on the internet that valves will be
> replaced with Filters - GSOC since Tomcat 7.0.x, so I'm not sure what to do.
> 
> Please, this is very important to me and any help will be appreciated.
> 
> Best Regards.
>