Posted to users@tomcat.apache.org by neo21 zerro <ne...@yahoo.com> on 2011/01/20 11:02:26 UTC

Programmatic JAAS login in Tomcat 6.0.26!

Hello,

   I'm using Tomcat 6.0.26 and Java 1.5 SDK and I'm trying to implement a
programmatic login in Tomcat.
   I'm using JAAS for the container based security. Is there anyone that has
done this before?
   I've tried to bypass it by making a POST with the username and the password
in this request
http://localhost:8080/acm/flex/j_security_check&username=test&password=test but
it seems that Tomcat caches this request and then expects another request. I
don't know what else to do.

   Please help!

    Thanks!!!

Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 1/20/2011 12:28 PM, Mark Thomas wrote:
> On 20/01/2011 17:25, neo21 zerro wrote:
>> Hi Mikolaj and Mark,
>>
>> Thanks for the reply. The problem is that I read the specifications and I
>> still don't know how to push the login details
>> and the request for the main page in one call.
> 
> In Tomcat 6.0.x you can't.

The OP should be able to do the following, since he's got complete
control over the client:

1. Issue a request to http://host/some/protected/resource
2. Capture the JSESSIONID cookie that comes back with the request
3. Use the existing j_security_check URL plus ";jsessionid=" shoved into
it with the JSESSIONID from step #2 to open the browser window

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by Pid <pi...@pidster.com>.
On 1/20/11 5:41 PM, neo21 zerro wrote:
>   How do I set it? Is it a configuration in my deployment descriptor or in the
> server.xml file? In Tomcat 7 ......

If you're using Tomcat 7.0, just login programmatically using the
HttpServletRequest.login(user, pass) method.


p
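The HttpServletRequest.login(user, pass) call Pid refers to, shown as a Servlet 3.0 servlet for Tomcat 7. This is an added example, not code from the thread or from Tomcat; the URL pattern, the form parameter names and the landing page are assumptions, and the Realm (for instance the JAASRealm) is whatever the Context is configured with. The one thing the example adds beyond the bare call is session handling: the session that existed before authentication is dropped and a fresh one created before login(), so an id handed out to an anonymous client is never promoted to an authenticated session.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: a Servlet 3.0 login endpoint for Tomcat 7 built on
// HttpServletRequest.login(). URL pattern, parameter names and landing
// page are assumptions; the Realm comes from the Context configuration.
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    private static final String LANDING_PAGE = "/main.html"; // assumption

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || user.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (req.getUserPrincipal() != null) {
            // The Servlet 3.0 spec makes login() throw when a caller identity
            // is already established; treat a repeated login as a no-op.
            resp.sendRedirect(req.getContextPath() + LANDING_PAGE);
            return;
        }

        // Session fixation defence: never promote a session id that was
        // handed out before authentication. Drop the old session and start
        // a fresh one *before* login(), so the authenticated principal is
        // cached by Tomcat on the new session rather than the old id.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);

        try {
            // Validates against the configured Realm. No j_security_check
            // round trip and no saved request are involved.
            req.login(user, pass);
        } catch (ServletException e) {
            // Bad credentials, or no authenticator is configured for this
            // Context. Keep the answer generic: do not echo the user name
            // or the exception text back to the client.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.sendRedirect(req.getContextPath() + LANDING_PAGE);
    }
}
```

login() only works when the web application has a `<login-config>` (so that Tomcat installs an authenticator for the Context); without one the call ends in the ServletException branch above. A client that wants to reach a protected page in the same exchange simply follows the redirect, which is what the OP could not get from the j_security_check flow on 6.0.x.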

Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by neo21 zerro <ne...@yahoo.com>.

  How do I set it? Is it a configuration in my deployment descriptor or in the
server.xml file? In Tomcat 7 ......

  Thanks!


Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by Mark Thomas <ma...@apache.org>.
On 20/01/2011 17:25, neo21 zerro wrote:
>  Hi Mikolaj and Mark,
> 
>   Thanks for the reply. The problem is that I read the specifications and I 
> still don't know how to push the login details 
> and the request for the main page in one call. 

In Tomcat 6.0.x you can't. In Tomcat 7, the landing page attribute of
the form authenticator may help.

Alternatively, don't use FORM authentication. Seems like BASIC auth is
more appropriate.

Mark

>    The fact is that I need to open a browser from a Swing app with the main page 
> for my other application (that uses JAAS) programmatically. So the real problem is 
> how do I push the request from the Swing app to open a browser with an 
> authenticated user and the main page from my other app. Because, as I already 
> said, I cannot push to the application that uses JAAS my login credentials and 
> the request to my main app. So I push the credentials as I already said but get HTTP 
> Status 400 - Invalid direct reference to form login page because I have no 
> initial request with my main page, so that Tomcat can restore it.
>    I cannot use JSP; my login page is a simple HTML page.
> 
> 
> 
> 
> Thanks a lot for your time!
> 
>  
> 
> 
> ________________________________
> From: Mikolaj Rydzewski <mi...@ceti.pl>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Sent: Thu, January 20, 2011 5:53:04 PM
> Subject: Re: Programmatic JAAS login in Tomcat 6.0.26!
> 
> 
> On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas <ma...@apache.org> wrote:
> 
>> Read up on FORM auth in the Servlet spec. There is a specific sequence
>> of events that looks roughly like (for a successful auth):
>>
>> 1. Browser sends original request
>> 2. Server saves request, creates session and responds with login page
>> 3. Browser sends login details to server
>> 4. Server validates login details
>> 5. Server restores saved request and processes it
>> 6. Server sends response to original request to browser.
> 
> Hi Mark,
> 
> That explains a problem some people complain about:
> When you invalidate the session in the second step, the server is not able to restore 
> the previous request and leaves the user with the same login form at the URL 
> /j_security_check. The real problem is that a cryptic error now appears: HTTP Status 
> 400 - Invalid direct reference to form login page.
> It's enough for a user to open the login form page, wait until the session is invalidated due 
> to the inactivity timeout, then try to log in.
> One solution is to use an HttpSession.isNew() check on the login JSP page and perform 
> a redirect, e.g. to the main page.
> 
> -- Mikolaj Rydzewski <mi...@ceti.pl>
> 




Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by neo21 zerro <ne...@yahoo.com>.
 Hi Mikolaj and Mark, 

  Thanks for the reply. The problem is that I read the specifications and I 
still don't know how to push the login details 
and the request for the main page in one call. 
   The fact is that I need to open a browser from a Swing app with the main page 
for my other application (that uses JAAS) programmatically. So the real problem is 
how do I push the request from the Swing app to open a browser with an 
authenticated user and the main page from my other app. Because, as I already 
said, I cannot push to the application that uses JAAS my login credentials and 
the request to my main app. So I push the credentials as I already said but get HTTP 
Status 400 - Invalid direct reference to form login page because I have no 
initial request with my main page, so that Tomcat can restore it.
   I cannot use JSP; my login page is a simple HTML page.




Thanks a lot for your time!

 


________________________________
From: Mikolaj Rydzewski <mi...@ceti.pl>
To: Tomcat Users List <us...@tomcat.apache.org>
Sent: Thu, January 20, 2011 5:53:04 PM
Subject: Re: Programmatic JAAS login in Tomcat 6.0.26!


On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas <ma...@apache.org> wrote:

> Read up on FORM auth in the Servlet spec. There is a specific sequence
> of events that looks roughly like (for a successful auth):
> 
> 1. Browser sends original request
> 2. Server saves request, creates session and responds with login page
> 3. Browser sends login details to server
> 4. Server validates login details
> 5. Server restores saved request and processes it
> 6. Server sends response to original request to browser.

Hi Mark,

That explains a problem some people complain about:
When you invalidate the session in the second step, the server is not able to restore 
the previous request and leaves the user with the same login form at the URL 
/j_security_check. The real problem is that a cryptic error now appears: HTTP Status 
400 - Invalid direct reference to form login page.
It's enough for a user to open the login form page, wait until the session is invalidated due 
to the inactivity timeout, then try to log in.
One solution is to use an HttpSession.isNew() check on the login JSP page and perform 
a redirect, e.g. to the main page.

-- Mikolaj Rydzewski <mi...@ceti.pl>


Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
 On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas <ma...@apache.org> 
 wrote:

> Read up on FORM auth in the Servlet spec. There is a specific 
> sequence
> of events that looks roughly like (for a successful auth):
>
> 1. Browser sends original request
> 2. Server saves request, creates session and responds with login page
> 3. Browser sends login details to server
> 4. Server validates login details
> 5. Server restores saved request and processes it
> 6. Server sends response to original request to browser.

 Hi Mark,

 That explains a problem some people complain about:
 When you invalidate the session in the second step, the server is not able to 
 restore the previous request and leaves the user with the same login form at the 
 URL /j_security_check. The real problem is that a cryptic error now appears: 
 HTTP Status 400 - Invalid direct reference to form login page.
 It's enough for a user to open the login form page, wait until the session 
 is invalidated due to the inactivity timeout, then try to log in.
 One solution is to use an HttpSession.isNew() check on the login JSP page and 
 perform a redirect, e.g. to the main page.

-- 
 Mikolaj Rydzewski <mi...@ceti.pl>

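Mikolaj's guard on the login page, written as a servlet filter so that it also works for the plain HTML login page the OP mentions (a JSP is not needed). This is an added example, not code from the thread or from Tomcat, and it is written for Servlet 2.5 so it fits Tomcat 6.0.x: no annotations, registration goes in web.xml (shown in the comment, with an assumed login page path). It tests for the absence of a session rather than isNew(): when Tomcat itself forwards to the login page in step 2, the session was created in that very request, so isNew() is true there as well, while a request for the login page with no live session is exactly the case that would later end in "Invalid direct reference to form login page".

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread): a Servlet 2.5 filter in front of the
// login page. Register it in web.xml; the login page path is an assumption:
//
//   <filter>
//     <filter-name>loginGuard</filter-name>
//     <filter-class>LoginPageGuardFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>loginGuard</filter-name>
//     <url-pattern>/login.html</url-pattern>
//   </filter-mapping>
public class LoginPageGuardFilter implements Filter {

    /** A page inside a security constraint. Requesting it makes Tomcat save
     *  the request and start the FORM sequence cleanly. Assumption. */
    private static final String PROTECTED_PAGE = "/main.html";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false) never creates a session, so a JSESSIONID cookie
        // for a timed-out session yields null here.
        HttpSession session = req.getSession(false);
        if (session == null) {
            // No session means Tomcat holds no saved request: a submit from
            // this page would end in "400 - Invalid direct reference to form
            // login page". Send the user through a protected page instead so
            // the normal sequence (save request, create session, login page)
            // starts over.
            resp.sendRedirect(req.getContextPath() + PROTECTED_PAGE);
            return;
        }

        // Do not let a copy of the form be served from cache later, where it
        // would bypass the check above.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        chain.doFilter(request, response);
    }
}
```

The filter does not cover the case Mikolaj describes where the form was loaded while the session was alive and submitted after the timeout: the POST goes to j_security_check, which the FormAuthenticator valve consumes before any filter runs. For that case the remaining options are an `<error-page>` entry in web.xml for status 400 that points to a friendlier page, or reloading the login page from the client before the session timeout so the redirect above fires in time.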


Re: Programmatic JAAS login in Tomcat 6.0.26!

Posted by Mark Thomas <ma...@apache.org>.
On 20/01/2011 10:02, neo21 zerro wrote:
> Hello, 
> 
> 
>    I'm using Tomcat 6.0.26 and Java 1.5 SDK and I'm trying to implement a 
> programmatic login in Tomcat. 
>    I'm using JAAS for the container based security. Is there anyone that has 
> done this before? 
>    I've tried to bypass it by making a POST with the username and the password 
> in this request 
> http://localhost:8080/acm/flex/j_security_check&username=test&password=test but 
> it seems that Tomcat caches this request and then expects another request. I 
> don't know what else to do.

Read up on FORM auth in the Servlet spec. There is a specific sequence
of events that looks roughly like (for a successful auth):

1. Browser sends original request
2. Server saves request, creates session and responds with login page
3. Browser sends login details to server
4. Server validates login details
5. Server restores saved request and processes it
6. Server sends response to original request to browser.

Mark

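A client that walks the six-step sequence Mark lists above, and that implements the variant Chris proposes earlier in the thread (capture the JSESSIONID from the first response, then use j_security_check with ";jsessionid=" so Tomcat can find the saved request). This is an added example, not code from the thread or from Tomcat. The base URL, the protected page and the credentials are constructed values; j_username and j_password are the field names the Servlet spec defines for FORM auth. The client does the POST itself rather than putting credentials in a browser URL, and only hands the resulting session to the browser; Desktop.browse needs Java 6, so on Java 5 substitute your own browser launcher.

```java
import java.awt.Desktop;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.util.List;

// Added example (not from the thread): a client for the FORM-auth sequence.
// BASE, MAIN_PAGE and the credentials are constructed values for a
// hypothetical deployment.
public class FormAuthClient {

    private static final String BASE = "http://localhost:8080/acm";
    private static final String MAIN_PAGE = "/flex/main.html";
    private static final String COOKIE = "JSESSIONID=";
    private static final String PATH_PARAM = ";jsessionid=";

    /** Extracts the JSESSIONID value from the Set-Cookie headers, or null. */
    static String sessionIdFromCookies(List<String> setCookie) {
        if (setCookie == null) return null;
        for (String c : setCookie) {
            if (c.startsWith(COOKIE)) {
                return c.substring(COOKIE.length()).split(";", 2)[0];
            }
        }
        return null;
    }

    /** Steps 1-2: request the protected page. Tomcat saves the request, creates
     *  a session and answers with the login page (a forward, so HTTP 200) plus
     *  the JSESSIONID cookie that ties the saved request to this client. */
    static String startSequence() throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(BASE + MAIN_PAGE).openConnection();
        c.setInstanceFollowRedirects(false);
        c.getResponseCode();
        String id = sessionIdFromCookies(c.getHeaderFields().get("Set-Cookie"));
        if (id == null) throw new IOException("no JSESSIONID: is " + MAIN_PAGE + " protected?");
        return id;
    }

    /** Steps 3-5: POST the credentials to j_security_check with the session id
     *  as a path parameter so Tomcat finds the saved request. Returns the
     *  session id that is valid after login, or null if authentication failed. */
    static String login(String sessionId, String user, String pass) throws IOException {
        URL url = new URL(BASE + "/j_security_check" + PATH_PARAM + sessionId);
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setInstanceFollowRedirects(false);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "j_username=" + URLEncoder.encode(user, "UTF-8")
                    + "&j_password=" + URLEncoder.encode(pass, "UTF-8");
        OutputStream out = c.getOutputStream();
        try { out.write(body.getBytes("UTF-8")); } finally { out.close(); }

        // Success: 302 to the saved request. Failure: the error page, status 200.
        if (c.getResponseCode() != HttpURLConnection.HTTP_MOVED_TEMP) return null;

        // Tomcat may replace the session id on successful authentication
        // (session fixation protection). Prefer whatever id the response hands
        // back, as a new cookie or rewritten into the Location URL.
        String fresh = sessionIdFromCookies(c.getHeaderFields().get("Set-Cookie"));
        if (fresh != null) return fresh;
        String location = c.getHeaderField("Location");
        int p = location == null ? -1 : location.indexOf(PATH_PARAM);
        if (p >= 0) return location.substring(p + PATH_PARAM.length()).split("[?#]", 2)[0];
        return sessionId;
    }

    public static void main(String[] args) throws Exception {
        String id = login(startSequence(), "test", "test");
        if (id == null) {
            System.err.println("login failed");
            return;
        }
        // Step 6, for the Swing use case: the browser joins the authenticated
        // session through the path parameter. The id is now part of a URL, so
        // it will appear in browser history, proxy logs and Referer headers.
        Desktop.getDesktop().browse(new URI(BASE + MAIN_PAGE + PATH_PARAM + id));
    }
}
```

Two checks are worth keeping while wiring this up: a missing cookie in step 1 means the page is not inside a security constraint, and a 200 instead of a 302 from j_security_check means the Realm rejected the credentials. Because the session id travels in the URL for the hand-off, run this over HTTPS and keep the session timeout short; Mark's remark that 6.0.x cannot do it in one call still holds, the client just performs the two calls itself.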