Posted to users@tomcat.apache.org by Gregor Schneider <rc...@googlemail.com> on 2008/09/02 15:36:04 UTC

Question regarding FormAuthenticator

Hi guys,

I have quite a bit of a problem here.

Status quo:

We have some heavily framed static html, which now should be served by
Tomcat (5.5) only via SSL.
The whole content needs to be protected, so I've implemented a
FormAuthenticator.

However, the heavy framing *yuck* of this static html is giving me headaches:

When the Tomcat-session times out, the loginForm shows up as expected, however:

When the URL requested is something like

<a href="/somehwre/in/my/directory/stuff.html" target="someframe">

all the outer frames are lost and only the page
"/somehwre/in/my/directory/stuff.html" is displayed.

What I'd like to achieve is a redirect to "/" (index.html) after
entering the credentials into the LoginForm.

My hope was that I could solve this with the error-page-directive and
a 403-errorpage, however, there's no HTTP403-status.

I know that a while ago we had a similar problem, subclassed
"org.apache.catalina.authenticator.FormAuthenticator" and patched
Tomcat, but this is something I'd like to avoid.

So any ideas how a direct request to the root-context after every
login could be achieved?

TIA

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Question regarding FormAuthenticator

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Gregor,

Gregor Schneider wrote:
> The only options I'm having seem to be
> 
> - subclass FormAuthenticator and patch Tomcat

Agreed: yuk.

> - use a JAAS-implementation, but I got no idea if this will work,
> besides, you'll have to deal with the JAAS-implementation (i.e.
> JGuard, JOSS etc.) which again means to spend quite some time to
> understand and customize them.
>
> In Websphere f.e. you can use a filter, filtering "j_security_check"
> and then manipulate request / response, however, that does not work
> within Tomcat.
>
> A valve would work, but I doubt that I can modify request / response
> in such a valve.

You probably can do this, but this is not particularly ideal.

You could also use securityfilter
(http://securityfilter.sourceforge.net), which is a bit more hackable
than Tomcat itself. sf has a feature which allows you to override the
URL that gets saved when a user is challenged for a login. Instead of
going to the original URL, they are sent to the other URL after login,
which sounds like it's exactly what you want. You'll need to get a copy
from CVS, because this feature is not yet in any release version --
though the code is quite stable.

-chris



Re: Question regarding FormAuthenticator

Posted by Gregor Schneider <rc...@googlemail.com>.
Hi there,

On Wed, Sep 3, 2008 at 1:50 PM, H. Hall <hh...@reedyriver.com> wrote:
>
> Assuming that your login form is a jsp, why don't you put something like
> this in it:
>
> if(isOKLogin ){
>     RequestDispatcher rd = request.getRequestDispatcher("/index.html");
>     rd.forward(request, response);
>     return;
> }
> else etc. etc.
>

nope, that won't work, since I need container-based security with
SingleSignOn for all WebApps.

That means that I *must* authenticate via j_security_check to tell
Tomcat that the user is authorized.

However, j_security_check is an internal method from Tomcat, and the
URL to be authenticated is stored somewhere within Tomcat, no way to
change it at all.

The only options I'm having seem to be

- subclass FormAuthenticator and patch Tomcat

- use a JAAS-implementation, but I got no idea if this will work,
besides, you'll have to deal with the JAAS-implementation (i.e.
JGuard, JOSS etc.) which again means to spend quite some time to
understand and customize them.

In Websphere f.e. you can use a filter, filtering "j_security_check"
and then manipulate request / response, however, that does not work
within Tomcat.

A valve would work, but I doubt that I can modify request / response
in such a valve.

Cheers

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
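
One way to get the behaviour asked for in this thread without subclassing FormAuthenticator, as an added example (not code from any poster, from Tomcat, or from securityfilter): a servlet filter that leaves j_security_check to the container and redirects the first authenticated request of each session to the context root. The class name LandingPageFilter and the session attribute key are hypothetical, and the filter is assumed to be mapped to /* in web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example; the class name and session attribute key are hypothetical. */
public class LandingPageFilter implements Filter {

    private static final String LANDED = "example.LandingPageFilter.landed";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Act only after the container has authenticated the caller
        // (j_security_check or single sign-on); never before.
        if (request.getUserPrincipal() != null) {
            HttpSession session = request.getSession(true);
            boolean firstRequest = session.getAttribute(LANDED) == null;
            session.setAttribute(LANDED, Boolean.TRUE);

            // Fixed, server-built target: nothing supplied in the request
            // decides where the user lands, so this is not an open redirect.
            String root = request.getContextPath() + "/";
            if (firstRequest && !root.equals(request.getRequestURI())) {
                response.sendRedirect(response.encodeRedirectURL(root));
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because a timed-out session is replaced by a new one without the marker, the first request after re-login is sent to the context root again; with SingleSignOn the same happens on the first authenticated request to each web application.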



Re: Question regarding FormAuthenticator

Posted by "H. Hall" <hh...@reedyriver.com>.
Gregor Schneider wrote:
> Hi guys,
>
> I have quite a bit of a problem here.
>
> Status quo:
>
> We have some heavily framed static html, which now should be served by
> Tomcat (5.5) only via SSL.
> The whole content needs to be protected, so I've implemented a
> FormAuthenticator.
>
> However, the heavy framing *yuck* of this static html is giving me headaches:
>
> When the Tomcat-session times out, the loginForm shows up as expected, however:
>
> When the URL requested is something like
>
> <a href="/somehwre/in/my/directory/stuff.html" target="someframe">
>
> all the outer frames are lost and only the page
> "/somehwre/in/my/directory/stuff.html" is displayed.
>
> What I'd like to achieve is a redirect to "/" (index.html) after
> entering the credentials into the LoginForm.
>   
Assuming that your login form is a jsp, why don't you put something like 
this in it:

if (isOKLogin) {
    RequestDispatcher rd = request.getRequestDispatcher("/index.html");
    rd.forward(request, response);
    return;
}
else etc. etc.

-cheers
HH
> My hope was that I could solve this with the error-page-directive and
> a 403-errorpage, however, there's no HTTP403-status.
>
> I know that a while ago we had a similar problem, subclassed
> "org.apache.catalina.authenticator.FormAuthenticator" and patched
> Tomcat, but this is something I'd like to avoid.
>
> So any ideas how a direct request to the root-context after every
> login could be achieved?
>
> TIA
>
> Gregor
>   


-- 
H. Hall
ReedyRiver Group LLC
http://www.reedyriver.com

