Velocity Reviews - Computer Hardware Reviews

REALM question

 
 
Rusty Bawa
      06-02-2004
Greetings,
I was wondering if anyone has found a workaround for the following mystery.
I have a Tomcat ver. 5-24 that uses realm authentication.

I use form authentication, which, by the way, works great. Below is the
snippet from my web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>User Section</web-resource-name>
    <description>no description</description>
    <url-pattern>/protected/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>no description</description>
    <role-name>tomcat</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?error=true</form-error-page>
  </form-login-config>
</login-config>


When I try to access any files in the protected directory I am
redirected to login.jsp, as expected. The IE location bar says
http://xxx.xxx.xxx.xxx/login.jsp
When I enter an incorrect name/password I am redirected back to login.jsp
with query string error=true, so the above configuration works.
But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
Is there a way to show http://xxx.xxx.xxx.xxx/login.jsp?error=true
instead of http://xxx.xxx.xxx.xxx/j_security_check? This could be
confusing to users.

Any help is appreciated.

Rus
 
Ryan Stewart
      06-02-2004
"Rusty Bawa" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
> is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
> instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
> confusing to users.
>

This is a browser thing and a source of continual headaches to web
developers. Consider Struts where everything is (should be) done by an
action. Suppose you want to add a user or something. What do you do? Fill
out the form, click submit, and what's in the address bar? The add action.
So if you hit refresh, it'll try to add again. Of course Struts has a method
to prevent things like this, but the short answer to your question (too
late, huh?) is not without writing an intermediate page that will redirect
you to your login page.

I have a question for you, though. I've recently been experimenting with
container managed security, and have hit a problem. I notice you don't seem
to be using SSL for your login form. Have you tried it? I'm using Tomcat
4.1.30 with SSL. Basic authentication works fine, but when I try form based
auth, it uses secure protocol, but on the wrong port. It tries to access
https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
should be trying 8081, which I set as the secure port. Have you run into
this? I can't figure out what's wrong.


 
Jimbo Johnes
      06-03-2004
I do not know how, but this can be done.
Check www.vectrics.com
going to http://www.vectrics.com/recruit/profile requires
authentication so you are forwarded to
http://www.vectrics.com/recruit/util/login.do
Hit sign in button and check the location bar.

Again I do not know how this is done.

 
 
Oscar kind
      06-04-2004
Ryan Stewart <(E-Mail Removed)> wrote:
[...]
> I've recently been experimenting with
> container managed security, and have hit a problem. I notice you don't seem
> to be using SSL for your login form. Have you tried it? I'm using Tomcat
> 4.1.30 with SSL. Basic authentication works fine, but when I try form based
> auth, it uses secure protocol, but on the wrong port. It tries to access
> https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
> should be trying 8081, which I set as the secure port. Have you run into
> this? I can't figure out what's wrong.


Assuming that both connectors are configured, does the connector for port
8080 know that the secure port is 8081? I forgot that one once...


Oscar

--
Oscar Kind http://home.hccnet.nl/okind/
Software Developer for contact information, see website

PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
 
 
Ryan Stewart
      06-05-2004
"Oscar kind" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Ryan Stewart <(E-Mail Removed)> wrote:
> [...]
> > I've recently been experimenting with
> > container managed security, and have hit a problem. I notice you don't seem
> > to be using SSL for your login form. Have you tried it? I'm using Tomcat
> > 4.1.30 with SSL. Basic authentication works fine, but when I try form based
> > auth, it uses secure protocol, but on the wrong port. It tries to access
> > https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
> > should be trying 8081, which I set as the secure port. Have you run into
> > this? I can't figure out what's wrong.
>
> Assuming that both connectors are configured, does the connector for port
> 8080 know that the secure port is 8081? I forgot that one once...
>
>
> Oscar
>

Snippet from my connectors:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" ...
    port="8080" ... redirectPort="8081" scheme="http" secure="false" ...>
  <Factory className="org.apache.catalina.net.DefaultServerSocketFactory"/>
</Connector>
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" ...
    port="8009" ... redirectPort="8081" scheme="http" secure="false" ... >
  <Factory className="org.apache.catalina.net.DefaultServerSocketFactory"/>
</Connector>
<Connector className="org.apache.catalina.connector.http.HttpConnector"
    port="8081" ... scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
      clientAuth="false" keystoreFile=".keystore" protocol="TLS"/>
</Connector>

Isn't that all the important stuff? This is the same problem that you
replied to about a week ago under subject: "J2EE container managed
security". If you recall from that post, other redirects work fine from the
nonsecure to the secure port, but when I try to use form-based
authentication with <transport-guarantee>CONFIDENTIAL</transport-guarantee>,
it tries to access the nonsecure port with https. Unless I'm mistaken, it's
*supposed* to go to the secure port for the login. It only makes sense for
it to. It just seems like it only makes it halfway there. I've even
downloaded some example code of form-based authentication. One was a
complete webapp. But all of the examples I see don't use a
transport-guarantee or use NONE, and when I plug in CONFIDENTIAL, it causes
this problem.
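
Added example, not part of the original posts and not Tomcat code: the check Oscar describes (does every non-SSL connector point its redirectPort at a connector that is actually secure?) combined with the transport-guarantee setting discussed in the thread, as a small audit script. The sample XML is constructed, the function name audit is hypothetical, and the parsing assumes files without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not from the thread), without XML namespaces.
SERVER_XML = """<Service>
  <Connector port="8080" scheme="http" secure="false" redirectPort="8443"/>
  <Connector port="8009" scheme="http" secure="false"/>
  <Connector port="8081" scheme="https" secure="true"/>
</Service>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/protected/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""


def audit(server_xml, web_xml):
    """Hypothetical helper: list connector and transport-guarantee findings."""
    findings = []
    attrs = [c.attrib for c in ET.fromstring(server_xml).iter("Connector")]
    # Ports that actually terminate TLS.
    secure_ports = {a["port"] for a in attrs
                    if a.get("scheme") == "https" and a.get("secure") == "true"}
    # Oscar's check: every other connector must redirect to one of them.
    for a in attrs:
        if a["port"] in secure_ports:
            continue
        target = a.get("redirectPort")
        if target is None:
            findings.append(f"connector {a['port']}: no redirectPort set")
        elif target not in secure_ports:
            findings.append(f"connector {a['port']}: redirectPort {target} is not a secure connector")
    web = ET.fromstring(web_xml)
    method = (web.findtext("login-config/auth-method") or "").strip()
    # Password-based login on a constraint that does not require TLS.
    for sc in web.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if method in ("FORM", "BASIC") and guarantee == "NONE":
            pattern = sc.findtext("web-resource-collection/url-pattern")
            findings.append(f"{pattern}: {method} login without a transport guarantee")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SERVER_XML, WEB_XML)))
```

A configuration that passes both checks returns an empty list; that only shows the settings are consistent with each other, not that the container redirects as expected.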


 