REALM question

Discussion in 'Java' started by Rusty Bawa, Jun 3, 2004.

  1. Rusty Bawa

    Rusty Bawa Guest

    Greetings,
    I was wondering if anyone found a workaround for the following mystery.
    I have a Tomcat ver. 5-24 that uses realm authentication.

    I use form authentication, which, by the way, works great. Below is the
    snip from my web.xml file

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>User Section</web-resource-name>
        <description>no description</description>
        <url-pattern>/protected/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>no description</description>
        <role-name>tomcat</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>no description</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>


    When I try to access any files in the protected directory I am
    redirected to
    login.jsp, as expected. The IE location bar says
    http://xxx.xxx.xxx.xxx/login.jsp
    When I enter an incorrect name/password I am redirected back to login.jsp
    with querystring error=true. So the above configuration works.
    But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
    Is there a way to show http://xxx.xxx.xxx.xxx/login.jsp?error=true
    instead of http://xxx.xxx.xxx.xxx/j_security_check? This could be
    confusing to users.

    Any help is appreciated.

    Rus
     
    Rusty Bawa, Jun 3, 2004
    #1

  2. Rusty Bawa

    Ryan Stewart Guest

    "Rusty Bawa" <> wrote in message
    news:...
    > But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
    > is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
    > instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
    > confusing to users.
    >

    This is a browser thing and a source of continual headaches to web
    developers. Consider Struts where everything is (should be) done by an
    action. Suppose you want to add a user or something. What do you do? Fill
    out the form, click submit, and what's in the address bar? The add action.
    So if you hit refresh, it'll try to add again. Of course Struts has a method
    to prevent things like this, but the short answer to your question (too
    late, huh?) is not without writing an intermediate page that will redirect
    you to your login page.

    I have a question for you, though. I've recently been experimenting with
    container managed security, and have hit a problem. I notice you don't seem
    to be using SSL for your login form. Have you tried it? I'm using Tomcat
    4.1.30 with SSL. Basic authentication works fine, but when I try form based
    auth, it uses secure protocol, but on the wrong port. It tries to access
    https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
    should be trying 8081, which I set as the secure port. Have you run into
    this? I can't figure out what's wrong.
     
    Ryan Stewart, Jun 3, 2004
    #2

  3. Rusty Bawa

    Jimbo Johnes Guest

    I do not know how, but this can be done.
    Check www.vectrics.com
    going to http://www.vectrics.com/recruit/profile requires
    authentication so you are forwarded to
    http://www.vectrics.com/recruit/util/login.do
    Hit sign in button and check the location bar.

    Again I do not know how this is done.



    "Ryan Stewart" <> wrote in message news:<>...
    > "Rusty Bawa" <> wrote in message
    > news:...
    > > But the IE location bar says http://xxx.xxx.xxx.xxx/j_security_check
    > > is there a way to show the http://xxx.xxx.xxx.xxx/login.jsp?error=true
    > > instead of http://xxx.xxx.xxx.xxx/j_security_check? this could be
    > > confusing to users.
    > >

    > This is a browser thing and a source of continual headaches to web
    > developers. Consider Struts where everything is (should be) done by an
    > action. Suppose you want to add a user or something. What do you do? Fill
    > out the form, click submit, and what's in the address bar? The add action.
    > So if you hit refresh, it'll try to add again. Of course Struts has a method
    > to prevent things like this, but the short answer to your question (too
    > late, huh?) is not without writing an intermediate page that will redirect
    > you to your login page.
    >
    > I have a question for you, though. I've recently been experimenting with
    > container managed security, and have hit a problem. I notice you don't seem
    > to be using SSL for your login form. Have you tried it? I'm using Tomcat
    > 4.1.30 with SSL. Basic authentication works fine, but when I try form based
    > auth, it uses secure protocol, but on the wrong port. It tries to access
    > https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
    > should be trying 8081, which I set as the secure port. Have you run into
    > this? I can't figure out what's wrong.
     
    Jimbo Johnes, Jun 3, 2004
    #3
  4. Rusty Bawa

    Oscar kind Guest

    Ryan Stewart <> wrote:
    [...]
    > I've recently been experimenting with
    > container managed security, and have hit a problem. I notice you don't seem
    > to be using SSL for your login form. Have you tried it? I'm using Tomcat
    > 4.1.30 with SSL. Basic authentication works fine, but when I try form based
    > auth, it uses secure protocol, but on the wrong port. It tries to access
    > https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
    > should be trying 8081, which I set as the secure port. Have you run into
    > this? I can't figure out what's wrong.


    Assuming that both connectors are configured, does the connector for port
    8080 know that the secure port is 8081? I forgot that one once...


    Oscar

    --
    Oscar Kind http://home.hccnet.nl/okind/
    Software Developer for contact information, see website

    PGP Key fingerprint: 91F3 6C72 F465 5E98 C246 61D9 2C32 8E24 097B B4E2
     
    Oscar kind, Jun 5, 2004
    #4
  5. Rusty Bawa

    Ryan Stewart Guest

    "Oscar kind" <> wrote in message
    news:...
    > Ryan Stewart <> wrote:
    > [...]
    > > I've recently been experimenting with
    > > container managed security, and have hit a problem. I notice you don't seem
    > > to be using SSL for your login form. Have you tried it? I'm using Tomcat
    > > 4.1.30 with SSL. Basic authentication works fine, but when I try form based
    > > auth, it uses secure protocol, but on the wrong port. It tries to access
    > > https://localhost:8080/secureApp/login.jsp. 8080 is the non-secure port. It
    > > should be trying 8081, which I set as the secure port. Have you run into
    > > this? I can't figure out what's wrong.
    >
    > Assuming that both connectors are configured, does the connector for port
    > 8080 know that the secure port is 8081? I forgot that one once...
    >
    >
    > Oscar
    >

    Snippet from my connectors:
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" ...
    port="8080" ... redirectPort="8081" scheme="http" secure="false" ...>
    <Factory
    className="org.apache.catalina.net.DefaultServerSocketFactory"/>
    </Connector>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" ...
    port="8009" ... redirectPort="8081" scheme="http" secure="false" ... >
    <Factory
    className="org.apache.catalina.net.DefaultServerSocketFactory"/>
    </Connector>
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
    port="8081" ... scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
    clientAuth="false" keystoreFile=".keystore" protocol="TLS"/>
    </Connector>

    Isn't that all the important stuff? This is the same problem that you
    replied to about a week ago under subject: "J2EE container managed
    security". If you recall from that post, other redirects work fine from the
    nonsecure to the secure port, but when I try to use form-based
    authentication with <transport-guarantee>CONFIDENTIAL</transport-guarantee>,
    it tries to access the nonsecure port with https. Unless I'm mistaken, it's
    *supposed* to go to the secure port for the login. It only makes sense for
    it to. It just seems like it only makes it halfway there. I've even
    downloaded some example code of form-based authentication. One was a
    complete webapp. But all of the examples I see don't use a
    transport-guarantee or use NONE, and when I plug in CONFIDENTIAL, it causes
    this problem.
     
    Ryan Stewart, Jun 5, 2004
    #5
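
    An added example, not part of the thread: the check asked about in post #4 (does each non-secure connector know the secure port?) written as a script over server.xml. The sample is constructed from the connector snippet in post #5 with the elided attributes left out and assumed Server/Service wrapper elements; the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector snippet in post #5
# (elided attributes omitted; the Server/Service wrappers are assumed).
SAMPLE_SERVER_XML = """<Server><Service name="sample">
  <Connector port="8080" redirectPort="8081" scheme="http" secure="false"/>
  <Connector port="8009" redirectPort="8081" scheme="http" secure="false"/>
  <Connector port="8081" scheme="https" secure="true"/>
</Service></Server>"""


def check_redirect_ports(server_xml):
    """Return (port, problem) pairs for connectors whose redirectPort does
    not point at a connector marked scheme="https" and secure="true"."""
    root = ET.fromstring(server_xml)
    problems = []
    for service in root.iter("Service"):
        connectors = service.findall("Connector")
        # Ports that are declared as TLS endpoints within this Service.
        secure_ports = {
            c.get("port") for c in connectors
            if c.get("secure", "false").lower() == "true"
            and c.get("scheme", "http").lower() == "https"
        }
        for c in connectors:
            port = c.get("port")
            if port in secure_ports:
                continue  # the secure connector itself needs no redirect
            target = c.get("redirectPort")
            if target is None:
                # No explicit value; this check does not assume a default.
                problems.append((port, "no redirectPort set"))
            elif target not in secure_ports:
                problems.append(
                    (port, "redirectPort %s is not a secure connector" % target))
    return problems


if __name__ == "__main__":
    print(check_redirect_ports(SAMPLE_SERVER_XML) or "redirect ports consistent")
```

    The connectors as posted pass this check, so it rules out a mismatched redirectPort rather than explaining the https-on-8080 redirect.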