tomcat-5.0.27 authentication/authorization

[mate]

Can I change authorization parameters in code?

I found this:

"1. Check whether there is an Authorization header. If there is
no such header, go to Step 2. If there is, skip over the word
"basic" and reverse the base64 encoding of the remaining part.
This results in a string of the form usernameassword. Check
the username and password against some stored set. If it
matches, return the page. If not, go to Step 2.

2. Return a 401 (Unauthorized) response code and a header of
the following form:
WWW-Authenticate: BASIC realm="some-name"
This response instructs the browser to pop up a dialog box telling
the user to enter a name and password for some-name, then
to reconnect with that username and password embedded in a
single base64 string inside the Authorization header."

Also if <auth-method>BASIC</auth-method> then
request.getHeader("Authorization"); return something like this "Basic
YWRtaW46YWRtaW4=" (this is for admin:admin ), but if
<auth-method>FORM</auth-method> then request.getHeader("Authorization");
return null.
Where is it? In session?

I use this for decoding:
String authorization = request.getHeader("Authorization");
String userInfo = authorization.substring(6).trim();
BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword =
new String(decoder.decodeBuffer(userInfo));
int index = nameAndPassword.indexOf(":");
String user = nameAndPassword.substring(0, index);
String password = nameAndPassword.substring(index+1);

I try with admin:admin and with sun.misc.BASE64Encoder make encode, and with
response.setHeader("Authorization", "Basic YWRtaW46YWRtaW4="), but nothing
happen and I can't get secure pages?

So, can I /addchange authorization parameters in code or server can only do
this?

 

[mate]

No one know?

OK, is it somehow possible to put with servlet same data that server put
after successfully check user name and password in <auth-method>, BASIC or
FORM?

I want to use my own login way and I need to put this data so web server can
exchange this data with EJB server.
Or there is another way how to send role info to EJB server?

Help me!!!

 

[Daniel Rohe]

You can create your own authentication handler for tomcat and put it into
<tomcat-home>/common/lib or <tomcat-home>/common/classes. For how to code
such a authentication handler look at the existing authentication handler in
the package org.apache.catalina.realms. After that you must define it in the
server-side configuration file of your web application.

Greetings
Daniel

 

[mate]

You can create your own authentication handler for tomcat and put it into

<tomcat-home>/common/lib or <tomcat-home>/common/classes. For how to code
such a authentication handler look at the existing authentication handler
in the package org.apache.catalina.realms. After that you must define it
in the server-side configuration file of your web application.

Greetings
Daniel

Thanks I will try.

But do you know for any article, tutorial or similar about this?
Maybe someone is done this before!

Thanks again.

 

[Daniel Rohe]

I doesn't know any tutorial. Look at the source code of the JDBCRealm or
JAASMemoryRealm. Most times the JAAS implementation could be used. Could you
please explain why and when you want to change the authorization parameters?

Greetings
Daniel

 

[mate]

To make something similar like FORM but with my JSP field name and my action
instead of j_security_check.

Do you know how to do this?

 

[Daniel Rohe]

To make something similar like FORM but with my JSP field name and my
action instead of j_security_check.

Do you know how to do this?

Here you have a problem! Look at the servlet specification 2.3 page 83.
Under SRV.12.5.3 are the field names j_username and j_password for a
form-based authentication specified.

Greetings
Daniel

 

[mate]

To make something similar like FORM but with my JSP field name and my

Here you have a problem! Look at the servlet specification 2.3 page 83.
Under SRV.12.5.3 are the field names j_username and j_password for a
form-based authentication specified.

I know that and I want to have my field names and my action.
Servlet server make this somehow and if "he" can could can also!
But I dont know how!
I did check Tomcat source but I was found j_security_checkin two files and
this files are C++ (?) files!!!

What do yu think?
Is it possible to do this?

 

[mate]

To make something similar like FORM but with my JSP field name and my

 

[John C. Bollinger]

I know that and I want to have my field names and my action.
Servlet server make this somehow and if "he" can could can also!
But I dont know how!
I did check Tomcat source but I was found j_security_checkin two files and
this files are C++ (?) files!!!

You can always write whatever custom authentication and authorization
logic you want on top of servlet / JSP technology. Many people do that
instead of using the built-in stuff. But if you want to use the
declarative security provisions of the Java Servlet framework then you
must abide by the spec, which *defines* the field names used in
form-based authentication. You do not have a choice about them.

Given the source code, it would be possible to hack a servlet container
to redefine the field names that it uses for form-based authentication.
You really do not want to go there, however, because

1) it requires you to modify a complex piece of software whose inner
workings you do not understand very well;

2) you will thereafter have to maintain not only your application, but
also the hacked server it runs on;

3) the hack will be specific to a particular servlet container, possibly
even to a specific version of the container; and

4) your application will not be portable to other servlet containers.


It in any case sure sounds like you're making much ado about nothing.
What's the big deal about field names?


John Bollinger
(e-mail address removed)

 

[Daniel Rohe]

Hello mate,

I know that and I want to have my field names and my action.
Servlet server make this somehow and if "he" can could can also!
But I dont know how!
I did check Tomcat source but I was found j_security_checkin two files and
this files are C++ (?) files!!!

Which Tomcat version. I have version 5.0.29 and in the class
org.apache.catalina.authenticator.FormAuthenticator is the form login
implemented. This class uses org.apache.catalina.authenticator.Constants
where the constants (j_username etc) are defined.

What do yu think?
Is it possible to do this?

Everything is possible ;-)! But how much does it cost.

If you don't use an application server and don't want to propagate the
authentication to it then you could implement your own authentication and
authorization. You should store user information in the session and use a
listener to check authentication and authorization. But you must implement
all the authentication and authorization stuff by your own ;-(.
The listener will check the session and if it founds the user information in
the session it will do nothing. If it founds no user information in the
current request and the request is not the login page, it must store the
current request and forward to the login page. After the user has entered
his authentication information in the login page he presses a button. Then
the listener must authenticate the user and forward to the old request.

With built-in authentication you can do something like the following:
You talk about action, so I think you use Struts as web framework. Wy don't
you make a login action that redirects to a restricted area. Because of the
restricted area tomcat checks the internal session, to see if authentication
was performed. If not it displays the login-page (with j_username,
j_password and j_security_check). After authentication it redirects to the
original url. There can be an action which redirects to the first page. You
can then get the authentication information from the request via
request#getUSerPrincipal(). If the principal object is null no
authentication was performed. Otherwise the principal#getName() contains the
username. With request#isUserInRole() you can check if the authenticated
user has the given role.

Greetings
Daniel

 

[mate]

Which Tomcat version. I have version 5.0.29 and in the class

org.apache.catalina.authenticator.FormAuthenticator is the form login

I can find now! Thanks!

implemented. This class uses org.apache.catalina.authenticator.Constants
where the constants (j_username etc) are defined.

Hi all.

I will try again.

Tomcat, and any other servlet server, when we use
"<auth-method>FORM</auth-method>" with j_security_check,
j_username, j_password and <security-constraint>,
check our user name and password against database
(or anything else - but this wasn't important now) and then
PUT_SOMETHING_FOR_RECOGNITION_SOMEWHERE
(I think in servlet session?) for repossess.

After that we can access resource specified in <web-resource-collection>
if we have THAT_SOMETHING (role). And THAT_SOMETHING will
be passed automatically to EJB if we use EJB, and so on......

Is it possible to put THAT_SOMETHING from my code i.e. servlet?

For example, if I want to use in JSP other name for j_security_check,
j_username, j_password, or I want to use other presentation
for my web app like Swing or simmilar?
I could check user name or anything else by myself and then
put THAT_SOMETHING and proceed like I was make
real j_security_check.

Do you know how to do this?

P.S. I can't use JAAS.