4 Replies Latest reply on Nov 1, 2003 8:37 AM by juha

    Possible? User login via URL parameters

    sradford

      Hi,

      Can anyone guide me with this problem...?

      I will have users accessing an application with a url parameter (or maybe a cookie) as a token. For protected resources I then need to use this token to ascertain their roles. (The token is thus similar to a username).

      I thus need to know if I could write some type of LoginModule that gets triggered on protected resources, that can then look for this token on the HttpServletRequest or HttpSession and then log the user in with the token (and if necessary a server known password) so that all other authentication works as per usual.

      Any help much, much, appreciated,

      Regards,

      Sean

        • 1. Re: Possible? User login via URL parameters
          sradford

          Well I've been digging into my problem and come up with the following...

          as an example if I protect all of my webapp and GET the following:

          http://localhost:8080/myApp/welcome.jsp/j_security_check?j_username=sean&j_password=hmm

          I get the following log:

          2003-06-18 13:32:14,701 DEBUG [org.jboss.jetty.security.JBossUserRealm#MyApplicationRealm] JBossUserPrincipal: sean
          2003-06-18 13:32:14,701 DEBUG [org.jboss.jetty.security.JBossUserRealm#MyApplicationRealm] created JBossUserRealm::JBossUserPrincipal: sean
          2003-06-18 13:32:14,701 DEBUG [org.jboss.jetty.security.JBossUserRealm#MyApplicationRealm] authenticating: Name:sean Password:****
          2003-06-18 13:32:14,702 DEBUG [com.aegeus.itrustjaas.MyLoginModule] initialized
          2003-06-18 13:32:14,702 DEBUG [com.aegeus.itrustjaas.MyLoginModule] enter getUsersPassword()
          2003-06-18 13:32:14,703 DEBUG [com.aegeus.itrustjaas.MyLoginModule] enter getRoleSets()
          2003-06-18 13:32:14,703 DEBUG [org.jboss.jetty.security.JBossUserRealm#MyApplicationRealm] authenticated: sean
          2003-06-18 13:32:14,703 DEBUG [org.jboss.jetty.security.JBossUserRealm#MyApplicationRealm] setting JAAS subjectAttributeName(j_subject) : Subject:
          Principal: john
          Principal: Roles

          2003-06-18 13:32:14,824 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/template.jsp'.
          2003-06-18 13:32:14,825 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/htmlhead.jsp'.
          2003-06-18 13:32:14,827 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/header.jsp'.
          2003-06-18 13:32:14,827 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/menu.jsp'.
          2003-06-18 13:32:14,829 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/actionerrors.jsp'.
          2003-06-18 13:32:14,830 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/actionmessages.jsp'.
          2003-06-18 13:32:14,831 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/loginerror_content.jsp'.
          2003-06-18 13:32:14,832 DEBUG [org.apache.struts.taglib.tiles.InsertTag] insert page='/WEB-INF/footer.jsp'.
          2003-06-18 13:37:51,640 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] run: IdleRemover notifying pools, interval: 450000

          From the log you can see that authentication is happening, but then I am being re-directed to the loginerror page!!

          (normal form-based login is working by the way)

          It seems to be something to do with the __J_URI session attribute not being set, but in the source code (FormAuthenticator.authenticate) if that isn't found it should default to the root of the context.

          Any ideas much, much, MUCH appreciated,

          Regards,

          Sean

          • 2. Re: Possible? User login via URL parameters
            j_agra


            What you want is not possible without changing web server source.

            I presume you are using jetty because, with tomcat, direct access to j_security_check isn't possible at all.

            If you have a previously established valid session cookie you can use it in your url with:
            http://server:port/path1/page.jsp;jsessionid=xpto

            If you want to create a new session, then dive into the code :(

            • 3. Re: Possible? User login via URL parameters
              mfk786

              Hi

              Does j_uri work at all with JBoss? If so how could it be used?

              I have tried having it as a hidden field in the login.jsp but it does not have any effect.

              Thanks

              • 4. Re: Possible? User login via URL parameters

                j_uri
                Optional Resin extension for the successful display page.

                -- Juha