1. Re: Automatic or hidden login without presenting login-form?
sburkard Oct 20, 2005 11:18 AM (in response to sburkard)
Hi, it's me again.
I've found a way (call it a dirty hack) to post a form to j_security_check and get redirected to some kind of default page. Perhaps this only works in JBoss; I have not tested this on any other container!
1. I wrote a simple HTML page that contains an image tag whose src attribute points to the page where I'd like to be redirected after login. Of course this produces a broken link, but that's invisible if the width and height are zero.
2. This page also contains a link that targets j_security_check directly and has the j_username and j_password values (clear text) as request parameters. This is totally insecure, but I think (not tested yet) the link can also submit a hidden form over an HTTPS connection.
3. I store this page in the other system's webroot.
What happens when the link is clicked:
If the (hidden) login is successful, the user is redirected directly to the URL that was referenced by the src attribute of the img tag. The container seems to remember the user's last URL that points into a secured part of the website, even if the user doesn't know about it :-)
Of course the content of the simple HTML page can be placed wherever it's needed (in any other webapp, at any position). But the submission to j_security_check should absolutely be over HTTPS and POST, because the credentials must be in clear text.
Risks:
- No idea if every browser really "loads" an image of width and height zero. If not, the redirect will not work.
- No idea if other containers allow this hack with the redirect.
Cheers
Stefan
2. Re: Automatic or hidden login without presenting login-form?
jimbrady Nov 16, 2005 4:19 AM (in response to sburkard)
Hello. I'm not sure if this will be picked up by everyone interested, but as I had trouble with this issue I thought I would post my solution. If somebody wants to add it to a wiki, fine.
My issue was that I had external (in Apache) authentication but needed a JAAS sign-on and authorisation. AJP13 was setting the RemoteUser via a cookie. I used a version of the DatabaseServerLoginModule for authorisation based on the RemoteUser.
To trigger the sign-on, I first needed to code the following simple Servlet:
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    /**
     * Simple Servlet to trigger JAAS Login - passing the RemoteUser as username.
     *
     * @author Jim Brady
     */
    public class LoginServlet extends HttpServlet {

        public void init() throws ServletException {
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            doPost(request, response);
        }

        public void doPost(HttpServletRequest request, HttpServletResponse response) {
            // RemoteUser was set by the Apache front end (via AJP13); hand it to the
            // container's form login with an empty password, since the custom login
            // module authorises on the RemoteUser rather than on a password.
            Log log = LogFactory.getLog(this.getClass());
            try {
                log.info("User = " + request.getRemoteUser());
                response.sendRedirect("j_security_check?j_username="
                        + request.getRemoteUser() + "&j_password=");
            } catch (Exception e) {
                log.warn("Whoah", e);
            }
        }
    }
This was integrated via the following items in web.xml.
    <servlet>
        <servlet-name>LoginServlet</servlet-name>
        <servlet-class>appl.web.login.LoginServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>LoginServlet</servlet-name>
        <url-pattern>*.login</url-pattern>
    </servlet-mapping>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>APACHE</realm-name>
        <form-login-config>
            <form-login-page>/login/apache.login</form-login-page>
            <form-error-page>/login/loginError.htm</form-error-page>
        </form-login-config>
    </login-config>
It took a long while to work out how to do this, so I hope it helps some other people out there!
3. Re: Automatic or hidden login without presenting login-form?
jimbrady Dec 7, 2005 9:29 AM (in response to sburkard)
The above only works for Jetty, not for Tomcat. For Tomcat see
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=23094
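As an added example (not code from the thread), a variant of Jim Brady's LoginServlet that hands the RemoteUser to j_security_check in a POST body over HTTPS instead of in the redirect URL, since query-string credentials end up in access logs, browser history and Referer headers, the concern Stefan raises in the first reply. It assumes the javax.servlet API and the same container behaviour as the original; the class name PostLoginServlet and the escape helper are mine.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class PostLoginServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Never hand credentials to a cleartext connection.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String user = request.getRemoteUser();
        if (user == null) {
            // Nothing was authenticated by the front end: do not guess a user.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Self-submitting form: the username travels in the POST body, not the URL.
        // Password stays empty, as in the thread: the login module checks RemoteUser.
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE html><html><body onload=\"document.forms[0].submit()\">");
        out.println("<form method=\"post\" action=\"j_security_check\">");
        out.println("<input type=\"hidden\" name=\"j_username\" value=\"" + escape(user) + "\">");
        out.println("<input type=\"hidden\" name=\"j_password\" value=\"\">");
        out.println("<noscript><input type=\"submit\" value=\"Continue\"></noscript>");
        out.println("</form></body></html>");
    }
    /** HTML attribute escaping so an unusual RemoteUser cannot break out of the value. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Map it to the same *.login pattern as the original servlet; whether j_security_check accepts a direct submission without a saved request still depends on the container, as the Jetty/Tomcat note above says.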