3 Replies Latest reply on Dec 7, 2005 9:29 AM by jimbrady

    Automatic or hidden login without presenting login-form?

    sburkard

      Hi all

      My container security works well and I simply can't believe that such a simple requirement (see below) exceeds the possibilities of container security.

      The requirement:
      Beside the opportunity to log in the standard way (call a secured page, fill out form and log in) users should be automatically logged in by another system.

      That means that the user has successfully logged into that other system (where he has the same credentials) and now can press a link that redirects him to my webapp and automatically logs him in.
      The link can obviously send username and password (its MD5 hash, hex-encoded) as request parameters, but I see some problems:

      1. If I submit a POST request to j_security_check with j_username and j_password, there is no target URL the user is sent to.
      2. Because I would already send the password hash, the container would hash it again (would it?), so the login would fail.

      Is there any other way I can log in a user automatically?

      Thanks and cheers
      Stefan

        • 1. Re: Automatic or hidden login without presenting login-form?
          sburkard

          Hi, it's me again

          I've found a way (call it a dirty hack) to post a form to j_security_check and get redirected to some kind of default page. Perhaps this only works in JBoss, I have not tested this on any other container!

          1. I wrote a simple HTML page that contains an image tag whose src attribute points to the page where I'd like to get redirected after login. Of course this produces a broken link, but that's invisible if the width and height are zero.

          2. This page also contains a link that points directly to j_security_check and has the j_username and j_password values (clear text) as request parameters. This is totally insecure, but I think (not tested yet) the link can also submit a hidden form over an HTTPS connection.

          3. I store this page in the other system's webroot.

          What happens when the link is clicked:
          If the (hidden) login is successful, the user will be redirected directly to the URL that was referenced by the src attribute of the img tag. The container seems to remember the user's last URL that points into a secured part of the website, even if the user doesn't know about it :-)

          Of course the content of the simple HTML page can be placed wherever it's needed (in every other webapp at every position). But the submission to j_security_check should absolutely be HTTPS and POST because the credentials must be clear text.

          Risks:
          - No idea if every browser really "loads" the image of width and height zero. If not, the redirect will not work.
          - No idea if other containers allow this hack with the redirect

          Cheers
          Stefan

          • 2. Re: Automatic or hidden login without presenting login-form?
            jimbrady

            Hello. I'm not sure if this will be picked up by everyone interested, but as I had trouble with this issue I thought I would post my solution. If somebody wants to add it to a wiki, fine.
            My issue was that I had external (in Apache) authentication but needed a JAAS sign-on and authorisation. AJP13 was setting the RemoteUser via a cookie. I used a version of the DatabaseServerLoginModule for authorisation based on the RemoteUser.

            To trigger the sign-on, I needed first to code the following simple Servlet:

            package appl.web.login;

            import java.io.IOException;

            import javax.servlet.ServletException;
            import javax.servlet.http.HttpServlet;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            import org.apache.commons.logging.Log;
            import org.apache.commons.logging.LogFactory;

            /**
             * Simple Servlet to trigger JAAS Login - passing the RemoteUser as username.
             *
             * @author Jim Brady
             */
            public class LoginServlet extends HttpServlet {

                public void init() throws ServletException {
                }

                public void doGet(HttpServletRequest request, HttpServletResponse response)
                        throws ServletException, IOException {
                    doPost(request, response);
                }

                public void doPost(HttpServletRequest request, HttpServletResponse response) {
                    Log log = LogFactory.getLog(this.getClass());

                    try {
                        // Apache has already authenticated the user; AJP exposes
                        // that identity to the container as the remote user.
                        log.info("User = " + request.getRemoteUser());
                        // Hand the remote user to the container's form login with an
                        // empty password; the custom login module authorises on the
                        // username alone.
                        response.sendRedirect("j_security_check?j_username="
                                + request.getRemoteUser() + "&j_password=");
                    } catch (Exception e) {
                        log.warn("Whoah", e);
                    }
                }
            }

            This was integrated via the following items in web.xml.

            <servlet>
                <servlet-name>LoginServlet</servlet-name>
                <servlet-class>appl.web.login.LoginServlet</servlet-class>
            </servlet>

            <servlet-mapping>
                <servlet-name>LoginServlet</servlet-name>
                <url-pattern>*.login</url-pattern>
            </servlet-mapping>

            <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>APACHE</realm-name>
                <form-login-config>
                    <form-login-page>/login/apache.login</form-login-page>
                    <form-error-page>/login/loginError.htm</form-error-page>
                </form-login-config>
            </login-config>

            It took a long while to work out how to do this, so I hope it helps some other people out there!
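The servlet above hands j_security_check only a username and an empty password, so everything depends on what the login module behind the APACHE realm accepts. As an added example (not Jim's code and not JBoss's own), here is a JBoss 4 login module that trusts the front-end authentication only for the user the front end actually asserted: j_username must equal the REMOTE_USER on the request, so a direct post to j_security_check with an arbitrary j_username is refused. It assumes the org.jboss.security.auth.spi.UsernamePasswordLoginModule base class, that the container binds the current request under the standard JACC key "javax.servlet.http.HttpServletRequest" (JBoss 4's Tomcat integration does; verify for your version), and a placeholder role mapping.

```java
package appl.web.login; // hypothetical package, same as the servlet above

import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Trusts the front-end (Apache/AJP) authentication, but only for the user the
 * front end actually asserted: j_username must equal request.getRemoteUser().
 */
public class RemoteUserLoginModule extends UsernamePasswordLoginModule {

    // Standard JACC key under which the container publishes the current request
    // (assumed to be registered by the JBoss web container).
    private static final String REQUEST_KEY = "javax.servlet.http.HttpServletRequest";

    // No stored password to compare against: the front end did the
    // authentication, so validatePassword() below decides instead.
    protected String getUsersPassword() throws LoginException {
        return "";
    }

    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        try {
            HttpServletRequest req =
                (HttpServletRequest) PolicyContext.getContext(REQUEST_KEY);
            if (req == null) {
                return false; // no request bound: not a web login, do not trust
            }
            String remoteUser = req.getRemoteUser();
            // Refuse any j_username the front end did not vouch for.
            return remoteUser != null && remoteUser.equals(getUsername());
        } catch (Exception e) {
            log.warn("Cannot read request from PolicyContext; refusing login", e);
            return false;
        }
    }

    // Placeholder role mapping (constructed): every trusted user gets "User".
    // A real module would look roles up as DatabaseServerLoginModule does.
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("User"));
        return new Group[] { roles };
    }
}
```

Configure it in login-config.xml under the APACHE application-policy in place of the DatabaseServerLoginModule variant, and keep j_security_check reachable only through the Apache front end so the remote user is always set.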

            • 3. Re: Automatic or hidden login without presenting login-form?
              jimbrady

              The above only works for Jetty - not for Tomcat. For Tomcat see
              http://www.jboss.com/index.html?module=bb&op=viewtopic&t=23094