Hi,
once more I have an urgent question. After successfully authenticating via a normal HTML form, I
can only get the username out of the security request - but when I want to use
both name and password to access the exist-db, I have a problem
:-(
Can anyone offer a solution to that? For REST
or WebDAV I need both pieces of information! :-(
Any help is appreciated :-)
Regards, Marcus
--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

Marcus,
On 8/4/07, Marcus <[hidden email]> wrote:
> ones more i have an urgent question. After successfully authenticated via a
> normal HTML-Form, i only can get the username out of the security-request -
> but when i want to use both, name and password for access the exist-db, i
> have a problem :-(

When the servlet container handles users authentication, AFAIK you can't access users' password from your application. The servlet container will only expose the user name and roles. I can see 2 ways to handle this:

1) Since you are the one generating the form used for authentication, you first capture the login/password, and store it somewhere (e.g. in the application context) before you post it to Tomcat. If authentication succeeds, you retrieve the login/password you last stored.

2) You do not use the servlet authentication mechanism, and handle authentication yourself.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/

Hi Alex,
I don't use the app-server, but I use a securityfilter, which authenticates the user against the embedded exist-db. Because I have to use form authentication with a submit to "j_security_check", and because I use a normal HTML form and no XForms, as I couldn't get it to work with XForms :-(( I have no idea how I can store the user information in, let's say, the session scope (or app context??)

So, if you have some hints on how I could do this, I think that would be the preferred way! Even though I have no clue how to get this done :-(

Thanks, Marcus

Marcus,
That seems to be depending on the way that security filter works. What I know is that as a matter of general practice, it is usually not possible for an application to have access to the user's password. That would open the door to too many security issues. Rather, security realms deal themselves with passwords and just tell the application whether the user is authenticated or not. Sometimes passwords are even encrypted early in the process so that they don't circulate in clear.

Why do you need the password?

-Erik
--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/

Hi Erik,
you'll find the answer to why I need it in my first post :-)

In my webapp there are some admin functions. Here you can enter new data or manipulate and delete it. For that I used the REST and also the WebDAV protocol in my submissions. But as you know, for that I need the information for "xxforms:username" and "xxforms:password", or the same in the "datasource.xml" file when I use an XPL. Right?

The answer to your question on the security filter should be the following. The filter is configured in the web.xml. There I can define a sublink, i.e. (server)/myapp/admin/, as a secure section. /myapp is my normal webapp, but all admin functions are linked to /myapp/admin. When I try to access a subpage I'm redirected to a login page with an HTML form, I enter my data and submit it. The filter uses the exist-realm to validate the user data against the database user management - I would say, just the same way the Tomcat authentication would work. And then a session is created and I can access my admin functions.

But when I try to create, alter or delete data with REST or WebDAV I need username AND password, right?

Or is there any other way than to save those data in the beginning and not have to use them later?

At the moment I use those submissions with a hardcoded admin account, but at least I want to use the data of the currently logged-in user.

Any idea how to solve that problem?

Thanks, Marcus

In reply to this post by Marcus-2
On 8/6/07, Marcus <[hidden email]> wrote:
> i don't use the app-server, but i use a securityfilter, which authenticates
> the user against the embedded exist-db.

Can you somehow modify the security filter to save the login/password information in the application context?

Otherwise: with a login form in XForms, when the user hits the "login" button, you first run a pipeline that saves the login/password in the application context with the context serializer. Then you run a submission with method="get" that sends the login/password using request parameters. For this to work, the security filter needs to also be able to access the login/password as request parameters, not only as part of a POST.

Alex

Hi Alex,
the problem is that I don't have much of a clue about modifying the securityfilter, which is fully programmed in Java. But I can give you the link, and perhaps you have an idea? http://securityfilter.sourceforge.net/

I think it would also be a good extension to your OPS in general, so that you can use the exist-db for restrictions and authentication and don't need to modify the Tomcat users! So that every developed webapp is independent and could be deployed to every usable app-server. That was the main reason that I integrated the filter into my app. But be sure, I will also try to find a way to modify the filter, but I don't have enough knowledge about how to deal with transactions and which method I have to use in which way. I'm always glad when I get things to work without having to do many modifications.

But another point is that I tried to use the filter with an XForms form, but I could not make it work - perhaps because of using the wrong method? :-(

Regards, Marcus

In reply to this post by Alessandro Vernet
It's me again :-)
OK, I had another idea, but I don't know if it is possible to realize it. When I use my normal HTML form for authentication, it should be possible to first run some JavaScript before the form is submitted, right? Can I call, from such a JavaScript, an XPL that saves the entered data to the app context? Sometimes such JavaScripts are used for testing some constraints before submitting, but can't I use it here to save my form data? I think you know better whether something like that is possible or not.

Best regards, Marcus

In reply to this post by Marcus-2
On 8/7/07, Marcus <[hidden email]> wrote:
> So that every developed webapp is independent and could deployed to every
> useable app-server. That was the main reason that i integrated the filter to
> my app. But be sure, i will also try to find a way to modify the filter, but
> i have not enough knowledge about how to deal with transactions and which
> method i have to use in wich way. i'm always glad when i get things to work
> without having to do many modifications.

Yes, I agree, it is better if don't have to modify the security filter.

> But another point is, that i tried to use the filter with an xforms-form,
> but i could not make it work - perhaps while using the wrong method? :-(

Could you attach the simple working HTML form you are using for authentication?

Alex

In reply to this post by Marcus-2
On 8/7/07, Marcus <[hidden email]> wrote:
> OK, i had another idea, but i don't know if it is possible to realize it.
> When i use my normal HTML-Form for authentication, it should be possible
> first to do some javascripts before the form is submitted, right? Can i call
> out of such a javascript a xpl that saves the entered data to the
> app-context.?

Yes, I guess you could. But that seems awfully complex. I think we should be able to do this in XForms, without having to write any JavaScript. This is the intent of my previous message, as I'd like to see what parameters the security filter is expecting.

Alex

Hi,
the filter expects the same data as the app-server would.

* The form action is set to j_security_check.
* The name of the field used to get the username is j_username.
* The name of the field used to get the password is j_password.

It would be a bit complex to explain exactly, but for a short overview: I don't use an extra page, but I added a main theme to every page through an XSLT that I added to the epilogue before the transformation from XForms to XHTML. I found that the best way to work with a functional menu and language option, and so I don't have to add anything to each page.

I attach my XSLT to this mail and my epilogue too.

Thanks for your help, regards, Marcus

In reply to this post by Marcus-2
I think that an ideal setup wouldn't require forwarding passwords, but using some kind of single sign-on mechanism between the Orbeon Forms application and the service called. This sometimes works with a sign-on mechanism setting some headers, which can then be forwarded to the service. Orbeon Forms already forwards the Servlet JSESSIONID cookie, for example, which allows authentication to work when you call other servlets with XForms.

I am not sure that this helps you much, just saying that it is another way to look at the problem. It may or may not be implementable in your case.

-Erik

In reply to this post by Marcus-2
On 8/7/07, Marcus <[hidden email]> wrote:
> the Filter exspects the same data as the app-server would.
> * The form action is set to j_security_check.
> * The name of the field used to get the username is j_username.
> * The name of the field used to get the password is j_password.

OK, so let's try this. Write the page where users login in XForms. Have an instance:

<login>
    <j_username/>
    <j_password/>
</login>

Bind the username/password field to this instance appropriately. When the user submits the form, run a submission with method="get" ref="the above instance" action="j_security_check". See if this works. If it does, before doing the submission, post that instance to a pipeline that saves the username/password in the application context.

Alex

In reply to this post by Erik Bruchez
Hi Erik, Hi Alex

> I think that an ideal setup wouldn't require forwarding passwords, but
> using some kind of single sign-on mechanism between the Orbeon Forms
> application and the service called. This sometimes works with a sign-on
> mechanism setting some headers, which can then be forwarded to the
> service. Orbeon Forms already forwards the Servlet JSESSIONID cookie,
> for example, which allows authentication to work when you call other
> servlets with XForms.

The problem is that we need the user data (name, pass) to make the submissions work! Of course it would be ideal to authenticate only once, that's the way I want to keep it, but without a hardcoded account, is there any other way?

> OK, so let's try this. Write the page where users login in XForms.
> Have an instance:
> <login>
> <j_username/>
> <j_password/>
> </login>
> Bind the username/password field to this instance appropriately. When
> the user submits the form, run a submission with method="get" ref="the
> above instance" action="j_security_check". See if this works. If it
> does, before doing the submission, post that instance to a pipeline
> that saves the username/password in the application context.

A submission with "get" results in an NPE - and with method "post" it seems to submit something, but it doesn't work either :(

Regards, Marcus

Attachment: login.xhtml (2K)

On 8/8/07, Marcus <[hidden email]> wrote:
> I attached my login.xhtml page - but it doesn't work :-(
> A submission with "get" results in a NPE - and with method "post" seems to
> submit something, but it doesn't work either :(

Using a POST won't work, as this will POST the XML document to j_security_check, which doesn't know what to do with it. So for this case you need to use method="get" here. Can you quote the NPE exception you are getting?

Alex

Hi Alex,

> Using a POST won't work, as this will POST the XML document to
> j_security_check, which doesn't know what to do with it. So for this
> case you need to use method="get" here. Can you quote the NPE
> exception you are getting?

Here is the exception out of the browser:
-----------------------------------------
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Error matching patterns
    org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:148)
root cause
java.lang.NullPointerException
    org.securityfilter.exist.realm.catalina.ExistCatalinaRealm.authenticate(ExistCatalinaRealm.java:136)
    org.securityfilter.realm.catalina.CatalinaRealmAdapter.authenticate(CatalinaRealmAdapter.java:95)
    org.securityfilter.authenticator.FormAuthenticator.processLogin(FormAuthenticator.java:178)
    org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:138)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.20 logs.

Here the important part out of my log:
--------------------------------------
2007-08-09 02:59:19,442 http-8085-1 INFO webapp.ProcessorService - /admin/login.xhtml - Timing: 9952 - Cache hits: 285, fault: 57, adds: 46, success rate: 83%
2007-08-09 02:59:45,138 http-8085-1 INFO webapp.ProcessorService - /xforms-server - Received request
2007-08-09 02:59:45,223 http-8085-1 INFO xml.XMLUtils - Deleting temporary file: C:\Program Files\Tomcat5.5\work\Catalina\localhost\exist-1.1.1-newcore\cocoon-files\cache-dir\upload_00000219.tmp
2007-08-09 02:59:45,226 http-8085-1 INFO webapp.ProcessorService - /xforms-server - Timing: 88 - Cache hits: 31, fault: 3, adds: 2, success rate: 91%
2007-08-09 02:59:45,359 http-8085-1 WARN security.MD5 - Digest creation failed. Using plain string as password!
2007-08-09 02:59:45,360 http-8085-1 ERROR [/kkbib].[ops-main-servlet] - Servlet.service() for servlet ops-main-servlet threw exception
java.lang.NullPointerException
    at org.securityfilter.exist.realm.catalina.ExistCatalinaRealm.authenticate(ExistCatalinaRealm.java:136)
    at org.securityfilter.realm.catalina.CatalinaRealmAdapter.authenticate(CatalinaRealmAdapter.java:95)
    at org.securityfilter.authenticator.FormAuthenticator.processLogin(FormAuthenticator.java:178)
    at org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:138)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:495)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:833)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:639)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1285)
    at java.lang.Thread.run(Unknown Source)

To be better informed, I sent you the source code of the Security Filter and also my own coded existRealm.
Hope my code will help you!?

Regards, Marcus

Attachments: CatalinaRealmAdapter.java (5K), ExistCatalinaRealm.java (12K), securityfilter-2.0-src.zip (3M)

In reply to this post by Alessandro Vernet
Hi Alex,
I have found out another little detail, but don't know how to handle it.
Back to the "pre" method and the NPE. The problem was, after I took a careful look at the URL:
http://stmarcus.dyndns.org:8085/kkbib/admin/j_security_check?j_username=kkbib01;j_password=kkbib

At first I didn't see it, but between j_username and j_password there is a ";" and not a "&" as usual. Testing the same URL with a "&", it works! But I don't know why the XForms produce a false URL. :-((
Any idea?

Thanks, Marcus

----- Original Message -----
From: "Alessandro Vernet" <[hidden email]>
To: <[hidden email]>
Sent: Thursday, August 09, 2007 2:39 AM
Subject: Re: [ops-users] How to get username and Password out of the security-request!?

> On 8/8/07, Marcus <[hidden email]> wrote:
>> I attached my login.xhtml page - but it doesn't work :-(
>> A submission with "get" results in a NPE - and with method "post" seems to
>> submit something, but it doesn't work either :(
>
> Using a POST won't work, as this will POST the XML document to
> j_security_check, which doesn't know what to do with it. So for this
> case you need to use method="get" here. Can you quote the NPE
> exception you are getting?
>
> Alex
> --
> Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
> http://www.orbeon.com/

"separator" is an optional attribute for <submission> and semicolon is the default. I didn't immediately find where this is in the spec. I read it from this book:
http://xformsinstitute.com/essentials/browse/book.php

--Hank Ratzesberger

> Hi Alex,
> I have found out another little detail, but don't know how to handle it.
> Back to the "pre" method and the NPE. The problem was, after I took a
> careful look at the URL:
> http://stmarcus.dyndns.org:8085/kkbib/admin/j_security_check?j_username=kkbib01;j_password=kkbib
>
> At first I didn't see it, but between j_username and j_password there is a ";"
> and not a "&" as usual. Testing the same URL with a "&", it works! But I
> don't know why the XForms produce a false URL. :-((
> Any idea?
>
> Thanks, Marcus
>
> ----- Original Message -----
> From: "Alessandro Vernet" <[hidden email]>
> To: <[hidden email]>
> Sent: Thursday, August 09, 2007 2:39 AM
> Subject: Re: [ops-users] How to get username and Password out of the
> security-request!?
>
>> On 8/8/07, Marcus <[hidden email]> wrote:
>>> I attached my login.xhtml page - but it doesn't work :-(
>>> A submission with "get" results in a NPE - and with method "post" seems to
>>> submit something, but it doesn't work either :(
>>
>> Using a POST won't work, as this will POST the XML document to
>> j_security_check, which doesn't know what to do with it. So for this
>> case you need to use method="get" here. Can you quote the NPE
>> exception you are getting?
>>
>> Alex
>> --
>> Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
>> http://www.orbeon.com/
Marcus,
On 8/13/07, Marcus <[hidden email]> wrote:
> Hi Alex,
> I have found out another little detail, but don't know how to handle it.
> Back to the "pre" method and the NPE. The problem was, after I took a
> careful look at the URL:
> http://stmarcus.dyndns.org:8085/kkbib/admin/j_security_check?j_username=kkbib01;j_password=kkbib
>
> At first I didn't see it, but between j_username and j_password there is a ";"
> and not a "&" as usual. Testing the same URL with a "&", it works! But I
> don't know why the XForms produce a false URL. :-((
> Any idea?

This is a good catch: the default separator in XForms is ";". I am not sure why this would be the default separator, as in 99% of the cases you want & to be the separator with a GET. So when you have method="get", in most cases you also want to have separator="&" as well on your xforms:submission, as Hank suggested. You'll let us know if this works for you.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/
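The separator mismatch discussed above, as an added example that is not part of the original thread: it builds the GET query with ";" and with "&", then reads it back the way the login endpoint in the thread evidently did, splitting pairs on "&" only. That parser and all helper names are assumptions; the field values are the ones in the URL quoted above.

```python
from urllib.parse import quote_plus, unquote_plus

# Field values taken from the URL quoted in the thread.
FIELDS = [("j_username", "kkbib01"), ("j_password", "kkbib")]

def xforms_query(fields, separator=";"):
    """Build the query string of a method="get" submission; pairs are joined
    with `separator`, which defaults to ";" as noted in the thread."""
    return separator.join(f"{quote_plus(n)}={quote_plus(v)}" for n, v in fields)

def container_params(query):
    """Assumed server side: pairs are split on "&" only, then decoded."""
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params

def check_login(query):
    """Return (username, password, problems) as the login endpoint sees them."""
    params = container_params(query)
    user, password = params.get("j_username"), params.get("j_password")
    problems = []
    if password is None:
        # Code that dereferences this missing value without a check is where
        # a null pointer error like the one reported would surface.
        problems.append("j_password missing")
    if user is not None and ";" in user:
        # The rest of the query, password included, is now part of the
        # "user name" and ends up wherever failed logins are recorded.
        problems.append("j_username contains ';' (wrong separator?)")
    return user, password, problems

if __name__ == "__main__":
    for sep in (";", "&"):
        q = xforms_query(FIELDS, sep)
        print(q, "->", check_login(q))
```

Because the XForms page is XML, the ampersand in that attribute value has to be entered as a character entity rather than a bare &.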
Hi Alex,
after Hank's mail I tried separator="&" and that worked for me as well.

So, the next question only seems to be, why I should use the application context for storing the username&password instead of the session context!? After my logout I destroy the session information, but will this also delete the information in the application context? Or am I getting something wrong about that?

And another simple question may be: Will a processor inside an XPL be executed without any input, but if its output is used by another processor? When the user information is stored in the context, I want to create my "datasource.xml" dynamically, so I have to request them, otherwise I need the "datasource.xml" to be loaded. But this processor needs no input and gives me only the result as output. Right?

Thanks, Marcus

-------- Original Message --------
Date: Wed, 15 Aug 2007 18:07:49 -0700
From: "Alessandro Vernet" <[hidden email]>
To: [hidden email]
Subject: Re: [ops-users] How to get username and Password out of the security-request!?

> Marcus,
>
> On 8/13/07, Marcus <[hidden email]> wrote:
> > Hi Alex,
> > I have found out another little detail, but don't know how to handle it.
> > Back to the "pre" method and the NPE. The problem was, after I took a
> > careful look at the URL:
> > http://stmarcus.dyndns.org:8085/kkbib/admin/j_security_check?j_username=kkbib01;j_password=kkbib
> >
> > At first I didn't see it, but between j_username and j_password there is a ";"
> > and not a "&" as usual. Testing the same URL with a "&", it works! But I
> > don't know why the XForms produce a false URL. :-((
> > Any idea?
>
> Sorry for the delay; I intended to get back to you earlier about this.
> This is a good catch: the default separator in XForms is ";". I am not
> sure why this would be the default separator, as in 99% of the cases
> you want & to be the separator with a GET. So when you have
> method="get", in most cases you also want to have separator="&" as
> well on your xforms:submission, as Hank suggested. You'll let us know
> if this works for you.
>
> Alex
> --
> Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
> http://www.orbeon.com/