How to get username and Password out of the security-request!?


How to get username and Password out of the security-request!?

Marcus-2
Hi,
once more i have an urgent question. After successfully authenticating via a normal HTML-Form, i can only get the username out of the security-request - but when i want to use both name and password to access the exist-db, i have a problem :-(

Can anyone offer a solution to that? For REST or WebDAV i need both pieces of information! :-(
Any help is appreciated :-)
 
Regards, Marcus


--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
Marcus,

On 8/4/07, Marcus <[hidden email]> wrote:
> once more i have an urgent question. After successfully authenticating via a
> normal HTML-Form, i can only get the username out of the security-request -
> but when i want to use both name and password to access the exist-db, i
> have a problem :-(

When the servlet container handles user authentication, AFAIK you
can't access users' passwords from your application. The servlet
container will only expose the user name and roles. I can see 2 ways
to handle this:

1) Since you are the one generating the form used for authentication,
you first capture the login/password, and store it somewhere (e.g. in
the application context) before you post it to Tomcat. If
authentication succeeds, you retrieve the login/password you last
stored.

2) You do not use the servlet authentication mechanism, and handle
authentication yourself.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Marcus-2
Hi Alex,

i don't use the app-server, but i use a securityfilter, which authenticates
the user against the embedded exist-db.
While i have to use the Form authentication with submit to
"j_security_check" and because i use a normal html-form and no xforms, while
i couldn't get it to work with xforms :-(( i have no idea how i can store the
user-information, let's say, to the session-scope (or app context??)

So, if you have some hints, on how i could perform this, i think that would
be the way to prefer! Even i have no clue on how to get this done :-(

Thanks, Marcus




Re: How to get username and Password out of the security-request!?

Erik Bruchez
Administrator
Marcus,

That seems to be depending on the way that security filter works. What I
know is that as a matter of general practice, it is usually not possible
for an application to have an access to the user's password. That would
open the door to too many security issues. Rather, security realms deal
themselves with passwords and just tell the application whether the user
is authenticated or not. Sometimes passwords are even encrypted early in
the process so that they don't circulate in clear.

Why do you need the password?

-Erik

--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Marcus-2
Hi Erik,
you'll find the answer why i need it in my first post :-)

In my webapp there are some admin-functions. Here you can enter new data
or manipulate and delete them. For that i used the REST and also the WebDAV
protocol in my submissions. But as you know, therefore i need the
information for "xxforms:username" and "xxforms:password" or the same in
the "datasource.xml" file when i use a XPL. Right?

The answer to your question on the security-filter should be the following.
The filter is configured in the web.xml. There i can define a sublink i.e.
(server)/myapp/admin/ as a secure section. /myapp is my normal webapp, but
all admin functions are linked to /myapp/admin. When i try to access a subpage
i'm redirected to a login-page with an html-form, i enter my data and submit
them. The filter uses the exist-realm to validate the userdata against the
database usermanagement - i would say, just the same way the
tomcat-authentication would work. And then a session is created and i can
access my admin-functions.
But when i try to create, alter or delete data with REST or WebDAV i need
username AND password, right?

Or is there any other way than to save those data in the beginning and don't
have to use them later?
At the moment i use those submissions with a hardcoded admin-account, but
at least i want to use the data of the currently logged-in user.

Any idea how to solve that problem?
Thanks, Marcus



Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
In reply to this post by Marcus-2
On 8/6/07, Marcus <[hidden email]> wrote:
> i don't use the app-server, but i use a securityfilter, which authenticates
> the user against the embedded exist-db.

Can you somehow modify the security filter to save the login/password
information in the application context?

Otherwise: with a login form in XForms, when the user hits the "login"
button, you first run a pipeline that saves the login/password in the
application context with the context serializer. Then you run a
submission with method="get" that sends the login/password using
request parameters. For this to work, the security filter needs to
also be able to access the login/password as request parameters, not
only as part of a POST.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Marcus-2
Hi Alex,

the problem is, that i have not so much plan of modifying the
securityfilter, which is fully programmed in java. But i can give you the
link, and perhaps you have any idea? http://securityfilter.sourceforge.net/
i think it would also be a good extension to your ops in general, so that
you can use the exist-db for restrictions and authentication and don't
need to modify the tomcat users!

So that every developed webapp is independent and could be deployed to every
usable app-server. That was the main reason that i integrated the filter to
my app. But be sure, i will also try to find a way to modify the filter, but
i have not enough knowledge about how to deal with transactions and which
method i have to use in which way. i'm always glad when i get things to work
without having to do many modifications.

But another point is, that i tried to use the filter with an xforms-form,
but i could not make it work - perhaps while using the wrong method? :-(

Regards, Marcus



Re: How to get username and Password out of the security-request!?

Marcus-2
In reply to this post by Alessandro Vernet
It's me again :-)

OK, i had another idea, but i don't know if it is possible to realize it.
When i use my normal HTML-Form for authentication, it should be possible
first to do some javascripts before the form is submitted, right? Can i call
out of such a javascript a xpl that saves the entered data to the
app-context.?
Sometimes such javascripts are used for testing some constraints before
submitting, but can't i use it here to save my form data? I think you know
it better if something like that is possible or not.

Best regards, Marcus



Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
In reply to this post by Marcus-2
On 8/7/07, Marcus <[hidden email]> wrote:
> So that every developed webapp is independent and could be deployed to every
> usable app-server. That was the main reason that i integrated the filter to
> my app. But be sure, i will also try to find a way to modify the filter, but
> i have not enough knowledge about how to deal with transactions and which
> method i have to use in which way. i'm always glad when i get things to work
> without having to do many modifications.

Yes, I agree, it is better if don't have to modify the security filter.

> But another point is, that i tried to use the filter with an xforms-form,
> but i could not make it work - perhaps while using the wrong method? :-(

Could you attach the simple working HTML form you are using for authentication?

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
In reply to this post by Marcus-2
On 8/7/07, Marcus <[hidden email]> wrote:
> OK, i had another idea, but i don't know if it is possible to realize it.
> When i use my normal HTML-Form for authentication, it should be possible
> first to do some javascripts before the form is submitted, right? Can i call
> out of such a javascript a xpl that saves the entered data to the
> app-context.?

Yes, I guess you could. But that seems awfully complex. I think we
should be able to do this in XForms, without having to write any
JavaScript. This is the intent of my previous message, as I'd like to
see what parameters the security filter is expecting.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Marcus-2
Hi,

the Filter expects the same data as the app-server would.
    * The form action is set to j_security_check.
    * The name of the field used to get the username is j_username.
    * The name of the field used to get the password is j_password.

It would be a bit complex to explain exactly, but for a short overview, i
don't use an extra page, but i added a main-theme to every page through a
XSLT that i added to the epilogue before the transformation from xforms to
xhtml. I found that the best way to work with a functional menu and language
option and so i don't have to add anything to each page.

I attach my xslt to this mail and my epilogue too.
Thanks for your help,
regards, Marcus



menu.xsl (12K) Download Attachment
xforms-epilogue.xpl (8K) Download Attachment

Re: How to get username and Password out of the security-request!?

Erik Bruchez
Administrator
In reply to this post by Marcus-2
I think that an ideal setup wouldn't require forwarding passwords, but
using some kind of single sign-on mechanism between the Orbeon Forms
application and the service called. This sometimes works with a sign-on
mechanism setting some headers, which can then be forwarded to the
service. Orbeon Forms already forwards the Servlet JSESSIONID cookie,
for example, which allows authentication to work when you call other
servlets with XForms.

I am not sure that this helps you much, just saying that it is another
way to look at the problem. It may or may not be implementable in your case.

-Erik


--
Orbeon Forms - Web Forms for the Enterprise Done the Right Way
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
In reply to this post by Marcus-2
On 8/7/07, Marcus <[hidden email]> wrote:
> the Filter expects the same data as the app-server would.
>     * The form action is set to j_security_check.
>     * The name of the field used to get the username is j_username.
>     * The name of the field used to get the password is j_password.

OK, so let's try this. Write the page where users login in XForms.
Have an instance:

<login>
    <j_username/>
    <j_password/>
</login>

Bind the username/password field to this instance appropriately. When
the user submits the form, run a submission with method="get" ref="the
above instance" action="j_security_check". See if this works. If it
does, before doing the submission, post that instance to a pipeline
that saves the username/password in the application context.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Marcus-2
In reply to this post by Erik Bruchez
Hi Erik, Hi Alex

> I think that an ideal setup wouldn't require forwarding passwords, but
> using some kind of single sign-on mechanism between the Orbeon Forms
> application and the service called. This sometimes works with a sign-on
> mechanism setting some headers, which can then be forwarded to the
> service. Orbeon Forms already forwards the Servlet JSESSIONID cookie,
> for example, which allows authentication to work when you call other
> servlets with XForms.

the problem is, that we need the userdata (name, pass) to make the
submissions work!
Of course it would be ideal only to authenticate once, that's the way i want
to keep it, but without a hardcoded account, is there any other way?

> OK, so let's try this. Write the page where users login in XForms.
> Have an instance:
> <login>
>    <j_username/>
>    <j_password/>
> </login>
> Bind the username/password field to this instance appropriately. When
> the user submits the form, run a submission with method="get" ref="the
> above instance" action="j_security_check". See if this works. If it
> does, before doing the submission, post that instance to a pipeline
> that saves the username/password in the application context.
I attached my login.xhtml page - but it doesn't work :-(
A submission with "get" results in a NPE - and with method "post" seems to
submit something, but it doesn't work either :(

Regards, Marcus



login.xhtml (2K) Download Attachment

Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
On 8/8/07, Marcus <[hidden email]> wrote:
>  I attached my login.xhtml page - but it doesn't work :-(
> A submission with "get" results in a NPE - and with method "post" seems to
> submit something, but it doesn't work either :(

Using a POST won't work, as this will POST the XML document to
j_security_check, which doesn't know what to do with it. So for this
case you need to use method="get" here. Can you quote the NPE
exception you are getting?

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/




Re: How to get username and Password out of the security-request!?

Marcus-2

Hi Alex,

> Using a POST won't work, as this will POST the XML document to
> j_security_check, which doesn't know what to do with it. So for this
> case you need to use method="get" here. Can you quote the NPE
> exception you are getting?

Here is the exception out of the browser:
-----------------------------------------

type Exception report
message
description The server encountered an internal error () that prevented it
from fulfilling this request.
exception
javax.servlet.ServletException: Error matching patterns
 org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:148)

root cause
java.lang.NullPointerException
 org.securityfilter.exist.realm.catalina.ExistCatalinaRealm.authenticate(ExistCatalinaRealm.java:136)
 org.securityfilter.realm.catalina.CatalinaRealmAdapter.authenticate(CatalinaRealmAdapter.java:95)
 org.securityfilter.authenticator.FormAuthenticator.processLogin(FormAuthenticator.java:178)
 org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:138)

note The full stack trace of the root cause is available in the Apache Tomcat/5.5.20 logs.

Here the important part out of my log:
--------------------------------------
2007-08-09 02:59:19,442 http-8085-1 INFO  webapp.ProcessorService  - /admin/login.xhtml - Timing: 9952 - Cache hits: 285, fault: 57, adds: 46, success rate: 83%
2007-08-09 02:59:45,138 http-8085-1 INFO  webapp.ProcessorService  - /xforms-server - Received request
2007-08-09 02:59:45,223 http-8085-1 INFO  xml.XMLUtils  - Deleting temporary file: C:\Program Files\Tomcat5.5\work\Catalina\localhost\exist-1.1.1-newcore\cocoon-files\cache-dir\upload_00000219.tmp
2007-08-09 02:59:45,226 http-8085-1 INFO  webapp.ProcessorService  - /xforms-server - Timing: 88 - Cache hits: 31, fault: 3, adds: 2, success rate: 91%
2007-08-09 02:59:45,359 http-8085-1 WARN  security.MD5  - Digest creation failed. Using plain string as password!
2007-08-09 02:59:45,360 http-8085-1 ERROR [/kkbib].[ops-main-servlet]  - Servlet.service() for servlet ops-main-servlet threw exception
java.lang.NullPointerException
 at org.securityfilter.exist.realm.catalina.ExistCatalinaRealm.authenticate(ExistCatalinaRealm.java:136)
 at org.securityfilter.realm.catalina.CatalinaRealmAdapter.authenticate(CatalinaRealmAdapter.java:95)
 at org.securityfilter.authenticator.FormAuthenticator.processLogin(FormAuthenticator.java:178)
 at org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:138)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
 at org.apache.catalina.valves.FastCommonAccessLogValve.invoke(FastCommonAccessLogValve.java:495)
 at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
 at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
 at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:833)
 at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:639)
 at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1285)
 at java.lang.Thread.run(Unknown Source)

To be better informed i sent you the source code of the Security Filter and also my own coded existRealm.
Hope my code will help you!?
regards, Marcus


CatalinaRealmAdapter.java (5K) Download Attachment
ExistCatalinaRealm.java (12K) Download Attachment
securityfilter-2.0-src.zip (3M) Download Attachment

Re: How to get username and Password out of the security-request!?

Marcus-2
In reply to this post by Alessandro Vernet
Hi Alex,
I have found out another little detail, but don't know how to handle it.
Back to the "pre" method and the NPE. The problem was, after I carefully
took a look at the URL:
http://stmarcus.dyndns.org:8085/kkbib/admin/j_security_check?j_username=kkbib01;j_password=kkbib

At first I didn't see it, but between j_username and j_password there is a ";"
and not a "&" as usual. Testing the same URL with a "&", it works! But I
don't know why XForms produces a false URL. :-((
Any idea?

Thanks, Marcus



----- Original Message -----
From: "Alessandro Vernet" <[hidden email]>
To: <[hidden email]>
Sent: Thursday, August 09, 2007 2:39 AM
Subject: Re: [ops-users] How to get username and Password out of the
security-request!?


> On 8/8/07, Marcus <[hidden email]> wrote:
>>  I attached my login.xhtml page - but it doesn't work :-(
>> A submission with "get" results in a NPE - and with method "post" seems
>> to
>> submit something, but it doesn't work either :(
>
> Using a POST won't work, as this will POST the XML document to
> j_security_check, which doesn't know what to do with it. So for this
> case you need to use method="get" here. Can you quote the NPE
> exception you are getting?
>
> Alex
> --
> Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
> http://www.orbeon.com/
>
>


Re: How to get username and Password out of the security-request!?

Hank Ratzesberger

"separator" is an optional attribute for <submission> and semicolon
is the default.  I didn't immediately find where this is in the
spec.  I read it from this book:

http://xformsinstitute.com/essentials/browse/book.php

--Hank Ratzesberger



Re: How to get username and Password out of the security-request!?

Alessandro Vernet
Administrator
In reply to this post by Marcus-2
Marcus,

On 8/13/07, Marcus <[hidden email]> wrote:

> Hi Alex,
> i have found out another little detail, but don't know how to handle it.
> Back to the "pre" method and the NPE. The problem was, after carefully i
> took a look at the url:
> http://stmarcus.dyndns.org:8085/kkbib/admin/j_security_check?j_username=kkbib01;j_password=kkbib
>
> First i didn't saw it, but between j_username and j_password there is a ";"
> and not a "&" as usual. Testing the same URL with a "&" it works! But i
> don't know why the XForms produce a false URL. :-((
> Any idea?

Sorry for the delay; I intended to get back to you earlier about this.
This is a good catch: the default separator in XForms is ";". I am not
sure why this would be the default separator, as in 99% of the cases
you want & to be the separator with a GET. So when you have
method="get", in most cases you also want to have separator="&amp;" as
well on your xforms:submission, as Hank suggested. You'll let us know
if this works for you.

Alex
--
Orbeon Forms - Web 2.0 Forms, open-source, for the Enterprise
http://www.orbeon.com/
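
Added example (not part of the original thread, and not Orbeon or SecurityFilter code): a Python model of why the ";"-separated query in Marcus's URL left j_password unset while the "&" form logged in. The "&"-only parser, the `authenticate` guard and the in-memory user table are assumptions made for illustration; the field values are constructed from the URL quoted in the thread.

```python
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample data, modelled on the URL quoted in the thread.
FIELDS = [("j_username", "kkbib01"), ("j_password", "kkbib")]
USERS = {"kkbib01": "kkbib"}  # stand-in for the real user store


def serialize(fields, separator=";"):
    """Build a GET query string; ';' is the XForms default named in the thread."""
    return separator.join(f"{quote_plus(k)}={quote_plus(v)}" for k, v in fields)


def parse_ampersand_only(query):
    """Assumed server-side behaviour: only '&' separates name=value pairs."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), unquote_plus(value))
    return params


def authenticate(params):
    """Hypothetical realm check: fail closed on a missing credential
    instead of dereferencing it, which is where an NPE would come from."""
    user, password = params.get("j_username"), params.get("j_password")
    if user is None or password is None:
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def login(separator):
    """Serialize, parse and authenticate; return all three for inspection."""
    query = serialize(FIELDS, separator)
    params = parse_ampersand_only(query)
    return query, params, authenticate(params)


if __name__ == "__main__":
    for sep in (";", "&"):
        print(sep, *login(sep))
```

In the XForms markup the attribute is written separator="&amp;" because it lives in XML; the serialized URL then carries a plain "&".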




Re: How to get username and Password out of the security-request!?

Marcus-2
Hi Alex,
after Hank's mail I tried separator="&amp;" and that worked for me as well. So the next question only seems to be why I should use the application context for storing the username & password instead of the session context!? After my logout I destroy the session information, but will this also delete the information in the application context?
Or am I getting something wrong about that?

And another simple question may be: Will a processor inside an XPL be executed without any input, but if its output is used by another processor? When the user information is stored in the context, I want to create my "datasource.xml" dynamically, so I have to request it; otherwise I need the "datasource.xml" to be loaded. But this processor needs no input and gives me only the result as output. Right?

Thanks,
Marcus

