Pass username and password via browser in Formbased Authentication

 
Ranch Hand
Hi, I am using form-based authentication in my application. I want to know: is there any way I can pass the username and password in the URL so that the user need not enter it when accessing a secured resource?

It's something like this: I have 2 different applications, App1 and App2, and I am calling a secured page from App1 in App2. Now, as the page is secured, the container will prompt for username and password; therefore, while calling the page itself I want to give the username and password so that the login is carried out and the secured page is seen.

Any suggestions appreciated.
 
Rancher
What you're looking for is a single sign-on (or SSO) solution; the SecurityFaq lists several of those.

If you're certain that all your web apps will always be running on the same server, and that the server will always be Tomcat, then the Tomcat SSO valve may be for you.
 
carina caoor
Ranch Hand
No no .. I want to know how to pass username and password in the browser URL when the authentication type is FORM-based authentication.

 
Ulf Dittmer
Rancher
Passing security credentials in the URL is a bad idea for numerous reasons; much better to use proper SSO.
 
carina caoor
Ranch Hand
While browsing I found something like this..... but what is g2_form I didn't get .... and also I don't know what is UserLogin, Login

 
Ulf Dittmer
Rancher
Looks like a random URL to me - what's it have to do with your problem? Obviously you *can* pass in the URL whatever you choose, but that doesn't make it a good idea. FORM authentication works with POST, not GET, though - so anything you do in the URL will have no effect.
 
carina caoor
Ranch Hand
I have taken the above URL from the link

http://gallery.menalto.com/node/79854

as Form based authentication has got action="j_security_check" and username field as <input id="userId" type="text" name="j_username" size="30">

and password <input type="password" name="j_password" size="30"> so anything like

http://rsnb:8080/login.jsp?j_username="test"&j_password="test" should work.....

but this is not working.
 
Ulf Dittmer
Rancher

Ulf Dittmer wrote: FORM authentication works with POST, not GET, though - so anything you do in the URL will have no effect.

 
carina caoor
Ranch Hand
Thanks for your time ... one more question: if I use jQuery and post the username and password using $.post then..
 
Saloon Keeper
Let me make a distinction between "Form-based Authentication" and "Container Managed Security".

Form-based authentication is simply any system where a form is used instead of (for example) a popup dialog to collect login credentials. An application can design its own forms and its own logic to handle login and that will technically be form-based authentication. Of course, if it's like over 95% of the webapps I've seen with DIY security, it won't stand a chance against a halfway determined 10-year-old. But that's another matter.

Container Managed security means literally what its name says. Container Managed Security. You don't present a login form when doing form-based Container Managed Security. The container does. It does this when it determines that the user needs to be authenticated, and it does this by pushing the incoming URL request off to the side, running an internal login process, then resuming the original URL request (assuming the user logged in).

The Container Managed Login Form has no external URL.

The "j_security_check" URL is a postback URL. It cannot be directly invoked; it only functions when the container has posted out a login form. The container has constructed a login context before the form is presented. That context does not exist when a stand-alone URL request to j_security_check is made. That's why any attempt to explicitly log in using container-managed form-based security will fail.

You can induce a container-based login by causing the user to invoke a protected URL. You cannot induce a container-based login directly. The converse, however, is also true. You cannot bypass a login on a protected URL. Which is one of my favourite ways to outwit the DIY security systems.
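
A simplified model of the sequence described in the post above, as an added example that is not part of the original thread and not Tomcat's code. The outcome labels, the `/secure/` prefix and the `test`/`test` account are assumptions made for illustration.

```python
# Simplified model of container-managed form login; not Tomcat's implementation.
USERS = {"test": "test"}          # constructed realm contents
PROTECTED_PREFIX = "/secure/"     # assumed security-constraint url-pattern

class Container:
    def __init__(self):
        # session id -> {"saved": pending protected URL or None, "user": name or None}
        self.sessions = {}

    def _session(self, sid):
        return self.sessions.setdefault(sid, {"saved": None, "user": None})

    def get(self, sid, url):
        """Handle a GET for any application URL."""
        s = self._session(sid)
        if not url.startswith(PROTECTED_PREFIX) or s["user"]:
            return ("200", url)               # unprotected, or already logged in
        s["saved"] = url                      # push the request off to the side
        return ("login-form", None)           # the container presents the form

    def post_security_check(self, sid, username, password):
        """Handle the postback to j_security_check."""
        s = self._session(sid)
        if s["saved"] is None:                # no login context: direct invocation
            return ("error-no-login-context", None)
        if USERS.get(username) != password:
            return ("login-error-page", None)
        s["user"], resumed = username, s["saved"]
        s["saved"] = None
        return ("resume", resumed)            # the original request continues

def run_scenarios():
    """Return the outcome of a direct postback versus the induced login."""
    c = Container()
    direct = c.post_security_check("s1", "test", "test")
    form = c.get("s2", "/secure/report.jsp")
    induced = c.post_security_check("s2", "test", "test")
    return direct, form, induced

if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

The same valid credentials succeed or fail depending only on whether a protected request was saved first, which is why a stand-alone GET or `$.post` aimed at `j_security_check` does not log the user in.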
 