• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Authenticator issue

 
Chicken Farmer ()
Posts: 1932
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
First off, hey howdy Ranchers! Long time no see

Now on to the problem. Basically, I have a client application that runs a bunch of applets. Our application, at start up, creates a Authenticator and sets it as default. When we first try to get a session from the server (running on Weblogic), which is all done through servlets, we get the little username/password as expected.

The problem is the users have decided they want the ability for an application adminstrator to be able to log in within the same session (so different credentials than logged in previously) and do some administrative stuff, like release a locked resource.

So the flow would be User A (non-administrator) opens the application, realizes something is hosed with a resource, and asks User B (administrator) to release it. User B clicks on an Administrator Release button, which creates a new Authenticator, sets the current default to null (which according to the API should remove any current authenticator) and then sets the default to the new one. A session is then created which when requested should ask the new user for their username and password. That's then validated and checked for admin rights, and the resource is released. We reset back to the previous authenticator, and User A can then go about their work.

I would expect to have the new Authenticator's request for username and password be shown, however it appears to be using the previous credentials, even when I null out the default authenticator without resetting the default.

Oh yeah, this is all on SDK 1.4.1_13. Yay for being behind the times!

I would love to post code snippets, but das ist verboten where I work.

And hopefully this makes sense.

Thanks for any help, peace!
Jason
[ July 07, 2008: Message edited by: jason adam ]
 
Bartender
Posts: 1638
IntelliJ IDE MySQL Database Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I am not really sure i got the stuff related to authenticator.
When you say session i assume you are talking about an HTTPSession, isnt?

So, one question, if you update the HTTPSession and add admin privilege, then i assume the other user will also be able to browse through and use admin privileges, isnt? Will this not be a security breach?

The problem is the users have decided they want the ability for an application adminstrator to be able to log in within the same session



I would think that the requirement is to "see" the other user's session and not "use" the same session.
I think using the same session will not be a correct way of doing things as HTTPSessions are not really supposed to be used like that.
I would approach it in this way:

  • Store the HTTP session in a class that can provide access to the session contents. (Clear this using a session listener)
  • Give admin the privilege to see/alter any one's session.
  • If resources can be modified/released only in the same session they were created, then modify them to allow admins to change them from any session.


  • I hope this helps.
     
    Rancher
    Posts: 43081
    77
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    It sounds as if you're using BASIC authentication. Once a user has entered username/password into that, browsers will send it to the server with each request until they're closed. In that sense, there's no concept of "logging out". (Which, incidentally, is one of the reasons I've completely stopped using container-managed servlet security.)

    You could set up a different realm (i.e., a realm with a different name). That would cause the browser to ask the user for the new credentials. But again, that would be sent as long as the browser is running - no "logging out" of the admin realm. Then both usernames/passwords would be sent with each request all the time.
     
    What's wrong? Where are you going? Stop! Read this tiny ad:
    a bit of art, as a gift, the permaculture playing cards
    https://gardener-gift.com
    reply
      Bookmark Topic Watch Topic
    • New Topic