
Login to different web-application

 
Gerome Kawa
Ranch Hand
Posts: 61
Scenario:
There exist two web applications, A and B, deployed on different machines.
A and B have different authentication mechanisms.
Requirement:
Once a user is logged in to A, it needs a link in a JSP (in A) to navigate straight to a protected page in B (the user needs to post the hard-coded userId/password which is valid for B). B is using the JAAS mechanism.

Can anyone please give some code snippet of how to post a hard-coded userId/password in A to access B?

Thanks
Kawa
 
David O'Meara
Rancher
Posts: 13459
This sounds a bit too specific. Is this homework?
I just ask since embedding the username and password in a link on site A doesn't sound like a very secure way to authenticate against B. Personally I believe you should never include a user's password on a page where it may be snooped, cached or otherwise gathered or seen.

Is what you have described hard requirements, or is this the current solution to requirements which you haven't shared yet?

Dave
 
Gerome Kawa
Ranch Hand
Posts: 61
David
I need a way of accessing a protected JSP in B from A without going via B's login page but I know B's userid/password.
FYI: Both the applications are on the intranet and extreme security is not the immediate requirement. Once I establish the link I'll investigate better ways of achieving proper security.

I'd appreciate some solutions.

Thanks
Kawa
 
David O'Meara
Rancher
Posts: 13459
If they are in an intranet and you control the browsers, one way is to have A make an HTTP connection to B and log in, get the session cookie and pass that to the client specifying B's domain.

Another is to log in to B from A as above, but get B to pass a single-use token. You pass this token to the client, they pass it to B and B agrees to authenticate them.

There are several ways to do it assuming you control A and B and they are allowed to trust each other.
 
Gerome Kawa
Ranch Hand
Posts: 61
David
Can you please give me some code snippets of what I need to have in A and in B ?

Thanks
Kawa
 
David O'Meara
Rancher
Posts: 13459
Depends how you authenticate in B. Search the Ranch for code snippets on HTTP connections and tailor them to log in to B. You can write this in a stand-alone app before writing it to work with A.

Get B to log in and send a token to A. Any sufficiently long string value will work. Store this on B with the time it was sent and the person it is supposed to authenticate. The time is to prevent tokens lasting forever. They should probably live a minute or two.

Sequence looks like this:
1) client shows their intention to access B.
2) A does what it needs to get the token and writes it in the response to the client.
3) The client clicks the link and sends the request and token to B
4) B gets the token, tests its age then logs in the client.

Sorry about a lack of actual code, but it's a bit hard without actually writing everything. I can give you this:
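
Added example, not part of the original post and not the code David refers to: a sketch of the token bookkeeping B would do for steps 2 and 4 of the sequence above. The class name `OneTimeTokenStore`, its methods, the two-minute lifetime and the use of `SecureRandom` for the token value are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical single-use login token store living in application B. */
public class OneTimeTokenStore {
    private record Entry(String user, Instant issuedAt) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> pending = new ConcurrentHashMap<>();
    private final Duration maxAge;

    public OneTimeTokenStore(Duration maxAge) { this.maxAge = maxAge; }

    /** Step 2: A, already logged in to B, asks B for a token on behalf of a user. */
    public String issue(String user, Instant now) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG (assumed choice)
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, new Entry(user, now));  // store who it is for and when it was sent
        return token;
    }

    /** Step 4: the client presents the token to B; B tests its age, then logs the user in. */
    public Optional<String> redeem(String token, Instant now) {
        if (token == null) return Optional.empty();
        Entry e = pending.remove(token);           // atomic remove makes the token single-use
        if (e == null) return Optional.empty();    // unknown token, or one already redeemed
        if (Duration.between(e.issuedAt(), now).compareTo(maxAge) > 0) {
            return Optional.empty();               // too old; already removed, so it stays dead
        }
        return Optional.of(e.user());              // caller creates B's session for this user
    }

    public static void main(String[] args) {
        OneTimeTokenStore store = new OneTimeTokenStore(Duration.ofMinutes(2));
        Instant t0 = Instant.parse("2004-11-03T10:00:00Z");   // constructed timestamps
        String fresh = store.issue("kawa", t0);
        System.out.println(store.redeem(fresh, t0.plusSeconds(30)));  // first use, inside the window
        System.out.println(store.redeem(fresh, t0.plusSeconds(31)));  // same token presented again
        String stale = store.issue("kawa", t0);
        System.out.println(store.redeem(stale, t0.plusSeconds(300))); // presented after maxAge
    }
}
```

Tokens that are issued but never presented stay in the map, so a real deployment would also sweep entries older than `maxAge` on a timer.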
 
rahul V kumar
Ranch Hand
Posts: 82
Approach 1)

Why don't you use JavaScript to do a POST to App B with the user id and password when you click on the link?

Approach 2)

How about making a round trip to both the applications during the sign-on.

1) User enters user_id and password in app A
2) On submit you would authenticate the user in app A & then redirect to App B and authenticate him there. On successful authentication in App B the user is redirected to App A's jsp page.
 
Gerome Kawa
Ranch Hand
Posts: 61
Hi Ravi
Can you give a code snippet of how to post to app B using javascript ?
Thanks
 
Gerome Kawa
Ranch Hand
Posts: 61
Let me rephrase the question:
A and B are two different J2EE applications deployed on two different machines (FYI: A is on WebLogic and B is on Apache).
A and B have different login mechanisms. Once I am logged into A I need a link in a JSP to take me to a protected JSP in B (I know the userid/password to log into B, but I don't want to type them in B's login page; instead I want to hard-code them when I am sending a request to access B).
I cannot change any code in B as it is developed by a third party.
The security aspect is not an issue as both A and B will be on the company intranet.

Any help will be welcome (My thanks to David and Rahul who responded earlier)

Thanks
 
David O'Meara
Rancher
Posts: 13459
So it doesn't matter if the username and password for B get shown to the client?

Have you tried encoding the username and password in the URL for the link to B? I believe a version of IE6 disables this, but you may just be able to write the link like this:
http://dave:daverules@www.b-host.com/secure.html
Simple, but try it, it might work.
[ November 03, 2004: Message edited by: David O'Meara ]
 
Gerome Kawa
Ranch Hand
Posts: 61
David
It didn't work. 'Page cannot be displayed' shown !
What I used:
In a JSP in A:
<a href = http://username:password@devbox.internal:8888/frontend/reports/index.jsp>See Reports</a>

Note: The page I want to access is:
http://devbox.internal:8888/frontend/reports/index.jsp

Thanks
Kawa
 
Gerome Kawa
Ranch Hand
Posts: 61
To add to the above:

I got
Invalid syntax error - Microsoft Internet Explorer
as the page title too
 
David O'Meara
Rancher
Posts: 13459
Yep, looks like IE is blocking it. Check this site:
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
In particular, it has registry edits to disable this behaviour, but read the article so you know what the implications are.

Dave
 
rahul V kumar
Ranch Hand
Posts: 82
Have a form with two hidden fields. Those hidden fields are nothing but username and password the user entered.

Now when the user hits the link for Application B call a javascript function. The javascript could be as simple as this.

<script type="text/javascript">
// Submit the hidden form whose fields carry the username and password to application B.
function submitHiddenForm() {
    document.forms["hidden_form_name"].submit();
}
</script>
 
Gerome Kawa
Ranch Hand
Posts: 61
David
Does the
http://username:password@<url>/protected.jsp
mechanism work if it is trying to bypass form-based authentication?

FYI: I am still getting the Invalid Syntax error mentioned before

Thanks
Kawa
 
David O'Meara
Rancher
Posts: 13459
No, it bypasses basic authentication. Try the hidden form mentioned above.
 
Gerome Kawa
Ranch Hand
Posts: 61
Hi David
http://username:password@<hosturl>/protected.jsp

is not working even on Mozilla when trying to bypass the basic JAAS authentication of application B !

Says page cannot be displayed !

Any ideas why ?

Thanks
Kawa
 