Pass username and password via browser in Formbased Authentication

carina caoor
Ranch Hand

Joined: Jun 23, 2007
Posts: 300

Hi, I am using form-based authentication in my application. I want to know whether there is any way I can pass the username and password in the URL so that the user need not enter it when accessing a secured resource.

It's something like this: I have 2 different applications, App1 and App2, and I am calling a secured page from App1 in App2. Now, as the page is secured, the container will prompt for username and password; therefore, while calling the page itself, I want to give the username and password so that the login is carried out and the secured page is seen.

Any suggestions appreciated.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41150
What you're looking for is a single sign-on (or SSO) solution; the SecurityFaq lists several of those.

If you're certain that all your web apps will always be running on the same server, and that the server will always be Tomcat, then the Tomcat SSO valve may be for you.


Ping & DNS - my free Android networking tools app
carina caoor
Ranch Hand

Joined: Jun 23, 2007
Posts: 300

No no .. I want to know how to pass username and password in the browser URL when the authentication type is FORM-based authentication.

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41150
Passing security credentials in the URL is a bad idea for numerous reasons; much better to use proper SSO.
carina caoor
Ranch Hand

Joined: Jun 23, 2007
Posts: 300

While browsing I found something like this..... but what is g2_form I didn't get .... and also I don't know what is UserLogin,Login

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41150
Looks like a random URL to me - what's it have to do with your problem? Obviously you *can* pass in the URL whatever you choose, but that doesn't make it a good idea. FORM authentication works with POST, not GET, though - so anything you do in the URL will have no effect.
carina caoor
Ranch Hand

Joined: Jun 23, 2007
Posts: 300

I have taken the above URL from the link

http://gallery.menalto.com/node/79854

As form-based authentication has got action="j_security_check" and username field as <input id="userId" type="text" name="j_username" size="30">

and password <input type="password" name="j_password" size="30"> so anything like

http://rsnb:8080/login.jsp?j_username="test"&j_password="test" should work.....

but this is not working.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41150
Ulf Dittmer wrote: FORM authentication works with POST, not GET, though - so anything you do in the URL will have no effect.
carina caoor
Ranch Hand

Joined: Jun 23, 2007
Posts: 300

Thanks for your time ... one more question: if I use jQuery and post the username and password using $.post then..
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15961

Let me make a distinction between "Form-based Authentication" and "Container Managed Security".

Form-based authentication is simply any system where a form is used instead of (for example) a popup dialog to collect login credentials. An application can design its own forms and its own logic to handle login and that will technically be form-based authentication. Of course, if it's like over 95% of the webapps I've seen with DIY security, it won't stand a chance against a halfway determined 10-year-old, but that's another matter.

Container Managed Security means literally what its name says. Container Managed Security. You don't present a login form when doing form-based Container Managed Security. The container does. It does this when it determines that the user needs to be authenticated, and it does this by pushing the incoming URL request off to the side, running an internal login process, then resuming the original URL request (assuming the user logged in).

The Container Managed Login Form has no external URL.

The "j_security_check" URL is a postback URL. It cannot be directly invoked; it only functions when the container has posted out a login form. The container has constructed a login context before the form is presented. That context does not exist when a stand-alone URL request to j_security_check is made. That's why any attempt to explicitly log in using container-managed form-based security will fail.

You can induce a container-based login by causing the user to invoke a protected URL. You cannot induce a container-based login directly. The converse, however, is also true. You cannot bypass a login on a protected URL. Which is one of my favourite ways to outwit the DIY security systems.


Customer surveys are for companies who didn't pay proper attention to begin with.
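
An added example, not code from the thread or from any poster: a deployment descriptor for the container-managed FORM login discussed above, with the login form and the Tomcat SSO valve shown as comments. The URL pattern, page paths and the role name "member" are assumptions made for illustration.

```xml
<!-- WEB-INF/web.xml fragment (added example; resource names, paths and the
     role name "member" are assumptions, not taken from the thread) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Credentials travel in the POST body; require TLS for them. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Served by the container only after it has intercepted a request
         for /secure/*; it is not an entry point of its own. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>member</role-name>
</security-role>

<!-- /login.jsp body: the fields quoted in the thread, submitted with POST.
<form method="post" action="j_security_check">
  <input type="text" name="j_username" size="30">
  <input type="password" name="j_password" size="30">
  <input type="submit" value="Log in">
</form>
-->

<!-- Same-server sign-on across App1 and App2 (the Tomcat SSO valve mentioned
     in the thread) is configured in conf/server.xml inside <Host>:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
```

With this in place a link from App1 simply targets the protected URL in App2; the credentials never appear in a query string, so they do not end up in browser history, access logs or Referer headers.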
 