Get Username/Passwd from Basic Authentication in Handler

Similar Messages

• (JAAS) Getting LoginContext when using BASIC authentication

  I am using basic authentication in JAAS to authenticate users for JSF web resources. My web.xml is configured as follows:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>eccgroup</realm-name>
  </login-config>
  How can I get hold of the LoginContext that (I assume) was created in order to logout?
  The Principal is available on the HTTPRequest but I cannot find where the LoginContext is stored?

  As far as I know, vendors are not required to rely on a JAAS LoginContext to perform BASIC auth. Different vendor implementations may do different things. So you may have to rely on a programmatic logout API, but I'm not personally aware of any standard API for this.

• URGENT : Unprotect a virtual directory from basic authentication

  All,
  Server : Weblogic 8.1
  OS : Windoes 2000 Adv Server SP4
  I am very successfull in configuring a web application with basic authentication
  and all works fine for me. Now i have a virtual directory for downloading certain
  files. These i have to unprotect meaning no authentication mode should be enabled
  for this virtual directory.
  Unfortunately i am using weblogic as both web and appserver. I know how to do
  the same with webservers like IIS or Apache.
  IS it possible to do this config with weblogic 8.1 ? To configure a web application
  with basic auth and ignore or unprotect (enable anonymous access) for a virtual
  directory.
  Thanks in Advance
  Viswanathan

  Hi,
  I agree with Tim that we can ask for better help in the following IIS forum.
  IIS.NET forum
  http://forums.iis.net/
  Best regards,
  Frank Shen

• How to get user attributes from LDAP authenticator

  I am using an LDAP authenticator and identity asserter to get user / group information.
  I would like to access LDAP attributes for the user in my ADF Taskflow (Deployed into webcenter spaces).
  Is there an available api to get all the user attributes through the established weblogic authenticator provider or do i have to directly connect to the LDAP server again?
  Any help would be appreciated

  Hi Julián,
  in fact, I've never worked with BSP iViews and so I don't know if there is a direct way to achieve what you want. Maybe you should ask within BSP forum...
  A possibility would be to create a proxy iView around the BSP iView (in fact: before the BSP AppIntegrator component) which reads the user names and passes this as application params to the BSP component. But this is
  Beginner
  Medium
  Advanced
  Also see http://help.sap.com/saphelp_nw04/helpdata/en/16/1e0541a407f06fe10000000a1550b0/frameset.htm
  Hope it helps
  Detlev

• Migration of legacy Customer from Basic Authentication to OAuth 2.0

  Hi Team,
  I have tested OAuth 2.0 and able to fetch and insert data. The user I have created is 1 month back, so both Basic and OAuth 2.0 is working.
  What about the legacy customers, who are using Basic as their authentication mechanism. Can they use OAuth 2.0?
  And if not, how much time it will take to migrate to the OAuth 2.0?
  Is there any cost involved?
  Awaiting your response.
  Thanks & Regards,
  Brajmohan

  What do you mean by "legacy"?  OAuth can be used with any of our RESTful APIs, so unless you are using the SOAP API (which only supports Basic), you can move to OAuth.

• Multiple popups for username/password for basic authentication.

  Safari 4.0.5 (5531.22.7) gives multiple popups for username/password while requesting a page which has more than one 'secure' items in it (basic auth). We expected that Safari to reuse the credentials entered the first time around and pass it on for subsequent requests. (Although RFC 2617 specifies that the credentials 'may' be reused, not really sure what Safari is doing here, though this seems to be the behavior on other popular browsers).
  There's another discussion that listed this problem but that too seems to be unresolved yet (http://discussions.apple.com/message.jspa?messageID=2074214).

  HI and welcome to Apple Discussions...
  If you have tried the suggestions at that link but nothing worked, update Safari.
  Apple Menu / Software Updates.
  Repair disk permissions after the updates are installed.
  Carolyn

• How to get event source from value property changed handler?

  I am relatively new to JavaFX, so perhaps this is an easy question to answer. I am creating in Java code several (e.g., 5) ChoiceBox instances. I add a handler for when the value of the ChoiceBox changes. My code:
  ChoiceBox<String> rpmSelector = new ChoiceBox<>();
  ObservableList<String> rpmSelectorItems = FXCollections.observableArrayList();
  rpmSelectorItems.add(ALL_RPM);
  for (Double engSpeed : engSpeeds) {
      rpmSelectorItems.add(String.format("%.0f", engSpeed.doubleValue()));
  rpmSelector.setItems(rpmSelectorItems);
  rpmSelector.getSelectionModel().selectFirst();
  rpmSelector.valueProperty().addListener(new ChangeListener<String>() {
      @Override
      public void changed(ObservableValue<? extends String> obsValue,
              String oldValue, String newValue) {
         // How can I get the ChoiceBox that was the source of this event?
  });My question is: in the "changed" method, how do I determine which of the ChoiceBox instances had its value changed?
  Thanks!
  Chris
  Edited by: 976245 on May 15, 2013 1:05 PM
  Edited by: 976245 on May 15, 2013 1:05 PM

       My question is: in the "changed" method, how do I determine which of the ChoiceBox instances had its value changed?You have only one ChoiceBox control. Probably you want to get the selected item. If it is the case you can get it through selectedItemProperty(),
  selectedIndexProperty(), and valueProperty()
          rpmSelector.getSelectionModel().selectedItemProperty().addListener(new ChangeListener<String>() {
              public void changed(ObservableValue<? extends String> ov, String old_val, String new_val) {
                  System.out.println("Selected item is: " + new_val);
          rpmSelector.getSelectionModel().selectedIndexProperty().addListener(new ChangeListener<Number>() {
              @Override
              public void changed(ObservableValue<? extends Number> observableValue, Number oldv, Number newv) {
                  System.out.println("Selected index is: " + newv.intValue());
          rpmSelector.valueProperty().addListener(new ChangeListener<String>() {
              public void changed(ObservableValue<? extends String> ov, String old_val, String new_val) {
                  System.out.println("Selected   value: " + new_val);
          });

• BASIC authentication and web client problems

  I have a very simple web service that is working. Now before attempting to use
  SSL, I want to test authenticating using BASIC authentication. I’ve made the
  changes to web.xml and even though the other web service pages authenticate ok
  (ex. http://localhost:7001/fileexchange/FileExchangeFacade), I am prompted again
  for authentication for web service itself. I can never authenticate to http://localhost:7001/fileexchange/FileExchangeFacade?operation.view=helloWorld.
  Has anyone completed this and if so, how does it work? I must have missed something
  simple.
  First, I setup the security constraint as follows:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>file-exchange-resources</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>Administrators</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
  </login-config>
  <security-role>
  <description>An administrators</description>
  <role-name>Administrators</role-name>
  </security-role>
  That allows me to secure / authenticate to the JSPs in the web service test app
  provided. Then I tried working with the admin server console to setup roles /
  privileges. I couldn’t get this to work but I easily could have done something
  wrong since there are no step by step examples other than the general docs in
  the programming guide.
  Next, since the web service deploys as a web application, I figured the problem
  must be that the internal WLS servlet needs security information defined in web.xml.
  I saw the programming guide listed the servlet name and discussed servlet mapping
  so I added the normal security entries for a servlet as follows and re-jarred
  the WAR and EAR.
  <servlet>
  <servlet-name>WebServiceServlet</servlet-name>
  <servlet-class>
  weblogic.webservice.server.servlet.WebServiceServlet
  </servlet-class>
  </servlet>
  <servlet-mapping>
  <servlet-name>WebServiceServlet</servlet-name>
  <url-pattern>/FileExchangeFacade/*</url-pattern>
  <security-role-ref>
  <role-name>Administrators</role-name>
  <role-link>Administrators</role-link>
  </security-role-ref>
  </servlet-mapping>
  It still doesn’t work. Any idea on how to get it to authenticate?
  Thanks,
  Dave

  Ok, this looks like an issue with the test page.
  When the test page gets a request to invoke a
  web service, it creates a client proxy and call invoke
  on the proxy. This will case the client proxy to
  create a new HTTP post connection to the server.
  Test page pulls out the username/passwd from the
  GET request from the browser and pass it to the
  POST request it makes to the web service. I think,
  the test page needs to do the same for realm. I will
  file a CR for this (CR105320).
  Please contact support with the case number if you
  need a patch for this.
  http://manojc.com
  "Malcolm Robbins" <[email protected]> wrote in message
  news:[email protected]...
  "Malcolm Robbins" <[email protected]> wrote in message
  news:[email protected]...
  One more thing.
  I took out explicit realm mapping and noticed that the firstauthentication
  challenge was for the WebLogic standard realm which was fine and
  authentication was successful. (i.e. I got to the web service "homepage").
  Actually I meant it was listed as "Weblogic Server" in the 1st challenge.
  When I stepped into the web service method and pressed the Invoke buttonon
  the web service methods the realm was "default" and authenticationfailed.
  Why does the domain change and how do I cover this?Is was actually listed as "Default".
  However this is the same domain I believe because I've done a further
  experiment and set the domains explicitely
  in the deployment WAR deployment (Other tab) and in the web.xml file. The
  second challange is then asking for re-authentication in the correctdomain
  (myrealm) but it does not accept the valid user/password and just re
  challenges until 3 attempts then it displays the SOAP message and theserver
  log file has the following exception:
  java.io.FileNotFoundException: Response: '401: Unauthorized xxx' for url:
  'http://localhost:7001/webservice/TraderService?WSDL'
  at
  weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:36
  2)
  at java.net.URL.openStream(URL.java:793)
  at
  weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefinition(Definitio
  nFactory.java:73)
  at
  weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.java:63)
  at
  weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:
  108)
  at
  weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:
  84)
  at
  weblogic.webservice.server.servlet.ServletBase.invokeOperation(ServletBase.j
  ava:230)
  at
  weblogic.webservice.server.servlet.WebServiceServlet.invokeOperation(WebServ
  iceServlet.java:306)
  at
  weblogic.webservice.server.servlet.ServletBase.handleGet(ServletBase.java:19
  8)
  at
  weblogic.webservice.server.servlet.ServletBase.doGet(ServletBase.java:124)
  at
  weblogic.webservice.server.servlet.WebServiceServlet.doGet(WebServiceServlet
  .java:224)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
  at
  weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(Servle
  tStubImpl.java:1058)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :401)
  at
  weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java
  :306)
  at
  weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(W
  ebAppServletContext.java:5412)
  at
  weblogic.security.service.SecurityServiceManager.runAs(SecurityServiceManage
  r.java:744)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletCo
  ntext.java:3086)
  at
  weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java
  :2544)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)

• How set  UserName and Password for HTTP Basic Authentication for a servlet

  Hi..
  How set UserName and Password for HTTP Basic Authentication for a servlet in JBoss server?
  Using Tomcat i can do it .(By setting roles in web.xml, and user credintails in tomcat-user.xml).
  But i dont know how do it in JBOSS..
  I am using Netbeans and Eclipse IDEs.. Can we do it by using them also!?
  Thank u

  Hi Raj,
  You can do this by creating a Login screen for the users and check the authentication of each user in PAI i.e. PROCESS AFTER INPUT.
  Store the user information in a database table and check the username and password when the user enters it.
  You can display password as *** also. For this double click on input box designed for password and goto Display tab. Select Invisible in the list and check it.
    CASE sy-ucomm.
      WHEN 'BACK'.
        LEAVE PROGRAM.
      WHEN <fcode for submit>.
        SELECT SINGLE uname pwd
         FROM <DB table>
         INTO (user, pass)
         WHERE username = user AND
                 password = passwd.
        IF sy-subrc = 0.
  <Go to next screen for further processing>
        ELSE.
  <Display Error message and exit>
        ENDIF.
    ENDCASE.
  Regards,
  Amit
  Message was edited by:
          Amit Kumar

• Basic Authentication username

  Hi
  I have an Application Module exposed as a web service.
  Basic authentication is required via web.xml and the users can be authenticated via jazn or principals or something :), but is there anyway to get to the username in the code?
  Thanx

  Hi, did you solve this.
  I'm trying to do the same.
  Using jdeveloper 9.0.5.2 I generate a j2ee webservice from a java class.
  I have set up basic authetication.
  And are trying to find out how to get the username (username of client calling webservice) into the implementing class.
  Thanks in advance
  Dag

• How to call a web service from BPEL that requires HTTP basic authentication

  Hi All,
  I need to calling some Web Services from BPEL (SOA 10.1.3.1 production running on XP machine). The services require HTTP basic authentication.
  I have tried adding httpUsername and httpPassword properties to the ParnterLink, and I see in BPEL Console that they are deployed by checking the descriptor page. But I still get a SOAP fault, HTTP 401: Unathenticated.
  I have also tried using basicHeaders (from memory) = credentials, httpBasicUsername, and httpBasicPassword. Same result.
  I have done a packet trace using Ethereal, and the headers do not seem to contain the userid and password at all.
  Can anyone help?
  Thanks,
  Mark Nelson

  Thanks Bas,
  I have resolved the issue. The provider of the Web Service had not configured if for Basic Authentication. For some reason it worked when they tested, or maybe the did not test. The only thing I had to change was to use:
  <property name="basicHeaders">credentials</property>
  <property name="basicUsername">WMDATA</property>
  <property name="basicPassword">WMDATA</property>
  Instead of:
  <property name="httpUsername">WMDATA</property>
  <property name="httpPassword">WMDATA</property>
  I don’t know why this is, maybe because it is an Axis Web Service.
  Sorry for wasting your time.
  Regards Pete

• WPF UI running in seperate runspace - able to set/get controls via synchronized hash table, but referencing the control via the hash table from within an event handler causes both runspaces to hang.

  I am trying to build a proof of concept where a WPF form is hosted in a seperate runspace and updates are handled from the primary shell/runspace. I have had some success thanks to a great article by Boe Prox, but I am having an issue I wanted to open up
  to see if anyone had a suggestion.
  My goals are as follows:
  1.) Set control properties from the primary runspace (Completed)
  2.) Get control properties from the primary runspace (Completed)
  3.) Respond to WPF form events in the UI runspace from the primary runspace (Kind of broken).
  I have the ability to read/write values to the form, but I am having difficulty with events. Specifically, I can fire and handle events, but the minute I try to reference the $SyncHash from within the event it appears to cause a blocking condition hanging both
  runspaces. As a result, I am unable to update the form based on an event being fired by a control.
  In the example below, the form is loaded and the following steps occur:
  1.) Update-Combobox is called and it populates the combobox with a list of service names and selects the first item.
  2.) update-textbox is called and sets the Text property of the textbox.
  3.) The Text value of the textbox is read by the function read-textbox and output using write-host.
  4.) An event handle is registered for the SelectionChanged event for the combobox to call the update-textbox function used earlier.
  5.) If you change the selection on the combobox, the shell and UI hangs as soon as $SyncHash is referenced. I suspect this is causing some sort of blocking condition from multiple threads trying to access the synchronized nature of the hash table, but I am
  unsure as to why / how to work around it. If you comment out the line "$SyncHash.TXT_Output.Dispatcher.Invoke("Send",[action]{$SyncHash.TXT_Output.Text = $Value})" within update-textbox the event handler will execute/complete.
  $UI_JobScript =
  try{
  Function New-Form ([XML]$XAML_Form){
  $XML_Node_Reader=(New-Object System.Xml.XmlNodeReader $XAML_Form)
  [Windows.Markup.XamlReader]::Load($XML_Node_Reader)
  try{
  Add-Type –AssemblyName PresentationFramework
  Add-Type –AssemblyName PresentationCore
  Add-Type –AssemblyName WindowsBase
  catch{
  Throw "Unable to load the requisite Windows Presentation Foundation assemblies. Please verify that the .NET Framework 3.5 Service Pack 1 or later is installed on this system."
  $Form = New-Form -XAML_Form $SyncHash.XAML_Form
  $SyncHash.Form = $Form
  $SyncHash.CMB_Services = $SyncHash.Form.FindName("CMB_Services")
  $SyncHash.TXT_Output = $SyncHash.Form.FindName("TXT_Output")
  $SyncHash.Form.ShowDialog() | Out-Null
  $SyncHash.Error = $Error
  catch{
  write-host $_.Exception.Message
  #End UI_JobScript
  #Begin Main
  add-type -AssemblyName WindowsBase
  [XML]$XAML_Form = @"
  <Window xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
  xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <Window.Resources>
  <DataTemplate x:Key="DTMPL_Name">
  <TextBlock Text="{Binding Path=Name}" />
  </DataTemplate>
  </Window.Resources>
  <DockPanel LastChildFill="True">
  <StackPanel Orientation="Horizontal" DockPanel.Dock="Top">
  <Label Name="LBL_Services" Content="Services:" />
  <ComboBox Name="CMB_Services" ItemTemplate="{StaticResource DTMPL_Name}"/>
  </StackPanel>
  <TextBox Name="TXT_Output"/>
  </DockPanel>
  </Window>
  $SyncHash = [hashtable]::Synchronized(@{})
  $SyncHash.Add("XAML_Form",$XAML_Form)
  $SyncHash.Add("InitialScript", $InitialScript)
  $Normal = [System.Windows.Threading.DispatcherPriority]::Normal
  $UI_Runspace =[RunspaceFactory]::CreateRunspace()
  $UI_Runspace.ApartmentState = [System.Threading.ApartmentState]::STA
  $UI_Runspace.ThreadOptions = [System.Management.Automation.Runspaces.PSThreadOptions]::ReuseThread
  $UI_Runspace.Open()
  $UI_Runspace.SessionStateProxy.SetVariable("SyncHash",$SyncHash)
  $UI_Pipeline = [PowerShell]::Create()
  $UI_Pipeline.Runspace=$UI_Runspace
  $UI_Pipeline.AddScript($UI_JobScript) | out-Null
  $Job = $UI_Pipeline.BeginInvoke()
  $SyncHash.ServiceList = get-service | select name, status | Sort-Object -Property Name
  Function Update-Combobox{
  write-host "`nBegin Update-Combobox [$(get-date)]"
  $SyncHash.CMB_Services.Dispatcher.Invoke($Normal,[action]{$SyncHash.CMB_Services.ItemsSource = $SyncHash.ServiceList})
  $SyncHash.CMB_Services.Dispatcher.Invoke($Normal,[action]{$SyncHash.CMB_Services.SelectedIndex = 0})
  write-host "`End Update-Combobox [$(get-date)]"
  Function Update-Textbox([string]$Value){
  write-host "`nBegin Update-Textbox [$(get-date)]"
  $SyncHash.TXT_Output.Dispatcher.Invoke("Send",[action]{$SyncHash.TXT_Output.Text = $Value})
  write-host "End Update-Textbox [$(get-date)]"
  Function Read-Textbox(){
  write-host "`nBegin Read-Textbox [$(get-date)]"
  $SyncHash.TXT_Output.Dispatcher.Invoke($Normal,[action]{$Global:Return = $SyncHash.TXT_Output.Text})
  $Global:Return
  remove-variable -Name Return -scope Global
  write-host "End Read-Textbox [$(get-date)]"
  #Give the form some time to load in the other runspace
  $MaxWaitCycles = 5
  while (($SyncHash.Form.IsInitialized -eq $Null)-and ($MaxWaitCycles -gt 0)){
  Start-Sleep -Milliseconds 200
  $MaxWaitCycles--
  Update-ComboBox
  Update-Textbox -Value $("Initial Load: $(get-date)")
  Write-Host "Value Read From Textbox: $(Read-TextBox)"
  Register-ObjectEvent -InputObject $SyncHash.CMB_Services -EventName SelectionChanged -SourceIdentifier "CMB_Services.SelectionChanged" -action {Update-Textbox -Value $("From Selection Changed Event: $(get-date)")}

  Thanks again for the responses. This may not be possible, but I thought I would throw it out there. I appreciate your help in looking into this.
  To clarify the "Respond to control events in the main runspace"... I'm would like to have an event generated by a form object in the UI runspace (ex: combo box selectionchanged event) trigger a delegate within the main runspace and have that delegate in
  the main runspace update the form in the UI runspace.
  ex:
  1.) User changes selection on combo box generating form event
  2.) Event calls delegate (which I have gotten to work)
  3.) Delegate does some basic processing (works)
  4.) Delegate attempts to update form in UI runspace (hangs)
  As to the delegates / which runspace they are running in. I see the $synchash variable if I run get-var within a delegate, but I do not see the $Form variable so I am assuming that they are in the main runspace. Do you agree with that assumption?

• Calling web service with basic authentication from EP "unauthorized"

  Hello,
  I need to call a .NET web service with basic authentication on the IIS from my portal application (no http proxy between portal and IIS). But always I get the following exception:
  <b>com.sap.engine. services.webservices.jaxm.soap.accessor. NestedSOAPException:
  Problem in server response: [Unauthorized].</b>
  I'm using the following code for calling the .NET web service:
  <b>...</b><i>Licence_GetList lParameter = new Licence_GetList();
  lParameter.setStatus(CEnvironment.TransformStatus_WebService(search));
  ILicenceManager lLicMan = (ILicenceManager) PortalRuntime.getRuntimeResources().getService("LicenceManager");
  ILicenceManager lLicManSecure = lLicMan.getSecurisedServiceConnection(request.getUser());
  Licence_GetListResponse lGetListResponse = lLicManSecure.Licence_GetList(lParameter);</i><b>...</b>
  I've also configured a http system in the portal system landscape using the following parameters:
  <i>Authentication Method : Basic Authentication
  Authentication Type : Server
  User Mapping Type : admin,user</i>
  The user mapping is also personalized for this system!
  What's wrong? Please help! This is really urgent!
  Kind Regards
  Joerg Loechner

  Hello Renjith,
  here is a small cutout of my "portapp.xml";
  <services>
    <service alias="LicenceManager" name="LicenceManager">
      <service-config>
        <property name="className" value="de.camelotidpro.
               pct.xi.scm.webservice.LicenceManager"/>
        <property name="startup" value="false"/>
        <property name="WebEnable" value="false"/>
        <property name="WebProxy" value="true"/>
        <property name="SecurityZone" value="de.camelotidpro.
               pct.xi.scm.webservice.LicenceManager/
                 DefaultSecurity"/>
      </service-config>
      <service-profile>
        <property name="SystemAlias" value="LicMan_NET"/
      </service-profile>
    </service>
  </services>
  I'm using a http system created in the system landscape (alias LicMan_NET). But it seems that this system is not used by the web service call (No error, even if I delete this system!). The code used to call this web service can be found at the top of this threat...
  Regards
  Joerg Loechner

• How do I get around a limitation of Basic Authentication

  Dear all,
  your input on the following problem would be appreciated:
  We have encountered a problem with both the "logout" and "timeout" functionality used in eCRM, due to the use of basic authentication.
  Following a users logout and/or timeout period expiring, we are invalidating the user's session, so any user info will be removed from the server memory, and if the user attempts to access the site again there will be a security challenge.
  But since basic authentication is being used and the browser already has your authentication information, it just sends it again transparently.
  Whether users will notice will depend on how many windows they have open, and which browser they're using.
  For example, in IE 5, if you open the secure site in a browser window, and close that window (using the close button on the logout confirmation page), it will "forget" the authentication information. But if I open other windows while connected to the secure site, it remembers the authentication info. Even if the users don't notice, there is a security issue associated with this behaviour.......
  Any thoughts/ideas on getting around this problem (other than the obvious - not using basic authentication!!)
  Regards,
  Chris Adianto

  Chris Adianto wrote:
  Dear all,
  your input on the following problem would be appreciated:
  We have encountered a problem with both the "logout" and "timeout" functionality used in eCRM, due to the use of basic authentication.
  Following a users logout and/or timeout period expiring, we are invalidating the user's session, so any user info will be removed from the server memory, and if the user attempts to access the site again there will be a security challenge.
  But since basic authentication is being used and the browser already has your authentication information, it just sends it again transparently.
  Whether users will notice will depend on how many windows they have open, and which browser they're using.
  For example, in IE 5, if you open the secure site in a browser window, and close that window (using the close button on the logout confirmation page), it will "forget" the authentication information. But if I open other windows while connected to the secure site, it remembers the authentication info. Even if the users don't notice, there is a security issue associated with this behaviour.......
  Any thoughts/ideas on getting around this problem (other than the obvious - not using basic authentication!!)Send HttpServletResponse.SC_UNAUTHORIZED (401) in the response header: http://www.tapsellferrier.co.uk/Servlets/FAQ/authentication.html has more info.
  Cheers,
  Alex

• Web application security. Getting username and password from database

  Hi!
  I need to write the following web application (I write it using java server faces):
  1) User enters his username/password on the login page
  2) Program goes to database where there are tens of thousands of usernames/passwords, and verifies it.
  3) If user and password exist in DB, user gets access to the other pages of the application
  Maybe I don't understand some point. I tried to use j_security_check(it's very easy to configure secured pages in web.xmp). The problem is that it works(as far as I understand) only with roles defined on server before the application runs. I can't add ALL these usernames to the roles on server. The best way, as I see it, is to go to DB, check username/password, create new role for the time of session, go to j_security_check where the j_username and j_password get the values from db and get the access to secured pages(as far as the roles have been dinamically added).
  Am I right and this should be the algorithm?
  How can I implement it?
  I've read about JAAS. How can it help to solve the problem? Do I need j_security_check if I use JAAS? How should I configure my application if I use it?
  Could you please give me some code example?
  All this must work on IIS (for now, I develope it in Netbeans and run it on Java Application Server)
  Please help.
  Edited by: nemaria on Jul 7, 2008 2:39 AM

  Hi,
  Any security constrained url pattern which calls the action j_security_check passes the parameter to the realm mentioned in the server.xml.If the realm is set as JAAS,then the authenticate method of the jaasrealm does the basic validation like non empty field value from the input form.The appname set as the realm parameter points to the one or more loginmodules which has the life cycle methods like initialize(...),login(),commit(),abort() and logout().Once the basic validation is done in the JaasRealm class of the webcontainer,the LoginContext is created and user is autheticated (against DB username/password) via the login().Then the user is authourised in the commit().Then Jaasrealm takes care of creating the LoginContext,calling login(),creating Subject with principals,credentials added and setting that in the session.
  I have a big trouble in accessing the HttpServletRequest object in the LoginModules.i.e getting the j_username and j_password in the LoginModules or in the CallBackHandlers.PolicyContext doesn't work for me.Is there any other way?
  Regards,
  Ganesh