From Bob Schellink <>
Subject Re: Authentication with "injection"
Date Sat, 27 Mar 2010 02:24:12 GMT
Hi Ivan,

On 26/03/2010 06:48 PM, Ivan Furdi wrote:

> I know that's the normal behaviour but I want to ask if there's some way
> to skip login screen using supplied
> request parameters? (for example username and password). I know this is
> not very secure but i need it for
> a test.

This will depend on your security framework. If you are using JEE security then you will be
dependent on the servlet container as to whether it provides a way to programmatically login via
parameters. For Tomcat see this email which explains about creating a Filter to fake out certain
to make the login work:

You could also try and simulate a login from the remote site (do a post to /j_security_check),
the JSESSIONID cookie, and set it as a cookie for your next request to the server.

Alternative options are to use a different Security framework such as Spring Security or Apache
Shiro. They allow you to programmatically login.

You can find links to these projects here:

Before rolling to production, ensure the site login page is accessed through HTTPS so that
username/password is not sent as cleartext.

> I'm a bit green in security area so if someone can recommend some topics
> to study I would be very thankful.

The login side of security in JEE is not as simple as it should be. The upcoming Servlet 3.0
addresses some of this by adding login/logout API to the ServletRequest:

Let me know if you have other questions.

kind regards
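The "simulate a login" option Bob describes (POST to /j_security_check, pick up the JSESSIONID cookie, reuse it on the next request) works only if the client behaves like a browser: the container must first see a request for a protected page so it can create the session and save that request, and recent Tomcat releases issue a fresh session id on successful authentication. The client below is an added example written for this thread, not code from the Click project or from the original message. The base URL http://localhost:8080/myapp, the protected path /secure/index.htm and the credentials are assumed placeholders; the field names j_username and j_password are the standard ones for container-managed FORM authentication.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

/**
 * Test-only client that performs a container-managed FORM login the way a
 * browser would: request a protected page, POST credentials to
 * j_security_check, then reuse the resulting session cookie.
 * Base URL, protected path and credentials are assumed values for this example.
 */
public class FormLoginClient {

    private final String baseUrl;

    public FormLoginClient(String baseUrl) {
        this.baseUrl = baseUrl;
    }

    /** Returns the JSESSIONID value from the Set-Cookie headers, or null if none was sent. */
    static String extractSessionId(Map<String, List<String>> headers) {
        List<String> cookies = headers.get("Set-Cookie");
        if (cookies == null) {
            return null;
        }
        for (String cookie : cookies) {
            if (cookie.startsWith("JSESSIONID=")) {
                int end = cookie.indexOf(';');
                return end < 0 ? cookie.substring("JSESSIONID=".length())
                               : cookie.substring("JSESSIONID=".length(), end);
            }
        }
        return null;
    }

    /**
     * Logs in and returns the authenticated session id. Throws IOException when the
     * container does not redirect back to the protected page, which is the observable
     * difference between a successful and a failed FORM login.
     */
    public String login(String protectedPath, String username, String password) throws IOException {
        // Step 1: request the protected page first. The container creates a session and
        // saves this request; a POST to j_security_check without that saved request is
        // normally rejected by the container.
        HttpURLConnection first = open(protectedPath, null);
        first.setInstanceFollowRedirects(false);
        first.getResponseCode();
        String sessionId = extractSessionId(first.getHeaderFields());
        if (sessionId == null) {
            throw new IOException("container did not create a session for " + protectedPath);
        }

        // Step 2: POST the credentials to j_security_check within that session.
        String form = "j_username=" + URLEncoder.encode(username, "UTF-8")
                    + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        HttpURLConnection post = open("/j_security_check", sessionId);
        post.setInstanceFollowRedirects(false);
        post.setRequestMethod("POST");
        post.setDoOutput(true);
        post.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = post.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        int status = post.getResponseCode();
        String location = post.getHeaderField("Location");
        // Success: 302 back to the saved protected request. Failure: the error page instead.
        if (status != 302 || location == null || !location.endsWith(protectedPath)) {
            throw new IOException("login failed: HTTP " + status + " Location=" + location);
        }

        // Step 3: the container may rotate the session id on successful authentication
        // (session fixation protection), so prefer a newly issued cookie over the old one.
        String rotated = extractSessionId(post.getHeaderFields());
        return rotated != null ? rotated : sessionId;
    }

    private HttpURLConnection open(String path, String sessionId) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl + path).openConnection();
        if (sessionId != null) {
            conn.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
        }
        return conn;
    }

    public static void main(String[] args) throws IOException {
        FormLoginClient client = new FormLoginClient("http://localhost:8080/myapp");
        String sid = client.login("/secure/index.htm", "testuser", "testpass");
        // Reuse the authenticated session for the request under test.
        HttpURLConnection page = client.open("/secure/index.htm", sid);
        System.out.println("authenticated request returned HTTP " + page.getResponseCode());
    }
}
```

Two details decide whether this client tells the truth about the login: redirects are not followed automatically, so the Location header of the j_security_check response is what distinguishes success from the error page, and the cookie is re-read after the POST because a container that rotates the session id on login would otherwise leave the test holding a stale, unauthenticated session.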

