click-dev mailing list archives

From Bob Schellink <sab...@gmail.com>
Subject Re: Authentication with "injection"
Date Sat, 27 Mar 2010 02:24:12 GMT
Hi Ivan,


On 26/03/2010 06:48 PM, Ivan Furdi wrote:

> I know that's the normal behaviour but I want to ask if there's some way
> to skip login screen using supplied
> request parameters? (for example username and password). I know this is
> not very secure but i need it for
> a test.


This will depend on your security framework. If you are using JEE security then you will be dependent on the servlet container whether it provides a way to programmatically login via request parameters. For Tomcat see this email which explains about creating a Filter to fake out certain API to make the login work:

http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg41324.html

You could also try and simulate a login from the remote site (do a post to /j_security_check), grab the JSESSIONID cookie, and set it as a cookie for your next request to the server.

Alternative options are to use a different Security framework such as Spring Security or Apache Shiro. They allow you to programmatically login.

You can find links to these projects here:

http://click.apache.org/docs/user-guide/html/ch05.html#alternatve-security-solutions

Before rolling to production, ensure the site login page is accessed through HTTPS so that the username/password is not sent as cleartext.


>
> I'm a bit green in security area so if someone can recommend some topics
> to study I would be very thankful.


The login side of security in JEE is not as simple as it should be. The upcoming Servlet 3.0 spec addresses some of this by adding login/logout API to the ServletRequest:

Let me know if you have other questions.

kind regards

bob
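The "simulate a login" option in the reply above (POST to /j_security_check, grab the JSESSIONID cookie, send it on the next request) as a worked exchange with both sides. This is an added example, not code from the click-dev thread or from Apache Click: the server is a constructed stand-in for a servlet container's FORM authenticator, not Tomcat, and the user `ivan` / password `test` are constructed credentials. It also shows the step the reply leaves implicit: a container normally expects a session to exist (created when the protected page was first requested) before it will accept the POST to j_security_check, so the client requests the protected page first and carries that session id into the login POST.

```python
"""Simulating a JEE FORM-auth login: POST to /j_security_check, read the
JSESSIONID cookie, replay it on the next request.

Added example; not from the click-dev thread or Apache Click.  The server is
a constructed stand-in for a container's FORM authenticator (not Tomcat), and
'ivan' / 'test' are constructed credentials."""
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"ivan": "test"}   # constructed credential store
SESSIONS = {}              # JSESSIONID -> authenticated user name, or None


class FakeContainer(BaseHTTPRequestHandler):
    """Minimal FORM authenticator: session first, then /j_security_check."""

    def _session(self):
        """Return (sid, is_new); a fresh id is minted if none was presented."""
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["JSESSIONID"].value if "JSESSIONID" in cookies else None
        if sid in SESSIONS:
            return sid, False
        sid = secrets.token_hex(16)
        SESSIONS[sid] = None
        return sid, True

    def _reply(self, status, location=None, sid=None, body=b""):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        if sid:
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid, _ = self._session()
        if self.path == "/protected" and SESSIONS[sid]:
            self._reply(200, body=f"secret for {SESSIONS[sid]}".encode())
        elif self.path == "/protected":
            # Container parks the request in the session and bounces to the form.
            self._reply(302, location="/login", sid=sid)
        else:
            self._reply(404)

    def do_POST(self):
        sid, is_new = self._session()
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("j_username", [""])[0]
        if self.path != "/j_security_check" or is_new:
            self._reply(400)            # no session to authenticate
        elif USERS.get(user) == form.get("j_password", [""])[0]:
            SESSIONS[sid] = user
            self._reply(302, location="/protected", sid=sid)
        else:
            self._reply(302, location="/login-error", sid=sid)

    def log_message(self, *args):       # keep the example quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 302 back to the caller so its Set-Cookie header can be read."""
    def redirect_request(self, *args, **kwargs):
        return None


def _request(url, data=None, sid=None):
    """One request without following redirects: returns (status, headers, body)."""
    req = urllib.request.Request(url, data=data)
    if sid:
        req.add_header("Cookie", f"JSESSIONID={sid}")
    try:
        with urllib.request.build_opener(NoRedirect).open(req) as resp:
            return resp.status, resp.headers, resp.read().decode()
    except urllib.error.HTTPError as err:      # the unfollowed 302, or a 4xx
        return err.code, err.headers, ""


def _jsessionid(headers):
    cookie = SimpleCookie(headers.get("Set-Cookie", ""))
    return cookie["JSESSIONID"].value if "JSESSIONID" in cookie else None


def login_and_fetch(base, username, password):
    """Returns the protected page body on success, None if the login fails."""
    # 1. Touch the protected page so the container creates the session that
    #    /j_security_check will later mark as authenticated.
    _, headers, _ = _request(f"{base}/protected")
    sid = _jsessionid(headers)
    # 2. Post the fields a FORM-auth login page submits.
    form = urllib.parse.urlencode({"j_username": username,
                                   "j_password": password}).encode()
    status, headers, _ = _request(f"{base}/j_security_check", data=form, sid=sid)
    if status != 302 or headers.get("Location", "").endswith("/login-error"):
        return None
    sid = _jsessionid(headers) or sid      # containers may rotate the id on login
    # 3. Replay the cookie on the request that actually needed authentication.
    status, _, body = _request(f"{base}/protected", sid=sid)
    return body if status == 200 else None


def start_server():
    """Start the stand-in container on a free local port; returns (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeContainer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}", srv


if __name__ == "__main__":
    base, srv = start_server()
    print(login_and_fetch(base, "ivan", "test"))
    print(login_and_fetch(base, "ivan", "wrong"))
    srv.shutdown()
```

Against a real container, swap `start_server()` for the site's base URL and keep the rest; the cookie is plain HTTP here, which is exactly why the reply insists on HTTPS before production, since anyone who can read the wire gets both the credentials and the JSESSIONID.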
