incubator-jspwiki-user mailing list archives

From Brian Burch <>
Subject Re: login via url parameters
Date Mon, 25 May 2009 19:39:57 GMT
Alexey Kakunin wrote:
> One of the implementations for SSO is done with storing some security token in
> cookies.
> Like:
> 1. Login is done in System1, System1 generated some security token and
> placed it into cookies
> 2. User navigated to System2 (JspWiki in our case) - security filter in
> System2 analyzed security token in cookies, and performs (if it is possible)
> login using information in this security token
> Spring-Security (for example) has algorithms for SSO implemented.
> I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong

As far as I can tell from my own experience, jspWiki ships with a 
web.xml that defines certain urls as protected resources within an 
"authenticated area". When you go to one of those pages, e.g. 
Upload.jsp, the webapp container (tomcat in my case) intercepts the 
request and executes LoginForm.jsp according to the <login-config>.

***IF*** (like me) you want to use the standard tomcat single signon 
valve, then your login code MUST POST to j_security_check the j_username 
and j_password fields provided by the user. If acceptable within the 
security realm of the container, then the security valve redirects to 
the original protected url.

The tomcat SSO valve does use a browser cookie to recognise a request 
for a protected resource within the same, or a different container. If 
you trash your cookies, SSO doesn't remember you.

So, I conclude that if you are using tomcat and the standard SSO valve, 
whatever code you have that knows the userid and password MUST POST 
j_username and j_password to a url of "j_security_check" to get 
authenticated. However, if that POST hasn't been triggered by 
<login-config> intercepting the protected resource, I don't know how you 
will achieve the automatic redirect back to your desired page.

I guess you need to look at the tomcat source for j_security_check.

Good luck!
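
The container-managed setup described in the message above, as an added configuration sketch that is not part of the original post and is not copied from the files JSPWiki or Tomcat ship. The role name `Authenticated`, the single protected URL pattern, the reuse of LoginForm.jsp as the error page, the TLS constraint and the `<Host>` attributes are assumptions for illustration.

```xml
<!-- WEB-INF/web.xml (fragment): declare a protected resource and FORM login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authenticated area</web-resource-name>
    <url-pattern>/Upload.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Authenticated</role-name> <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- Assumption: j_password travels in the POST body, so require TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The container serves this page when a protected URL is requested -->
    <form-login-page>/LoginForm.jsp</form-login-page>
    <form-error-page>/LoginForm.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>Authenticated</role-name>
</security-role>

<!-- LoginForm.jsp (fragment): the action and both field names are fixed by
     the Servlet specification; the container itself handles this POST -->
<form method="post" action="j_security_check">
  <input type="text" name="j_username" />
  <input type="password" name="j_password" />
  <input type="submit" value="Login" />
</form>

<!-- conf/server.xml (fragment): the SSO valve is configured per Host -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>
```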

