From: "Sjoerd van Leent"
To: "'Tomcat Users List'"
Subject: RE: form-based login / cookies disabled / JSPs in WEB-INF
Date: Sun, 28 Sep 2003 19:49:35 +0200
In-Reply-To: <20030928160953.GA27187@linuxcenter.com.mx>
Message-Id: <20030928174923.84F9777263@smtp6.wanadoo.nl>
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm

Jose, Adam

It's not the best solution, but it should be possible to not set the SESSIONID in a cookie, but in (a) hidden form field(s). Remember, when you do this, that you need very strong security encryption. It requires that you overload the SESSIONID get function, which I think must be possible, although I didn't try it.

Sjoerd

-----Original Message-----
From: Jose Alfonso Martinez [mailto:trilock@linuxcenter.com.mx]
Sent: zondag 28 september 2003 18:10
To: Tomcat Users List

Adam,

I have the same issue as you and haven't come up with any workaround yet... However, on my site, the login form could be HTML because I don't need to maintain a session until the user has logged in. Do you really need to maintain a session, even when the user is just browsing static HTML files (before logging in)? If the answer is no, then you could have an HTML login form.

Jose

On Sun, Sep 28, 2003 at 05:10:52PM +0200, Adam Hardy wrote:
> I think I have a problem.
>
> I want form-based container-managed authentication on my app.
>
> I also want to allow cookies to be disabled.
>
> And I want to keep my JSPs under WEB-INF for security.
>
> It seems I cannot have these 3 combined, because disabling cookies means
> I have to do URL rewriting in the login form action URL, therefore my
> login form has to be a JSP and cannot be just plain .html.
>
> But while I do not want any JSPs outside of WEB-INF, I can't configure
> my login form to be in WEB-INF.
>
> Is this true, or is there a work-around?
>
> Thanks
> Adam
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
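The following is an added example, not code from anyone in this thread, showing one way to reconcile the three requirements Adam lists: form-based container authentication, cookies disabled (so the session id must be URL-rewritten into the login form's action), and the login JSP kept under WEB-INF. The idea is to point form-login-page at a servlet instead of a JSP; the servlet computes the rewritten action URL with response.encodeURL() and forwards server-side to a JSP under WEB-INF, which clients cannot request directly. The servlet class, the /login mapping, the JSP path and the loginAction attribute name are assumptions chosen for the example.

```java
// Added example (not from the thread): serve the form-login page from a JSP
// under WEB-INF while still using URL rewriting, so that container-managed
// FORM authentication works when the client has cookies disabled.
//
// Assumed web.xml wiring (names are assumptions, not taken from the thread):
//
//   <servlet>
//     <servlet-name>LoginPage</servlet-name>
//     <servlet-class>example.LoginPageServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>LoginPage</servlet-name>
//     <url-pattern>/login</url-pattern>
//   </servlet-mapping>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login</form-login-page>
//       <form-error-page>/login?error=1</form-error-page>
//     </form-login-config>
//   </login-config>
package example;

import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginPageServlet extends HttpServlet {

    // The JSP stays under WEB-INF: the container refuses direct client
    // requests for it, but a server-side forward can still reach it.
    private static final String LOGIN_JSP = "/WEB-INF/jsp/login.jsp";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container has already created a session before forwarding here
        // (it needs one to remember the originally requested URL). encodeURL()
        // appends ;jsessionid=... only when the session id did not arrive in a
        // cookie, so the same code serves cookie and cookie-less clients.
        String action = response.encodeURL(request.getContextPath() + "/j_security_check");
        request.setAttribute("loginAction", action);

        // The form-error-page above re-enters this servlet with ?error=1.
        request.setAttribute("loginFailed", Boolean.valueOf(request.getParameter("error") != null));

        // The rendered page can carry a session id in the action URL, so keep
        // it out of shared and browser caches.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        RequestDispatcher rd = getServletContext().getRequestDispatcher(LOGIN_JSP);
        rd.forward(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
```

The JSP under WEB-INF then only needs `<form method="POST" action="${loginAction}">` with the standard `j_username` and `j_password` fields, and can show a failure message when `loginFailed` is set; it never calls encodeURL() itself. Two points worth keeping in mind when relying on URL rewriting rather than cookies: the session id becomes part of URLs, so it can leak through Referer headers and access logs, and a rewritten link pasted or bookmarked by one user can hand the session to another. Serving every authenticated page over HTTPS and keeping session lifetimes short limits the exposure.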