tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject Re: servlet sendRedirect() to j_security_check problem (remember me)
Date Thu, 04 Dec 2003 13:02:26 GMT
That's a fairly circuitous route for a login. I guess you do what you 
have to do though.

I was wondering whether I could adapt it to allow an SSL login form to 
be used to login to non-SSL pages, but I think the httpClient would 
leave the j_security_check post in plain text on the net - unless it 
never leaves the server, but I'm not sure that would be possible.


On 12/04/2003 12:52 AM Matt Raible wrote:
> It's standard container managed security stuff - I first invoke a 
> protected URL - in index.jsp - I redirect to - and *.do is 
> protected.  Based on security constraints in web.xml, I'm presented with 
> a form-login-page "login.jsp" - rather than having 
> action="j_security_check" in this form, I have 
> action="/security/authorize" - which is mapped to my own LoginServlet.  
> In the LoginServlet, I encrypt the password (optionally based on an 
> init-parameter), set some cookies and do an HTTP Post to 
> j_security_check.  Works on Tomcat 4-5 and Resin 3.x.
> Matt
> On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:
>> Matt,
>> are you really managing to post a form to j_security_check without 
>> invoking it first, or is that some sort of black magic you've cooked up?
>> Or have I just misunderstood what Chris said?
>> Adam
>> On 12/03/2003 09:24 PM Matt Raible wrote:
>>> Chris,
>>> I found your post at  
>>> msg111700.html and I'm cc'ing the list in case anyone else is  
>>> interested in this info (I'm not subscribed).
>>> I've actually improved the "Remember Me" feature a fair amount since 
>>> I  posted to the Tomcat User list.  The sendRedirect works, however, 
>>> it  (in some browsers) puts the URL (with password) into the address 
>>> bar.   This isn't a big deal IMO since it's the user that just logged 
>>> in and  they don't mind seeing their own passwords.  However, the URL 
>>> tends to  show up in server log files which can be a security hole.  
>>> Because of  this, I changed to using an HTTP Post with Jakarta 
>>> Common's HttpClient.   I also moved my form-login-page and 
>>> form-error-page into a "security"  folder and then set my cookies for 
>>> the /appname/security path rather  than / - this makes it so the 
>>> user/pass cookies are more secure and can  only be retrieved when 
>>> logging in, rather than for any URL in the site.
>>> That being said, I've updated one of my sample apps with these 
>>> changes  and you can download it if you'd like:
>>> Here's my updated LoginServlet that does an Http Post instead of a Get:
>>> HTH,
>>> Matt
>>> On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
>>>> Hi Matt,
>>>> Sorry for sending unsolicited email but I've been looking at some
>>>> of your postings to Tomcat-User and wondered if I could ask a
>>>> couple of questions.  I've tried posting to list but had no response
>>>> from anyone there.
>>>> Specifically, it's regarding your "remember me" login stuff.  If this
>>>> is a pain feel free to ignore this email.
>>>> Best regards
>>>> Chris
>>>> p.s. My question the list was under the subject
>>>> "servlet sendRedirect() to j_security_check problem"

struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message