tomcat-users mailing list archives

From Jon Wingfield <jon.wingfi...@mkodo.com>
Subject Re: servlet sendRedirect() to j_security_check problem (remember me)
Date Tue, 09 Dec 2003 19:26:59 GMT
You've probably got it fixed by now but...
I think all you need to do is add this before executing the post:
authPost.setFollowRedirects(true);

As memory serves, I think it only follows up to a set maximum number of 
redirects (in an attempt to prevent infinite loops). It's been a while 
since I dug around the HttpClient code so I can't remember if that value 
is configurable.

HTH,

Jon

Chris Ward wrote:

> Tomcat-Users
> (Cc:Matt/Adam),
> 
> 
> I've just tried doing a redirect to j_security_check using the
> commons package "org.apache.commons.httpclient".
> 
> The error I get from the code is 
> 
> [INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled
> statusCode : 302
> 
> Any clues given my code below (which is more than a bit similar to
> Matt's ;o) )
> 
> 
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
> 
>     import org.apache.commons.httpclient.HttpClient;
>     import org.apache.commons.httpclient.NameValuePair;
>     import org.apache.commons.httpclient.methods.PostMethod;
> 
>     static private final String authURL = "j_security_check";
> 
> <snip>
> 
>         // Point the client at the host/port/scheme this request came in on
>         HttpClient client = new HttpClient();            
>         client.getHostConfiguration().setHost(
>                 request.getServerName(),
>                 request.getServerPort(),
>                 request.getScheme()
>                 );
>         // POST the credentials to the container's form-login target
>         PostMethod authPost = new PostMethod( request.getContextPath() + "/" + authURL );
>         NameValuePair user = new NameValuePair( "j_username", username );
>         NameValuePair pass = new NameValuePair( "j_password", password );
>         authPost.setRequestBody( new NameValuePair[] { user, pass } );
>         client.executeMethod(authPost);
>         // Read the status before handing the connection back
>         int statusCode = authPost.getStatusCode();
>         authPost.releaseConnection();
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
> 
> I think I've either got the authURL wrong or I need to do something
> in web.xml.
> 
> Any light cast on this would be great.
> 
> Many thanks as always,
> Chris
> 
> 
> 
>>It's standard container managed security stuff - I first invoke a 
>>protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is 
>>protected.  Based on security constraints in web.xml, I'm presented 
>>with a form-login-page "login.jsp" - rather than having 
>>action="j_security_check" in this form, I have 
>>action="/security/authorize" - which is mapped to my own 
>>LoginServlet.  
>>In the LoginServlet, I encrypt the password (optionally based on an 
>>init-parameter), set some cookies and do an HTTP Post to 
>>j_security_check.  Works on Tomcat 4-5 and Resin 3.x.
>>
>>Matt
>>
>>On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:
>>
>>>Matt,
>>>are you really managing to post a form to j_security_check without
>>>invoking it first, or is that some sort of black magic you've cooked
>>>up?
>>>
>>>Or have I just misunderstood what Chris said?
>>>
>>>Adam
>>>
>>>On 12/03/2003 09:24 PM Matt Raible wrote:
>>>
>>>>Chris,
>>>>I found your post at
>>>>http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
>>>>and I'm cc'ing the list in case anyone else is interested in this
>>>>info (I'm not subscribed).
>>>>I've actually improved the "Remember Me" feature a fair amount since
>>>>I posted to the Tomcat User list.  The sendRedirect works, however,
>>>>it (in some browsers) puts the URL (with password) into the address
>>>>bar.  This isn't a big deal IMO since it's the user that just logged
>>>>in and they don't mind seeing their own passwords.  However, the URL
>>>>tends to show up in server log files which can be a security hole.
>>>>Because of this, I changed to using an HTTP Post with Jakarta
>>>>Commons HttpClient.  I also moved my form-login-page and
>>>>form-error-page into a "security" folder and then set my cookies for
>>>>the /appname/security path rather than / - this makes it so the
>>>>user/pass cookies are more secure and can only be retrieved when
>>>>logging in, rather than for any URL in the site.
>>>>That being said, I've updated one of my sample apps with these
>>>>changes and you can download it if you'd like:
>>>>http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
>>>>Here's my updated LoginServlet that does an Http Post instead of a
>>>>Get:
>>>>http://tinyurl.com/xl80
>>>>HTH,
>>>>Matt
>>>>On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
>>>>
>>>>>Hi Matt,
>>>>>
>>>>>Sorry for sending unsolicited email but I've been looking at some of
>>>>>your postings to Tomcat-User and wondered if I could ask a couple of
>>>>>questions.  I've tried posting to the list but had no response from
>>>>>anyone there.
>>>>>
>>>>>Specifically, it's regarding your "remember me" login stuff.  If
>>>>>this is a pain feel free to ignore this email.
>>>>>
>>>>>
>>>>>Best regards
>>>>>Chris
>>>>>
>>>>>p.s. My question to the list was under the subject
>>>>>"servlet sendRedirect() to j_security_check problem"
>>>
>>>
>>>--
>>>struts 1.1 + tomcat 5.0.14 + java 1.4.2
>>>Linux 2.4.20 RH9
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 


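The server-side login the thread is chasing, written out as an added example rather than code from Chris, Matt or Jon: a LoginServlet that receives the login form, POSTs j_username/j_password to the container's j_security_check with Commons HttpClient 2.x, and treats the 302 as the expected answer. It reads the Location header and sends the browser there itself instead of asking HttpClient to follow a redirect on a POST. The class name, the "/security" path, the cookie name and the JSESSIONID forwarding are assumptions; the forwarding is there because the container keeps the form-login state in the session that was shown the login page, so the POST has to run in that session. The cookie stores only the username, not the password.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.PostMethod;

/**
 * Added example, not the code of anyone in the thread. Assumed to be mapped
 * to /security/authorize in web.xml; login.jsp posts its form here instead
 * of straight to j_security_check.
 */
public class LoginServlet extends HttpServlet {

    // Target of the container's form login, relative to the context path.
    private static final String AUTH_URL = "/j_security_check";
    // Assumed path of the login pages; the remember-me cookie is scoped to it.
    private static final String SECURITY_PATH = "/security";

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        // The container keeps the saved request and login state in the session
        // that was shown login.jsp, so the server-side POST has to run in that
        // same session: no session means no form login in progress.
        HttpSession session = request.getSession(false);
        if (session == null || username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // getServerName()/getServerPort() are taken from the Host header of the
        // incoming request; in production pin these to a configured loopback
        // address rather than letting the client choose the target.
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(
                request.getServerName(), request.getServerPort(), request.getScheme());

        PostMethod authPost = new PostMethod(request.getContextPath() + AUTH_URL);
        // Carry the browser's session cookie (container default name assumed).
        authPost.setRequestHeader("Cookie", "JSESSIONID=" + session.getId());
        authPost.setRequestBody(new NameValuePair[] {
                new NameValuePair("j_username", username),
                new NameValuePair("j_password", password) });

        int status;
        String location = null;
        try {
            status = client.executeMethod(authPost);
            // A 302 is the container's normal reply to j_security_check: on
            // success it points at the originally requested page, on failure
            // at form-error-page. Read it here rather than asking HttpClient
            // to follow a redirect on a POST.
            Header loc = authPost.getResponseHeader("Location");
            if (status == HttpStatus.SC_MOVED_TEMPORARILY && loc != null) {
                location = loc.getValue();
            }
        } finally {
            authPost.releaseConnection();
        }

        if (location == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "unexpected status " + status + " from " + AUTH_URL);
            return;
        }

        // Remember only the username, and only for the login path, so the
        // cookie is not sent with every request in the application.
        Cookie remember = new Cookie("rememberedUser", username);
        remember.setPath(request.getContextPath() + SECURITY_PATH);
        remember.setSecure(request.isSecure());
        remember.setMaxAge(30 * 24 * 60 * 60); // 30 days
        response.addCookie(remember);

        // Let the browser perform the GET in its own, now authenticated, session.
        response.sendRedirect(location);
    }
}
```

The redirect is passed back to the browser unchanged, so a failed login lands on form-error-page and a successful one on the page the user originally asked for, exactly as if the form had posted to j_security_check directly; the only difference is that the credentials travel in a POST body from the servlet, never in a URL that ends up in access logs.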
