tomcat-users mailing list archives

From "Chris Ward" <cw...@horizon-asset.co.uk>
Subject RE: servlet sendRedirect() to j_security_check problem (remember me)
Date Thu, 04 Dec 2003 15:00:52 GMT
Thanks for the extra info Matt (& Adam)

I'm going to try to continue with my login work next
week - the newer version of Matt's "Remember-me" JSP/Servlet/Filter
seems to have a lot going on in there.  I feel a little daunted
to be honest.  But I shall play around with it some more.  

Thanks again for all the good advice guys - I'll probably be in
touch next week.

Best regards,
Chris

> -----Original Message-----
> From: Adam Hardy [mailto:ahardy.struts@cyberspaceroad.com]
> Sent: Thursday, 4 December 2003 13:02
> To: Tomcat Users List; Matt Raible
> Subject: Re: servlet sendRedirect() to j_security_check problem
> (remember me)
> 
> 
> That's a fairly circuitous route for a login. I guess you do what you 
> have to do though.
> 
> I was wondering whether I could adapt it to allow an SSL login form to
> be used to login to non-SSL pages, but I think the httpClient would
> leave the j_security_check post in plain text on the net - unless it
> never leaves the server, but I'm not sure that would be possible.
> 
> Adam
> 
> On 12/04/2003 12:52 AM Matt Raible wrote:
> > It's standard container managed security stuff - I first invoke a
> > protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is
> > protected.  Based on security constraints in web.xml, I'm presented with
> > a form-login-page "login.jsp" - rather than having
> > action="j_security_check" in this form, I have
> > action="/security/authorize" - which is mapped to my own LoginServlet.
> > In the LoginServlet, I encrypt the password (optionally based on an
> > init-parameter), set some cookies and do an HTTP Post to
> > j_security_check.  Works on Tomcat 4-5 and Resin 3.x.
> > 
> > Matt
> > 
> > On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:
> > 
> >> Matt,
> >> are you really managing to post a form to j_security_check without
> >> invoking it first, or is that some sort of black magic you've cooked up?
> >>
> >> Or have I just misunderstood what Chris said?
> >>
> >> Adam
> >>
> >> On 12/03/2003 09:24 PM Matt Raible wrote:
> >>
> >>> Chris,
> >>> I found your post at
> >>> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
> >>> and I'm cc'ing the list in case anyone else is interested in this
> >>> info (I'm not subscribed).
> >>> I've actually improved the "Remember Me" feature a fair amount since
> >>> I posted to the Tomcat User list.  The sendRedirect works, however,
> >>> it (in some browsers) puts the URL (with password) into the address
> >>> bar.  This isn't a big deal IMO since it's the user that just logged
> >>> in and they don't mind seeing their own passwords.  However, the URL
> >>> tends to show up in server log files which can be a security hole.
> >>> Because of this, I changed to using an HTTP Post with Jakarta
> >>> Common's HttpClient.  I also moved my form-login-page and
> >>> form-error-page into a "security" folder and then set my cookies for
> >>> the /appname/security path rather than / - this makes it so the
> >>> user/pass cookies are more secure and can only be retrieved when
> >>> logging in, rather than for any URL in the site.
> >>> That being said, I've updated one of my sample apps with these
> >>> changes and you can download it if you'd like:
> >>> http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
> >>> Here's my updated LoginServlet that does an Http Post instead of a Get:
> >>> http://tinyurl.com/xl80
> >>> HTH,
> >>> Matt
> >>> On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
> >>>
> >>>>
> >>>> Hi Matt,
> >>>>
> >>>> Sorry for sending unsolicited email but I've been looking at some
> >>>> of your postings to Tomcat-User and wondered if I could ask a
> >>>> couple of questions.  I've tried posting to the list but had no response
> >>>> from anyone there.
> >>>>
> >>>> Specifically, it's regarding your "remember me" login stuff.  If this
> >>>> is a pain feel free to ignore this email.
> >>>>
> >>>>
> >>>> Best regards
> >>>> Chris
> >>>>
> >>>> p.s. My question to the list was under the subject
> >>>> "servlet sendRedirect() to j_security_check problem"
> 
> 
> -- 
> struts 1.1 + tomcat 5.0.16 + java 1.4.2
> Linux 2.4.20 Debian
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
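A defender-side check for the leak Matt describes in the thread above (a GET redirect to j_security_check writing the password into the server's access log), added here as an example that is not part of the thread or of AppFuse: it flags and redacts sensitive query parameters in Tomcat common-format access-log lines. The log lines, the parameter list and the regular expression for the log layout are constructed assumptions for this example.

```python
import re

# Query parameters whose values must never reach a log: "j_password" is the
# Servlet-spec form-login field that j_security_check expects (constructed list).
SENSITIVE_PARAMS = {"j_password", "password"}

# Assumed Tomcat "common" access-log layout: host ident user [date] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
                    r'(?P<method>[A-Z]+) (?P<target>\S+)(?P<suffix> \S+".*)$')

def find_leaked_params(line):
    """Sensitive parameter names present in the request line's query string."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _path, _sep, query = m.group("target").partition("?")
    names = [pair.partition("=")[0] for pair in query.split("&") if pair]
    return [n for n in names if n.lower() in SENSITIVE_PARAMS]

def redact_line(line):
    """Same log line with sensitive query values masked; other values keep their raw encoding."""
    m = LOG_RE.match(line)
    if not m:
        return line
    path, sep, query = m.group("target").partition("?")
    if not sep:
        return line
    kept = []
    for pair in query.split("&"):
        name = pair.partition("=")[0]
        kept.append(name + "=[REDACTED]" if name.lower() in SENSITIVE_PARAMS else pair)
    return f'{m.group("prefix")}{m.group("method")} {path}?{"&".join(kept)}{m.group("suffix")}'

def scan(lines):
    """(line_index, leaked_names) for every line that exposes a credential."""
    return [(i, leaked) for i, l in enumerate(lines) if (leaked := find_leaked_params(l))]

# Constructed sample: the GET redirect Matt describes, then the POST that replaced it.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2003:12:52:01 +0000] "GET /appname/j_security_check?j_username=chris&j_password=s3cret HTTP/1.1" 302 -',
    '10.0.0.5 - - [03/Dec/2003:12:52:02 +0000] "POST /appname/j_security_check HTTP/1.1" 302 -',
    '10.0.0.5 - - [03/Dec/2003:12:52:03 +0000] "GET /appname/mainMenu.do HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_LOG):
        print(f"line {idx}: credential in query string ({', '.join(names)})")
        print("  redacted:", redact_line(SAMPLE_LOG[idx]))
```

Redaction only limits further exposure; a password that has already been written to a log should be treated as disclosed, which is why the POST-based login in the thread removes it from the request line altogether.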

