From "Chris Ward" <cw...@horizon-asset.co.uk>
Subject RE: servlet sendRedirect() to j_security_check problem (remember me)
Date Fri, 05 Dec 2003 15:46:20 GMT

Tomcat-Users
(Cc:Matt/Adam),


I've just tried doing a redirect to j_security_check using the
commons package "org.apache.commons.httpclient".

The error I get from the code is 

[INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled
statusCode : 302

Any clues given my code below (which is more than a bit similar to
Matt's ;o) )



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

// imports added for completeness (commons-httpclient 2.0 API used below)
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.PostMethod;

    static private final String authURL = "j_security_check";

<snip>


        // Loopback client aimed at the host/port/scheme the browser used.
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(
                request.getServerName(),
                request.getServerPort(),
                request.getScheme());
        // Resolves to /<context>/j_security_check, which is the path Tomcat's
        // FormAuthenticator matches on.
        PostMethod authPost = new PostMethod(request.getContextPath() + "/" + authURL);
        NameValuePair user = new NameValuePair("j_username", username);
        NameValuePair pass = new NameValuePair("j_password", password);
        authPost.setRequestBody(new NameValuePair[] { user, pass });
        // Note: no JSESSIONID (cookie or ;jsessionid=) accompanies this request,
        // so the container handles it in a brand-new session, not the browser's.
        // commons-httpclient never follows a redirect for a POST, so a 302 from
        // j_security_check surfaces as the "followRedirects is disabled" INFO
        // line above and as statusCode == 302 here.
        int statusCode = client.executeMethod(authPost);
        authPost.releaseConnection();

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I think I've either got the authURL wrong or I need to do something
in web.xml.

Any light cast on this would be great.

Many thanks as always,
Chris


> It's standard container managed security stuff - I first invoke a 
> protected URL - in index.jsp - I redirect to mainMenu.do - 
> and *.do is 
> protected.  Based on security constraints in web.xml, I'm presented 
> with a form-login-page "login.jsp" - rather than having 
> action="j_security_check" in this form, I have 
> action="/security/authorize" - which is mapped to my own 
> LoginServlet.  
> In the LoginServlet, I encrypt the password (optionally based on an 
> init-parameter), set some cookies and do an HTTP Post to 
> j_security_check.  Works on Tomcat 4-5 and Resin 3.x.
> 
> Matt
> 
> On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:
> 
> > Matt,
> > are you really managing to post a form to j_security_check without
> > invoking it first, or is that some sort of black magic 
> you've cooked 
> > up?
> >
> > Or have I just misunderstood what Chris said?
> >
> > Adam
> >
> > On 12/03/2003 09:24 PM Matt Raible wrote:
> >> Chris,
> >> I found your post at
> >> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/ 
> >> msg111700.html and I'm cc'ing the list in case anyone else is  
> >> interested in this info (I'm not subscribed).
> >> I've actually improved the "Remember Me" feature a fair amount since
> >> I posted to the Tomcat User list.  The sendRedirect works, however,
> >> it (in some browsers) puts the URL (with password) into the address
> >> bar.  This isn't a big deal IMO since it's the user that just logged
> >> in and they don't mind seeing their own passwords.  However, the URL
> >> tends to show up in server log files which can be a security hole.
> >> Because of this, I changed to using an HTTP Post with Jakarta
> >> Commons HttpClient.  I also moved my form-login-page and
> >> form-error-page into a "security" folder and then set my cookies for
> >> the /appname/security path rather than / - this makes it so the
> >> user/pass cookies are more secure and can only be retrieved when
> >> logging in, rather than for any URL in the site.
> >> That being said, I've updated one of my sample apps with these
> >> changes and you can download it if you'd like:
> >> http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
> >> Here's my updated LoginServlet that does an Http Post instead of a
> >> Get:
> >> http://tinyurl.com/xl80
> >> HTH,
> >> Matt
> >> On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
> >>>
> >>> Hi Matt,
> >>>
> >>> Sorry for sending unsolicited email but I've been looking at some of
> >>> your postings to Tomcat-User and wondered if I could ask a couple of
> >>> questions.  I've tried posting to the list but had no response from
> >>> anyone there.
> >>>
> >>> Specifically, it's regarding your "remember me" login stuff.  If 
> >>> this is a pain feel free to ignore this email.
> >>>
> >>>
> >>> Best regards
> >>> Chris
> >>>
> >>> p.s. My question the list was under the subject
> >>> "servlet sendRedirect() to j_security_check problem"
> >
> >
> > --
> > struts 1.1 + tomcat 5.0.14 + java 1.4.2
> > Linux 2.4.20 RH9
> 
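Added example, editor's code rather than Chris's snippet, Matt's LoginServlet or anything from AppFuse: a servlet that does what the thread describes. The login form posts to it, it POSTs the credentials to j_security_check with commons-httpclient 2.0 and relays the container's answer to the browser. Assumed names: the servlet is mapped to /security/authorize, the login pages live under /security (which must not be covered by a security-constraint), the error page is /security/loginError.jsp and the checkbox parameter is "remember". Like the thread's code it assumes the servlet can reach its own container at the host, port and scheme the browser used. Two things the snippet above does not do are done here: the POST carries the browser's session id, so the container authenticates the session the browser actually holds, and the 302 that commons-httpclient refuses to follow for a POST is treated as the success it is. The cookie is path-scoped as Matt describes but holds only the username; a cookie carrying a reusable password, encrypted or not, is the credential itself.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.PostMethod;

/**
 * Assumed mapping: /security/authorize.  The login form under /security posts
 * j_username, j_password and an optional "remember" checkbox here instead of to
 * j_security_check.  /security/* must stay outside every security-constraint,
 * or the container intercepts this request as well.
 */
public class LoginServlet extends HttpServlet {
    /** Tomcat's form-login action, relative to the context path. */
    private static final String AUTH_ACTION = "/j_security_check";
    /** Assumed name; must match form-error-page in web.xml. */
    private static final String ERROR_PAGE = "/security/loginError.jsp";
    private static final int THIRTY_DAYS = 30 * 24 * 60 * 60;

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        // The container created this session (and saved the originally requested
        // URL in it) when it served the login form.  j_security_check must be
        // reached as that session; a POST without the id logs in a fresh one.
        HttpSession session = request.getSession(false);
        if (username == null || password == null || session == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "no login in progress");
            return;
        }

        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(
                request.getServerName(), request.getServerPort(), request.getScheme());
        // Session id as a ;jsessionid path parameter (Tomcat URL rewriting), which
        // keeps HttpClient's cookie jar and its domain matching out of the picture.
        // Credentials travel in the body: nothing secret in the request line, so
        // nothing secret in the access log, which is the point of POST over GET.
        PostMethod authPost = new PostMethod(request.getContextPath() + AUTH_ACTION
                + ";jsessionid=" + session.getId());
        authPost.setRequestBody(new NameValuePair[] {
                new NameValuePair("j_username", username),
                new NameValuePair("j_password", password) });
        int status;
        Header location;
        try {
            status = client.executeMethod(authPost);
            location = authPost.getResponseHeader("Location");
        } catch (HttpException e) {
            throw new ServletException("j_security_check request failed", e);
        } finally {
            authPost.releaseConnection();
        }

        // FormAuthenticator answers good credentials with a 302 to the saved URL;
        // commons-httpclient will not follow a redirect for a POST, so that 302 is
        // the success signal.  Bad credentials are forwarded to the form-error-page
        // and come back as a 200, whose body is deliberately not relayed.
        if (status != HttpStatus.SC_MOVED_TEMPORARILY || location == null) {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }

        if ("on".equals(request.getParameter("remember"))) {
            // Path-scoped to the login folder, so the browser presents it only
            // when fetching the login form, not on every request in the site.
            // Only the username is kept; a stored password is the credential.
            Cookie remembered = new Cookie("username", username);
            remembered.setPath(request.getContextPath() + "/security");
            remembered.setMaxAge(THIRTY_DAYS);
            remembered.setSecure(request.isSecure());
            response.addCookie(remembered);
        }

        // Same session, now authenticated by the container: send the browser on to
        // the page it originally asked for.
        response.sendRedirect(stripSessionId(location.getValue()));
    }

    /** Tomcat appends ;jsessionid= to the redirect because the id arrived in the
     *  URL; drop it so it does not land in the location bar, history or Referer. */
    static String stripSessionId(String url) {
        int start = url.indexOf(";jsessionid=");
        if (start < 0) return url;
        int query = url.indexOf('?', start);
        return url.substring(0, start) + (query < 0 ? "" : url.substring(query));
    }
}
```

The session id is the whole trick: the container keyed the saved request and, after j_security_check, the Principal to the session it handed the browser when it served the login form, so the server-side POST must present that same id or the browser never becomes authenticated. Sending it as a path parameter rather than through HttpClient's cookie store avoids the cookie domain-matching rules, at the price of Tomcat echoing it back in the Location header, which stripSessionId removes before the browser sees it.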
