From: "Chris Ward"
To: "Tomcat Users List"
Cc: "Adam Hardy"
Subject: RE: servlet sendRedirect() to j_security_check problem (remember me)
Date: Fri, 5 Dec 2003 15:46:20 -0000

Tomcat-Users (Cc: Matt/Adam),

I've just tried doing a redirect to j_security_check using the commons package "org.apache.commons.httpclient".
The error I get from the code is

[INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled statusCode : 302

Any clues given my code below (which is more than a bit similar to Matt's ;o) )

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.PostMethod;

static private final String authURL = "j_security_check";

// request, username and password come from the surrounding servlet
HttpClient client = new HttpClient();
// Talk to the same host/port/scheme the browser used for this request
client.getHostConfiguration().setHost( request.getServerName(), request.getServerPort(), request.getScheme() );
// POST to <contextPath>/j_security_check with the standard form field names
PostMethod authPost = new PostMethod( request.getContextPath() + "/" + authURL );
NameValuePair user = new NameValuePair( "j_username", username );
NameValuePair pass = new NameValuePair( "j_password", password );
authPost.setRequestBody( new NameValuePair[] { user, pass } );
client.executeMethod(authPost);
// Read the status before the connection is released
int statusCode = authPost.getStatusCode();
authPost.releaseConnection();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I think I've either got the authURL wrong or I need to do something in web.xml. Any light cast on this would be great.

Many thanks as always,
Chris

> It's standard container managed security stuff - I first invoke a
> protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is
> protected. Based on security constraints in web.xml, I'm presented
> with a form-login-page "login.jsp" - rather than having
> action="j_security_check" in this form, I have
> action="/security/authorize" - which is mapped to my own
> LoginServlet.
>
> In the LoginServlet, I encrypt the password (optionally based on an
> init-parameter), set some cookies and do an HTTP Post to
> j_security_check. Works on Tomcat 4-5 and Resin 3.x.
>
> Matt
>
> On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:
>
> > Matt,
> > are you really managing to post a form to j_security_check without
> > invoking it first, or is that some sort of black magic you've cooked
> > up?
> >
> > Or have I just misunderstood what Chris said?
> >
> > Adam
> >
> > On 12/03/2003 09:24 PM Matt Raible wrote:
> >> Chris,
> >> I found your post at
> >> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
> >> and I'm cc'ing the list in case anyone else is interested in this
> >> info (I'm not subscribed).
> >> I've actually improved the "Remember Me" feature a fair amount since
> >> I posted to the Tomcat User list. The sendRedirect works, however,
> >> it (in some browsers) puts the URL (with password) into the address
> >> bar. This isn't a big deal IMO since it's the user that just logged
> >> in and they don't mind seeing their own passwords. However, the URL
> >> tends to show up in server log files which can be a security hole.
> >> Because of this, I changed to using an HTTP Post with Jakarta
> >> Commons' HttpClient. I also moved my form-login-page and
> >> form-error-page into a "security" folder and then set my cookies for
> >> the /appname/security path rather than / - this makes it so the
> >> user/pass cookies are more secure and can only be retrieved when
> >> logging in, rather than for any URL in the site.
> >> That being said, I've updated one of my sample apps with these
> >> changes and you can download it if you'd like:
> >> http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
> >> Here's my updated LoginServlet that does an Http Post instead of a
> >> Get:
> >> http://tinyurl.com/xl80
> >> HTH,
> >> Matt
> >> On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
> >>>
> >>> Hi Matt,
> >>>
> >>> Sorry for sending unsolicited email but I've been looking at some of
> >>> your postings to Tomcat-User and wondered if I could ask a couple of
> >>> questions. I've tried posting to the list but had no response from
> >>> anyone there.
> >>>
> >>> Specifically, it's regarding your "remember me" login stuff. If
> >>> this is a pain feel free to ignore this email.
> >>>
> >>> Best regards
> >>> Chris
> >>>
> >>> p.s. My question to the list was under the subject
> >>> "servlet sendRedirect() to j_security_check problem"
> >
> >
> > --
> > struts 1.1 + tomcat 5.0.14 + java 1.4.2
> > Linux 2.4.20 RH9
>
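The flow Matt describes (browser hits a protected URL, a custom LoginServlet POSTs the credentials to j_security_check with Commons HttpClient, and the container's 302 is the success signal rather than an error), as an added example that is not Chris's or Matt's code. It assumes HttpClient 2.x, Tomcat's default JSESSIONID cookie name, that the session id does not change on authentication, and that the browser's own session cookie must accompany the server-side POST so the container authenticates that session and not HttpClient's; the servlet name and error-page path are placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.PostMethod;
// Hypothetical LoginServlet (added example, not the AppFuse one).
public class LoginServlet extends HttpServlet {
    private static final String AUTH_URL = "j_security_check";
    private static final String ERROR_PAGE = "/security/loginError.jsp"; // placeholder

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Assumption: j_security_check resolves the saved request in the session
        // that hit the protected URL, so that session must already exist and its
        // cookie must travel with our server-side POST.
        HttpSession session = request.getSession(false);
        if (session == null) {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(
            request.getServerName(), request.getServerPort(), request.getScheme());
        PostMethod authPost = new PostMethod(request.getContextPath() + "/" + AUTH_URL);
        authPost.setFollowRedirects(false); // the 302 is the answer we want to read
        authPost.setRequestHeader("Cookie", "JSESSIONID=" + session.getId());
        // Credentials go in the POST body, never in a URL, so they stay out of
        // access logs and the browser's address bar.
        authPost.setRequestBody(new NameValuePair[] {
            new NameValuePair("j_username", request.getParameter("j_username")),
            new NameValuePair("j_password", request.getParameter("j_password")) });
        int status;
        String location = null;
        try {
            status = client.executeMethod(authPost);
            Header loc = authPost.getResponseHeader("Location");
            if (loc != null) location = loc.getValue();
        } finally {
            authPost.releaseConnection();
        }
        // Tomcat answers a successful j_security_check with 302 to the page the
        // user originally asked for; anything else means the login did not stick.
        if (status == HttpStatus.SC_MOVED_TEMPORARILY && location != null) {
            response.sendRedirect(location);
        } else {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
        }
    }
}
```

The 302 that HttpClient logs as "Redirect requested but followRedirects is disabled" is exactly the response to read here: its Location header is where the container wants the browser sent next.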