tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andoni <>
Subject Re: Access to j_security_check directly
Date Wed, 20 Oct 2004 10:29:22 GMT

This is an age-old problem, if you ever find a complete answer let me know.

As for 95% complete answers here goes:

1. Your biggest problem is bookmarks. You need to always load you login page
inside a frame. A single HTML page with a single frame can work fine, that
way they'll bookmark instead of This will mean that they will still always call the
secure page even if they have book-marked the login screen.

2. The second problem is the back button. You need to use a JSP for your
login screen and use the session.isNew() method to check if the session is
being started by your login screen. If not then you should redirect to your
single-framed page.

3. You can also re-direct with a custom error page from the error you
receive to the single framed page.

4. Search the history of this list and find more suggestions. This question
has come up several times over the years and usually gets some responses. I
am using j_security_check in all my production apps. and with a combination
of measures in place it works fine.  I do suggest that you work out
*Exactly* what is going on before trying to proceed as false assumptions can
have your head spinning :-)

Hope that helps,
Andoni OConchubhair.

----- Original Message ----- 
From: "Ben" <>
To: "Tomcat" <>
Sent: Wednesday, October 20, 2004 1:58 AM
Subject: Access to j_security_check directly

> Hi
> How can I deal with users that access to j_security_check directly? I
> have used the error-code 400 and redirect the users to the index page
> but the system doesn't recognise the them as logged in users.
> Any help? Thanks.
> Cheers,
> Ben
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message