tomcat-users mailing list archives

From Ben <newread...@gmail.com>
Subject Re: Access to j_security_check directly
Date Wed, 20 Oct 2004 22:41:29 GMT
I created a filter that rejects the "get" request method to the
j_security_check (in my login page I use the "post" method). So if
users access j_security_check, my filter responds with a resource
not found code.

It seems to be working fine.

Cheers

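The filter described above, written out as an added example (not Ben's own code): a servlet Filter that answers any non-POST request for the form-login action with 404 and lets everything else through. The class name is made up; it assumes the request actually reaches the web application's filter chain for that URL.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects any request to j_security_check that is not a POST.
 * The login form posts to j_security_check; a bookmark, a retyped
 * URL or a reload issues a GET and would otherwise reach the
 * container's form-login action outside the login sequence.
 */
public class JSecurityCheckMethodFilter implements Filter {

    private static final String LOGIN_ACTION = "/j_security_check";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoginAction(request) && !"POST".equals(request.getMethod())) {
            // Same outcome Ben describes: a "resource not found" answer
            // instead of letting a direct GET hit the login action.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the path inside the web app is the form-login action. */
    static boolean isLoginAction(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');            // drop ;jsessionid=... if present
        if (semi >= 0) path = path.substring(0, semi);
        return path.endsWith(LOGIN_ACTION);
    }

    public void destroy() {
    }
}
```

Map it in web.xml with a filter-mapping whose url-pattern covers the login action (for example `/*`). Whether the filter ever sees the request depends on the Tomcat version: the container's form authenticator handles j_security_check in the valve pipeline, ahead of the filter chain, so confirm with a direct GET against your own deployment that the 404 is what comes back.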

On Wed, 20 Oct 2004 11:29:22 +0100, Andoni <andonilist@eurokom.ie> wrote:
> Hi,
> 
> This is an age-old problem, if you ever find a complete answer let me know.
> 
> As for 95% complete answers here goes:
> 
> 1. Your biggest problem is bookmarks. You need to always load your login page
> inside a frame. A single HTML page with a single frame can work fine, that
> way they'll bookmark xxx.com/jsp/index.html instead of
> xxx.com/jsp/login.jsp. This will mean that they will still always call the
> secure page even if they have book-marked the login screen.
> 
> 2. The second problem is the back button. You need to use a JSP for your
> login screen and use the session.isNew() method to check if the session is
> being started by your login screen. If not then you should redirect to your
> single-framed page.
> 
> 3. You can also re-direct with a custom error page from the error you
> receive to the single framed page.
> 
> 4. Search the history of this list and find more suggestions. This question
> has come up several times over the years and usually gets some responses. I
> am using j_security_check in all my production apps, and with a combination
> of measures in place it works fine.  I do suggest that you work out
> *Exactly* what is going on before trying to proceed as false assumptions can
> have your head spinning :-)
> 
> Hope that helps,
> Andoni OConchubhair.
> 
> 
> 
> 
> ----- Original Message -----
> From: "Ben" <newreaders@gmail.com>
> To: "Tomcat" <tomcat-user@jakarta.apache.org>
> Sent: Wednesday, October 20, 2004 1:58 AM
> Subject: Access to j_security_check directly
> 
> > Hi
> >
> > How can I deal with users that access j_security_check directly? I
> > have used the error-code 400 and redirect the users to the index page,
> > but the system doesn't recognise them as logged in users.
> >
> > Any help? Thanks.
> >
> > Cheers,
> > Ben
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> 


