tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: j_security_check-behaviour - looking for workaround
Date Tue, 02 Dec 2008 14:51:24 GMT


Gregor Schneider wrote:
> However, if you have a webapp working with frames, this scenario does not work.
> Imagine a webpage having this structure:


> Now if the session times out, the user clicks on the menu, the url
> requested is the source of the IFrame.

This shouldn't be the case: the URL requested should be the URL of the
link that was clicked. Am I just interpreting "the source of the iframe"

> After being authorized by j_security_check, it's forwarded to said url
> with the consequences, that the menu (in this example) is missing,
> also all the other html "wrapped around" the IFrame.

This scenario should work: the URL being used is the one that should
provide the content for that frame. The only uglinesses that occur are:

1. If you follow a link in a frame, your login page needs to be
   in-frame friendly.
2. If you reload the entire page, your login page needs to be
   out-of-frame friendly.

The process should still work, it just might require some customization.

> My preferred solution would be to always forward to "/index.html"
> after performing j_security_check:

You can't do this using Tomcat's built-in authorization.
Securityfilter's cvs repo (i.e. not a release build) has this feature,

-chris


