tomcat-users mailing list archives

From "Gregor Schneider" <rc4...@googlemail.com>
Subject j_security_check-behaviour - looking for workaround
Date Mon, 01 Dec 2008 12:15:37 GMT
Hi there,

we're running some websites which are heavily framed (unfortunately)
using IFrames.

Authorization is done via FormBased Auth using Tomcat's built-in
j_security_check-method.

However, this is giving us some headaches when an application times out.

As you may know, j_security_check operates in the following way:

Pre-Condition: Authorization for web-app has timed out

- requested URL is sent to Tomcat
- Tomcat delegates the request to j_security_check to authorize the request
- j_security_check stores the original URL
- j_security_check forwards to a defined form to request userid / password
- if authorization is ok, j_security_check will forward to the URL
which initially was requested.

Sounds good so far, hm?

However, if you have a webapp working with frames, this scenario does not work.

Imagine a webpage having this structure:

<html>
<body>
<!-- some html here changing the source of the iframe - a menu i.e. -->
<iframe src="../../../index.htm">
</iframe>
<!-- some more html there -->
</body>
</html>

Now if the session times out and the user clicks on the menu, the URL
requested is the source of the IFrame.
After being authorized by j_security_check, it's forwarded to said URL
with the consequence that the menu (in this example) is missing,
and also all the other html "wrapped around" the IFrame.

I know that using frames actually is a no-go in web-design, however,
due to budgetary reasons a complete re-design using CSS is not an
option.

Now my question:

Does any of you have a clue how to work around this problem?

My first thought was to generate a JavaScript on top of each page
making sure it's called within an IFrame, however, I dislike this.

My preferred solution would be to always forward to "/index.html"
after performing j_security_check:

I tried to write a servlet that would use chaining and forward to
"/index.html", however, j_security_check simply ignores that and
forwards to the URL originally requested.

Now enlarge your personal karma and be so kind to post some
suggestions, please ;)

Cheers

Gregor
-- 
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
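
The JavaScript check mentioned in the message above, sketched as an added example (not code from the original post or from Tomcat): a content page that finds itself loaded at top level sends the browser to the wrapper page, and the wrapper puts it back into the iframe only if the requested path stays on the same origin, so the parameter cannot be used to frame or redirect to another site. `WRAPPER_PATH`, the `content` parameter and all function names are assumptions.

```javascript
// Added example. WRAPPER_PATH, CONTENT_PARAM and the function names are
// assumptions, not taken from the original post or from Tomcat.
const WRAPPER_PATH = "/index.html"; // page that holds the menu and the iframe
const CONTENT_PARAM = "content";    // hypothetical query parameter

// Resolve `candidate` against `origin`; return a URL only if it stays on
// that origin, otherwise null (absolute, protocol-relative, javascript: ...).
function sameOriginUrl(candidate, origin) {
  if (typeof candidate !== "string" || candidate === "") return null;
  if (/[\\\u0000-\u001f]/.test(candidate)) return null; // normalisation tricks
  let url;
  try {
    url = new URL(candidate, origin);
  } catch (e) {
    return null;
  }
  return url.origin === origin ? url : null;
}

// Content-page side: where to go when the page was loaded outside the iframe
// (for instance after the post-login forward). Returns null if nothing to do.
function wrapperRedirect(href, isTopLevel) {
  const url = new URL(href);
  if (!isTopLevel || url.pathname === WRAPPER_PATH) return null;
  const target = new URL(WRAPPER_PATH, url.origin);
  target.searchParams.set(CONTENT_PARAM, url.pathname + url.search);
  return target.pathname + target.search;
}

// Wrapper side: iframe src to use. Anything off-origin, or the wrapper
// itself, falls back to the default content page.
function iframeSource(href, fallback) {
  const page = new URL(href);
  const wanted = sameOriginUrl(page.searchParams.get(CONTENT_PARAM), page.origin);
  if (wanted === null || wanted.pathname === WRAPPER_PATH) return fallback;
  return wanted.pathname + wanted.search + wanted.hash;
}

// Browser wiring for content pages; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof window.location !== "undefined") {
  const to = wrapperRedirect(window.location.href, window.top === window.self);
  if (to !== null) window.location.replace(to);
}
```

On the wrapper page, the value returned by `iframeSource(window.location.href, fallback)` would be assigned to the iframe's `src`.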
