Andrew M. Hust wrote:
> I am trying to authenticate users from parameters passed plain text in
> the url. I know it's not the most security minded but the
> functionality is required.

Proxy servers, logs, history lists etc. It is a bad idea putting passwords and usernames into URL query strings.

> Ideally a user would be able to get to a page requiring authentication using:
> https://host/page.html?j_username=john&j_password=doe
>
> or even posting to the j_security_check manually with an additional
> parameter of destination:
> https://host/j_security_check?j_username=john&j_password=doe&destination=page.html
>
> Anyone have tips / examples doing this with the acegi framework.

If you read the section of the reference guide about the principle of authentication mechanisms, you need to write an authentication mechanism. It is probably going to end up a filter that implements your first example above. It will simply set up the SecurityContextHolder based on the query string.

Cheers
Ben

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
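Added example, not part of the original message or of the Acegi project: a scrubber for the leak the reply warns about, finding and masking j_password in the request line and Referer field of web server access logs. It assumes Combined Log Format; the names SENSITIVE, MASK, redact_url and scan_line and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SENSITIVE = {"j_password"}   # parameter name from the thread; extend as needed
MASK = "REDACTED"

# Combined Log Format: host ident user [time] "METHOD url PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>\S+) (?P<url>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
LINE_FMT = '{head}{method} {url} {proto}" {status} {size} "{referer}" "{ua}"'
# Fallback for lines that do not parse: they can still carry the secret.
RAW_RE = re.compile(r'(?i)\b(%s)=[^&\s"]*' % "|".join(map(re.escape, SENSITIVE)))

def redact_url(url):
    """Return (url with sensitive query values masked, names that were found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not hits:
        return url, []
    clean = [(k, MASK if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), hits

def scan_line(line):
    """Return (scrubbed log line, [(field, parameter), ...])."""
    m = LOG_RE.match(line)
    if m is None:
        hits = [("raw", name.lower()) for name in RAW_RE.findall(line)]
        return RAW_RE.sub(r"\1=" + MASK, line), hits
    fields, findings = m.groupdict(), []
    # The password shows up in the request itself and again in the Referer
    # of every follow-up request the browser makes from that page.
    for field in ("url", "referer"):
        fields[field], hits = redact_url(fields[field])
        findings += [(field, name) for name in hits]
    return LINE_FMT.format(**fields), findings

# Constructed sample lines, not taken from any real server.
SAMPLE = [
    '192.0.2.10 - - [12/Jun/2006:10:01:02 +0000] "GET /page.html?j_username=john&j_password=doe HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jun/2006:10:01:05 +0000] "GET /logo.png HTTP/1.1" 200 2048 "https://host/j_security_check?j_username=john&j_password=doe&destination=page.html" "Mozilla/5.0"',
    '192.0.2.11 - - [12/Jun/2006:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        scrubbed, found = scan_line(raw)
        print(found, scrubbed)
```

Scrubbing logs on the server does nothing for upstream proxies or browser history, which record the same URL.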
