Re: servlet sendRedirect() to j_security_check problem (remember me)

Wed, 03 Dec 2003 16:56:28 -0800

It's standard container managed security stuff - I first invoke a protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is protected. Based on security constraints in web.xml, I'm presented with a form-login-page "login.jsp" - rather than having action="j_security_check" in this form, I have action="/security/authorize" - which is mapped to my own LoginServlet. In the LoginServlet, I encrypt the password (optionally based on an init-parameter), set some cookies and do an HTTP Post to j_security_check. Works on Tomcat 4-5 and Resin 3.x.

Matt

On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:

Matt,
are you really managing to post a form to j_security_check without invoking it first, or is that some sort of black magic you've cooked up?

Or have I just misunderstood what Chris said?

Adam

On 12/03/2003 09:24 PM Matt Raible wrote:
Chris,
I found your post at http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/ msg111700.html and I'm cc'ing the list in case anyone else is interested in this info (I'm not subscribed).
I've actually improved the "Remember Me" feature a fair amount since I posted to the Tomcat User list. The sendRedirect works, however, it (in some browsers) puts the URL (with password) into the address bar. This isn't a big deal IMO since it's the user that just logged in and they don't mind seeing their own passwords. However, the URL tends to show up in server log files which can be a security hole. Because of this, I changed to using an HTTP Post with Jakarta Common's HttpClient. I also moved my form-login-page and form-error-page into a "security" folder and then set my cookies for the /appname/security path rather than / - this makes it so the user/pass cookies are more secure and can only be retrieved when logging in, rather than for any URL in the site.
That being said, I've updated one of my sample apps with these changes and you can download it if you'd like:
http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
Here's my updated LoginServlet that does an Http Post instead of a Get:
http://tinyurl.com/xl80
HTH,
Matt
On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:

Hi Matt,

Sorry for sending unsolicited email but I've been looking at some
of your postings to Tomcat-User and wondered if I could ask a
couple of questions.  I've tried posting to list but had no response
from anyone there.

Specifically, it's regarding your "remember me" login stuff.  If this
is a pain feel free to ignore this email.


Best regards
Chris

p.s. My question the list was under the subject
"servlet sendRedirect() to j_security_check problem"



--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to