Please let me clarify: the authentication information itself would never be stored--just the last attempted POST in the event of session expiration. I'm looking for a mechanism instead that will save a memento of the content of a regular HTML form if the user takes too long to complete and submit the form. If the user takes 16 minutes to fill out a form, but the session only lasts 15 minutes, then the posted form data would be lost.
I've seen this implemented in a hand-rolled fashion before. The servlet would check to see if a session exists for each HTTP POST. If the session does exist and the user has been authenticated, then the servlet processes the transaction normally. However, if the session does not exist, the servlet would create a new session and store those parameters in the new session. The servlet would then display a login page and prompt for reauthentication. After reauthenticating, the servlet would pull the original POST parameters out of the session, and it would process them just as it would if the reauthentication was not required.

I realize that this may cause a creation of a session that could open the door for a denial of service attack, so an alternative to this method would be encoding the HTTP POST content into a Base64-encoded string and passing it to the login screen in a hidden field. That gets around the need to create a new session upon the receipt of any post.

On 6/12/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Today's Topics:
>
>   1. Support for HTTP request memento in Form Authenticator (Curtis Light)
>   2. Re: Support for HTTP request memento in Form Authenticator (Luke Taylor)
>
> --__--__--
>
> Message: 1
> Date: Sun, 12 Jun 2005 11:59:46 -0400
> From: Curtis Light <[EMAIL PROTECTED]>
> To: acegisecurity-developer@lists.sourceforge.net
> Subject: [Acegisecurity-developer] Support for HTTP request memento in Form Authenticator
> Reply-To: acegisecurity-developer@lists.sourceforge.net
>
> Hello,
>
> I've been looking through the AuthenticationProcessingFilter source
> in Acegi Security, and I haven't seen support for storing a memento of
> the original HTTP request in the session, providing the ability to let
> a user re-authenticate without losing the original HTTP post
> parameters in the event of session expiration. Is this available in
> Acegi Security and I'm just not seeing its implementation?
>
> As a side note, Apache Tomcat 5.5.9 does provide this support in its
> container managed authentication. See the "authenticate" method.
>
> http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1.23&view=markup
>
> If this feature is not currently available in Acegi Security, is
> there interest in adding (configurable) support for it to the
> AuthenticationProcessingFilter? I could see reasons for NOT wanting
> to use this (e.g. session creation denial-of-service attacks), but in
> other situations it can be useful.
>
> Thanks,
>
> Curtis
>
> --__--__--
>
> Message: 2
> Date: Sun, 12 Jun 2005 21:50:40 +0100
> From: Luke Taylor <[EMAIL PROTECTED]>
> To: acegisecurity-developer@lists.sourceforge.net
> Subject: Re: [Acegisecurity-developer] Support for HTTP request memento in Form Authenticator
> Reply-To: acegisecurity-developer@lists.sourceforge.net
>
> Hi,
>
> I don't see how you can store a copy of the login parameters in the
> session and then retrieve them "in the event of session expiration".
> Won't an expired session be destroyed by the container, along with any
> attributes it contains?
>
> The tomcat code (saveRequest, restoreRequest methods) looks like it is
> being used for restoring an original secured request after successful
> form authentication.
>
> Luke.
>
> --
> Luke Taylor. Monkey Machine Ltd.
> PGP Key ID: 0x57E9523C http://www.monkeymachine.ltd.uk
>
> --__--__--
>
> _______________________________________________
> Acegisecurity-developer mailing list
> Acegisecurity-developer@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>
> End of Acegisecurity-developer Digest
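The hidden-field variant described in the reply above, as an added example that is neither Acegi's nor Tomcat's code: the interrupted POST is packed into one Base64 value for the login page and unpacked after re-login. The HMAC, the 15-minute expiry and the size bound go beyond what the mail proposes, so a browser cannot hand back an altered, stale or oversized memento; the class name, the server-side key and the limits are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class PostMemento {
    private static final int MAX_TOKEN_CHARS = 8 * 1024;   // bound on what a client may hand back to us
    private static final long MAX_AGE_MS = 15 * 60 * 1000L; // assumed session timeout; older mementos are refused
    private final byte[] key;                               // server-side HMAC secret, never sent to the browser
    public PostMemento(byte[] key) { this.key = key.clone(); }

    /** Serialises timestamp, URI and sorted parameters, then signs so the client cannot alter what it replays. */
    public String encode(String uri, Map<String, String[]> params, long nowMillis) {
        StringBuilder sb = new StringBuilder().append(nowMillis).append('\n').append(b64(uri)).append('\n');
        for (Map.Entry<String, String[]> e : new TreeMap<>(params).entrySet())
            for (String v : e.getValue()) sb.append(b64(e.getKey())).append('=').append(b64(v)).append('\n');
        String payload = b64(sb.toString());
        return payload + "." + b64(hmac(payload));
    }
    /** Returns the saved parameters, or empty if the token is oversized, tampered, expired or for another URI. */
    public Optional<Map<String, String[]>> decode(String token, String expectedUri, long nowMillis) {
        if (token == null || token.length() > MAX_TOKEN_CHARS || token.indexOf('.') < 0) return Optional.empty();
        int dot = token.lastIndexOf('.');
        String payload = token.substring(0, dot);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(token.substring(dot + 1)); }
        catch (IllegalArgumentException ex) { return Optional.empty(); }
        if (!MessageDigest.isEqual(hmac(payload), given)) return Optional.empty(); // constant-time comparison
        String[] lines = unb64(payload).split("\n", -1); // authentic from here on: we produced this payload
        if (nowMillis - Long.parseLong(lines[0]) > MAX_AGE_MS || !expectedUri.equals(unb64(lines[1]))) return Optional.empty();
        Map<String, List<String>> acc = new LinkedHashMap<>();
        for (int i = 2; i < lines.length; i++) {
            int eq = lines[i].indexOf('=');
            if (eq < 0) continue; // trailing empty element from the final '\n'
            acc.computeIfAbsent(unb64(lines[i].substring(0, eq)), k -> new ArrayList<>()).add(unb64(lines[i].substring(eq + 1)));
        }
        Map<String, String[]> result = new LinkedHashMap<>();
        acc.forEach((k, v) -> result.put(k, v.toArray(new String[0])));
        return Optional.of(result);
    }
    private byte[] hmac(String payload) {
        try { Mac mac = Mac.getInstance("HmacSHA256"); mac.init(new SecretKeySpec(key, "HmacSHA256"));
              return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)); }
        catch (java.security.GeneralSecurityException ex) { throw new IllegalStateException(ex); }
    }
    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
    private static String b64(String s) { return b64(s.getBytes(StandardCharsets.UTF_8)); }
    private static String unb64(String s) { return new String(Base64.getUrlDecoder().decode(s), StandardCharsets.UTF_8); }
}
```

A servlet or filter would call encode(request.getRequestURI(), request.getParameterMap(), System.currentTimeMillis()) when it has to send an unauthenticated POST to the login page, and decode(hiddenValue, request.getRequestURI(), System.currentTimeMillis()) after a successful login, processing the original parameters only when a value comes back.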