Hi Ivan,

On 26/03/2010 06:48 PM, Ivan Furdi wrote:

> I know that's the normal behaviour but I want to ask if there's some way
> to skip login screen using supplied request parameters? (for example
> username and password). I know this is not very secure but I need it for
> a test.


This will depend on your security framework. If you are using JEE security then you will be dependent on the servlet container whether it provides a way to programmatically login via request parameters. For Tomcat see this email which explains about creating a Filter to fake out certain API to make the login work:

http://www.mail-archive.com/[email protected]/msg41324.html

You could also try and simulate a login from the remote site (do a post to /j_security_check), grab the JSESSIONID cookie, and set it as a cookie for your next request to the server.

Alternative options are to use a different Security framework such as Spring Security or Apache Shiro. They allow you to programmatically login.

You can find links to these projects here:

http://click.apache.org/docs/user-guide/html/ch05.html#alternatve-security-solutions

Before rolling to production, ensure the site login page is accessed through HTTPS so that the username/password is not sent as cleartext.



> I'm a bit green in security area so if someone can recommend some topics
> to study I would be very thankful.


The login side of security in JEE is not as simple as it should be. The upcoming Servlet 3.0 spec addresses some of this by adding login/logout API to the ServletRequest:

Let me know if you have other questions.

kind regards

bob
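As an added illustration of the second option above (POST to /j_security_check, grab the JSESSIONID cookie, replay it), here is a client that runs the FORM-auth handshake end to end. This is example code written for this page, not code from the thread or from Apache Click. The "container" it talks to is a small constructed stand-in that imitates the servlet FORM-auth behaviour (it is not Tomcat): an unauthenticated request creates a session and serves the login form, j_security_check is only honoured when that session exists, a good login redirects back to the originally requested URL, a bad one redirects elsewhere. The context path /app, the protected URL /app/secure and the credentials ivan / s3cret are assumptions for the demo. One practical caveat the client encodes: Tomcat's FORM authenticator expects the session to already hold a saved request, so the client fetches the protected page first rather than POSTing straight at j_security_check.

```python
"""Simulate a JEE FORM login (POST /j_security_check) and reuse the JSESSIONID.

Added example for this page; the server below is a constructed stand-in for a
servlet container with FORM auth, not Tomcat itself.
"""
import http.client
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode

VALID_USER, VALID_PASS = "ivan", "s3cret"   # assumed test credentials
PROTECTED = "/app/secure"                    # assumed protected URL
_sessions = {}                               # JSESSIONID -> user (None = not yet logged in)


class FakeContainer(BaseHTTPRequestHandler):
    """Constructed imitation of servlet FORM auth (HTTP/1.0, one request per socket)."""

    def _sid(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        return jar["JSESSIONID"].value if "JSESSIONID" in jar else None

    def _reply(self, status, body=b"", **extra):
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        sid = self._sid()
        if self.path == PROTECTED and _sessions.get(sid):
            self._reply(200, b"hello " + _sessions[sid].encode())
            return
        # Unauthenticated: container creates a session, saves the request, serves the form
        sid = f"S{len(_sessions) + 1:04d}"
        _sessions[sid] = None
        self._reply(200, b"<form action='j_security_check' method='post'>...</form>",
                    Set_Cookie=f"JSESSIONID={sid}; Path=/app; HttpOnly")

    def do_POST(self):
        sid = self._sid()
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        if self.path != "/app/j_security_check" or sid not in _sessions:
            self._reply(400)        # no session / no saved request: direct reference rejected
            return
        if form.get("j_username") == [VALID_USER] and form.get("j_password") == [VALID_PASS]:
            _sessions[sid] = VALID_USER
            self._reply(302, Location=PROTECTED)            # back to the saved request
        else:
            self._reply(302, Location="/app/login-error.html")

    def log_message(self, *args):   # keep the demo quiet
        pass


def jsessionid_from(resp):
    """Return the JSESSIONID value from a response's Set-Cookie headers, or None."""
    for name, value in resp.getheaders():
        if name.lower() == "set-cookie" and "JSESSIONID" in SimpleCookie(value):
            return SimpleCookie(value)["JSESSIONID"].value
    return None


def form_login(host, port, username, password, protected=PROTECTED):
    """Run the FORM-auth handshake; return (status, body) of the protected page."""
    conn = http.client.HTTPConnection(host, port)
    conn.request("GET", protected)                  # 1. get a session with a saved request
    r = conn.getresponse(); r.read()
    sid = jsessionid_from(r)
    if sid is None:
        return r.status, "no JSESSIONID issued"
    cookie = f"JSESSIONID={sid}"
    conn.request("POST", "/app/j_security_check",  # 2. submit credentials on that session
                 body=urlencode({"j_username": username, "j_password": password}),
                 headers={"Content-Type": "application/x-www-form-urlencoded", "Cookie": cookie})
    r = conn.getresponse(); r.read()
    if r.status != 302 or not (r.getheader("Location") or "").endswith(protected):
        return r.status, "login rejected"
    conn.request("GET", protected, headers={"Cookie": cookie})   # 3. replay the cookie
    r = conn.getresponse()
    return r.status, r.read().decode()


def direct_post_status(host, port):
    """POST to j_security_check with no session at all; shows why step 1 matters."""
    conn = http.client.HTTPConnection(host, port)
    conn.request("POST", "/app/j_security_check",
                 body=urlencode({"j_username": VALID_USER, "j_password": VALID_PASS}),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    return conn.getresponse().status


def demo():
    """Start the stand-in container, exercise good/bad/direct logins, return the results."""
    srv = HTTPServer(("127.0.0.1", 0), FakeContainer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return (form_login("127.0.0.1", port, VALID_USER, VALID_PASS),
                form_login("127.0.0.1", port, VALID_USER, "wrong"),
                direct_post_status("127.0.0.1", port))
    finally:
        srv.shutdown(); srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Pointing `form_login` at a real deployment means changing the host, port and context path; everything else in the exchange (the cookie name, the j_username/j_password field names, the j_security_check action) is what the servlet FORM-auth spec defines. Since the credentials travel in the request body, run this only over HTTPS outside a test network.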
