I have tried this, and was able to make it work, although slightly
differently.

I had a secured URL (a servlet in my case), to which I posted a form that
contained the j_username and j_password fields, along with some additional
application-specific data. If the user specified the correct info, the
session was immediately authenticated, and my normal login form was never
displayed. If the user entered invalid information, he would get my
configured login form.

I think it may have even worked when submitting to an unsecured URL, which
was convenient, because the user could log in before it was required, and
gain additional functionality.

This was in the Orion 1.3 timeframe, almost a year ago, so my memory is a
little fuzzy, but give it a try.

Andre
-----Original Message-----
From: Aaron Tavistock [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 7:21 PM
To: Orion-Interest
Subject: RE: j_security_check
I've not tried this but I doubt it will work.

1. Since this is dubbed 'Container based authentication' in the J2EE spec,
and you're posting from outside the container, I would guess it won't work.
2. Since you are not authenticated when you are trying to post, the
container should attempt to do the authentication (e.g. after you post you
will be prompted for authentication).
3. The 'j_security_check' form name is essentially an internally recognized
keyword, not a true form.
4. If you could post from another server it would make me (and probably
a lot of other security-conscious people) feel uncomfortable. If you could
post from outside the container it would be a no-brainer to make a wrapper
and capture keystrokes when someone mistyped a URL (e.g. www.bakn.com
instead of www.bank.com) and the user would never notice. As it stands now,
it's a bit more difficult to spoof this interaction.
-----Original Message-----
From: Trujillo, Kris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 4:15 PM
To: Orion-Interest
Subject: j_security_check
Does anyone know if it is possible to post to "j_security_check" from an
external form? What I mean by external is a form that isn't the form
referenced in the web.xml as the form to show the user when they're not logged
in. I am hoping to be able to use a form on another server that will post to
the oc4j server for authentication and session establishment on the oc4j
server. Anybody attempted this?