Re: How to prevent direct access to login.jsp
I think there is another option that no one has mentioned yet :-P

When the login.jsp page is presented as part of the login process, there will be some standard request attributes containing the original requested page (I don't remember the names now, but you can find them in the servlet spec). They are used by the servlet container to redirect to the correct page once your login data is validated, and will not be present if you point to the page directly from the browser.

You can check for the existence of these attributes, and if they are not present redirect to your webapp homepage. This way, the correct login steps will be followed.

HTH,
Rodrigo Ruiz

Adam Hardy wrote:
> On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
> > I realized that my user can mess himself up by bookmarking the login page
> > he is asked to log in on. The login.jsp appears in the URL address in the
> > browser...
> >
> > Does anyone know how to avoid this? How do I block that URL for the user
> > and not for the server?
>
> Hi Yaakov,
> I think the best way to deal with this situation is to configure tomcat
> to catch the error status 403 or whatever it is and then serve up an
> error page with a calm, logical explanation of why they shouldn't do that.
>
> Or upgrade to tomcat 5.
>
> Adam

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
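Rodrigo's check, written out as an added example (this is not code from the thread, and the page path is an assumption). It assumes a Servlet 2.4 container that reaches the login page through a RequestDispatcher forward, which is what Tomcat 5 does: such a forward carries the javax.servlet.forward.request_uri attribute holding the originally requested URI, and a request typed or bookmarked in the browser never does. As Jon explains further down the thread, Tomcat 4.x redirects to the login page instead, so on Tomcat 4 this check would refuse every legitimate login as well and must not be used.

```jsp
<%-- Assumed location: /WEB-INF/jsp/login.jsp (added example, not from the original thread). --%>
<%@ page contentType="text/html" session="true" %>
<%
    // Present only when the container forwarded to this page (Servlet 2.4 forward attribute).
    // Bookmarked or hand-typed requests arrive without it.
    String forwardedFrom = (String) request.getAttribute("javax.servlet.forward.request_uri");
    if (forwardedFrom == null) {
        // Direct hit: there is no pending protected request to complete, so send the user
        // to the application home page rather than rendering a form that leads nowhere.
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + "/"));
        return;
    }
%>
<html>
<head><title>Log in</title></head>
<body>
  <p>Please log in to continue to <%= forwardedFrom %>.</p>
  <%-- Relative action: the container intercepts any URI ending in /j_security_check. --%>
  <form method="POST" action="j_security_check">
    <label>User name <input type="text" name="j_username"></label>
    <label>Password <input type="password" name="j_password"></label>
    <input type="submit" value="Log in">
  </form>
</body>
</html>
```

The same page can serve as the form-error-page, because Tomcat 5 forwards to that page too and the attribute is present; the `return` leaves the JSP's generated service method before any HTML is written, so the redirect is the only thing the browser receives.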
Re: How to prevent direct access to login.jsp
Sure

On 12/09/2003 02:52 PM Chaikin, Yaakov Y (US SSA) wrote:
> Tomcat 5 is a stable release now?
>
> Yaakov Chaikin
> Software Engineer
> BAE SYSTEMS
> 301-838-6899 (phone)
> 301-838-6802 (fax)
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Adam Hardy [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 09, 2003 5:10 AM
> > To: Tomcat Users List
> > Subject: Re: How to prevent direct access to login.jsp
> >
> > On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
> > > I realized that my user can mess himself up by bookmarking the login page
> > > he is asked to log in on. The login.jsp appears in the URL address in the
> > > browser...
> > >
> > > Does anyone know how to avoid this? How do I block that URL for the user
> > > and not for the server?
> >
> > Hi Yaakov,
> > I think the best way to deal with this situation is to configure tomcat
> > to catch the error status 403 or whatever it is and then serve up an
> > error page with a calm, logical explanation of why they shouldn't do that.
> >
> > Or upgrade to tomcat 5.
> >
> > Adam

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
RE: How to prevent direct access to login.jsp
Tom,

You are confusing programmatic security with declarative. Yes, it's a piece of cake with programmatic security since YOU are doing all the work. However, unless your application requires it for some special reason, there is no need for programmatic security.

Thanks for trying though.

Yaakov Chaikin
Software Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]

> -----Original Message-----
> From: Tom Holmes Jr. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 08, 2003 8:35 PM
> To: Tomcat Users List
> Subject: Re: How to prevent direct access to login.jsp
>
> I realize that you're asking if there is a Tomcat-configurable solution to
> this problem but that isn't the best way to handle this in the Java world.
>
> The Tomcat-configurable way might be to force a directory (or web-app) to
> force a new hit to the server instead of allowing the page to be cached in
> the browser. I'm not sure how you do this, but I am sure someone does.
>
> There is also a way to put a directive in the JSP page that forces it to
> refresh every time the page is hit ... there's a way to do it, but I've
> since forgotten. Yeah, I know, I am just so full of information.
>
> My personal best way to solve this is to use Servlets ... if my user goes to
> my login.jsp page, that's fine ... when they submit though it goes to a
> Login Servlet which does all the work and then re-directs to the login.jsp
> page with errors or failed validation. The Servlet uses a javabean to query
> the database, and if all is well, then the servlet redirects to the web-site
> itself. The Login Servlet also sets a user object in session ... so that if
> a user tries to bookmark a URL ... if the user object doesn't exist (because
> of timing out, or whatever), then I redirect them back to the login.jsp.
>
> I know a lot of people don't like that because they have server farms and
> the user has to be re-directed back to the same machine and objects in
> session take up system memory. But, I don't put a lot into that object,
> it's very minimal, and I don't get many users for it to be an issue, and I
> bumped up the memory on that web-server anyway.
>
> Hope this helps. Thanks.
>
> Tom
>
> ----- Original Message -----
> From: "Chaikin, Yaakov Y (US SSA)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, December 08, 2003 5:59 PM
> Subject: How to prevent direct access to login.jsp
>
> Hi,
>
> I realized that my user can mess himself up by bookmarking the login page
> he is asked to log in on. The login.jsp appears in the URL address in the
> browser...
>
> Does anyone know how to avoid this? How do I block that URL for the user
> and not for the server?
>
> Thanks.
>
> Yaakov Chaikin
> Software Engineer
> BAE SYSTEMS
> 301-838-6899 (phone)
> 301-838-6802 (fax)
> [EMAIL PROTECTED]
Re: How to prevent direct access to login.jsp
I realize that you're asking if there is a Tomcat-configurable solution to this problem but that isn't the best way to handle this in the Java world.

The Tomcat-configurable way might be to force a directory (or web-app) to force a new hit to the server instead of allowing the page to be cached in the browser. I'm not sure how you do this, but I am sure someone does.

There is also a way to put a directive in the JSP page that forces it to refresh every time the page is hit ... there's a way to do it, but I've since forgotten. Yeah, I know, I am just so full of information.

My personal best way to solve this is to use Servlets ... if my user goes to my login.jsp page, that's fine ... when they submit though it goes to a Login Servlet which does all the work and then re-directs to the login.jsp page with errors or failed validation. The Servlet uses a javabean to query the database, and if all is well, then the servlet redirects to the web-site itself. The Login Servlet also sets a user object in session ... so that if a user tries to bookmark a URL ... if the user object doesn't exist (because of timing out, or whatever), then I redirect them back to the login.jsp.

I know a lot of people don't like that because they have server farms and the user has to be re-directed back to the same machine and objects in session take up system memory. But, I don't put a lot into that object, it's very minimal, and I don't get many users for it to be an issue, and I bumped up the memory on that web-server anyway.

Hope this helps. Thanks.

Tom

----- Original Message -----
From: "Chaikin, Yaakov Y (US SSA)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 08, 2003 5:59 PM
Subject: How to prevent direct access to login.jsp

> Hi,
>
> I realized that my user can mess himself up by bookmarking the login page
> he is asked to log in on. The login.jsp appears in the URL address in the
> browser...
>
> Does anyone know how to avoid this? How do I block that URL for the user
> and not for the server?
>
> Thanks.
>
> Yaakov Chaikin
> Software Engineer
> BAE SYSTEMS
> 301-838-6899 (phone)
> 301-838-6802 (fax)
> [EMAIL PROTECTED]
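The servlet-based flow Tom describes, as an added example (not Tom's code or code from the thread). It assumes a UserDao.authenticate(username, password) that returns a small User object or null, a form at /WEB-INF/jsp/login.jsp, and /home as the landing page; all of those names are assumptions. Two things differ from Tom's description on purpose: the filter forwards to the form instead of redirecting, so the browser never sees the form's URL, and the servlet invalidates the pre-login session before storing the user, so a session id planted before login cannot be promoted to an authenticated one.

```java
// Added example of Tom's programmatic login flow; not code from the thread.
// Assumed: UserDao.authenticate(user, pass) returns a minimal User or null,
// the form is at /WEB-INF/jsp/login.jsp, /home is the post-login landing page.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// ---- LoginServlet.java: receives the POST from the login form ----
public class LoginServlet extends HttpServlet {
    /** Session key under which the minimal user object is kept. */
    public static final String USER_KEY = "user";
    /** Form location under WEB-INF: reachable by forward, never by a direct request. */
    public static final String LOGIN_FORM = "/WEB-INF/jsp/login.jsp";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // A GET (bookmark, back button) simply shows the form; the URL stays on this servlet.
        req.getRequestDispatcher(LOGIN_FORM).forward(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        User user = UserDao.authenticate(req.getParameter("username"),
                                         req.getParameter("password"));
        if (user == null) {
            // Failed validation: re-render the form with an error; no redirect, no URL change.
            req.setAttribute("error", "Invalid username or password");
            req.getRequestDispatcher(LOGIN_FORM).forward(req, resp);
            return;
        }
        // Drop the pre-login session so an attacker-supplied id is not promoted
        // to an authenticated session (session fixation), then store the user.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_KEY, user);
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/home"));
    }
}

// ---- AuthFilter.java: mapped to the protected URL space (for example /secure/*) ----
public class AuthFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(LoginServlet.USER_KEY) == null) {
            // Not logged in, or the session timed out: show the form by forwarding, so the
            // browser keeps the URL it asked for and the form's location is never exposed.
            req.getRequestDispatcher(LoginServlet.LOGIN_FORM).forward(req, resp);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The form must post to the LoginServlet's own mapping rather than to j_security_check, since the container's FORM authenticator is not involved in this flow; the filter is what enforces the check, so every protected url-pattern must be covered by its filter-mapping.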
RE: How to prevent direct access to login.jsp
Tomcat 5 is a stable release now?

Yaakov Chaikin
Software Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]

> -----Original Message-----
> From: Adam Hardy [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 09, 2003 5:10 AM
> To: Tomcat Users List
> Subject: Re: How to prevent direct access to login.jsp
>
> On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
> > I realized that my user can mess himself up by bookmarking the login page
> > he is asked to log in on. The login.jsp appears in the URL address in the
> > browser...
> >
> > Does anyone know how to avoid this? How do I block that URL for the user
> > and not for the server?
>
> Hi Yaakov,
> I think the best way to deal with this situation is to configure tomcat
> to catch the error status 403 or whatever it is and then serve up an
> error page with a calm, logical explanation of why they shouldn't do that.
>
> Or upgrade to tomcat 5.
>
> Adam
Re: How to prevent direct access to login.jsp
You could create a mapping for login.jsp that points to an error page from your web.xml descriptor. Then you will only be able to get to login.jsp with server-side forwards.

On Tuesday 09 December 2003 05:33 am, you wrote:
> I had this exact problem some time ago.
>
> You might search the archive for the subject line I used:
>
> j_security_check - Bookmarking the login page. A teaser!
>
> The problem was solved for me then.
>
> Andoni.
>
> ----- Original Message -----
> From: "Chaikin, Yaakov Y (US SSA)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, December 08, 2003 10:59 PM
> Subject: How to prevent direct access to login.jsp
>
> Hi,
>
> I realized that my user can mess himself up by bookmarking the login page
> he is asked to log in on. The login.jsp appears in the URL address in the
> browser...
>
> Does anyone know how to avoid this? How do I block that URL for the user
> and not for the server?
>
> Thanks.
>
> Yaakov Chaikin
> Software Engineer
> BAE SYSTEMS
> 301-838-6899 (phone)
> 301-838-6802 (fax)
> [EMAIL PROTECTED]
Re: How to prevent direct access to login.jsp
I had this exact problem some time ago.

You might search the archive for the subject line I used:

j_security_check - Bookmarking the login page. A teaser!

The problem was solved for me then.

Andoni.

----- Original Message -----
From: "Chaikin, Yaakov Y (US SSA)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 08, 2003 10:59 PM
Subject: How to prevent direct access to login.jsp

> Hi,
>
> I realized that my user can mess himself up by bookmarking the login page
> he is asked to log in on. The login.jsp appears in the URL address in the
> browser...
>
> Does anyone know how to avoid this? How do I block that URL for the user
> and not for the server?
>
> Thanks.
>
> Yaakov Chaikin
> Software Engineer
> BAE SYSTEMS
> 301-838-6899 (phone)
> 301-838-6802 (fax)
> [EMAIL PROTECTED]
Re: How to prevent direct access to login.jsp
On 12/08/2003 11:59 PM Chaikin, Yaakov Y (US SSA) wrote:
> I realized that my user can mess himself up by bookmarking the login page
> he is asked to log in on. The login.jsp appears in the URL address in the
> browser...
>
> Does anyone know how to avoid this? How do I block that URL for the user
> and not for the server?

Hi Yaakov,
I think the best way to deal with this situation is to configure tomcat to catch the error status 403 or whatever it is and then serve up an error page with a calm, logical explanation of why they shouldn't do that.

Or upgrade to tomcat 5.

Adam
Re: How to prevent direct access to login.jsp
Tomcat 4.0.x, 4.1.x does a redirect to the login page specified in the web.xml. Tomcat 5 does a forward, so the login page url never reaches the browser.

There are a number of workarounds/hacks in the archives for tc4, eg the thread "j_security_check - Bookmarking the login page. A teaser!"

Jon

Jacob Kjome wrote:
> At 01:54 AM 12/9/2003 -0500, you wrote:
> > > Put the file in something like WEB-INF/jsp/login.jsp. Then either
> > > configure form-based authentication for the path to that JSP
> >
> > I tried doing that, but when I specified /WEB-INF/jsp/login.html in
> >
> >   <login-config>
> >     <auth-method>FORM</auth-method>
> >     <form-login-config>
> >       <form-login-page>/WEB-INF/jsp/login.html</form-login-page>
> >       <form-error-page>/WEB-INF/jsp/loginError.html</form-error-page>
> >     </form-login-config>
> >   </login-config>
> >
> > the server tried to actually put that into the URL of the browser! Am I
> > doing something wrong?
>
> Hmm... haven't used FORM auth in a while, but I thought the idea was to show
> the login file content at the requested URL, not the actual location of the
> login form page. What version of Tomcat are you using? Maybe I'm
> misremembering what expected behavior is.
>
> > I can't really do your second option since I am not using struts. I am
> > using a much simpler custom MVC package that doesn't support things like
> > this very easily.
>
> It is a simple RequestDispatcher.forward() call to the form page. The
> forward will not force the browser to display another URL like a redirect
> would. Any MVC framework should support this. It is part of the servlet spec.
>
> > Would you be able to explain to me what I am doing wrong or how to set up
> > your first option?
>
> Try searching the list or look at the Tomcat docs for FORM Auth
> configuration and expected behavior. I'd be surprised if the behavior you
> are seeing currently is expected.
>
> > Thanks,
> > Yaakov.
>
> Jake
RE: How to prevent direct access to login.jsp
At 01:54 AM 12/9/2003 -0500, you wrote:
> > Put the file in something like WEB-INF/jsp/login.jsp. Then either
> > configure form-based authentication for the path to that JSP
>
> I tried doing that, but when I specified /WEB-INF/jsp/login.html in
>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/WEB-INF/jsp/login.html</form-login-page>
>       <form-error-page>/WEB-INF/jsp/loginError.html</form-error-page>
>     </form-login-config>
>   </login-config>
>
> the server tried to actually put that into the URL of the browser! Am I
> doing something wrong?

Hmm... haven't used FORM auth in a while, but I thought the idea was to show the login file content at the requested URL, not the actual location of the login form page. What version of Tomcat are you using? Maybe I'm misremembering what expected behavior is.

> I can't really do your second option since I am not using struts. I am
> using a much simpler custom MVC package that doesn't support things like
> this very easily.

It is a simple RequestDispatcher.forward() call to the form page. The forward will not force the browser to display another URL like a redirect would. Any MVC framework should support this. It is part of the servlet spec.

> Would you be able to explain to me what I am doing wrong or how to set up
> your first option?

Try searching the list or look at the Tomcat docs for FORM Auth configuration and expected behavior. I'd be surprised if the behavior you are seeing currently is expected.

> Thanks,
> Yaakov.

Jake
RE: How to prevent direct access to login.jsp
> Put the file in something like WEB-INF/jsp/login.jsp. Then either
> configure form-based authentication for the path to that JSP

I tried doing that, but when I specified /WEB-INF/jsp/login.html in

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/jsp/login.html</form-login-page>
      <form-error-page>/WEB-INF/jsp/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

the server tried to actually put that into the URL of the browser! Am I doing something wrong?

I can't really do your second option since I am not using struts. I am using a much simpler custom MVC package that doesn't support things like this very easily.

Would you be able to explain to me what I am doing wrong or how to set up your first option?

Thanks,
Yaakov.
Re: How to prevent direct access to login.jsp
Put the file in something like WEB-INF/jsp/login.jsp. Then either configure form-based authentication for the path to that JSP or have your MVC framework serve up that JSP page upon access to a protected resource. The "back" button will never know the exact location of the page.

Jake

At 05:59 PM 12/8/2003 -0500, you wrote:
> Hi,
>
> I realized that my user can mess himself up by bookmarking the login page
> he is asked to log in on. The login.jsp appears in the URL address in the
> browser...
>
> Does anyone know how to avoid this? How do I block that URL for the user
> and not for the server?
>
> Thanks.
>
> Yaakov Chaikin
> Software Engineer
> BAE SYSTEMS
> 301-838-6899 (phone)
> 301-838-6802 (fax)
> [EMAIL PROTECTED]
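Jake's first option written out as an added example of the declarative configuration (not from the thread or from the Tomcat documentation; the paths, the /secure/* pattern and the role name are assumptions). These elements go inside the existing web-app element, with error-page ahead of security-constraint to satisfy the 2.3 DTD ordering. The form and its error page sit under WEB-INF, where the container can forward to them but any direct browser request is refused, and the 403 and 404 responses get the calm explanation page Adam suggests. This relies on a container that forwards to the login page, which Jon's post further down identifies as Tomcat 5; Tomcat 4.x redirects, so the browser would ask for /WEB-INF/... itself and get the 404, which is the behaviour Yaakov reports.

```xml
<!-- Added example web.xml fragment; not from the thread. Paths, URL patterns and
     the role name are assumptions. Needs a container that forwards to the login
     page (Tomcat 5 / Servlet 2.4); Tomcat 4 redirects and the WEB-INF path 404s. -->

<!-- Friendly pages instead of the container's default 403/404 bodies. Locations
     under WEB-INF are fine here: error pages are reached by forward as well. -->
<error-page>
  <error-code>403</error-code>
  <location>/WEB-INF/jsp/forbidden.jsp</location>
</error-page>
<error-page>
  <error-code>404</error-code>
  <location>/WEB-INF/jsp/notFound.jsp</location>
</error-page>

<!-- Everything under /secure/ requires an authenticated user in role "user". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- The login form and its error page live under WEB-INF: the FORM authenticator
     forwards to them, but a bookmarked /WEB-INF/jsp/login.jsp request is always
     refused by the container, so there is no reachable URL to bookmark. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/jsp/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/jsp/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

If the form has to stay at a browser-visible path such as /login.jsp, the variant described later in the thread (a mapping that makes the page reachable only by server-side forward) can be expressed the same way: a second security-constraint whose url-pattern is /login.jsp and whose auth-constraint is empty. Security constraints are enforced only on the request as it enters the container, not on a RequestDispatcher forward, so a direct request gets the 403 page while the authenticator's forward still renders the form.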
How to prevent direct access to login.jsp
Hi,

I realized that my user can mess himself up by bookmarking the login page he is asked to log in on. The login.jsp appears in the URL address in the browser...

Does anyone know how to avoid this? How do I block that URL for the user and not for the server?

Thanks.

Yaakov Chaikin
Software Engineer
BAE SYSTEMS
301-838-6899 (phone)
301-838-6802 (fax)
[EMAIL PROTECTED]