Re: servlet sendRedirect() to j_security_check problem (remember me)
You've probably got it fixed by now but... I think all you need to do is add this before executing the post:

    authPost.setFollowRedirects(true);

As memory serves, I think it only follows up to a set maximum number of redirects (in an attempt to prevent infinite loops). It's been a while since I dug around the HttpClient code so I can't remember if that value is configurable.

HTH,

Jon

Chris Ward wrote:
> Tomcat-Users (Cc: Matt/Adam),
>
> I've just tried doing a redirect to j_security_check using the commons package org.apache.commons.httpclient. The error I get from the code is
>
>     [INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled
>     statusCode : 302
>
> Any clues given my code below (which is more than a bit similar to Matt's ;o) )
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> import org.apache.commons.httpclient.HttpClient;
> import org.apache.commons.httpclient.NameValuePair;
> import org.apache.commons.httpclient.methods.PostMethod;
>
> static private final String authURL = "j_security_check";
>
> <snip>
>
> HttpClient client = new HttpClient();
> client.getHostConfiguration().setHost( request.getServerName(),
>                                        request.getServerPort(),
>                                        request.getScheme() );
> PostMethod authPost = new PostMethod( request.getContextPath() + "/" + authURL );
> NameValuePair user = new NameValuePair( "j_username", username );
> NameValuePair pass = new NameValuePair( "j_password", password );
> authPost.setRequestBody( new NameValuePair[] { user, pass } );
> client.executeMethod(authPost);
> authPost.releaseConnection();
> int statusCode = authPost.getStatusCode();
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> I think I've either got the authURL wrong or I need to do something in web.xml. Any light cast on this would be great.
>
> Many thanks as always,
>
> Chris
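The other way to deal with the 302 Chris is seeing is to leave redirect following off and read the response yourself. The class below is an added example, not code from Jon, Chris or Matt, and not from AppFuse; the HttpClient calls are the ones in Chris's snippet plus `getResponseHeader`, and commons-httpclient 2.x/3.x does not automatically follow a redirect for a `PostMethod` anyway. The classification rule (labelled in the code) is an assumption about Tomcat-style form login: success is a 302 back to the originally requested page, failure renders the form-error-page with a non-302 status. Only the status and the redirect target are logged, never the request body, and the `https` check picks up Adam's point later in the thread that this POST leaves the servlet like any other request.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.PostMethod;

/**
 * Added example (hypothetical helper, not from the thread): POST the credentials
 * to j_security_check server-side, keep HttpClient's redirect following off and
 * classify the container's answer by hand. Written against Java 1.4 / HttpClient 2.x.
 */
public class ContainerLogin {

    private static final Logger LOG = Logger.getLogger(ContainerLogin.class.getName());
    private static final String AUTH_URL = "j_security_check";

    /** Outcome codes of the server-side login attempt (int constants keep this 1.4-compatible). */
    public static final int SUCCESS = 0;
    public static final int FAILURE = 1;
    public static final int UNEXPECTED = 2;

    public static int login(HttpServletRequest request, String username, String password)
            throws IOException {
        String scheme = request.getScheme();
        // The POST travels like any other HTTP request: over plain http the password is on the
        // wire in clear text, so say so loudly before doing it.
        if (!"https".equalsIgnoreCase(scheme)) {
            LOG.warning("j_security_check POST is not going over https; the password would be sent in clear");
        }

        HttpClient client = new HttpClient();
        client.getHostConfiguration().setHost(request.getServerName(), request.getServerPort(), scheme);

        PostMethod authPost = new PostMethod(request.getContextPath() + "/" + AUTH_URL);
        // Redirect following stays off: a POST must not be replayed blindly, and the 302
        // itself is the information we want to look at.
        authPost.setFollowRedirects(false);
        authPost.setRequestBody(new NameValuePair[] {
            new NameValuePair("j_username", username),
            new NameValuePair("j_password", password)
        });

        try {
            int status = client.executeMethod(authPost);
            Header location = authPost.getResponseHeader("Location");
            String target = (location == null) ? null : location.getValue();
            // Log the status and redirect target only; the request body (with the password) never is.
            LOG.info("j_security_check for '" + username + "' answered " + status
                     + (target == null ? "" : " -> " + target));
            return classify(status, target, request.getContextPath());
        } finally {
            authPost.releaseConnection();
        }
    }

    /**
     * Assumption (Tomcat-style form login): success is a 302 back into the application, to
     * the page originally requested; failure renders the form-error-page with a non-302
     * status. Kept separate from the I/O so it can be exercised without a container.
     */
    static int classify(int status, String location, String contextPath) {
        if (status == HttpStatus.SC_MOVED_TEMPORARILY) {
            return (location != null && location.indexOf(contextPath) >= 0) ? SUCCESS : UNEXPECTED;
        }
        if (status == HttpStatus.SC_OK) {
            return FAILURE;
        }
        return UNEXPECTED;
    }
}
```

`classify` is the part worth unit-testing: `classify(302, "http://host/appname/mainMenu.do", "/appname")` yields `SUCCESS`, `classify(200, null, "/appname")` yields `FAILURE`, and anything else (a 302 away from the application, a 500) is `UNEXPECTED` and should be treated as a failed login rather than guessed at. The session the user already holds is a separate concern this helper does not address: the container keys the saved request on the browser's session, so whether a server-side POST satisfies it depends on how the login servlet carries that session across, which the thread does not show.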
RE: servlet sendRedirect() to j_security_check problem (remember me)
Tomcat-Users (Cc: Matt/Adam),

I've just tried doing a redirect to j_security_check using the commons package org.apache.commons.httpclient. The error I get from the code is

    [INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled
    statusCode : 302

Any clues given my code below (which is more than a bit similar to Matt's ;o) )

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.PostMethod;

static private final String authURL = "j_security_check";

<snip>

HttpClient client = new HttpClient();
client.getHostConfiguration().setHost( request.getServerName(),
                                       request.getServerPort(),
                                       request.getScheme() );
PostMethod authPost = new PostMethod( request.getContextPath() + "/" + authURL );
NameValuePair user = new NameValuePair( "j_username", username );
NameValuePair pass = new NameValuePair( "j_password", password );
authPost.setRequestBody( new NameValuePair[] { user, pass } );
client.executeMethod(authPost);
authPost.releaseConnection();
int statusCode = authPost.getStatusCode();
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I think I've either got the authURL wrong or I need to do something in web.xml. Any light cast on this would be great.

Many thanks as always,

Chris

> It's standard container managed security stuff - I first invoke a protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is protected. Based on security constraints in web.xml, I'm presented with a form-login-page (login.jsp) - rather than having action="j_security_check" in this form, I have action="/security/authorize" - which is mapped to my own LoginServlet. In the LoginServlet, I encrypt the password (optionally based on an init-parameter), set some cookies and do an HTTP Post to j_security_check. Works on Tomcat 4-5 and Resin 3.x.
>
> Matt
Re: servlet sendRedirect() to j_security_check problem (remember me)
Sounds like a server configuration problem. I don't know where followRedirects is disabled, but it looks like it is somewhere.

Matt

On Dec 5, 2003, at 8:46 AM, Chris Ward wrote:
> Tomcat-Users (Cc: Matt/Adam),
>
> I've just tried doing a redirect to j_security_check using the commons package org.apache.commons.httpclient. The error I get from the code is
>
>     [INFO] HttpMethodBase - -Redirect requested but followRedirects is disabled
>     statusCode : 302
>
> Any clues given my code below (which is more than a bit similar to Matt's ;o) )
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> import org.apache.commons.httpclient.HttpClient;
> import org.apache.commons.httpclient.NameValuePair;
> import org.apache.commons.httpclient.methods.PostMethod;
>
> static private final String authURL = "j_security_check";
>
> <snip>
>
> HttpClient client = new HttpClient();
> client.getHostConfiguration().setHost( request.getServerName(),
>                                        request.getServerPort(),
>                                        request.getScheme() );
> PostMethod authPost = new PostMethod( request.getContextPath() + "/" + authURL );
> NameValuePair user = new NameValuePair( "j_username", username );
> NameValuePair pass = new NameValuePair( "j_password", password );
> authPost.setRequestBody( new NameValuePair[] { user, pass } );
> client.executeMethod(authPost);
> authPost.releaseConnection();
> int statusCode = authPost.getStatusCode();
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> I think I've either got the authURL wrong or I need to do something in web.xml. Any light cast on this would be great.
>
> Many thanks as always,
>
> Chris
Re: servlet sendRedirect() to j_security_check problem (remember me)
That's a fairly circuitous route for a login. I guess you do what you have to do though. I was wondering whether I could adapt it to allow an SSL login form to be used to login to non-SSL pages, but I think the httpClient would leave the j_security_check post in plain text on the net - unless it never leaves the server, but I'm not sure that would be possible.

Adam

On 12/04/2003 12:52 AM Matt Raible wrote:
> It's standard container managed security stuff - I first invoke a protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is protected. Based on security constraints in web.xml, I'm presented with a form-login-page (login.jsp) - rather than having action="j_security_check" in this form, I have action="/security/authorize" - which is mapped to my own LoginServlet. In the LoginServlet, I encrypt the password (optionally based on an init-parameter), set some cookies and do an HTTP Post to j_security_check. Works on Tomcat 4-5 and Resin 3.x.
>
> Matt

--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian
RE: servlet sendRedirect() to j_security_check problem (remember me)
Thanks for the extra info Matt (& Adam).

I'm going to try to continue with my login work next week - the newer version of Matt's Remember-me JSP/Servlet/Filter seems to have a lot going on in there. I feel a little daunted to be honest. But I shall play around with it some more.

Thanks again for all the good advice guys - I'll probably be in touch next week.

Best regards,

Chris

-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 4 December 2003 13:02
To: Tomcat Users List; Matt Raible
Subject: Re: servlet sendRedirect() to j_security_check problem (remember me)

> That's a fairly circuitous route for a login. I guess you do what you have to do though. I was wondering whether I could adapt it to allow an SSL login form to be used to login to non-SSL pages, but I think the httpClient would leave the j_security_check post in plain text on the net - unless it never leaves the server, but I'm not sure that would be possible.
>
> Adam
>
> --
> struts 1.1 + tomcat 5.0.16 + java 1.4.2
> Linux 2.4.20 Debian
servlet sendRedirect() to j_security_check problem
Dear all,

I'm implementing "remember me" login functionality using FORM authentication, a LoginServlet and a Filter. It's very much based on the code in an earlier posting to this list:

    From: Raible, Matt
    Subject: RE: Form based security and Remember Me
    Date: Fri, 21 Feb 2003 07:33:22 -0800

My set up works fine when my FORM uses j_security_check as its action, but using a redirect from a servlet seems to fail with a 403 error. I've debugged the servlet so I know it's getting to it and doing what I expect.

In the original mail, Matt's servlet call is...

- - - - - - - - - - - - - - - - - - - - - - - - - -
String username = request.getParameter("j_username").toLowerCase();
String password = request.getParameter("j_password");
...
String req = "j_security_check?j_username=" + RequestUtils.encodeURL(username)
           + "&j_password=" + RequestUtils.encodeURL(password);
response.sendRedirect(response.encodeRedirectURL(req));
- - - - - - - - - - - - - - - - - - - - - - - - - -

I don't have the RequestUtils.encodeURL() in my version.

a) Do I need them? - the html form seems to work even if the password field is plain text when the action is set to j_security_check.

b) Where do I get these methods? Aren't they somewhere in Struts? Do I really have to bring down all of that stuff?

For completeness here's my code...

- - - - - - - - - - - - - - - - - - - - - - - - - -
String req = "j_security_check?j_username=" + request.getParameter("j_username")
           + "&j_password=" + request.getParameter("j_password");
response.sendRedirect(response.encodeRedirectURL(req));
- - - - - - - - - - - - - - - - - - - - - - - - - -

Any help would be fantastic.

Best regards

Chris
RE: servlet sendRedirect() to j_security_check problem (remember me)
Chris,

I found your post at http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html and I'm cc'ing the list in case anyone else is interested in this info (I'm not subscribed).

I've actually improved the Remember Me feature a fair amount since I posted to the Tomcat User list. The sendRedirect works, however, it (in some browsers) puts the URL (with password) into the address bar. This isn't a big deal IMO since it's the user that just logged in and they don't mind seeing their own passwords. However, the URL tends to show up in server log files which can be a security hole. Because of this, I changed to using an HTTP Post with Jakarta Commons' HttpClient.

I also moved my form-login-page and form-error-page into a "security" folder and then set my cookies for the /appname/security path rather than "/" - this makes it so the user/pass cookies are more secure and can only be retrieved when logging in, rather than for any URL in the site.

That being said, I've updated one of my sample apps with these changes and you can download it if you'd like: http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse

Here's my updated LoginServlet that does an Http Post instead of a Get: http://tinyurl.com/xl80

HTH,

Matt

On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
> Hi Matt,
>
> Sorry for sending unsolicited email but I've been looking at some of your postings to Tomcat-User and wondered if I could ask a couple of questions. I've tried posting to the list but had no response from anyone there. Specifically, it's regarding your remember me login stuff.
>
> If this is a pain feel free to ignore this email.
>
> Best regards
>
> Chris
>
> p.s. My question to the list was under the subject "servlet sendRedirect() to j_security_check problem"
>
> --
> Chris Ward, Horizon Asset Limited
> mailto:[EMAIL PROTECTED]
> Tel +44 (20) 7367 7028, Fax 7367 7029
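Matt's point that the sendRedirect variant writes the password into the server log is easy to check for after the fact, and the log can be cleaned up without losing the rest of the entry. The class below is an added example, not code from the thread or from AppFuse: it scans constructed access-log lines (Tomcat's common log format is assumed) for the form-login fields in a query string and returns redacted copies of the lines that leaked. Note that the POST version leaves nothing to find, because the access log records the request line, not the body.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the thread: find access-log entries in which the
 * login credentials travelled in the URL and produce a copy that is safe to keep.
 * Written without generics so it compiles on the Java 1.4 mentioned in the thread.
 */
public class CredentialLogScan {

    // Captures "j_username=" or "j_password=" and matches the value up to the next
    // '&', whitespace or quote so that only the value is replaced.
    private static final Pattern CRED = Pattern.compile("(j_(?:username|password)=)[^&\\s\"]*");

    /** True when the line records a request that carried the form-login fields in its query string. */
    public static boolean leaksCredentials(String logLine) {
        return logLine.indexOf("j_security_check?") >= 0
            && (logLine.indexOf("j_password=") >= 0 || logLine.indexOf("j_username=") >= 0);
    }

    /** Replace the credential values with a fixed marker; the rest of the line is untouched. */
    public static String redact(String logLine) {
        Matcher m = CRED.matcher(logLine);
        return m.replaceAll("$1[REDACTED]");
    }

    /** Scan a set of lines and return the redacted form of every line that leaked. */
    public static List findAndRedact(String[] lines) {
        List hits = new ArrayList();
        for (int i = 0; i < lines.length; i++) {
            if (leaksCredentials(lines[i])) {
                hits.add(redact(lines[i]));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines in Tomcat's common log format, not real traffic.
        String[] lines = {
            "10.0.0.5 - - [03/Dec/2003:16:15:02 +0000] \"GET /appname/j_security_check?j_username=chris&j_password=s3cret HTTP/1.1\" 302 -",
            "10.0.0.5 - - [03/Dec/2003:16:15:03 +0000] \"GET /appname/mainMenu.do HTTP/1.1\" 200 4127",
            "10.0.0.7 - - [03/Dec/2003:16:20:11 +0000] \"POST /appname/j_security_check HTTP/1.1\" 302 -"
        };
        List hits = findAndRedact(lines);
        for (int i = 0; i < hits.size(); i++) {
            System.out.println(hits.get(i));
        }
    }
}
```

Run as written, only the first sample line is reported, with both `j_username` and `j_password` values replaced by `[REDACTED]`; the `mainMenu.do` line and the POST line pass through untouched. The same `leaksCredentials` check can sit in a log-shipping filter so that credential-bearing URLs are redacted before they reach long-term storage.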
Re: servlet sendRedirect() to j_security_check problem
Hi Chris,

I don't know whether that solution would ever work. I'm sure you can't post straight to j_security_check. Tomcat has to be aware that someone is trying to access a protected resource before it will invoke the login procedure.

Adam

On 12/03/2003 04:15 PM Chris Ward wrote:
> Dear all,
>
> I'm implementing "remember me" login functionality using FORM authentication, a LoginServlet and a Filter. It's very much based on the code in an earlier posting to this list:
>
>     From: Raible, Matt
>     Subject: RE: Form based security and Remember Me
>     Date: Fri, 21 Feb 2003 07:33:22 -0800
>
> My set up works fine when my FORM uses j_security_check as its action, but using a redirect from a servlet seems to fail with a 403 error. I've debugged the servlet so I know it's getting to it and doing what I expect.
>
> In the original mail, Matt's servlet call is...
>
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> String username = request.getParameter("j_username").toLowerCase();
> String password = request.getParameter("j_password");
> ...
> String req = "j_security_check?j_username=" + RequestUtils.encodeURL(username)
>            + "&j_password=" + RequestUtils.encodeURL(password);
> response.sendRedirect(response.encodeRedirectURL(req));
> - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> I don't have the RequestUtils.encodeURL() in my version.
>
> a) Do I need them? - the html form seems to work even if the password field is plain text when the action is set to j_security_check.
>
> b) Where do I get these methods? Aren't they somewhere in Struts? Do I really have to bring down all of that stuff?
>
> For completeness here's my code...
>
> - - - - - - - - - - - - - - - - - - - - - - - - - -
> String req = "j_security_check?j_username=" + request.getParameter("j_username")
>            + "&j_password=" + request.getParameter("j_password");
> response.sendRedirect(response.encodeRedirectURL(req));
> - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Any help would be fantastic.
>
> Best regards
>
> Chris

--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
Re: servlet sendRedirect() to j_security_check problem (remember me)
Matt, are you really managing to post a form to j_security_check without invoking it first, or is that some sort of black magic you've cooked up? Or have I just misunderstood what Chris said?

Adam

On 12/03/2003 09:24 PM Matt Raible wrote:
> Chris,
>
> I found your post at http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html and I'm cc'ing the list in case anyone else is interested in this info (I'm not subscribed).
>
> I've actually improved the Remember Me feature a fair amount since I posted to the Tomcat User list. The sendRedirect works, however, it (in some browsers) puts the URL (with password) into the address bar. This isn't a big deal IMO since it's the user that just logged in and they don't mind seeing their own passwords. However, the URL tends to show up in server log files which can be a security hole. Because of this, I changed to using an HTTP Post with Jakarta Commons' HttpClient.
>
> I also moved my form-login-page and form-error-page into a "security" folder and then set my cookies for the /appname/security path rather than "/" - this makes it so the user/pass cookies are more secure and can only be retrieved when logging in, rather than for any URL in the site.
>
> That being said, I've updated one of my sample apps with these changes and you can download it if you'd like: http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
>
> Here's my updated LoginServlet that does an Http Post instead of a Get: http://tinyurl.com/xl80
>
> HTH,
>
> Matt

--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
Re: servlet sendRedirect() to j_security_check problem (remember me)
It's standard container managed security stuff - I first invoke a protected URL - in index.jsp - I redirect to mainMenu.do - and *.do is protected. Based on security constraints in web.xml, I'm presented with a form-login-page (login.jsp) - rather than having action="j_security_check" in this form, I have action="/security/authorize" - which is mapped to my own LoginServlet. In the LoginServlet, I encrypt the password (optionally based on an init-parameter), set some cookies and do an HTTP Post to j_security_check. Works on Tomcat 4-5 and Resin 3.x.

Matt

On Dec 3, 2003, at 4:21 PM, Adam Hardy wrote:
> Matt, are you really managing to post a form to j_security_check without invoking it first, or is that some sort of black magic you've cooked up? Or have I just misunderstood what Chris said?
>
> Adam
>
> --
> struts 1.1 + tomcat 5.0.14 + java 1.4.2
> Linux 2.4.20 RH9