RE: Form based security and Remember Me

2003-02-21 Thread Raible, Matt
Here's how I've done it -

First of all, I don't use j_security_check as my action, but rather
auth/ which maps to a LoginServlet.  That servlet does some other things,
but here's the relevant code.  The StringUtil.encodeString(password) method
changes the cookie to be base64 encrypted.  Not a very good encryption, but
better than nothing.

LoginServlet.java
=

String username = request.getParameter("j_username").toLowerCase();
String password = request.getParameter("j_password");

if (request.getParameter("rememberMe") != null) {
    response =
        RequestUtil.setCookie(response, "rememberMe", "true", false);
    response =
        RequestUtil.setCookie(response, "password",
                              StringUtil.encodeString(password),
                              false);
}

String req =
    "j_security_check?j_username=" + RequestUtils.encodeURL(username)
    + "&j_password=" + RequestUtils.encodeURL(password);

response.sendRedirect(response.encodeRedirectURL(req));


Then I have a filter mapped to /* and it has the following code:

Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
Cookie passCookie = RequestUtil.getCookie(request, "password");
String password =
    (passCookie != null)
    ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

// <form-error-page>/login.jsp?error=true</form-error-page>
boolean authFailed =
    StringUtils.equals(request.getParameter("error"), "true");

// check to see if the user is logging out, if so, remove the
// rememberMe cookie and password Cookie
if ((request.getRequestURL().indexOf("logout") != -1) || authFailed) {
    if (log.isDebugEnabled()) {
        log.debug("deleting rememberMe-related cookies");
    }

    response =
        RequestUtil.deleteCookie(response,
                                 RequestUtil.getCookie(request,
                                                       "rememberMe"));
    response = RequestUtil.deleteCookie(response, passCookie);
}

if ((request.getRequestURL().indexOf("login") != -1) && !authFailed) {
    // Check to see if we should automatically login the user
    // container is routing user to login page, check for remember me cookie
    Cookie userCookie = RequestUtil.getCookie(request, "username");
    // guard on the cookie actually being read, not on passCookie
    String username =
        (userCookie != null)
        ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

    if ((rememberMe != null) && (username != null) && (password != null)) {
        // authenticate user without displaying login page
        String route =
            "j_security_check?j_username=" + username
            + "&j_password=" + StringUtil.decodeString(password);

        if (log.isDebugEnabled()) {
            log.debug("I remember you '" + username
                      + "', attempting authentication...");
        }

        response.sendRedirect(response.encodeRedirectURL(route));

        return;
    }
}

chain.doFilter(req, resp);

This has been working great for me, but I've only tested it on Tomcat.

HTH,

Matt


 -Original Message-
 From: John Trollinger [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 20, 2003 1:12 PM
 To: [EMAIL PROTECTED]
 Subject: Form based security and Remember Me
 
 
 I searched the archive and only saw one message pertaining to this.
 
 Is anyone doing this at all?  And if so how?
 
 Thanks,
 
 John
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 


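Added example, not Matt's code and not part of Tomcat: the same remember-me cookie flow, but the cookie carries an HMAC-signed, expiring token (username plus expiry) instead of a base64-encoded password, so a copied or edited cookie cannot reveal the password, cannot be altered without detection, and stops working after the expiry. The class name, the token layout and the placeholder key are assumptions; the filter would still have to map the verified username onto the container's login, which this helper does not do.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper. Cookie value layout (assumed, not Matt's):
//   base64url(username) "." expiryMillis "." base64url(HMAC-SHA256(key, base64url(username) "." expiryMillis))
public class RememberMeToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private static byte[] sign(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Build the cookie value for a user, valid until expiryMillis (epoch time).
    public static String issue(byte[] key, String username, long expiryMillis) throws Exception {
        String user64 = ENC.encodeToString(username.getBytes(StandardCharsets.UTF_8));
        String payload = user64 + "." + expiryMillis;
        return payload + "." + ENC.encodeToString(sign(key, payload));
    }

    // Returns the username when the token is well-formed, unexpired and correctly signed, else null.
    public static String verify(byte[] key, String token, long nowMillis) throws Exception {
        if (token == null) return null;
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (nowMillis > expiry) return null;           // expired: treat like no cookie at all
        byte[] expected = sign(key, parts[0] + "." + parts[1]);
        byte[] given;
        try { given = DEC.decode(parts[2]); } catch (IllegalArgumentException e) { return null; }
        // constant-time comparison so a forged signature cannot be confirmed byte by byte
        if (!MessageDigest.isEqual(expected, given)) return null;
        return new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "PLACEHOLDER-replace-with-random-server-secret".getBytes(StandardCharsets.UTF_8);
        long now = System.currentTimeMillis();
        String token = issue(key, "matt", now + 14L * 24 * 3600 * 1000);  // two-week cookie
        String[] p = token.split("\\.");
        String tampered = "Ym9i." + p[1] + "." + p[2];                      // username swapped to "bob"
        System.out.println("valid:    " + verify(key, token, now));
        System.out.println("tampered: " + verify(key, tampered, now));
        System.out.println("expired:  " + verify(key, token, now + 15L * 24 * 3600 * 1000));
    }
}
```

In the filter this replaces the password cookie: issue() at login when the box is ticked, verify() where Matt's code reads passCookie, and delete the cookie on logout exactly as before.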




Form based security and Remember Me

2003-02-20 Thread John Trollinger
I searched the archive and only saw one message pertaining to this.

Is anyone doing this at all?  And if so how?

Thanks,

John






RE: Form based security and Remember Me

2003-02-20 Thread Shapira, Yoav

Howdy,
I'm not doing this, and I'm one of those people who cleans their cache
every time their browser is closed (12Ghosts auto wash is among the
greatest tools I've ever seen for any computing purpose, ever), so
Remember Me functionality doesn't typically work for me, but...

Is anyone doing this at all?  And if so how?

Assuming remember me is a checkbox, e.g.
<input type="checkbox" name="rememberUser" value="true"> Remember Me

Then something like:
String rememberUserString = request.getParameter("rememberUser");
if ((rememberUserString != null)
    && (rememberUserString.equalsIgnoreCase("true"))) {
    // Create cookie
    Cookie userInfoCookie = new Cookie(...);
    response.addCookie(userInfoCookie);
}

Then other pages in the app attempt to retrieve the cookie (using
request.getCookies() and iterating through the cookies).  You can
retrieve the information in a fairly cross-browser, server-independent
way.

You can also set attributes in the session
(HttpSession.setAttribute("myUserName", username) or whatever) or do it
in many other ways.

Yoav Shapira
Millennium ChemInformatics




This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.






RE: Form based security and Remember Me

2003-02-20 Thread John Trollinger
But does this work with Form based authentication and realms... How do
you let the realm know that the user remembered so the login can be
bypassed?

John







Re: Form based security and Remember Me

2003-02-20 Thread Will Hartung
 From: John Trollinger [EMAIL PROTECTED]
 Sent: Thursday, February 20, 2003 12:31 PM
 Subject: RE: Form based security and Remember Me


 But does this work with Form based authentication and realms... How do
 you let the realm know that the user remembered so the login can be
 bypassed?

This was touched on before, but the basic problem is that a Servlet does not
have a portable way of actually setting the authentication details necessary
for you to do what you want to do.

What you want to do, essentially, is have a servlet do your authentication
beforehand in order to bypass the container's inherent authentication mechanism.
But, the API doesn't let you do this.

Which means you have to implement all of your own security some other way.

Which is a drag.

Regards,

Will Hartung
([EMAIL PROTECTED])








RE: Form based security and Remember Me

2003-02-20 Thread Bill Lunnon
A thought (just started following the thread).

I can see a problem, in that the cookies may never get initialised because
of the use of the checkbox. If the checkbox hasn't been selected, you'll
always receive null from the form.

Would suggest using a radio button instead, where the parameter will always
return a value (null is definitely an error).

Hope this is relevant to the thread

Bill

-Original Message-
From: John Trollinger [mailto:[EMAIL PROTECTED]]
Sent: Friday, 21 February 2003 7:32 AM
To: 'Tomcat Users List'
Subject: RE: Form based security and Remember Me


But does this work with Form based authentication and realms... How do
you let the realm know that the user remembered so the login can be
bypassed?

John


