RE: Form based security and Remember Me
Here's how I've done it. First of all, I don't use j_security_check as my action, but rather auth/, which maps to a LoginServlet. That servlet does some other things, but here's the relevant code. The StringUtil.encodeString(password) method changes the cookie to be base64 encrypted. Not a very good encryption, but better than nothing.

LoginServlet.java
=================

    String username = request.getParameter("j_username").toLowerCase();
    String password = request.getParameter("j_password");

    if (request.getParameter("rememberMe") != null) {
        response = RequestUtil.setCookie(response, "rememberMe", "true", false);
        response = RequestUtil.setCookie(response, "password",
                                         StringUtil.encodeString(password), false);
    }

    String req = "j_security_check?j_username=" + RequestUtils.encodeURL(username)
               + "&j_password=" + RequestUtils.encodeURL(password);

    response.sendRedirect(response.encodeRedirectURL(req));

Then I have a filter mapped to /* and it has the following code:

    Cookie rememberMe = RequestUtil.getCookie(request, "rememberMe");
    Cookie passCookie = RequestUtil.getCookie(request, "password");
    String password = (passCookie != null)
        ? URLDecoder.decode(passCookie.getValue(), "UTF-8") : null;

    // <form-error-page>/login.jsp?error=true</form-error-page>
    boolean authFailed = StringUtils.equals(request.getParameter("error"), "true");

    // check to see if the user is logging out, if so, remove the
    // rememberMe cookie and password Cookie
    if ((request.getRequestURL().indexOf("logout") != -1) || authFailed) {
        if (log.isDebugEnabled()) {
            log.debug("deleting rememberMe-related cookies");
        }

        response = RequestUtil.deleteCookie(response,
                                            RequestUtil.getCookie(request, "rememberMe"));
        response = RequestUtil.deleteCookie(response, passCookie);
    }

    if ((request.getRequestURL().indexOf("login") != -1) && !authFailed) {
        // Check to see if we should automatically login the user
        // container is routing user to login page, check for remember me cookie
        Cookie userCookie = RequestUtil.getCookie(request, "username");
        // null-check the cookie that is dereferenced on the next line
        String username = (userCookie != null)
            ? URLDecoder.decode(userCookie.getValue(), "UTF-8") : null;

        if ((rememberMe != null) && (password != null)) {
            // authenticate user without displaying login page
            String route = "j_security_check?j_username=" + username
                         + "&j_password=" + StringUtil.decodeString(password);

            if (log.isDebugEnabled()) {
                log.debug("I remember you '" + username
                          + "', attempting authentication...");
            }

            response.sendRedirect(response.encodeRedirectURL(route));
            return;
        }
    }

    chain.doFilter(req, resp);

This has been working great for me, but I've only tested it on Tomcat.

HTH,

Matt

-----Original Message-----
From: John Trollinger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 1:12 PM
To: [EMAIL PROTECTED]
Subject: Form based security and Remember Me

I searched the archive and only saw one message pertaining to this.

Is anyone doing this at all? And if so how?

Thanks,

John
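An alternative to keeping the password in a cookie, as an added example that is not part of the post above or of Tomcat: the cookie carries a random single-use token and the server stores only its SHA-256 hash, so nothing in the browser can be turned back into the password. The class name RememberMeTokens, the in-memory map (standing in for a database table) and the sample values are assumptions; main() first shows that a Base64 value decodes without any key, because Base64 is an encoding rather than a cipher.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (Java 16+): hypothetical class, not code from the thread.
public class RememberMeTokens {
    private record Entry(String username, byte[] validatorHash) {}
    private static final SecureRandom RNG = new SecureRandom();
    // selector -> entry; stands in for a database table with an expiry column
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    private static String random(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Cookie value is "selector:validator"; only the validator's hash is stored.
    public String issue(String username) throws Exception {
        String selector = random(12), validator = random(32);
        store.put(selector, new Entry(username, sha256(validator)));
        return selector + ":" + validator;
    }

    // Returns the remembered username, or null. A token is removed when presented,
    // so the caller issues a fresh one after a successful redeem.
    public String redeem(String cookieValue) throws Exception {
        String[] p = (cookieValue == null) ? new String[0] : cookieValue.split(":", 2);
        if (p.length != 2) return null;
        Entry e = store.remove(p[0]);
        if (e == null) return null;
        // MessageDigest.isEqual compares in constant time
        return MessageDigest.isEqual(e.validatorHash(), sha256(p[1])) ? e.username() : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value: what a Base64 "password" cookie gives back to its holder.
        String cookie = Base64.getEncoder().encodeToString("s3cret".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8));
        RememberMeTokens tokens = new RememberMeTokens();
        String value = tokens.issue("matt");
        // The second redeem of the same value fails: the record was removed on first use.
        System.out.println(tokens.redeem(value) + " / " + tokens.redeem(value));
    }
}
```

The block covers token handling only; how a redeemed username is turned into a container login is left to the application.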
Form based security and Remember Me
I searched the archive and only saw one message pertaining to this.

Is anyone doing this at all? And if so how?

Thanks,

John
RE: Form based security and Remember Me
Howdy,

I'm not doing this, and I'm one of those people who cleans their cache every time their browser is closed (12Ghosts auto wash is among the greatest tools I've ever seen for any computing purpose, ever), so Remember Me functionality doesn't typically work for me, but...

> Is anyone doing this at all? And if so how?

Assuming remember me is a checkbox, e.g.

    <input type="checkbox" name="rememberUser" value="true">Remember Me</input>

Then something like:

    String rememberUserString = request.getParameter("rememberUser");
    if ((rememberUserString != null) && (rememberUserString.equalsIgnoreCase("true"))) {
        // Create cookie
        Cookie userInfoCookie = new Cookie(...);
        response.addCookie(userInfoCookie);
    }

Then other pages in the app attempt to retrieve the cookie (using request.getCookies() and iterating through the cookies). You can retrieve the information in a fairly cross-browser, server-independent way.

You can also set attributes in the session (HttpSession.setAttribute("myUserName", username) or whatever) or do it in many other ways.

Yoav Shapira
Millennium ChemInformatics
RE: Form based security and Remember Me
But does this work with Form based authentication and realms... How do you let the realm know that the user is remembered so the login can be bypassed?

John

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 3:23 PM
To: Tomcat Users List
Subject: RE: Form based security and Remember Me

Howdy,

I'm not doing this, and I'm one of those people who cleans their cache every time their browser is closed (12Ghosts auto wash is among the greatest tools I've ever seen for any computing purpose, ever), so Remember Me functionality doesn't typically work for me, but...

> Is anyone doing this at all? And if so how?

Assuming remember me is a checkbox, e.g.

    <input type="checkbox" name="rememberUser" value="true">Remember Me</input>

Then something like:

    String rememberUserString = request.getParameter("rememberUser");
    if ((rememberUserString != null) && (rememberUserString.equalsIgnoreCase("true"))) {
        // Create cookie
        Cookie userInfoCookie = new Cookie(...);
        response.addCookie(userInfoCookie);
    }

Then other pages in the app attempt to retrieve the cookie (using request.getCookies() and iterating through the cookies). You can retrieve the information in a fairly cross-browser, server-independent way.

You can also set attributes in the session (HttpSession.setAttribute("myUserName", username) or whatever) or do it in many other ways.

Yoav Shapira
Millennium ChemInformatics
Re: Form based security and Remember Me
From: John Trollinger [EMAIL PROTECTED]
Sent: Thursday, February 20, 2003 12:31 PM
Subject: RE: Form based security and Remember Me

> But does this work with Form based authentication and realms... How do
> you let the realm know that the user is remembered so the login can be
> bypassed?

This was touched on before, but the basic problem is that a Servlet does not have a portable way of actually setting the authentication details necessary for you to do what you want to do.

What you want to do, essentially, is have a servlet do your authentication before in order to bypass the container's inherent authentication mechanism. But, the API doesn't let you do this.

Which means you have to implement all of your own security some other way. Which is a drag.

Regards,

Will Hartung
([EMAIL PROTECTED])
RE: Form based security and Remember Me
A thought (just started following the thread).

I can see a problem, in that the cookies may never get initialised because of the use of the checkbox. If the checkbox hasn't been selected, you'll always receive null from the form. Would suggest using a radio button instead, where the parameter will always return a value (null is definitely an error).

Hope this is relevant to the thread

Bill

-----Original Message-----
From: John Trollinger [mailto:[EMAIL PROTECTED]]
Sent: Friday, 21 February 2003 7:32 AM
To: 'Tomcat Users List'
Subject: RE: Form based security and Remember Me

But does this work with Form based authentication and realms... How do you let the realm know that the user is remembered so the login can be bypassed?

John

-----Original Message-----
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 3:23 PM
To: Tomcat Users List
Subject: RE: Form based security and Remember Me

Howdy,

I'm not doing this, and I'm one of those people who cleans their cache every time their browser is closed (12Ghosts auto wash is among the greatest tools I've ever seen for any computing purpose, ever), so Remember Me functionality doesn't typically work for me, but...

> Is anyone doing this at all? And if so how?

Assuming remember me is a checkbox, e.g.

    <input type="checkbox" name="rememberUser" value="true">Remember Me</input>

Then something like:

    String rememberUserString = request.getParameter("rememberUser");
    if ((rememberUserString != null) && (rememberUserString.equalsIgnoreCase("true"))) {
        // Create cookie
        Cookie userInfoCookie = new Cookie(...);
        response.addCookie(userInfoCookie);
    }

Then other pages in the app attempt to retrieve the cookie (using request.getCookies() and iterating through the cookies). You can retrieve the information in a fairly cross-browser, server-independent way.

You can also set attributes in the session (HttpSession.setAttribute("myUserName", username) or whatever) or do it in many other ways.

Yoav Shapira
Millennium ChemInformatics