: Christopher Schultz
Sent: Sunday, March 17, 2024 10:57 AM
To: users@tomcat.apache.org
Subject: Re: [EXT]Re: 404 for j_security_check
[You don't often get email from ch...@christopherschultz.net. Learn why this is
important at https://aka.ms/LearnAboutSenderIdentification ]
Rick,
On 3/15/24 13:49
Sent: Sunday, March 17, 2024 10:57 AM
To: users@tomcat.apache.org
Subject: Re: [EXT]Re: 404 for j_security_check
[You don't often get email from ch...@christopherschultz.net. Learn why this is
important at https://aka.ms/LearnAboutSenderIdentification ]
Rick,
On 3/15/24 13:49, Rick Noel wrote
Sent: Friday, March 15, 2024 12:19 PM
To: users@tomcat.apache.org
Subject: [EXT]Re: 404 for j_security_check
[You don't often get email from ch...@christopherschultz.net. Learn why this is
important at https://aka.ms/LearnAboutSenderIdentification ]
Rick,
On 3/14/24 15:37, Rick Noel wrote
l
Systems Programmer | Westwood One
rn...@westwoodone.com
-Original Message-
From: Christopher Schultz
Sent: Friday, March 15, 2024 12:19 PM
To: users@tomcat.apache.org
Subject: [EXT]Re: 404 for j_security_check
[You don't often get email from ch...@christopherschultz.net. Learn wh
Rick,
On 3/14/24 15:37, Rick Noel wrote:
After moving from tomcat 9 to tomcat 10 after a user successfully
logs in and then hits a restricted page, the login page is hit again
but on this second login hit I get 404 page not found
This is actually expected, since j_security_check is only
After moving from tomcat 9 to tomcat 10after a user successfully logs in
and then hits a restricted page, the login page is hit again but on this
second login hit I get 404 page not found
How do I set the correct path in my login jsp so that j_security_check is
found?
BTW I actually
Recently, my web application has started having issues with the login
process.
I use Tomcat form authentication against a mysql database. That has been
working fine for years. But recently, there has been an increase in odd
behaviours, particularly getting stuck at the j_security_check page
Helge,
On 7/22/23 11:03, Wiemann, Helge (ESI) wrote:
we are using Tomcat 9 and the still the JDBC Realm for authentication.
Our starting URL (which is protected) ends with “/boot1#index”
The form authentication is then processed through the common url
j_security_check.
But after
On 7/22/23 12:03, Mark Thomas wrote:
Your target URL is invalid. No user agent should be sending the
fragment (#index) part of the URL. At best Tomcat will ignore it. Later
versions may even reject it (I have a memory of that but don't have easy
acces to the source code to check right now).
22 Jul 2023 17:03:50 Wiemann, Helge (ESI)
:
Hi all,
we are using Tomcat 9 and the still the JDBC Realm for authentication.
Our starting URL (which is protected) ends with “/boot1#index”
The form authentication is then processed through the common url
j_security_check.
But after
Hi all,
we are using Tomcat 9 and the still the JDBC Realm for authentication.
Our starting URL (which is protected) ends with "/boot1#index"
The form authentication is then processed through the common url
j_security_check.
But after a successful login, he is not redirecting to &q
1 May 2018 at 16:20, Dirk Ooms <dir...@gmail.com
> >> <mailto:dir...@gmail.com>> wrote:
> >>
> >> apologies for the incomplete info. it is tomcat 9.0.6
> >>
> >> i will try to set up a test case and get back to you.
> >>
> >>
.com
>> <mailto:dir...@gmail.com>> wrote:
>>
>> apologies for the incomplete info. it is tomcat 9.0.6
>>
>> i will try to set up a test case and get back to you.
>>
>> dirk
>>
>>
>> On 1 May 2018 at 16:07, Mark Thomas
o:ma...@apache.org>> wrote:
>
> On 01/05/18 14:36, Dirk Ooms wrote:
> > Hello,
> >
> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using
> j_security_check.
> >
> > in tomcat5.5 when a
che.org> wrote:
>
>> On 01/05/18 14:36, Dirk Ooms wrote:
>> > Hello,
>> >
>> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using
>> j_security_check.
>> >
>> > in tomcat5.5 when a user was not logged in and he/she requested a url,
.5 to tomcat9 and i'm using
> j_security_check.
> >
> > in tomcat5.5 when a user was not logged in and he/she requested a url,
> the
> > login page was returned and after logging in the user was given the
> > requested resource. when i requested request.getRequestURI() i
On 01/05/18 14:36, Dirk Ooms wrote:
> Hello,
>
> i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>
> in tomcat5.5 when a user was not logged in and he/she requested a url, the
> login page was returned and after logging in the user was given the
&g
Hello,
i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
in tomcat5.5 when a user was not logged in and he/she requested a url, the
login page was returned and after logging in the user was given the
requested resource. when i requested request.getRequestURI() in my code
On 12 March 2014 20:40, Christopher Schultz ch...@christopherschultz.netwrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neeraj,
On 3/12/14, 10:47 AM, Neeraj Sinha wrote:
Thanks. Actually in the realm implementation, I make a call to backend
authenticate () method which validates
Hi Chris,
On 12 March 2014 00:37, Christopher Schultz ch...@christopherschultz.netwrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neeraj,
On 3/8/14, 2:06 AM, Neeraj Sinha wrote:
Chris,
On 7 March 2014 21:43, Christopher Schultz
ch...@christopherschultz.netwrote:
Neeraj,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neeraj,
On 3/12/14, 10:47 AM, Neeraj Sinha wrote:
Thanks. Actually in the realm implementation, I make a call to backend
authenticate () method which validates various login rules and if any of
them fails, it returns false and the user is not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Neeraj,
On 3/8/14, 2:06 AM, Neeraj Sinha wrote:
Chris,
On 7 March 2014 21:43, Christopher Schultz
ch...@christopherschultz.netwrote:
Neeraj,
On 3/6/14, 4:34 AM, Neeraj Sinha wrote:
I have a jsp application and my tomcat version is
page of the application.
Just to let you know, the main login page of the application is
*login.jsp* which is configured in *web.xml *and it is called
whenever any protected resource is requested. It has username and
password fields and it's action is *j_security_check*.
Now my problem
is requested. It has username and
password fields and it's action is *j_security_check*.
Now my problem is how to pass unlock_code, the 3rd parameter of
*unlock.jsp* to *FormAuthenticator *using the action
*j_security_check*?
I have implementations of *authenticate* method in *LockOutRealm
is configured in *web.xml *and it is called whenever any protected resource
is requested. It has username and password fields and it's action is
*j_security_check*.
Now my problem is how to pass unlock_code, the 3rd parameter of *unlock.jsp*
to *FormAuthenticator *using the action
.
-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Sunday, December 01, 2013 4:05 PM
To: Tomcat Users List
Subject: Re: j_security_check error
J. Brian Hall wrote:
I’m using Tomcat and a MySQL database that contains
usernames/passwords/roles for form-based authentication
). However, an unsuccessful login
followed by attempting to login with the correct username/password leads to
an HTTP Status 404 j_security_check error that says the requested resource
is not available. Does anyone know what may be wrong? Here are the details
of my configuration.
Software
to error.jsp (from login.jsp). However, an unsuccessful login
followed by attempting to login with the correct username/password leads to
an HTTP Status 404 j_security_check error that says the requested resource
is not available. Does anyone know what may be wrong? Here are the details
of my
On 2/25/2013 2:54 AM, Tanmoy Chatterjee wrote:
Hello,
Tech Stack:
Tomcat: 6.0.35
Java: 1.6.0_18
OS: RHEL 5.3
I am using j_security_check (JNDIRealm - LDAP authentication).
On failure I am sending the user to a common error.jsp in the application. On
successful
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Tanmoy,
On 2/25/13 12:54 AM, Tanmoy Chatterjee wrote:
Hello, Tech Stack: Tomcat: 6.0.35 Java: 1.6.0_18 OS: RHEL 5.3
I am using j_security_check (JNDIRealm - LDAP authentication).
On failure I am sending the user to a common error.jsp
Hello,
Tech Stack:
Tomcat: 6.0.35
Java: 1.6.0_18
OS: RHEL 5.3
I am using j_security_check (JNDIRealm - LDAP authentication).
On failure I am sending the user to a common error.jsp in the application. On
successful authentication of-course the page requested is displayed
Anyone?
On 14/01/13 17:24, Watts, Timothy wrote:
Hi,
Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server is permitted (and is
not an XSS attack)?
We have a tomcat server T running a tomcat webapp that uses
/mod_proxy.html#proxypreservehost
Set this to on
Set proxyName=A anf proxyPort=80 on the connector in server.xml
HTH,
Mark
On 14/01/13 17:24, Watts, Timothy wrote:
Hi,
Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server
hostname) is a widely-used
thing, and
I have never heard of this kind of issue before.
May be something specific to j_security_check, I just don't know.
If you stop editing the request headers, and forward the requests via
ProxyPass, do you
get this problem also ?
I will try -
A RewriteRule
On 18/01/13 11:45, Mark Thomas wrote:
On 18/01/2013 11:07, Tim Watts wrote:
Anyone?
Hi Mark,
Tomcat doesn't give two hoots about the origin header.
Curious - I wonder how me editing it helped? Unless it caused some
knockon somewhere.
It does care
about the Host header.
That would
On 18/01/2013 12:01, Tim Watts wrote:
On 18/01/13 11:45, Mark Thomas wrote:
On 18/01/2013 11:07, Tim Watts wrote:
Anyone?
Hi Mark,
Tomcat doesn't give two hoots about the origin header.
Curious - I wonder how me editing it helped? Unless it caused some
knockon somewhere.
Tomcat
Hi,
Is there a way to *tell* j_security_check that an Origin: header set
(during the login POST request) to a remote server is permitted (and is
not an XSS attack)?
We have a tomcat server T running a tomcat webapp that uses
j_security_check to auth users
(Excuse me - I am
I got the responsibility of maintaining a legacy web-application running on
Tomcat 5.5.36 and using the *j_security_check* feature for
user-authentication.
One problem scenario I am looking into:
When you first start the browser and logon to the application, everything
works OK
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Rop,
On 12/21/12 4:01 PM, rop wrote:
I got the responsibility of maintaining a legacy web-application
running on Tomcat 5.5.36 and using the *j_security_check* feature
for user-authentication.
Obligatory warning: Tomcat 5.5.x is no longer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chema,
On 10/16/2011 1:55 PM, Chema wrote:
Frankly, if you're using Spring Security, I'd stick with it. I
myself am thinking of making the switch.
Yes, I tried it and like it , but I need Single Sign On support and
the solutions what
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chema,
On 10/15/2011 4:18 PM, Chema wrote:
This is one of the reasons I switched to SecurityFilter: there is
a
FlexibleRealmInterface that passes-in the HttpServletRequest that
was used to attempt authentication. That allows you to get nice
Frankly, if you're using Spring Security, I'd stick with it. I myself
am thinking of making the switch.
Yes, I tried it and like it , but I need Single Sign On support and the
solutions what Spring Security offers are complicated to implement by me
On 13/10/2011 20:53, Caldarale, Charles R wrote:
If you want to do programmatic security in addition to declarative security,
Or use the Servlet 3.0 APIs, supported by Tomcat.
p
signature.asc
Description: OpenPGP digital signature
This is one of the reasons I switched to SecurityFilter: there is a
FlexibleRealmInterface that passes-in the HttpServletRequest that was
used to attempt authentication. That allows you to get nice things
like the ip address of the request for logging.
I'm interested on what are talking
From: Chema [mailto:demablo...@gmail.com]
Subject: Re: filters on j_security_check
where I can find info about SecurityFilter ?
The first hit on Google...
- Chuck
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended
Hi, my name is Alejandro, I am working with Tomcat 7.0.20 and I need to know
how can I apply filters to j_security_check to verify the status of login
before continue with my authentication process.
I was thinking to use valves, but I read on internet that valves will be
replaced with Filters
On 13/10/2011 15:09, Alejandro Soto wrote:
Hi, my name is Alejandro, I am working with Tomcat 7.0.20 and I need to know
how can I apply filters to j_security_check to verify the status of login
before continue with my authentication process.
You can't use Filters because the Authentication
Hi, thanks for reply, well, what i need is to know if the authentication was
successful or not, I want to get the status of that authentication, I just
need to know that status and has to be before the authentication mechanism
continues.
I am trying to invoke j_security_check from inside another
From: Alejandro Soto [mailto:smalejan...@gmail.com]
Subject: Re: filters on j_security_check
what i need is to know if the authentication was successful or not
What are you going to do with said information?
I just need to know that status and has to be before the authentication
Hi Chuck, call j_security_check from inside another servlet is just an idea,
why is bad idea?
If possible, I don't want a custom Realm, I want to use the authentication
mechanism of the container (JDBCRealm), use something like this:
.
Context context = (Context
From: Alejandro Soto [mailto:smalejan...@gmail.com]
Subject: Re: filters on j_security_check
call j_security_check from inside another servlet is
just an idea, why is bad idea?
Because it's not supported by the spec; please read SRV.12. If you want to do
programmatic security in addition
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 10/13/2011 2:11 PM, Caldarale, Charles R wrote:
From: Alejandro Soto [mailto:smalejan...@gmail.com] Subject: Re:
filters on j_security_check
what i need is to know if the authentication was successful or
not
What are you going
Hi,
I am using a servlet to intercept form based authentication in order to insert
attribute into the request and then to redirect the request to j_security_check
using RequestDispatcher.
But I'm getting a 404 page with the following error:
type Status report
message /myApp
From: Chen Paz [mailto:chen@expand.com]
Subject: j_security_check and RequestDispatcher forward
I am using a servlet to intercept form based authentication in order
to insert attribute into the request and then to redirect the request
to j_security_check using RequestDispatcher.
I
Filter is not possible. AFAIK you can not use filter before j_security_check in
Tomcat...
-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Monday, August 15, 2011 4:50 PM
To: Tomcat Users List
Subject: RE: j_security_check and RequestDispatcher
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 8/15/2011 9:49 AM, Caldarale, Charles R wrote:
From: Chen Paz [mailto:chen@expand.com] Subject:
j_security_check and RequestDispatcher forward
I am using a servlet to intercept form based authentication in
order to insert
2011/8/15 Chen Paz chen@expand.com:
Hi,
I am using a servlet to intercept form based authentication in order to
insert attribute into the request
What parameter do you want to insert into the request ?
I don't know, but maybe you can do the same with a custom realm
Or, using by Spring
...@christopherschultz.net wrote:
Shaun,
On 8/23/2010 4:56 AM, Shaun Senecal wrote:
I'm using FORM authentication, and everything seems to be working
(logins are accepted, etc), except when there was an error the URL
changes in the users browser to point to j_security_check.
This is expected
in the users browser to point to j_security_check.
This is expected.
The
contents of the redirect to j_security_check contains login.html, so
the user is able to login as expected, but my error=true query
string is not passed along.
How are you checking? If you are forwarding to a .html page, you
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Shaun,
On 8/23/2010 4:56 AM, Shaun Senecal wrote:
I'm using FORM authentication, and everything seems to be working
(logins are accepted, etc), except when there was an error the URL
changes in the users browser to point to j_security_check
to be working
(logins are accepted, etc), except when there was an error the URL
changes in the users browser to point to j_security_check.
This is expected.
The
contents of the redirect to j_security_check contains login.html, so
the user is able to login as expected, but my error=true query
string
I'm using FORM authentication, and everything seems to be working
(logins are accepted, etc), except when there was an error the URL
changes in the users browser to point to j_security_check. The
contents of the redirect to j_security_check contains login.html, so
the user is able to login
remove this flash everything seems to work OK.
Is there a possibility that j_security_check type of authentication
conflicts with flash swf file? Who knows...
I know about the problem with re-authentication and I solved it in a way
that whenever a user goes to login.jsp page again (this means
On 21/12/2009 21:50, vpapado wrote:
Hello,
I have a problem authenticating my users with j_security_check interworking
with a flash on my login.jsp page.
Here is how things go:
I use j_security_check method to authenticate my users.
As a result, I have assigned a login.jsp page where I have
Hello,
I have a problem authenticating my users with j_security_check interworking
with a flash on my login.jsp page.
Here is how things go:
I use j_security_check method to authenticate my users.
As a result, I have assigned a login.jsp page where I have a login form and
at the top
Try resetting your browser, meaning fully close it, or try from a
different browser. Same result? I sometimes get the exact same
(/./j_security_check) is not available. when i have had my
browser open on the doc for while and re-authenticate. Same thing
happens on my cisco call manager when i
Hello,
Thank you for fast reply.
I try everything. Open in different browser, etc.
But the whole login procedure seems to result to error from Tomcat when I
have my flash on the login.jsp page.
When I remove this flash everything seems to work OK.
Is there a possibility that j_security_check
Hi,
I have a problem.
I have a web aplication (java,jsp) with j_security_check but the user that
i use to authenticate need change por other in the Simpleprincipal for
j_security_check store in the session as the primary user.
Is posible?
thanks,
Sorry for my inglish.
--
View this message
On 15/12/2009 10:03, peibel80 wrote:
Hi,
I have a problem.
I have a web aplication (java,jsp) with j_security_check but the user that
i use to authenticate need change por other in the Simpleprincipal for
j_security_check store in the session as the primary user.
Is posible?
I don't
Pid Ster wrote:
On 15/12/2009 10:03, peibel80 wrote:
Hi,
I have a problem.
I have a web aplication (java,jsp) with j_security_check but the user
that
i use to authenticate need change por other in the Simpleprincipal for
j_security_check store in the session as the primary user
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Peibel,
On 12/15/2009 8:03 AM, peibel80 wrote:
I have a web application (java,jsp) with j_security_check but the user
that
i use to authenticate need change por other in the Simpleprincipal for
j_security_check store in the session as the primary
What is anote? I am quite understanding its definition..
thanks
2009/9/23 Filip Hanik - Dev Lists devli...@hanik.com
j_security_check is stored as a note with the user session, but that data
is not being replicated.
Filip
On 09/17/2009 12:05 AM, Rex Wang wrote:
Dear Tomcat,
I meet
From: Rex Wang [mailto:rwo...@gmail.com]
Subject: Re: what does j_security_check do in clustering?
What is anote? I am quite understanding its definition..
Look at the code. The notes field in a StandardSession is just a Hashtable
containing an arbitrary set of key/value pairs, some
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Rex,
On 9/24/2009 3:15 AM, Rex Wang wrote:
What is anote? I am quite understanding its definition..
Just to clarify Chuck's comments: a note has nothing to do with the
Servlet API. It's an implementation detail specific to Tomcat where,
among
Thanks a lot to all your guys!!
-Rex
2009/9/24 Christopher Schultz ch...@christopherschultz.net
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Rex,
On 9/24/2009 3:15 AM, Rex Wang wrote:
What is anote? I am quite understanding its definition..
Just to clarify Chuck's comments: a note
j_security_check is stored as a note with the user session, but that
data is not being replicated.
Filip
On 09/17/2009 12:05 AM, Rex Wang wrote:
Dear Tomcat,
I meet a problem when config a web project which using the form based
security in clustering.
When I set session affinity = true
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Filip,
On 9/23/2009 10:12 AM, Filip Hanik - Dev Lists wrote:
j_security_check is stored as a note with the user session, but that
data is not being replicated.
So, the session notes specifically are not replicated?
That seems to indicate
On 09/23/2009 11:40 AM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Filip,
On 9/23/2009 10:12 AM, Filip Hanik - Dev Lists wrote:
j_security_check is stored as a note with the user session, but that
data is not being replicated.
So, the session notes
.
Technically, I believe that Tomcat requires a session in order to store
your original request so it can be re-played after successful
authentication. In that case, I would have expected the session to be
replicated across the cluster before the request for j_security_check
was submitted.
Could you please
replication is
configured between your Tomcat instance's is key.
I guess the j_security_check is not implemented by session. so the
session
replication does not work for security check, right?
I thought it did - hence my question about whether you were using
clustering or just load balancing
is key.
I guess the j_security_check is not implemented by session. so the session
replication does not work for security check, right?
I thought it did - hence my question about whether you were using
clustering or just load balancing.
So the sticky session is the precondition of tomcat
Dear Tomcat,
I meet a problem when config a web project which using the form based
security in clustering.
When I set session affinity = true in my front http server, the security
check was done in single node, there is no problem with that.
But if I set affinity = false, the requests from the
Rex Wang wrote:
Dear Tomcat,
I meet a problem when config a web project which using the form based
security in clustering.
Clustering or load-balancing? Whether or not session replication is
configured between your Tomcat instance's is key.
When I set session affinity = true in my front
guess the j_security_check is not implemented by session. so the session
replication does not work for security check, right?
and I see the following in tomcat document:
To run session replication in your Tomcat 6.0 container, the following steps
should be completed:
- All your session
You should check to see if you are able to get the parameters when the
request(s) is send via a get vs. a post.
--- On Wed, 5/6/09, Sanjay Manchiganti ms4san...@yahoo.com wrote:
From: Sanjay Manchiganti ms4san...@yahoo.com
Subject: Re: j_security_check/j_username/j_password issue in Tomcat
Subject: RE: j_security_check/j_username/j_password issue in Tomcat Version
6.0.18
From: Sanjay Manchiganti [mailto:ms4san...@yahoo.com]
Subject: j_security_check/j_username/j_password issue in Tomcat Version
6.0.18
Did anything change in terms of j_securitycheck / container managed
Hello All,
I've deployed two apps(say A and B) into two instances of Tomcat running on
port 8080 and 8081. They both have been enabled for form based
authentication.
Step 1: When a user tries to access the application A he is shown a
userid/password page(Alogin.jsp) with all the j_xxx
=org.apache.catalina.valves.RequestDumperValve /
you will get to the values in the request. Of course enabling this valve won't
cut if for production.
--- On Tue, 5/5/09, Sanjay Manchiganti ms4san...@yahoo.com wrote:
From: Sanjay Manchiganti ms4san...@yahoo.com
Subject: j_security_check/j_username/j_password
From: Sanjay Manchiganti [mailto:ms4san...@yahoo.com]
Subject: j_security_check/j_username/j_password issue in Tomcat Version
6.0.18
Did anything change in terms of j_securitycheck / container managed
security between these two versions of tomcat?
What two versions? The only one you
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 3/10/2009 5:44 PM, Gregor Schneider wrote:
Mark,
On Tue, Mar 10, 2009 at 8:23 PM, Mark Thomas ma...@apache.org wrote:
Ditch FORM auth, use DIGEST.
I'm afraid I don't see how to combine DIGEST with a Login-form - and
that's a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chuck,
On 3/10/2009 3:24 PM, Caldarale, Charles R wrote:
From: Gregor Schneider [mailto:rc4...@googlemail.com]
Subject: j_security_check SSL
is there any way to achieve encryption for the
Login-process without a valid SSL-cert?
Note
Hi guys. I'm following this loosely, along with some other threads.
There is another one going on right now which also talks about
authentication, hijacking JSESSIONID etc..
Gregor, what is not very clear to me, and maybe you want to do a wrapup,
is what exactly you are - and are not - trying
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
André,
On 3/13/2009 10:38 AM, André Warnier wrote:
Unless I am mistaken, I don't think that using HTTPS in order to protect
the user-id/password from eavesdropping by some miscreant, you
necessarily have to have a Verisign certificate for each
Chris,
On Fri, Mar 13, 2009 at 3:26 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
Just to be clear, it's the session creation that is sensitive to SSL,
not the actual login (authentication step). If your session exists and
is visible to non-secure communications before
that intercepts all HTTPS traffic and redirects it to
HTTP. This will make sure that anyone attempting to use HTTPS for the
fun of it will end up seeing a non-secure page. This will not affect
calls to j_security_check.
- - Modify your login page to invalidate the session and redirect to HTTP
if HTTPS
Hi André,
first: Please forgive me my late answer also to your PM, however, I
was really busy here so that I didn't find any time to answer in an
appropriate (aka detailed) manner.
So here we go:
Customers
When talking about customers, I'm actually talking about our staff
from
Chris,
On Fri, Mar 13, 2009 at 5:14 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 3/13/2009 11:42 AM, Gregor Schneider wrote:
So would following scenario work?
- login using form-based login via https
- when
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gregor,
On 3/13/2009 1:58 PM, Gregor Schneider wrote:
So will I then be able to access the HttpSession-object created when
inside HTTPS (login-page) when I'm querying it from within a JSP
served via plain HTTP?
No, the session will be created in
And another one:
AFAIK, when using Form-based Authentication, the parameters for
j_security_check are send in a readable manner over the wire, thus
prone for an attack.
Therefore, it is recommended to use SSL-encription for the Form-Loginpage.
However, that means that one has to buy one
Gregor Schneider wrote:
And another one:
AFAIK, when using Form-based Authentication, the parameters for
j_security_check are send in a readable manner over the wire, thus
prone for an attack.
Correct.
Therefore, it is recommended to use SSL-encription for the Form-Loginpage.
Correct
1 - 100 of 305 matches
Mail list logo
