Craig,

Ok, fair enough. If the spec says it is undefined, then what is one to do? Keep in mind I'm trying to do the right thing here and build an application where people can log on AND I can send them a cookie to remember their user ID. What is the proper way to do this under J2EE/Struts? Apparently I'm not allowed to intercept calls to j_security_check, so I should be doing something else? That's fine, lots of web sites do this, how should I be doing it?

Thanks,
Chris

----- Original Message -----
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, January 13, 2004 6:16 PM
Subject: Re: handling form based authentication w/ remember-me cookie

> Quoting [EMAIL PROTECTED]:
>
> > Are Servlet filters supposed to be called for both GET and POST
> > methods? They seem to be getting called for GETs only on Tomcat 5.
> > -Chris
>
> For filters mapped to ordinary application URLs, the filter should indeed get
> mapped on both GET and POST methods. For filters you attempt to put on
> "/j_security_check" you are totally outside the bounds of the servlet
> specification, and the only thing you can assume is that the behavior is
> undefined.
>
> Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
> it's just on a GET.
>
> Craig McClanahan
>
> > > -----Original Message-----
> > > From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, January 13, 2004 03:57 PM
> > > To: 'Struts Users Mailing List'
> > > Subject: RE: handling form based authentication w/ remember-me cookie
> > >
> > > Hi Max,
> > >
> > > I haven't tested it either. I read about this in "IBM WebSphere V5.0
> > > Security handbook (page 64)".
> > >
> > > Regards,
> > > Dipak Parmar
> > >
> > > -----Original Message-----
> > > From: Max Cooper [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 10:42 PM
> > > To: Struts Users Mailing List; [EMAIL PROTECTED]
> > > Subject: Re: handling form based authentication w/ remember-me cookie
> > >
> > > Dipak,
> > >
> > > Are you certain that the filter will be invoked on the /j_security_check
> > > request when container-based security is used? I have not tested this, but
> > > it would not surprise me to find that some containers do not execute filters
> > > on /j_security_check requests. I don't know if the Servlet Spec says
> > > anything about this case.
> > >
> > > Chris,
> > >
> > > Another alternative to the original problem of security with "remember me"
> > > functionality will be available soon. A patch has been submitted to my
> > > SecurityFilter project (http://www.securityfilter.org/) to support "remember
> > > me" functionality. The integration should be complete soon, and a beta
> > > release will be made available once the integration is complete.
> > > SecurityFilter works very much like container-managed security otherwise,
> > > including the configuration format (except that you declare the constraints
> > > in a separate config file rather than web.xml).
> > >
> > > -Max
> > >
> > > ----- Original Message -----
> > > From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > Sent: Monday, January 12, 2004 7:43 AM
> > > Subject: RE: handling form based authentication w/ remember-me cookie
> > >
> > > > Hi Chris,
> > > >
> > > > You can do this using a Servlet Filter. What you need to do is write a
> > > > postLoginFilter that maps to the j_security_check url.
> > > >
> > > > In the doFilter method, you can write your post login code after
> > > > j_security_check has done its work.
> > > >
> > > > Something like:
> > > >
> > > > public void doFilter(ServletRequest request, ServletResponse response,
> > > >         FilterChain chain) throws IOException, ServletException {
> > > >     // let j_security_check do its work
> > > >     chain.doFilter(request, response);
> > > >
> > > >     // do your post-login stuff here
> > > > }
> > > >
> > > > Regards,
> > > > Dipak Parmar
> > > >
> > > > -----Original Message-----
> > > > From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, January 12, 2004 9:53 AM
> > > > To: Struts Users Mailing List
> > > > Subject: handling form based authentication w/ remember-me cookie
> > > >
> > > > I am using Struts and building a logon page to do Form-based authentication
> > > > under Tomcat. I want to also have a checkbox for the user to check that says
> > > > "remember me" so that I can send them a cookie. I'm not sure how to
> > > > "intercept" the form values because I have to post to j_security_check. How
> > > > can I get the check-box value, set up the cookie, and send them to
> > > > j_security_check with struts?
> > > >
> > > > Thanks
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
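
Craig's reply says filters mapped to ordinary application URLs are invoked on both GET and POST, so the post-login cookie work can run there, on the first authenticated request, instead of on /j_security_check. The sketch below is an added example, not code from any poster in the thread. The class name, the /app/* mapping, both cookie names and the login-page script that sets the hint cookie are assumptions, and it needs the javax.servlet API at Servlet 3.0 or later for setHttpOnly.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not code from the thread. Map it in web.xml to the protected
// application URLs (assumed here: /app/*), never to /j_security_check.
public class RememberUserIdFilter implements Filter {
    // Hypothetical cookie names. HINT is assumed to be set by a script on the
    // login page when the "remember me" box is ticked.
    static final String HINT = "rememberMeRequested";
    static final String USER = "rememberedUserId";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Non-null only after the container itself has authenticated the caller.
        String user = request.getRemoteUser();
        if (user != null && "1".equals(value(request, HINT))) {
            // Holds the user ID only, to prefill the login form later.
            // It is not a credential and must never be treated as proof of login.
            response.addCookie(build(request, USER, URLEncoder.encode(user, "UTF-8"), 30 * 24 * 3600));
            response.addCookie(build(request, HINT, "", 0)); // one-shot hint: delete it
        }
        chain.doFilter(req, res); // cookies are added before the response commits
    }

    private static Cookie build(HttpServletRequest request, String name, String v, int maxAge) {
        Cookie c = new Cookie(name, v);
        c.setMaxAge(maxAge);                      // seconds; 0 deletes the cookie
        String ctx = request.getContextPath();    // "" for the root context
        c.setPath(ctx.length() == 0 ? "/" : ctx);
        c.setSecure(request.isSecure());          // HTTPS-only when issued over HTTPS
        c.setHttpOnly(true);                      // Servlet 3.0+: hide from page scripts
        return c;
    }

    private static String value(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();  // null when the request has none
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return c.getValue();
        }
        return null;
    }
}
```

The login page can read rememberedUserId on the server side to prefill the user name field; the password is still checked by the container through j_security_check.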

