I created a filter that rejects the "get" request method to j_security_check (in my login page I use the "post" method). So if users access j_security_check directly, my filter responds with a resource not found code.

It seems to be working fine. Cheers

On Wed, 20 Oct 2004 11:29:22 +0100, Andoni <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This is an age-old problem, if you ever find a complete answer let me know.
>
> As for 95% complete answers here goes:
>
> 1. Your biggest problem is bookmarks. You need to always load your login page
> inside a frame. A single HTML page with a single frame can work fine, that
> way they'll bookmark xxx.com/jsp/index.html instead of
> xxx.com/jsp/login.jsp. This will mean that they will still always call the
> secure page even if they have book-marked the login screen.
>
> 2. The second problem is the back button. You need to use a JSP for your
> login screen and use the session.isNew() method to check if the session is
> being started by your login screen. If not then you should redirect to your
> single-framed page.
>
> 3. You can also re-direct with a custom error page from the error you
> receive to the single framed page.
>
> 4. Search the history of this list and find more suggestions. This question
> has come up several times over the years and usually gets some responses. I
> am using j_security_check in all my production apps, and with a combination
> of measures in place it works fine. I do suggest that you work out
> *Exactly* what is going on before trying to proceed as false assumptions can
> have your head spinning :-)
>
> Hope that helps,
> Andoni OConchubhair.
>
> ----- Original Message -----
> From: "Ben" <[EMAIL PROTECTED]>
> To: "Tomcat" <[EMAIL PROTECTED]>
> Sent: Wednesday, October 20, 2004 1:58 AM
> Subject: Access to j_security_check directly
>
> > Hi
> >
> > How can I deal with users that access j_security_check directly? I
> > have used the error-code 400 and redirect the users to the index page
> > but the system doesn't recognise them as logged in users.
> >
> > Any help? Thanks.
> >
> > Cheers,
> > Ben
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
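A concrete version of the filter Ben describes, added here as an example; it is not code from the thread or from Tomcat. The class name, the web.xml mapping shown in the comment, and the choice of 404 as the "resource not found" code are my assumptions based on his description.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread): answers 404 to any request for
 * j_security_check that is not a POST, so a bookmarked or typed-in GET never
 * reaches the container's FORM login handling.
 *
 * Assumed web.xml registration (limits the filter to the login action URL):
 *
 *   <filter>
 *     <filter-name>SecurityCheckMethodFilter</filter-name>
 *     <filter-class>SecurityCheckMethodFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SecurityCheckMethodFilter</filter-name>
 *     <url-pattern>/j_security_check</url-pattern>
 *   </filter-mapping>
 */
public class SecurityCheckMethodFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The url-pattern already restricts us to j_security_check, so only the
        // HTTP method needs checking: the login form submits with POST, anything
        // else (GET from a bookmark, the back button, a typed URL) is rejected.
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return; // end the request here; do not continue down the chain
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }
}
```

One thing worth verifying in your own deployment: in Tomcat, FORM authentication is handled by the authenticator valve, which runs before the servlet filter chain, so whether a filter mapped to /j_security_check is reached at all for a GET depends on how the authenticator treats that URL in your configuration. Ben reports it worked for him; a quick GET against j_security_check after deploying (expecting the 404) confirms the filter is in the path rather than being bypassed.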
