Among many options proposed by Craig, I personally like the
"Get Some New Users" option. Wouldn't it be wonderful to
be able to work in an environment where we have such an option. :-)

I will be more than happy to hear about it if there is such a working
environment.

To return from the digression, I am not aware of the initial issue
of this thread, so I may be missing the point here. But I do not
see any big issue with whether we use BASIC or FORM-based
authentication from the SECURITY perspective. Both of them are
transmitted in clear text, which is a more critical issue to me.
I am not saying that we do not have a solution for that, though.

Since user authentication is still performed by the servlet
container either way we go, we can put in some code to trace
the accessing object, which is the only valid way to
access the login page. Then we can prevent access
from the user's bookmark. Does it make sense to you?

As I mentioned before, I may be missing something here. So
I still don't see why this has to be an issue.


Pae

> 
> 
> On Fri, 5 Oct 2001, Willie Vu wrote:
> 
> > Date: Fri, 5 Oct 2001 12:14:27 +0800
> > From: Willie Vu <[EMAIL PROTECTED]>
> > To: Craig R. McClanahan <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > Subject: RE: Question on FORM based authentication in Tomcat 4.0
> >
> > Thanks for your prompt reply Craig.
> >
> > Your advice leads me to another question.  OK, say I don't do that.  I let
> > Tomcat handle the login for me.  However, you can bookmark the login page
> > that Tomcat forwards them to.  In this case, there is no way to stop users
> > from accessing the login page directly.  Tomcat will not have a previous
> > request to forward the user to.  It results in an error.  How should I resolve this
> > problem then?
> >
> 
> It seems that you only have the following options:
> 
> * Tell your users "don't do that" and they listen.
> 
> * Tell your users "don't do that", and they don't listen, so they
>   keep getting errors.
> 
> * Switch to BASIC authentication so they cannot cause this kind of grief.
> 
> * Figure out a solution that works with the particular servlet container
>   you first deploy your application on (i.e. assume you can get Tomcat to
>   do what you think you want :-), but then have to redo everything when
>   you switch to a new container later.
> 
> * Use application-managed security instead of container-managed security.
> 
> * Get some new users :-)
> 
> Look ... the world is not a perfect place.  Form based authentication is
> GUARANTEED to cause portability problems if users insist on abusing it
> (because it was specifically designed to emulate an existing web based
> design pattern that is incredibly widely used).  If you can't train users
> not to abuse it, you are MUCH better off not using form-based
> authentication at all.
> 
> > Regards,
> >
> > Willie
> >
> 
> Craig
> 
> 
> >
> >
> > > -----Original Message-----
> > > From: craigmcc@localhost [mailto:craigmcc@localhost]On Behalf Of Craig
> > > R. McClanahan
> > > Sent: Friday, October 05, 2001 11:56 AM
> > > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > Subject: Re: Question on FORM based authentication in Tomcat 4.0
> > >
> > >
> > >
> > >
> > > On Fri, 5 Oct 2001, Willie Vu wrote:
> > >
> > > > Date: Fri, 5 Oct 2001 11:27:59 +0800
> > > > From: Willie Vu <[EMAIL PROTECTED]>
> > > > Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Question on FORM based authentication in Tomcat 4.0
> > > >
> > > > I would like to achieve the following:
> > > >
> > > > - allow a user to log in directly without first accessing a protected area.
> > > > After successful login, I want to forward the user to a default mypage.jsp.
> > > >
> > > > To do the above, I have to detect if the login page is accessed directly.  If
> > > > so, I need to force in the default mypage.jsp.  In Tomcat 3.2.1, there is
> > > > the session attribute "tomcat.auth.originalLocation" where I can force in
> > > > the default page.  However, in Tomcat 4.0, a new Note API is employed.  It
> > > > hides internal attributes from external use.  So, the only hook,
> > > > "tomcat.auth.originalLocation", is not available in Tomcat 4.0.
> > > >
> > > > I know that the Servlet 2.3 spec doesn't spell out how to handle direct access
> > > > to the login page.  I scanned through the mail archive and noticed that a lot of
> > > > people want to do this.  Can someone give us a sound solution?
> > > >
> > >
> > > It's not a solution ... just advice if you want your app to work ...
> > > don't do that.
> > >
> > > My advice during development:  make your app work with BASIC
> > > authentication (where there is no such thing as a login page).  That is
> > > *exactly* the model that form-based login was designed to emulate.  Then,
> > > just before the production release, add the <form-login-page> and
> > > <form-error-page> directives pointing at the appropriate pages.
> > >
> > > If you don't design for that pattern, then you are just fighting what
> > > container managed security is all about (which is a total waste of time),
> > > and you are probably better off doing your own login management (instead
> > > of using container managed security).  There is absolutely no way you are
> > > going to be happy if you expect users to attempt to bookmark, or link to,
> > > the login page directly.
> > >
> > >
> > > > Regards,
> > > >
> > > > Willie
> > > >
> > >
> > > Craig McClanahan
> >
> >
> 

