I created a filter that rejects the "get" request method to
j_security_check (in my login page I use the "post" method). So if
users access j_security_check, my filter responds with a resource
not found code.
It seems to be working fine.
Cheers
On Wed, 20 Oct 2004 11:29:22 +0100, Andoni <andonilist@(protected):
> Hi,
>
> This is an age-old problem, if you ever find a complete answer let me know.
>
> As for 95% complete answers here goes:
>
> 1. Your biggest problem is bookmarks. You need to always load your login page
> inside a frame. A single HTML page with a single frame can work fine, that
> way they'll bookmark xxx.com/jsp/index.html instead of
> xxx.com/jsp/login.jsp. This will mean that they will still always call the
> secure page even if they have book-marked the login screen.
>
> 2. The second problem is the back button. You need to use a JSP for your
> login screen and use the session.isNew() method to check if the session is
> being started by your login screen. If not then you should redirect to your
> single-framed page.
>
> 3. You can also re-direct with a custom error page from the error you
> receive to the single framed page.
>
> 4. Search the history of this list and find more suggestions. This question
> has come up several times over the years and usually gets some responses. I
> am using j_security_check in all my production apps. and with a combination
> of measures in place it works fine. I do suggest that you work out
> *Exactly* what is going on before trying to proceed as false assumptions can
> have your head spinning :-)
>
> Hope that helps,
> Andoni OConchubhair.
>
>
>
>
> ----- Original Message -----
> From: "Ben" <newreaders@(protected)>
> To: "Tomcat" <tomcat-user@(protected)>
> Sent: Wednesday, October 20, 2004 1:58 AM
> Subject: Access to j_security_check directly
>
> > Hi
> >
> > How can I deal with users that access j_security_check directly? I
> > have used the error-code 400 and redirect the users to the index page
> > but the system doesn't recognise them as logged in users.
> >
> > Any help? Thanks.
> >
> > Cheers,
> > Ben
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> > For additional commands, e-mail: tomcat-user-help@(protected)
> >
>
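Ben's filter, as an added example that is neither his actual code nor anything shipped with Tomcat: a servlet Filter that answers every request to the form-login action with 404 unless it is a POST, which is the only method the login form itself uses. The class name SecurityCheckMethodFilter is hypothetical, and the filter is assumed to be mapped to the url-pattern /* in web.xml so that it sees the request regardless of context path.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (added example, not Ben's code): a request whose
 * path ends in the container's form-login action, /j_security_check,
 * is only let through when it uses POST, the method the login form
 * submits with. Anything else (a bookmarked or typed-in GET, HEAD,
 * OPTIONS, ...) is answered with 404, as Ben describes.
 */
public class SecurityCheckMethodFilter implements Filter {

    // Tomcat's FormAuthenticator recognises the login action by this suffix.
    private static final String FORM_ACTION = "/j_security_check";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoginAction(request) && !"POST".equals(request.getMethod())) {
            // Pretend the resource does not exist (Ben's choice). A 405
            // Method Not Allowed would be the more descriptive alternative.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // nothing to release
    }

    /**
     * True when the request path, with the query string and any path
     * parameters removed, ends in /j_security_check. Path parameters are
     * stripped so that a URL-rewritten action such as
     * /app/j_security_check;jsessionid=... is still recognised.
     */
    static boolean isLoginAction(HttpServletRequest request) {
        String uri = request.getRequestURI();
        if (uri == null) {
            return false;
        }
        int semicolon = uri.indexOf(';');
        if (semicolon >= 0) {
            uri = uri.substring(0, semicolon);
        }
        return uri.endsWith(FORM_ACTION);
    }
}
```

Register it in web.xml with a filter element naming the class and a filter-mapping whose url-pattern is /*. Before relying on it, send a plain GET to the deployed context's j_security_check (for example with a browser or a command-line HTTP client) and confirm that the 404 really comes from this filter: in Tomcat the form-login action is processed by the FormAuthenticator valve, which runs before the web application's filter chain, so depending on the Tomcat version the user may instead see the container's own login-error page or the 400 Ben mentions. Then submit the login form normally and confirm that the POST still passes and the user is returned to the originally requested page. The filter only removes the symptom; a user who arrives at j_security_check with no saved request has no original page for the container to return to, which is why redirecting them from the 400 does not leave them logged in.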