Matt,
are you really managing to post a form to j_security_check without
invoking it first, or is that some sort of black magic you've cooked up?
Or have I just misunderstood what Chris said?
Adam
On 12/03/2003 09:24 PM Matt Raible wrote:
> Chris,
>
> I found your post at
> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
> and I'm cc'ing the list in case anyone else is
> interested in this info (I'm not subscribed).
>
> I've actually improved the "Remember Me" feature a fair amount since I
> posted to the Tomcat User list. The sendRedirect works; however, it
> (in some browsers) puts the URL (with password) into the address bar.
> This isn't a big deal IMO since it's the user that just logged in and
> they don't mind seeing their own passwords. However, the URL tends to
> show up in server log files which can be a security hole. Because of
> this, I changed to using an HTTP POST with Jakarta Commons HttpClient.
> I also moved my form-login-page and form-error-page into a "security"
> folder and then set my cookies for the /appname/security path rather
> than / - this makes it so the user/pass cookies are more secure and can
> only be retrieved when logging in, rather than for any URL in the site.
>
> That being said, I've updated one of my sample apps with these changes
> and you can download it if you'd like:
>
> http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
>
> Here's my updated LoginServlet that does an HTTP POST instead of a GET:
>
> http://tinyurl.com/xl80
>
> HTH,
>
> Matt
>
> On Dec 3, 2003, at 12:52 PM, Chris Ward wrote:
>
>>
>> Hi Matt,
>>
>> Sorry for sending unsolicited email but I've been looking at some
>> of your postings to Tomcat-User and wondered if I could ask a
>> couple of questions. I've tried posting to list but had no response
>> from anyone there.
>>
>> Specifically, it's regarding your "remember me" login stuff. If this
>> is a pain feel free to ignore this email.
>>
>>
>> Best regards
>> Chris
>>
>> p.s. My question to the list was under the subject
>> "servlet sendRedirect() to j_security_check problem"
--
struts 1.1 + tomcat 5.0.14 + java 1.4.2
Linux 2.4.20 RH9
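
Added example, not part of the thread and not Matt's LoginServlet: a Python check for the log-file exposure described in the quoted message, which finds access-log requests that carry `j_password` in the query string (the redirect/GET case) and redacts the value. The Common Log Format layout, the `/appname` path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Password field of servlet form login (the form posts to j_security_check).
SENSITIVE = {"j_password"}

# Request part of an access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed Common Log Format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2003:21:20:01 -0700] '
    '"GET /appname/j_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 -',
    '192.0.2.10 - - [03/Dec/2003:21:20:05 -0700] '
    '"POST /appname/j_security_check HTTP/1.1" 302 -',
    '192.0.2.11 - - [03/Dec/2003:21:21:00 -0700] '
    '"GET /appname/index.jsp?page=2 HTTP/1.1" 200 512',
]


def redact_target(target):
    """Return (redacted target, names of leaked parameters)."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return target, leaked
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked


def scan(lines):
    """Return (line number, leaked names, redacted line) per offending line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        redacted, leaked = redact_target(match.group("target"))
        if leaked:
            start, end = match.span("target")
            findings.append((lineno, leaked, line[:start] + redacted + line[end:]))
    return findings


if __name__ == "__main__":
    for lineno, leaked, clean in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(leaked)} in URL -> {clean}")
```

Only the GET line is reported; the POST to `j_security_check` carries the credentials in the request body, which this log format does not record.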