Hi,

That is definitely an issue. Thanks for reporting it. I've opened an 
issue here:

http://jira.springframework.org/browse/SEC-834

Luke.


高田 賢 wrote:
> Hi all,
> 
> I've just started to learn Spring Security to migrate from Acegi and
> faced a URL rewriting problem.
> My sample tutorial won't let me log in when I disable cookies.
> 
> I changed applicationContext-security.xml like this:
> 
>      <http auto-config="true">
>          <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
>          <intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
>          <form-login login-page="/login.jsp"/>
>      </http>
> 
> session-fixation-protection defaults to 'migrateSession'.
> 
> I also changed some links in index.jsp in order to get jsessionid appended.
> 
> <p><a href="<%= response.encodeURL("secure/index.jsp") %>">Secure page</a></p>
> <p><a href="<%= response.encodeURL("secure/extreme/index.jsp") %>">Extremely secure page</a></p>
> 
> 
> What happened is that every time I succeeded in authentication, the app
> redirected to the login page with a new session id.
> 
> If you change the session-fixation-protection attribute value to 'none',
> you can log in normally.
> 
> Below are the HTTP response headers. Look at 'Set-Cookie' and
> 'Location'. The application tries to set a new id in the cookie,
> whereas the redirection URL still holds an old one.
> 
> 
> Is there a missing configuration point or should I raise a JIRA issue  
> as a bug?
> 
> Satoshi
> 
> 
> 



-- 
SpringSource
http://www.springsource.com

Registered in England and Wales: No. 5187766 Registered Office: A2
Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ.

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
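
The mismatch reported in this thread can be checked mechanically on a captured login response. The following is an added example, not part of the original messages and not Spring Security code: it compares the session id issued in `Set-Cookie` with the one carried in the `;jsessionid=` path parameter of `Location`. The header values, host and path are constructed for illustration, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed responses to a successful login (host, path and ids are made up).
STALE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Set-Cookie: JSESSIONID=NEW222; Path=/tutorial\r\n"
    "Location: http://localhost:8080/tutorial/secure/index.jsp;jsessionid=OLD111\r\n"
    "\r\n"
)
CONSISTENT = STALE.replace("OLD111", "NEW222")


def headers(raw):
    """Return (lower-cased name, value) pairs from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def session_ids(raw):
    """Return (id issued by cookie, id embedded in the redirect URL)."""
    cookie_id = url_id = None
    for name, value in headers(raw):
        if name == "set-cookie":
            if m := re.match(r"JSESSIONID=([^;]*)", value, re.I):
                cookie_id = m.group(1)
        elif name == "location":
            # Servlet URL rewriting carries the id as a ;jsessionid= path parameter.
            path = urlsplit(value).path
            if m := re.search(r";jsessionid=([^;/?#]+)", path, re.I):
                url_id = m.group(1)
    return cookie_id, url_id


def check_redirect(raw):
    """Classify a post-login redirect by comparing the two session ids."""
    cookie_id, url_id = session_ids(raw)
    if url_id is None:
        return "no-url-session-id"
    if cookie_id is None:
        return "no-new-cookie"
    if cookie_id != url_id:
        return "stale-url-session-id"  # the symptom described in this thread
    return "consistent"
```

A client with cookies disabled only sees the id in the URL, so a `stale-url-session-id` result means its next request refers to the pre-login session.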
