So, to make form-based authentication work, I need to have one page
which simultaneously acts as a) my root page (marked as secure), b) the
"you need to log in first" page, and c) the login failed page. This
page needs to figure out which of the three states it is in and display
(at least in my case) wholly different content. Yuck.
Don't get me wrong; I really like the role-based security J2EE offers,
but the form-based login process is seriously deficient.
Membership-based sites are a common pattern, so there is no reason we
should have to resort to ugly hacks like the one suggested. I would
rather manage my own authentication with a jsp and a JavaBean since the
code is much cleaner. Also, I can automatically log in newly created
accounts without forcing them back to the login screen (yet another
deficiency).
Yes, my "bold statement" was intended to be flippant :-)
Jeff
>-----Original Message-----
>From: Bono, Chris [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 31, 2001 3:45 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Is LoginServlet bad practice?
>
>
>>>1) Provide a login page. Every membership-oriented site on
>>>the internet
>>>provides a login form on their front page (e.g. www.aol.com,
>>>www.hotmail.com). Form-based login only lets you
>>>authenticate when you
>>>transition to a protected page.
>
>You can get around this issue by having your login page
>actually be that front page and have it initially invoked.
>
>>>2) Allow the user to try again on the "bad password" page. The user
>>>must hit "back" on their browser (or click on another link that takes
>>>them to the protected page).
>
>And this one by having the "bad password" page to be that same page.
>The user won't know what is going on behind the scenes.
>
>
>>>Umm, maybe because J2EE security services SUCK? :-)
>
>That is a bold statement considering security is one of the
>key features of J2EE.
>I am curious to hear others opinions on this issue.
>
>Chris
>
>>>-----Original Message-----
>>>From: Jeff Schnitzer [mailto:[EMAIL PROTECTED]]
>>>Sent: Wednesday, January 31, 2001 5:18 PM
>>>To: [EMAIL PROTECTED]
>>>Subject: Re: Is LoginServlet bad practice?
>>>
>>>
>>>Umm, maybe because J2EE security services SUCK? :-)
>>>
>>>Somebody didn't really think out the specification very well.
>>>Form-based login is a step up from boring old http
>authentication, but
>>>it doesn't go nearly far enough. You can't:
>>>
>>>1) Provide a login page. Every membership-oriented site on
>>>the internet
>>>provides a login form on their front page (e.g. www.aol.com,
>>>www.hotmail.com). Form-based login only lets you
>>>authenticate when you
>>>transition to a protected page.
>>>
>>>2) Allow the user to try again on the "bad password" page. The user
>>>must hit "back" on their browser (or click on another link that takes
>>>them to the protected page).
>>>
>>>The form-based login might work ok for an e-commerce app, where
>>>authentication is only required on the transition to the
>>>checkout page,
>>>but the web is a lot more than just that. This deficiency
>in the j2ee
>>>spec is the only reason I have any server-dependent code in my app at
>>>all.
>>>
>>>Jeff
>>>
>>>>-----Original Message-----
>>>>From: Dave Wolf [mailto:[EMAIL PROTECTED]]
>>>>Sent: Wednesday, January 31, 2001 9:28 AM
>>>>To: [EMAIL PROTECTED]
>>>>Subject: Re: Is LoginServlet bad practice?
>>>>
>>>>
>>>>But why write a line of code when J2EE security services
>>>>provide this all to
>>>>you.
>>>>
>>>>Dave Wolf
>>>>Internet Applications Division
>>>>Sybase
>>>>
>>>>----- Original Message -----
>>>>From: "Rahman, Zahid" <[EMAIL PROTECTED]>
>>>>To: <[EMAIL PROTECTED]>
>>>>Sent: Wednesday, January 31, 2001 12:03 PM
>>>>Subject: Re: Is LoginServlet bad practice?
>>>>
>>>>
>>>>> Not my opinion,
>>>>>
>>>>> With regard to internal staff changing the servlet ?
>>>>>
>>>>> For instance what you are going to do if the staff take
>>>you physical
>>>>machine
>>>>> then what you going to do ?
>>>>>
>>>>> Interesting point though. Not much you can do when the
>>>>servlet methods are
>>>>> specified and common to all servlets Not much you can do ?
>>>>>
>>>>> The key point here is internal staff changing code ?
>>>>>
>>>>> Regards
>>>>> Zahid
>>>>> > -----Original Message-----
>>>>> > From: Bono, Chris [SMTP:[EMAIL PROTECTED]]
>>>>> > Sent: Wednesday, January 31, 2001 3:30 PM
>>>>> > To: [EMAIL PROTECTED]
>>>>> > Subject: Re: Is LoginServlet bad practice?
>>>>> >
>>>>> > Why not use J2EE security?
>>>>> >
>>>>> > -----Original Message-----
>>>>> > From: Carlos Otero Barros
>[mailto:[EMAIL PROTECTED]]
>>>>> > Sent: Wednesday, January 31, 2001 8:31 AM
>>>>> > To: [EMAIL PROTECTED]
>>>>> > Subject: Is LoginServlet bad practice?
>>>>> >
>>>>> >
>>>>> > Hi All!
>>>>> >
>>>>> > Recently I have been envolved in a discussion about the
>>>>convenience of
>>>>> > encapsulating login process in a separate servlet. Namely
>>>>LoginServlet.
>>>>> > My opinion is this is a bad practice from a security
>>>point of view.
>>>>> > Internal personel could substitute the LoginServlet with
>>>any other
>>>>> > simple servlet with the same methods() and take the
>>>whole web site
>>>>> > unsecured.
>>>>> >
>>>>> > Your opinion?
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> >
>>>>===============================================================
>>>>===========
>>>>> > =
>>>>> > To unsubscribe, send email to [EMAIL PROTECTED] and
>>>>include in the
>>>>> > body
>>>>> > of the message "signoff EJB-INTEREST". For general help,
>>>>send email to
>>>>> > [EMAIL PROTECTED] and include in the body of the
>>>>message "help".
>>>>> >
>>>>> >
>>>>===============================================================
>>>>===========
>>>>> > =
>>>>> > To unsubscribe, send email to [EMAIL PROTECTED] and
>>>>include in the
>>>>> > body
>>>>> > of the message "signoff EJB-INTEREST". For general help,
>>>>send email to
>>>>> > [EMAIL PROTECTED] and include in the body of the
>>>>message "help".
>>>>>
>>>>>
>>>>===============================================================
>>>>============
>>>>> To unsubscribe, send email to [EMAIL PROTECTED] and
>>>>include in the
>>>>body
>>>>> of the message "signoff EJB-INTEREST". For general help,
>>>>send email to
>>>>> [EMAIL PROTECTED] and include in the body of the
>>>message "help".
>>>>>
>>>>>
>>>>
>>>>===============================================================
>>>>============
>>>>To unsubscribe, send email to [EMAIL PROTECTED] and
>>>>include in the body
>>>>of the message "signoff EJB-INTEREST". For general help,
>>>send email to
>>>>[EMAIL PROTECTED] and include in the body of the message "help".
>>>>
>>>>
>>>
>>>==============================================================
>>>=============
>>>To unsubscribe, send email to [EMAIL PROTECTED] and
>>>include in the body
>>>of the message "signoff EJB-INTEREST". For general help,
>>>send email to
>>>[EMAIL PROTECTED] and include in the body of the message "help".
>>>
>
>===============================================================
>============
>To unsubscribe, send email to [EMAIL PROTECTED] and
>include in the body
>of the message "signoff EJB-INTEREST". For general help, send email to
>[EMAIL PROTECTED] and include in the body of the message "help".
>
>
===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff EJB-INTEREST". For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
