[ http://issues.apache.org/jira/browse/JS2-229?page=comments#action_62493 ]

Ate Douma commented on JS2-229:
-------------------------------

Although I would like to be able to remove the Javascript requirement for the active Login functionality, I wouldn't replace it with your solution because:

- It is less secure: using a redirect with the username and password as query string parameters will make it much easier to hack into your account.
- Some web/application servers *require* that the j_security_check action is accessed using form POST. It may work with the server (version) you have tested it against, but it may break on others. I know this for sure because I tested that out before I implemented the active Login as it is right now.

I'm sorry, but I don't think active Login can be implemented (portable and secure) without requiring Javascript. If you can't enforce that, I suggest falling back to using an "old" style login form and providing only a link to a secure page for "login" which users can click to enter their login account.

> Authentication without Javascript enabled
> -----------------------------------------
>
>          Key: JS2-229
>          URL: http://issues.apache.org/jira/browse/JS2-229
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>  Environment: jdk1.4.2_06, tomcat-5.0.30, win2000pro
>     Reporter: Artem Grinshtein
>     Priority: Minor
>  Attachments: patch.txt
>
> you can't login without Javascript enabled. HTML output of LoginServlet
> contains an 'invisible' form and javascript to submit it.
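As an added illustration (not part of the original comment or of the Jetspeed code): credentials passed as query string parameters are written to the server's access log along with the request line, and the Python example below scans such a log for j_security_check requests that were not a plain form POST or that carry credentials in the URL. The log lines, the `/jetspeed/login/` path and the function names are constructed for this example; `j_username` and `j_password` are the Servlet specification's form-login field names.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Request part of a Common/Combined Log Format line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Field names the Servlet specification defines for form-based login
CREDENTIAL_PARAMS = {"j_username", "j_password"}

def redact(target):
    """Return the request target with credential values masked."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + urlencode(pairs) if pairs else "")

def find_credential_leaks(lines):
    """Flag j_security_check requests that are not POST or carry credentials in the URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/j_security_check"):
            continue
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        leaked = sorted(CREDENTIAL_PARAMS & names)
        if m["method"] != "POST" or leaked:
            # Store only the redacted target so the report does not repeat the leak
            findings.append({"line": lineno, "method": m["method"],
                             "leaked_params": leaked, "target": redact(m["target"])})
    return findings

# Constructed sample access-log lines (hypothetical path and values, not from a real system)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2005:10:00:01 +0000] "POST /jetspeed/login/j_security_check HTTP/1.1" 302 -',
    '192.0.2.11 - - [01/Apr/2005:10:00:05 +0000] "GET /jetspeed/login/j_security_check'
    '?j_username=alice&j_password=s3cret HTTP/1.1" 302 -',
    '192.0.2.12 - - [01/Apr/2005:10:00:09 +0000] "GET /jetspeed/portal HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOG):
        print(finding)
```
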
