On Sep 29, 2008, at 4:52 PM, Aaron Evans wrote:

Hi David,

I tried this out and it seems to do what I want, so thanks very much.
Sorry to take so long to actually use a feature that I requested!

One question though:

In the LoginProxyServlet, you redirect to:

"/login/redirector?token=" + token.getToken() where the token value is
the username-timestamp.

Is this token request parameter used later on in the chain? It doesn't
seem to affect the behavior of the authentication mechanism or the
security valve.

The reason I ask is if it is informational only, I'd suggest removing
it.  In my case, it stays visible for a second or two while our
dashboard loads and it just seems weird to see the username in the
URL.

Anyhow, obviously not a big deal provided it isn't a security issue
(and I'm pretty sure it is not since I tried doing some basic URL
manipulation).

Anyhow, thanks again. I'll also post these comments on the JIRA issue
in case you miss this thread...


Message received on JIRA, also responding here:

It is used, but the token does not have to be the user name. I agree, it would be better to create a generated token with no meaning. Regardless, the tokens will only live for 30 seconds.
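The design agreed on above, a random token with no meaning standing in for the username-timestamp value in the `/login/redirector?token=` URL and expiring after 30 seconds, worked through as an added example. This is not code from the thread or from the project; it is written in Python rather than the servlet's Java, and the store, the function names and the injectable clock are assumptions made for illustration. The points it shows are that the username never appears in the URL (it only exists in the server-side map), that a token is consumed on first use, and that unknown, reused and expired tokens all fail the same way.

```python
"""Opaque, short-lived login redirect tokens (illustrative, not the project's code)."""
import secrets
import time

TOKEN_TTL_SECONDS = 30  # lifetime stated in the reply above


class FakeClock:
    """Controllable clock so the expiry behaviour can be demonstrated offline."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RedirectTokenStore:
    """Server-side map from random token -> (username, issued_at).

    Only the token travels in the URL. The username stays on the server,
    so nothing in the address bar identifies the user, and a token cannot
    be guessed or constructed (256 bits from the OS random source).
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock  # injectable for tests; monotonic in production
        self._pending = {}

    def issue(self, username):
        """Create a single-use token for a freshly authenticated user."""
        self._purge_expired()
        token = secrets.token_urlsafe(32)
        self._pending[token] = (username, self._clock())
        return token

    def redeem(self, token):
        """Return the username for a live token and invalidate it.

        Unknown, already used and expired tokens all return None, so the
        redirector treats them identically (back to the login page) and the
        response does not distinguish the cases.
        """
        entry = self._pending.pop(token, None)  # pop: single use
        if entry is None:
            return None
        username, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return None
        return username

    def redirect_url(self, username):
        """Build the redirector URL the proxy servlet would send (hypothetical path from the thread)."""
        return "/login/redirector?token=" + self.issue(username)

    def _purge_expired(self):
        """Drop stale entries so abandoned logins do not accumulate."""
        now = self._clock()
        stale = [t for t, (_, ts) in self._pending.items() if now - ts > self._ttl]
        for t in stale:
            del self._pending[t]


if __name__ == "__main__":
    clock = FakeClock()
    store = RedirectTokenStore(clock=clock)
    url = store.redirect_url("aaron")  # constructed sample user
    print(url)                          # no username visible in the URL
    token = url.split("token=", 1)[1]
    print(store.redeem(token))          # aaron
    print(store.redeem(token))          # None: already consumed
    late = store.issue("aaron")
    clock.advance(31)
    print(store.redeem(late))           # None: past the 30 second lifetime
```

Using a monotonic clock for the timestamps avoids a token being revived or killed early by a wall-clock adjustment, and popping the entry before checking expiry means even a valid-looking token can only ever be redeemed once.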

