This is how Roller currently works - as a workaround for the fact that you can't forward to the j_security_check servlet. You can only redirect and we use a LoginServlet.java to redirect to this URL in case the user wants their password programmatically encrypted. The easiest way to solve this problem is to turn on encryption.
I plan to start working on a solution this week for the next version of Roller.

Matt

On 8/8/05, Mikolaj Rydzewski <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm a new user of Roller blogger. I'm not sure if the following case is
> true because of my misconfiguration or a design flaw in Roller.
>
> While processing the login form, Roller redirects the user using the GET
> method with the clear-text login and password in the URL! The following is
> a capture from the LiveHTTPHeaders Firefox plugin:
>
> 1. login form submission
> POST /roller/auth/
> [ login form data ]
>
> 2. here it goes: redirect with clear-text sensitive data:
> HTTP/1.x 302 Moved Temporarily
> Location:
> http://server/roller/j_security_check?j_username=login&j_password=pass&j_uri=
>
> 3. the following is placed in the webserver's log
> GET /roller/j_security_check?j_username=login&j_password=pass&j_uri=
> HTTP/1.1
>
> 4.
> HTTP/1.x 302 Moved Temporarily
> Location: http://server/roller/login-redirect.jsp
>
> 5.
> GET /roller/login-redirect.jsp HTTP/1.1
>
> 6. and finally we can blog
> HTTP/1.x 302 Moved Temporarily
> Location:
> http://server/roller/editor/weblog.do?method=create&rmk=tabbedmenu.weblog&rmik=tabbedmenu.weblog.newEntry
>
> Of course passwords are stored in the webserver's log too.
>
> Is it my misconfiguration? My setup is rather simple, I guess. Tomcat
> 5.5.x is running the Roller webapp on host A. The site is available via
> Apache 2.0.54 on host B, which uses mod_rewrite to proxy requests to Tomcat.
> They're both FreeBSD 5.4; Tomcat runs on JDK 1.4.2.
>
> --
> Mikolaj Rydzewski <[EMAIL PROTECTED]> http://ceti.pl/~miki/
> PGP KeyID: 8b12ab02
> There are three kinds of people: men, women and unix.
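The practical fallout of the redirect above is step 3: once the browser follows the 302, the password sits in the query string of a GET request and lands in the access log of every hop (Apache on host B, Tomcat on host A). The following is an added example, not Roller's code and not part of the thread, showing how a responder would scan such logs, list the accounts whose passwords were exposed, and redact the secret values before the logs are kept or shared. It assumes Apache common/combined log format, uses the constructed sample lines below (modelled on the capture, not real log data), and treats `j_username`/`j_password` as the servlet form-login field names plus a handful of other common parameter names, which are an assumption.

```python
"""Find and redact credentials that leaked into web-server access logs through
a query string (e.g. a redirect to j_security_check?j_username=..&j_password=..)."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# j_username / j_password are the Servlet-spec form-login field names; the other
# names are common conventions added as an assumption for broader coverage.
SECRET_PARAMS = frozenset({"j_password", "password", "passwd", "pass", "pwd"})
USER_PARAMS = frozenset({"j_username", "username", "user", "login"})

# The request field of an Apache common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[0-9.]+)"')

# Constructed sample log lines (hypothetical IPs/timestamps), following the capture.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Aug/2005:10:15:01 +0200] "POST /roller/auth/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [08/Aug/2005:10:15:01 +0200] "GET /roller/j_security_check'
    '?j_username=login&j_password=pass&j_uri= HTTP/1.1" 302 0',
    '10.0.0.5 - - [08/Aug/2005:10:15:02 +0200] "GET /roller/login-redirect.jsp HTTP/1.1" 302 0',
    '10.0.0.5 - - [08/Aug/2005:10:15:02 +0200] "GET /roller/editor/weblog.do'
    '?method=create&rmk=tabbedmenu.weblog HTTP/1.1" 200 4123',
]


def leaked_credentials(line):
    """Return (username, {secret_param: value}) if the request target of this
    log line carries a secret in its query string, otherwise None."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    pairs = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
    secrets = {k: v for k, v in pairs if k.lower() in SECRET_PARAMS}
    if not secrets:
        return None
    user = next((v for k, v in pairs if k.lower() in USER_PARAMS), None)
    return user, secrets


def redact_line(line, marker="REDACTED"):
    """Replace secret parameter values in the request target. The username is
    kept on purpose so responders know which account must have its password
    rotated; everything else on the line is left untouched."""
    m = REQUEST_RE.search(line)
    if m is None:
        return line
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SECRET_PARAMS for k, _ in pairs):
        return line
    cleaned = [(k, marker if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return line[:m.start("target")] + target + line[m.end("target"):]


def scan(lines):
    """Scan access-log lines; return (accounts whose password was exposed,
    the same lines with secret values redacted)."""
    accounts, redacted = set(), []
    for line in lines:
        hit = leaked_credentials(line)
        if hit is not None and hit[0]:
            accounts.add(hit[0])
        redacted.append(redact_line(line))
    return accounts, redacted


if __name__ == "__main__":
    exposed, clean = scan(SAMPLE_LOG)
    print("accounts to rotate:", sorted(exposed))
    print("\n".join(clean))
```

Redaction only fixes the copies you control; the same URL also reached the browser history and any proxy between the user and host B, so the exposed accounts still need their passwords changed. Note that a substring check like `"pass" not in line` would be a poor test here, since the parameter name `j_password` itself contains it; match on the full `name=value` pair instead.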
