RE: handling form based authentication w/ remember-me cookie

2004-01-14 Thread Dhaliwal, Pritpal (HQP)
Why not have a cookie field in the database table?

You generate a random string and put that as a cookie on the client. Now when
you get that cookie back, check if one of your users has that value stored
as a cookie. That's the user.

Pretty simple, and no exposing user IDs or passwords.


Pritpal Dhaliwal

-Original Message-
From: Matt Raible [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 14, 2004 5:28 AM
To: Struts Users Mailing List
Subject: Re: handling form based authentication w/ remember-me cookie



On Jan 14, 2004, at 3:52 AM, Nadeem Bitar wrote:
>
> A note about storing passwords in cookies.
> Encode the password.
> Do not store the userid with the password in the cookie, store some id 
> associated with the user id. You can generate a one-way hash (MD5) of 
> the contents of the cookie with
> a "secret key" only known to the server. This way when you get the
> cookie back you can compare it to make sure it wasn't altered.
>
> Many open source java projects store passwords in cookies insecurely 
> so beware of that if you are going to use that as reference.

I'm guilty of this - do you have code samples (or articles) of how to 
MD5-ify a String and get its "secret code?"  I've been struggling with 
this for quite some time - a full example (storing "some id" vs. 
userid) is even more desirable.

Thanks,

Matt


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
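
The approach suggested in this reply (a random string kept in a "cookie field" and looked up when the cookie comes back), as an added example that is not code from the thread or from any project mentioned in it. The class name, the in-memory map standing in for the database table, the 14-day lifetime and the user id are assumptions; beyond the reply, it stores only a SHA-256 of the token and replaces the token on every use.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not from the thread): opaque, server-side remember-me tokens. */
public class RememberMeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration LIFETIME = Duration.ofDays(14); // assumed policy

    /** One row of the hypothetical "cookie field" table. */
    private static final class Row {
        final String userId;
        final Instant expires;
        Row(String userId, Instant expires) { this.userId = userId; this.expires = expires; }
    }

    /** Result of a successful redeem: who it is, plus the replacement cookie value. */
    public static final class Login {
        public final String userId;
        public final String nextToken;
        Login(String userId, String nextToken) { this.userId = userId; this.nextToken = nextToken; }
    }

    // Stand-in for the database table. Keyed by SHA-256(token), so a leaked
    // table does not hand out usable cookie values.
    private final Map<String, Row> table = new ConcurrentHashMap<>();

    /** Call after a successful login with "remember me" ticked; returns the cookie value. */
    public String issue(String userId) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        table.put(sha256(token), new Row(userId, Instant.now().plus(LIFETIME)));
        return token;  // send with the Secure and HttpOnly cookie attributes
    }

    /** Maps a returned cookie to its user, or null. A token works once, then is replaced. */
    public Login redeem(String presented) {
        if (presented == null || presented.isEmpty() || presented.length() > 128) return null;
        Row row = table.remove(sha256(presented));       // single use: delete on lookup
        if (row == null || Instant.now().isAfter(row.expires)) return null;
        return new Login(row.userId, issue(row.userId));
    }

    /** Call on logout-everywhere or password change. */
    public void revokeAll(String userId) {
        table.values().removeIf(r -> r.userId.equals(userId));
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);          // SHA-256 is required in every JRE
        }
    }

    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("user-1017");        // constructed user id
        Login first = store.redeem(cookie);
        System.out.println("first use:     " + (first != null ? first.userId : "rejected"));
        System.out.println("replayed:      " + (store.redeem(cookie) != null ? "accepted" : "rejected"));
        Login second = store.redeem(first.nextToken);
        System.out.println("rotated token: " + (second != null ? second.userId : "rejected"));
        store.revokeAll("user-1017");
        System.out.println("after revoke:  " + (store.redeem(second.nextToken) != null ? "accepted" : "rejected"));
        System.out.println("garbage value: " + (store.redeem("not-a-token") != null ? "accepted" : "rejected"));
    }
}
```

Because the cookie holds nothing but the random value, neither the user id nor the password leaves the server, and deleting the row revokes the cookie.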






Re: handling form based authentication w/ remember-me cookie

2004-01-14 Thread Matt Raible
On Jan 14, 2004, at 3:52 AM, Nadeem Bitar wrote:
> A note about storing passwords in cookies.
> Encode the password.
> Do not store the userid with the password in the cookie, store some id
> associated with the user id.
> You can generate a one-way hash (MD5) of the contents of the cookie with
> a "secret key" only known to the server. This way when you get the
> cookie back you can compare it to make sure it wasn't altered.
>
> Many open source java projects store passwords in cookies insecurely so
> beware of that if you are going to use that as reference.

I'm guilty of this - do you have code samples (or articles) of how to 
MD5-ify a String and get its "secret code?"  I've been struggling with 
this for quite some time - a full example (storing "some id" vs. 
userid) is even more desirable.

Thanks,

Matt



Re: handling form based authentication w/ remember-me cookie

2004-01-14 Thread Nadeem Bitar
Chris,
Resin has two extensions that make this easy: j_uri and
j_use_cookie_auth. But I think we are both using Tomcat, which doesn't
have any extensions for this scenario.
Here is how I do it and have seen it done in many places.
You post your logins, not to j_security_check, but to somewhere else; or
maybe write a login servlet to handle the login after you create and
store the remember-me cookie before sending a redirect to
j_security_check. Doing it this way gives you greater flexibility,
especially if you want to do things with JAAS such as store Principal in
the session. I think that Roller uses a LoginServlet so you can have a
look at their code.


A note about storing passwords in cookies. 
Encode the password. 
Do not store the userid with the password in the cookie, store some id
associated with the user id.
You can generate a one-way hash (MD5) of the contents of the cookie with
a "secret key" only known to the server. This way when you get the
cookie back you can compare it to make sure it wasn't altered.

Many open source java projects store passwords in cookies insecurely so
beware of that if you are going to use that as reference.

 
On , 2004-01-13 at 16:32, Chris Ruegger wrote:
> Craig,
> Ok fair enough. If the spec says it is undefined, then what is one to do?
> Keep in mind I'm trying to do the right thing here and build an application
> where people can logon AND I can send them a cookie to remember their user
> ID.
> What is the proper way to do this under J2EE/Struts? Apparently I'm not
> allowed to intercept calls to j_security_check so I should be doing
> something else? That's fine, lots of web sites do this, how should I be
> doing it?
> Thanks,
> Chris
> 
> - Original Message -
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Tuesday, January 13, 2004 6:16 PM
> Subject: Re: handling form based authentication w/ remember-me cookie
> 
> 
> > Quoting [EMAIL PROTECTED]:
> >
> > >
> > > Are Servlet filters supposed to be called for both GET and POST
> > > methods? They seem to be getting called for GETs only on Tomcat 5.
> > > -Chris
> >
> > For filters mapped to ordinary application URLs, the filter should indeed get
> > mapped on both GET and POST methods.  For filters you attempt to put on
> > "/j_security_check" you are totally outside the bounds of the servlet
> > specification, and the only thing you can assume is that the behavior is
> > undefined.
> >
> > Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
> > it's just on a GET.
> >
> > Craig McClanahan
> >
> >
> > >
> > >
> > > > -Original Message-
> > > > From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, January 13, 2004 03:57 PM
> > > > To: 'Struts Users Mailing List'
> > > > Subject: RE: handling form based authentication w/ remember-me cookie
> > > >
> > > > Hi Max,
> > > >
> > > > I haven't tested it either.  I read about this in "IBM WebSphere V5.0
> > > > Security handbook (page 64)".
> > > >
> > > > Regards,
> > > > Dipak Parmar
> > > >
> > > >
> > > > -Original Message-
> > > > From: Max Cooper [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, January 12, 2004 10:42 PM
> > > > To: Struts Users Mailing List; [EMAIL PROTECTED]
> > > > Subject: Re: handling form based authentication w/ remember-me cookie
> > > >
> > > >
> > > > Dipak,
> > > >
> > > > Are you certain that the filter will be invoked on the
> /j_security_check
> > > > request when container-based security is used? I have not tested this,
> but
> > > > it would not surprise me to find that some containers do not execute
> > > filters
> > > > on /j_security_check requests. I don't know if the Servlet Spec says
> > > > anything about this case.
> > > >
> > > > Chris,
> > > >
> > > > Another alternative to the original problem of security with "remember
> me"
> > > > functionality will be available soon. A patch has been submitted to my
> > > > SecurityFilter project (http://www.securityfilter.org/) to support
> > > "remember
> > > > me" functionality. The integration should be complete soon, and a beta
> > > > relea
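
The keyed-hash cookie described in this message (an id associated with the user plus a hash computed with a server-only secret, compared when the cookie comes back), as an added example that is not code from the thread or from any project mentioned in it. It uses HMAC-SHA-256 in place of the MD5-with-secret construction named above; the class name, the "id|expiry" payload layout and all sample values are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not from the thread): tamper-evident remember-me cookie value. */
public class SignedRememberMeCookie {
    private final SecretKeySpec key;

    public SignedRememberMeCookie(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** Cookie value = base64url(payload) "." base64url(HMAC(payload)), payload = "id|expiry". */
    public String encode(String opaqueId, long expiresEpochSec) {
        if (opaqueId.indexOf('|') >= 0) throw new IllegalArgumentException("'|' not allowed in id");
        byte[] payload = (opaqueId + "|" + expiresEpochSec).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString(payload) + "." + b64.encodeToString(mac(payload));
    }

    /** Returns the opaque id, or null when the value is malformed, altered or expired. */
    public String decode(String cookieValue, long nowEpochSec) {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\.", -1);
        if (parts.length != 2) return null;
        byte[] payload;
        byte[] tag;
        try {
            payload = Base64.getUrlDecoder().decode(parts[0]);
            tag = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;                                  // not base64url
        }
        // Check the tag before parsing anything; isEqual compares in constant time.
        if (!MessageDigest.isEqual(mac(payload), tag)) return null;
        String[] fields = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (fields.length != 2) return null;
        long expires;
        try {
            expires = Long.parseLong(fields[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        return nowEpochSec < expires ? fields[0] : null;
    }

    private byte[] mac(byte[] data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];                     // constructed key; keep the real one server-side
        new SecureRandom().nextBytes(secret);
        SignedRememberMeCookie codec = new SignedRememberMeCookie(secret);
        long now = 1_074_038_400L;                        // constructed clock: 2004-01-14 00:00:00 UTC

        String cookie = codec.encode("a81f3c", now + 14 * 86_400L);  // constructed opaque id
        System.out.println("valid:   " + codec.decode(cookie, now));

        // Same tag, different payload: what an altered cookie looks like to the server.
        String tag = cookie.substring(cookie.indexOf('.') + 1);
        String otherPayload = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("b00000|9999999999".getBytes(StandardCharsets.UTF_8));
        System.out.println("altered: " + codec.decode(otherPayload + "." + tag, now));
        System.out.println("expired: " + codec.decode(cookie, now + 15 * 86_400L));
        System.out.println("garbage: " + codec.decode("%%%.###", now));
    }
}
```

A signed value like this cannot be revoked individually before it expires, so the opaque id should still map to a server-side record that can be deleted.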

Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Matt Raible
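They should be getting called for both - since they both are a 
"request".  You might try adding the <dispatcher> element to trap 
forwards as well.  This is a Servlet 2.4 feature.

<filter-mapping>
    <filter-name>loginFilter</filter-name>
    <url-pattern>/security/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>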


On Jan 13, 2004, at 12:19 PM, [EMAIL PROTECTED] wrote:

Are Servlet filters supposed to be called for both GET and POST
methods? They seem to be getting called for GETs only on Tomcat 5.
-Chris

-Original Message-
From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 03:57 PM
To: 'Struts Users Mailing List'
Subject: RE: handling form based authentication w/ remember-me cookie
Hi Max,

I haven't tested it either.  I read about this in "IBM WebSphere V5.0
Security handbook (page 64)".

Regards,
Dipak Parmar
-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 10:42 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: handling form based authentication w/ remember-me cookie
Dipak,

Are you certain that the filter will be invoked on the 
/j_security_check
request when container-based security is used? I have not tested 
this, but
it would not surprise me to find that some containers do not execute 
filters
on /j_security_check requests. I don't know if the Servlet Spec says
anything about this case.

Chris,

Another alternative to the original problem of security with 
"remember me"
functionality will be available soon. A patch has been submitted to my
SecurityFilter project (http://www.securityfilter.org/) to support 
"remember
me" functionality. The integration should be complete soon, and a beta
release will be made available once the integration is complete.
SecurityFilter works very much like container-managed security 
otherwise,
including the configuration format (except that you declare the 
constraints
in a separate config file rather than web.xml).

-Max

- Original Message -
From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 7:43 AM
Subject: RE: handling form based authentication w/ remember-me cookie

Hi Chris,

You can do this using Servlet Filter.  What you need to do is write
postLoginFilter that maps to the j_security_check url.
In the doFilter method, you can write your post-login code after
j_security_check has done its work.
Something like:
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    // let j_security_check do its work
    chain.doFilter(request, response);
    // do your post-login stuff here
}

Regards,
Dipak Parmar


-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 9:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie
I am using Struts and building a logon page to do Form-based
authentication
under Tomcat. I want to also have a checkbox for the user to check 
that
says
"remember me" so that I can send them a cookie.  I'm not sure how to
"intercept"
the form values because I have to post to j_security_check. How can 
I get
the
check-box value, set up the cookie, and send them to 
j_security_check with
struts?

Thanks



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Chris Ruegger
Craig,
Ok fair enough. If the spec says it is undefined, then what is one to do?
Keep in mind I'm trying to do the right thing here and build an application
where people can logon AND I can send them a cookie to remember their user
ID.
What is the proper way to do this under J2EE/Struts? Apparently I'm not
allowed to intercept calls to j_security_check so I should be doing
something else? That's fine, lots of web sites do this, how should I be
doing it?
Thanks,
Chris

- Original Message -
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, January 13, 2004 6:16 PM
Subject: Re: handling form based authentication w/ remember-me cookie


> Quoting [EMAIL PROTECTED]:
>
> >
> > Are Servlet filters supposed to be called for both GET and POST
> > methods? They seem to be getting called for GETs only on Tomcat 5.
> > -Chris
>
> For filters mapped to ordinary application URLs, the filter should indeed get
> mapped on both GET and POST methods.  For filters you attempt to put on
> "/j_security_check" you are totally outside the bounds of the servlet
> specification, and the only thing you can assume is that the behavior is
> undefined.
>
> Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
> it's just on a GET.
>
> Craig McClanahan
>
>
> >
> >
> > > -Original Message-
> > > From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, January 13, 2004 03:57 PM
> > > To: 'Struts Users Mailing List'
> > > Subject: RE: handling form based authentication w/ remember-me cookie
> > >
> > > Hi Max,
> > >
> > > I haven't tested it either.  I read about this in "IBM WebSphere V5.0
> > > Security handbook (page 64)".
> > >
> > > Regards,
> > > Dipak Parmar
> > >
> > >
> > > -Original Message-
> > > From: Max Cooper [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 10:42 PM
> > > To: Struts Users Mailing List; [EMAIL PROTECTED]
> > > Subject: Re: handling form based authentication w/ remember-me cookie
> > >
> > >
> > > Dipak,
> > >
> > > Are you certain that the filter will be invoked on the
/j_security_check
> > > request when container-based security is used? I have not tested this,
but
> > > it would not surprise me to find that some containers do not execute
> > filters
> > > on /j_security_check requests. I don't know if the Servlet Spec says
> > > anything about this case.
> > >
> > > Chris,
> > >
> > > Another alternative to the original problem of security with "remember
me"
> > > functionality will be available soon. A patch has been submitted to my
> > > SecurityFilter project (http://www.securityfilter.org/) to support
> > "remember
> > > me" functionality. The integration should be complete soon, and a beta
> > > release will be made available once the integration is complete.
> > > SecurityFilter works very much like container-managed security
otherwise,
> > > including the configuration format (except that you declare the
> > constraints
> > > in a separate config file rather than web.xml).
> > >
> > > -Max
> > >
> > > - Original Message -
> > > From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > Sent: Monday, January 12, 2004 7:43 AM
> > > Subject: RE: handling form based authentication w/ remember-me cookie
> > >
> > >
> > > > Hi Chris,
> > > >
> > > > You can do this using Servlet Filter.  What you need to do is write
> > > > postLoginFilter that maps to the j_security_check url.
> > > >
> > > > In the doFilter method, you can write your post-login code after
> > > > j_security_check has done its work.
> > > >
> > > > Something like:
> > > > public void doFilter(ServletRequest request, ServletResponse response,
> > > >                      FilterChain chain) throws IOException, ServletException {
> > > >     // let j_security_check do its work
> > > >     chain.doFilter(request, response);
> > > >     // do your post-login stuff here
> > > > }
> > > >
> > > > Regards,
> > > > Dipak Parmar
> > > >
> > > >
> > > >
> > > &g

Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Nadeem Bitar

It is a huge disappointment that the servlet 2.4 specification didn't
address programmatic authentication. Dispatching requests to
j_security_check is a pain in many use cases.

I really hope that a future version of tomcat would address this even if
this didn't make it into the spec this time.

On Tue, 2004-01-13 at 15:16, Craig R. McClanahan wrote:
> Quoting [EMAIL PROTECTED]:
> 
> > 
> > Are Servlet filters supposed to be called for both GET and POST
> > methods? They seem to be getting called for GETs only on Tomcat 5.
> > -Chris
> 
> For filters mapped to ordinary application URLs, the filter should indeed get
> mapped on both GET and POST methods.  For filters you attempt to put on
> "/j_security_check" you are totally outside the bounds of the servlet
> specification, and the only thing you can assume is that the behavior is
> undefined.
> 
> Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
> it's just on a GET.
> 
> Craig McClanahan
> 
> 
> > 
> > 
> > > -Original Message-
> > > From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, January 13, 2004 03:57 PM
> > > To: 'Struts Users Mailing List'
> > > Subject: RE: handling form based authentication w/ remember-me cookie
> > > 
> > > Hi Max,
> > > 
> > > I haven't tested it either.  I read about this in "IBM WebSphere V5.0
> > > Security handbook (page 64)".
> > > 
> > > Regards,
> > > Dipak Parmar
> > > 
> > > 
> > > -Original Message-
> > > From: Max Cooper [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 10:42 PM
> > > To: Struts Users Mailing List; [EMAIL PROTECTED]
> > > Subject: Re: handling form based authentication w/ remember-me cookie
> > > 
> > > 
> > > Dipak,
> > > 
> > > Are you certain that the filter will be invoked on the /j_security_check
> > > request when container-based security is used? I have not tested this, but
> > > it would not surprise me to find that some containers do not execute
> > filters
> > > on /j_security_check requests. I don't know if the Servlet Spec says
> > > anything about this case.
> > > 
> > > Chris,
> > > 
> > > Another alternative to the original problem of security with "remember me"
> > > functionality will be available soon. A patch has been submitted to my
> > > SecurityFilter project (http://www.securityfilter.org/) to support
> > "remember
> > > me" functionality. The integration should be complete soon, and a beta
> > > release will be made available once the integration is complete.
> > > SecurityFilter works very much like container-managed security otherwise,
> > > including the configuration format (except that you declare the
> > constraints
> > > in a separate config file rather than web.xml).
> > > 
> > > -Max
> > > 
> > > - Original Message -
> > > From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > Sent: Monday, January 12, 2004 7:43 AM
> > > Subject: RE: handling form based authentication w/ remember-me cookie
> > > 
> > > 
> > > > Hi Chris,
> > > >
> > > > You can do this using Servlet Filter.  What you need to do is write
> > > > postLoginFilter that maps to the j_security_check url.
> > > >
> > > > In the doFilter method, you can write your post-login code after
> > > > j_security_check has done its work.
> > > >
> > > > Something like:
> > > > public void doFilter(ServletRequest request, ServletResponse response,
> > > >                      FilterChain chain) throws IOException, ServletException {
> > > >     // let j_security_check do its work
> > > >     chain.doFilter(request, response);
> > > >     // do your post-login stuff here
> > > > }
> > > >
> > > > Regards,
> > > > Dipak Parmar
> > > >
> > > >
> > > >
> > > > -Original Message-
> > > > From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, January 12, 2004 9:53 AM
> > > > To: Struts Users Mailing List
> > > > Subject: handling form based authentication w/ remember-me cookie
> > > >
> > > >
> > > > I am using Struts and building a logon page to do Form-based
> > > authentication
> > 

Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Craig R. McClanahan
Quoting [EMAIL PROTECTED]:

> 
> Are Servlet filters supposed to be called for both GET and POST
> methods? They seem to be getting called for GETs only on Tomcat 5.
> -Chris

For filters mapped to ordinary application URLs, the filter should indeed get
mapped on both GET and POST methods.  For filters you attempt to put on
"/j_security_check" you are totally outside the bounds of the servlet
specification, and the only thing you can assume is that the behavior is
undefined.

Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
it's just on a GET.

Craig McClanahan


> 
> 
> > -Original Message-
> > From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, January 13, 2004 03:57 PM
> > To: 'Struts Users Mailing List'
> > Subject: RE: handling form based authentication w/ remember-me cookie
> > 
> > Hi Max,
> > 
> > I haven't tested it either.  I read about this in "IBM WebSphere V5.0
> > Security handbook (page 64)".
> > 
> > Regards,
> > Dipak Parmar
> > 
> > 
> > -Original Message-
> > From: Max Cooper [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 10:42 PM
> > To: Struts Users Mailing List; [EMAIL PROTECTED]
> > Subject: Re: handling form based authentication w/ remember-me cookie
> > 
> > 
> > Dipak,
> > 
> > Are you certain that the filter will be invoked on the /j_security_check
> > request when container-based security is used? I have not tested this, but
> > it would not surprise me to find that some containers do not execute
> filters
> > on /j_security_check requests. I don't know if the Servlet Spec says
> > anything about this case.
> > 
> > Chris,
> > 
> > Another alternative to the original problem of security with "remember me"
> > functionality will be available soon. A patch has been submitted to my
> > SecurityFilter project (http://www.securityfilter.org/) to support
> "remember
> > me" functionality. The integration should be complete soon, and a beta
> > release will be made available once the integration is complete.
> > SecurityFilter works very much like container-managed security otherwise,
> > including the configuration format (except that you declare the
> constraints
> > in a separate config file rather than web.xml).
> > 
> > -Max
> > 
> > - Original Message -
> > From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Sent: Monday, January 12, 2004 7:43 AM
> > Subject: RE: handling form based authentication w/ remember-me cookie
> > 
> > 
> > > Hi Chris,
> > >
> > > You can do this using Servlet Filter.  What you need to do is write
> > > postLoginFilter that maps to the j_security_check url.
> > >
> > > In the doFilter method, you can write your post-login code after
> > > j_security_check has done its work.
> > >
> > > Something like:
> > > public void doFilter(ServletRequest request, ServletResponse response,
> > >                      FilterChain chain) throws IOException, ServletException {
> > >     // let j_security_check do its work
> > >     chain.doFilter(request, response);
> > >     // do your post-login stuff here
> > > }
> > >
> > > Regards,
> > > Dipak Parmar
> > >
> > >
> > >
> > > -Original Message-
> > > From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, January 12, 2004 9:53 AM
> > > To: Struts Users Mailing List
> > > Subject: handling form based authentication w/ remember-me cookie
> > >
> > >
> > > I am using Struts and building a logon page to do Form-based
> > authentication
> > > under Tomcat. I want to also have a checkbox for the user to check that
> > says
> > > "remember me" so that I can send them a cookie.  I'm not sure how to
> > > "intercept"
> > > the form values because I have to post to j_security_check. How can I
> get
> > > the
> > > check-box value, set up the cookie, and send them to j_security_check
> with
> > > struts?
> > >
> > > Thanks
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
> > >
> > 
> > 
> > -
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > 
> > 
> 
> 
> 
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread cruegger

Are Servlet filters supposed to be called for both GET and POST
methods? They seem to be getting called for GETs only on Tomcat 5.
-Chris


> -Original Message-
> From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, January 13, 2004 03:57 PM
> To: 'Struts Users Mailing List'
> Subject: RE: handling form based authentication w/ remember-me cookie
> 
> Hi Max,
> 
> I haven't tested it either.  I read about this in "IBM WebSphere V5.0
> Security handbook (page 64)".
> 
> Regards,
> Dipak Parmar
> 
> 
> -Original Message-
> From: Max Cooper [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 10:42 PM
> To: Struts Users Mailing List; [EMAIL PROTECTED]
> Subject: Re: handling form based authentication w/ remember-me cookie
> 
> 
> Dipak,
> 
> Are you certain that the filter will be invoked on the /j_security_check
> request when container-based security is used? I have not tested this, but
> it would not surprise me to find that some containers do not execute filters
> on /j_security_check requests. I don't know if the Servlet Spec says
> anything about this case.
> 
> Chris,
> 
> Another alternative to the original problem of security with "remember me"
> functionality will be available soon. A patch has been submitted to my
> SecurityFilter project (http://www.securityfilter.org/) to support "remember
> me" functionality. The integration should be complete soon, and a beta
> release will be made available once the integration is complete.
> SecurityFilter works very much like container-managed security otherwise,
> including the configuration format (except that you declare the constraints
> in a separate config file rather than web.xml).
> 
> -Max
> 
> - Original Message -----
> From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Monday, January 12, 2004 7:43 AM
> Subject: RE: handling form based authentication w/ remember-me cookie
> 
> 
> > Hi Chris,
> >
> > You can do this using Servlet Filter.  What you need to do is write
> > postLoginFilter that maps to the j_security_check url.
> >
> > In the doFilter method, you can write your post-login code after
> > j_security_check has done its work.
> >
> > Something like:
> > public void doFilter(ServletRequest request, ServletResponse response,
> >                      FilterChain chain) throws IOException, ServletException {
> >     // let j_security_check do its work
> >     chain.doFilter(request, response);
> >     // do your post-login stuff here
> > }
> >
> > Regards,
> > Dipak Parmar
> >
> >
> >
> > -Original Message-
> > From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> > Sent: Monday, January 12, 2004 9:53 AM
> > To: Struts Users Mailing List
> > Subject: handling form based authentication w/ remember-me cookie
> >
> >
> > I am using Struts and building a logon page to do Form-based
> authentication
> > under Tomcat. I want to also have a checkbox for the user to check that
> says
> > "remember me" so that I can send them a cookie.  I'm not sure how to
> > "intercept"
> > the form values because I have to post to j_security_check. How can I get
> > the
> > check-box value, set up the cookie, and send them to j_security_check with
> > struts?
> >
> > Thanks



RE: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Parmar, Dipakkumar
Hi Max,

I haven't tested it either.  I read about this in "IBM WebSphere V5.0
Security handbook (page 64)".

Regards,
Dipak Parmar


-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 10:42 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: handling form based authentication w/ remember-me cookie


Dipak,

Are you certain that the filter will be invoked on the /j_security_check
request when container-based security is used? I have not tested this, but
it would not surprise me to find that some containers do not execute filters
on /j_security_check requests. I don't know if the Servlet Spec says
anything about this case.

Chris,

Another alternative to the original problem of security with "remember me"
functionality will be available soon. A patch has been submitted to my
SecurityFilter project (http://www.securityfilter.org/) to support "remember
me" functionality. The integration should be complete soon, and a beta
release will be made available once the integration is complete.
SecurityFilter works very much like container-managed security otherwise,
including the configuration format (except that you declare the constraints
in a separate config file rather than web.xml).

-Max

- Original Message -
From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 7:43 AM
Subject: RE: handling form based authentication w/ remember-me cookie


> Hi Chris,
>
> You can do this using Servlet Filter.  What you need to do is write
> postLoginFilter that maps to the j_security_check url.
>
> In the doFilter method, you can write your post-login code after
> j_security_check has done its work.
>
> Something like:
> public void doFilter(ServletRequest request, ServletResponse response,
>                      FilterChain chain) throws IOException, ServletException {
>     // let j_security_check do its work
>     chain.doFilter(request, response);
>     // do your post-login stuff here
> }
>
> Regards,
> Dipak Parmar
>
>
>
> -Original Message-----
> From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 9:53 AM
> To: Struts Users Mailing List
> Subject: handling form based authentication w/ remember-me cookie
>
>
> I am using Struts and building a logon page to do Form-based
authentication
> under Tomcat. I want to also have a checkbox for the user to check that
says
> "remember me" so that I can send them a cookie.  I'm not sure how to
> "intercept"
> the form values because I have to post to j_security_check. How can I get
> the
> check-box value, set up the cookie, and send them to j_security_check with
> struts?
>
> Thanks



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Martin Gainty
Add 1 Nota Bene:
"objects in request scope are lost on a redirect, but remain in scope after
a forward..."
-Martin

- Original Message -
From: "Matt Raible" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, January 13, 2004 7:05 AM
Subject: Re: handling form based authentication w/ remember-me cookie


>
> On Jan 13, 2004, at 12:42 AM, Craig R. McClanahan wrote:
> >
> > Filters are *not* required to be invoked on j_security_check
> > invocations.  In
> > fact, Tomcat won't even enable the "j_security_check" url unless an
> > unauthenticated user accesses a protected resource.  Basically, I
> > believe there
> > is no guaranteed-to-be-portable way to implement "remember me"
> > functionality on
> > the server using container managed security.
> >
> > Craig
>
> The Filter I use is mapped to the location of the .
> The solution I use does work on both Tomcat 4/5 and Resin, which is
> portable enough for me!  I did have to add
> FORWARD for Tomcat 5 and Resin, where the
> login page is displayed using a forward instead of a redirect.
>
> Matt



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Matt Raible
On Jan 13, 2004, at 12:42 AM, Craig R. McClanahan wrote:
> Filters are *not* required to be invoked on j_security_check
> invocations.  In fact, Tomcat won't even enable the "j_security_check"
> url unless an unauthenticated user accesses a protected resource.
> Basically, I believe there is no guaranteed-to-be-portable way to
> implement "remember me" functionality on the server using container
> managed security.
>
> Craig

The Filter I use is mapped to the location of the .  
The solution I use does work on both Tomcat 4/5 and Resin, which is 
portable enough for me!  I did have to add 
FORWARD for Tomcat 5 and Resin, where the 
login page is displayed using a forward instead of a redirect.

Matt



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Craig R. McClanahan
Quoting Matt Raible <[EMAIL PROTECTED]>:

> Remember Me functionality with j_security_check has worked fine for me. 
>   I just go to a LoginServlet from my loginForm, which sets cookies and 
> redirects to j_security_check.  Then I map a Filter to check for those 
> cookies and logs the user in appropriately.  More with code at:
> 
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg86636.html
> 
> Complete code is available in my AppFuse application at:
> 
> http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
> 
> HTH,
> 
> Matt
> 

Filters are *not* required to be invoked on j_security_check invocations.  In
fact, Tomcat won't even enable the "j_security_check" url unless an
unauthenticated user accesses a protected resource.  Basically, I believe there
is no guaranteed-to-be-portable way to implement "remember me" functionality on
the server using container managed security.

Craig



> On Jan 12, 2004, at 8:41 PM, Max Cooper wrote:
>
> > Dipak,
> >
> > Are you certain that the filter will be invoked on the /j_security_check
> > request when container-based security is used? I have not tested this, but
> > it would not surprise me to find that some containers do not execute filters
> > on /j_security_check requests. I don't know if the Servlet Spec says
> > anything about this case.
> >
> > Chris,
> >
> > Another alternative to the original problem of security with "remember me"
> > functionality will be available soon. A patch has been submitted to my
> > SecurityFilter project (http://www.securityfilter.org/) to support "remember
> > me" functionality. The integration should be complete soon, and a beta
> > release will be made available once the integration is complete.
> > SecurityFilter works very much like container-managed security otherwise,
> > including the configuration format (except that you declare the constraints
> > in a separate config file rather than web.xml).
> >
> > -Max
> >
> > - Original Message -
> > From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > Sent: Monday, January 12, 2004 7:43 AM
> > Subject: RE: handling form based authentication w/ remember-me cookie
> >
> >
> >> Hi Chris,
> >>
> >> You can do this using a Servlet Filter.  What you need to do is write a
> >> postLoginFilter that maps to the j_security_check url.
> >>
> >> In the doFilter method, you can write your post-login code after
> >> j_security_check has done its work.
> >>
> >> Something like:
> >> public void doFilter(ServletRequest request, ServletResponse response,
> >>                      FilterChain chain) throws IOException, ServletException {
> >>     // let j_security_check do its work
> >>     chain.doFilter(request, response);
> >>
> >>     // do your post-login stuff here
> >> }
> >>
> >> Regards,
> >> Dipak Parmar
> >>
> >>
> >>
> >> -Original Message-
> >> From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> >> Sent: Monday, January 12, 2004 9:53 AM
> >> To: Struts Users Mailing List
> >> Subject: handling form based authentication w/ remember-me cookie
> >>
> >>
> >> I am using Struts and building a logon page to do Form-based authentication
> >> under Tomcat. I want to also have a checkbox for the user to check that says
> >> "remember me" so that I can send them a cookie.  I'm not sure how to "intercept"
> >> the form values because I have to post to j_security_check. How can I get the
> >> check-box value, set up the cookie, and send them to j_security_check with
> >> struts?
> >>
> >> Thanks

Re: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Matt Raible
Remember Me functionality with j_security_check has worked fine for me. 
 I just go to a LoginServlet from my loginForm, which sets cookies and 
redirects to j_security_check.  Then I map a Filter to check for those 
cookies and logs the user in appropriately.  More with code at:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg86636.html

Complete code is available in my AppFuse application at:

http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse

HTH,

Matt

On Jan 12, 2004, at 8:41 PM, Max Cooper wrote:

> Dipak,
>
> Are you certain that the filter will be invoked on the /j_security_check
> request when container-based security is used? I have not tested this, but
> it would not surprise me to find that some containers do not execute filters
> on /j_security_check requests. I don't know if the Servlet Spec says
> anything about this case.
>
> Chris,
>
> Another alternative to the original problem of security with "remember me"
> functionality will be available soon. A patch has been submitted to my
> SecurityFilter project (http://www.securityfilter.org/) to support "remember
> me" functionality. The integration should be complete soon, and a beta
> release will be made available once the integration is complete.
> SecurityFilter works very much like container-managed security otherwise,
> including the configuration format (except that you declare the constraints
> in a separate config file rather than web.xml).
>
> -Max
>
> - Original Message -
> From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Monday, January 12, 2004 7:43 AM
> Subject: RE: handling form based authentication w/ remember-me cookie
>
>> Hi Chris,
>>
>> You can do this using a Servlet Filter.  What you need to do is write a
>> postLoginFilter that maps to the j_security_check url.
>>
>> In the doFilter method, you can write your post-login code after
>> j_security_check has done its work.
>>
>> Something like:
>> public void doFilter(ServletRequest request, ServletResponse response,
>>                      FilterChain chain) throws IOException, ServletException {
>>     // let j_security_check do its work
>>     chain.doFilter(request, response);
>>
>>     // do your post-login stuff here
>> }
>>
>> Regards,
>> Dipak Parmar
>>
>>
>> -Original Message-
>> From: Chris Ruegger [mailto:[EMAIL PROTECTED]
>> Sent: Monday, January 12, 2004 9:53 AM
>> To: Struts Users Mailing List
>> Subject: handling form based authentication w/ remember-me cookie
>>
>> I am using Struts and building a logon page to do Form-based authentication
>> under Tomcat. I want to also have a checkbox for the user to check that says
>> "remember me" so that I can send them a cookie.  I'm not sure how to "intercept"
>> the form values because I have to post to j_security_check. How can I get the
>> check-box value, set up the cookie, and send them to j_security_check with
>> struts?
>>
>> Thanks



Re: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Max Cooper
Dipak,

Are you certain that the filter will be invoked on the /j_security_check
request when container-based security is used? I have not tested this, but
it would not surprise me to find that some containers do not execute filters
on /j_security_check requests. I don't know if the Servlet Spec says
anything about this case.

Chris,

Another alternative to the original problem of security with "remember me"
functionality will be available soon. A patch has been submitted to my
SecurityFilter project (http://www.securityfilter.org/) to support "remember
me" functionality. The integration should be complete soon, and a beta
release will be made available once the integration is complete.
SecurityFilter works very much like container-managed security otherwise,
including the configuration format (except that you declare the constraints
in a separate config file rather than web.xml).

-Max

- Original Message - 
From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, January 12, 2004 7:43 AM
Subject: RE: handling form based authentication w/ remember-me cookie


> Hi Chris,
>
> You can do this using a Servlet Filter.  What you need to do is write a
> postLoginFilter that maps to the j_security_check url.
>
> In the doFilter method, you can write your post-login code after
> j_security_check has done its work.
>
> Something like:
> public void doFilter(ServletRequest request, ServletResponse response,
>                      FilterChain chain) throws IOException, ServletException {
>     // let j_security_check do its work
>     chain.doFilter(request, response);
>
>     // do your post-login stuff here
> }
>
> Regards,
> Dipak Parmar
>
>
>
> -Original Message-
> From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 9:53 AM
> To: Struts Users Mailing List
> Subject: handling form based authentication w/ remember-me cookie
>
>
> I am using Struts and building a logon page to do Form-based authentication
> under Tomcat. I want to also have a checkbox for the user to check that says
> "remember me" so that I can send them a cookie.  I'm not sure how to "intercept"
> the form values because I have to post to j_security_check. How can I get the
> check-box value, set up the cookie, and send them to j_security_check with
> struts?
>
> Thanks



RE: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Richard Hightower
I believe this is the easiest way

Have the form login go to your own custom action.

Have your action forward to the j_security_check, passing the correct
request parameters.

Set the forward you set up that points to j_security_check to do a
redirect=true.

Rick Hightower
Developer

Struts/J2EE training -- http://www.arc-mind.com/strutsCourse.htm

Struts/J2EE consulting --
http://www.arc-mind.com/consulting.htm#StrutsMentoring

-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 7:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie


I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
"remember me" so that I can send them a cookie.  I'm not sure how to "intercept"
the form values because I have to post to j_security_check. How can I get the
check-box value, set up the cookie, and send them to j_security_check with
struts?

Thanks





RE: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Parmar, Dipakkumar
Hi Chris,

You can do this using a Servlet Filter.  What you need to do is write a
postLoginFilter that maps to the j_security_check url.

In the doFilter method, you can write your post-login code after
j_security_check has done its work.

Something like:
public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    // let j_security_check do its work
    chain.doFilter(request, response);

    // do your post-login stuff here
}

Regards,
Dipak Parmar



-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 9:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie


I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
"remember me" so that I can send them a cookie.  I'm not sure how to "intercept"
the form values because I have to post to j_security_check. How can I get the
check-box value, set up the cookie, and send them to j_security_check with
struts?

Thanks





handling form based authentication w/ remember-me cookie

2004-01-12 Thread Chris Ruegger
I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
"remember me" so that I can send them a cookie.  I'm not sure how to "intercept"
the form values because I have to post to j_security_check. How can I get the
check-box value, set up the cookie, and send them to j_security_check with
struts?

Thanks