Chris,
Resin has two extensions that make this easy, j_uri and
j_use_cookie_auth. But I think we are both using tomcat which doesn't
have any extensions for this scenario.
Here is how I do it and have seen done many places.
You post your logins, not to j_security_check, but to somewhere else; or
maybe write a login servlet to handle the login after you create and
store the remember-me cookie before sending a redirect to
j_security_check. Doing it this way gives you greater flexibility
especially if you want to do things with JAAS such as store Principal in
the session. I think that roller uses a LoginServlet so you can have a
look at their code.


A note about storing passwords in cookies. 
Encode the password. 
Do not store the userid with the password in the cookie, store some id
associated with the user id.
You can generate a one-way hash (MD5) of the contents of the cookie with
a "secret key" only known to the server. This way when you get the
cookie back you can compare it to make sure it wasn't altered.

Many open source java projects store passwords in cookies insecurely so
beware of that if you are going to use that as reference.

 
On , 2004-01-13 at 16:32, Chris Ruegger wrote:
> Craig,
> Ok fair enough. If the spec says it is undefined, then what is one to do?
> Keep in mind I'm trying to do the right thing here and build an application
> where people can logon AND I can send them a cookie to remember their user
> ID.
> What is the proper way to do this under J2EE/Struts? Apparently I'm not
> allowed
> to intercept calls to j_security_check so I should be doing something else?
> That's fine,
> lots of web sites do this, how should I be doing it?
> Thanks,
> Chris
> 
> ----- Original Message -----
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> Sent: Tuesday, January 13, 2004 6:16 PM
> Subject: Re: handling form based authentication w/ remember-me cookie
> 
> 
> > Quoting [EMAIL PROTECTED]:
> >
> > >
> > > Are Servlet filters supposed to be called for both GET and POST
> > > methods? They seem to be getting called for GETs only on Tomcat 5.
> > > -Chris
> >
> > For filters mapped to ordinary application URLs, the filter should indeed get
> > mapped on both GET and POST methods.  For filters you attempt to put on
> > "/j_security_check" you are totally outside the bounds of the servlet
> > specification, and the only thing you can assume is that the behavior is
> > undefined.
> >
> > Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
> > it's just on a GET.
> >
> > Craig McClanahan
> >
> >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Parmar, Dipakkumar [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, January 13, 2004 03:57 PM
> > > > To: 'Struts Users Mailing List'
> > > > Subject: RE: handling form based authentication w/ remember-me cookie
> > > >
> > > > Hi Max,
> > > >
> > > > I haven't tested it either.  I read about this in "IBM WebSphere V5.0
> > > > Security handbook (page 64)".
> > > >
> > > > Regards,
> > > > Dipak Parmar
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Max Cooper [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, January 12, 2004 10:42 PM
> > > > To: Struts Users Mailing List; [EMAIL PROTECTED]
> > > > Subject: Re: handling form based authentication w/ remember-me cookie
> > > >
> > > >
> > > > Dipak,
> > > >
> > > > Are you certain that the filter will be invoked on the /j_security_check
> > > > request when container-based security is used? I have not tested this, but
> > > > it would not surprise me to find that some containers do not execute filters
> > > > on /j_security_check requests. I don't know if the Servlet Spec says
> > > > anything about this case.
> > > >
> > > > Chris,
> > > >
> > > > Another alternative to the original problem of security with "remember me"
> > > > functionality will be available soon. A patch has been submitted to my
> > > > SecurityFilter project (http://www.securityfilter.org/) to support "remember
> > > > me" functionality. The integration should be complete soon, and a beta
> > > > release will be made available once the integration is complete.
> > > > SecurityFilter works very much like container-managed security otherwise,
> > > > including the configuration format (except that you declare the constraints
> > > > in a separate config file rather than web.xml).
> > > >
> > > > -Max
> > > >
> > > > ----- Original Message -----
> > > > From: "Parmar, Dipakkumar" <[EMAIL PROTECTED]>
> > > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
> > > > Sent: Monday, January 12, 2004 7:43 AM
> > > > Subject: RE: handling form based authentication w/ remember-me cookie
> > > >
> > > >
> > > > > Hi Chris,
> > > > >
> > > > > You can do this using a Servlet Filter.  What you need to do is write a
> > > > > postLoginFilter that maps to the j_security_check url.
> > > > >
> > > > > In the doFilter method, you can write your post-login code after
> > > > > j_security_check has done its work.
> > > > >
> > > > > Something like:
> > > > > public void doFilter(ServletRequest request, ServletResponse response,
> > > > >                      FilterChain chain) throws IOException, ServletException {
> > > > >     // let j_security_check do its work
> > > > >     chain.doFilter(request, response);
> > > > >     // do your post-login stuff here
> > > > > }
> > > > >
> > > > > Regards,
> > > > > Dipak Parmar
> > > > >
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: Chris Ruegger [mailto:[EMAIL PROTECTED]
> > > > > Sent: Monday, January 12, 2004 9:53 AM
> > > > > To: Struts Users Mailing List
> > > > > Subject: handling form based authentication w/ remember-me cookie
> > > > >
> > > > >
> > > > > I am using Struts and building a logon page to do Form-based authentication
> > > > > under Tomcat. I want to also have a checkbox for the user to check that says
> > > > > "remember me" so that I can send them a cookie.  I'm not sure how to
> > > > > "intercept" the form values because I have to post to j_security_check. How
> > > > > can I get the check-box value, set up the cookie, and send them to
> > > > > j_security_check with struts?
> > > > >
> > > > > Thanks
> > > > >
> > > > >
> > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >
> >
> 
> 
> 
-- 
*******************
Nadeem Bitar
Software Engineer
IzuCode, LLC
*******************
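The keyed-hash check described at the top of this message, as an added example that is not code from the original thread or from any project named in it: the cookie carries an opaque remember-me id (not the user id or password) plus an expiry, and an HMAC-SHA256 over both under a server-only key stands in for the MD5-with-secret construction of 2004. On the way back in the MAC is recomputed and compared in constant time before anything in the cookie is trusted. The class and method names (RememberMeToken, issue, verify) and the sample key, id and timestamp are assumptions constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Remember-me cookie value laid out as  id.expiry.mac
 *  - id     : opaque identifier mapped server-side to the user; never the
 *             user id or password, as the note above recommends
 *  - expiry : epoch seconds; the server enforces it, since a cookie max-age
 *             is only enforced by the browser
 *  - mac    : HMAC-SHA256 over "id.expiry" under a key only the server holds,
 *             so an altered cookie is rejected on the way back
 */
public final class RememberMeToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    private final SecretKeySpec key;

    public RememberMeToken(byte[] secret) {
        // Key material belongs in server configuration or a key store,
        // never in the web application's source or in the cookie itself.
        this.key = new SecretKeySpec(secret, ALG);
    }

    /** Builds the cookie value for an opaque remember-me id. */
    public String issue(String rememberId, long expiresEpochSeconds) {
        String payload = ENC.encodeToString(rememberId.getBytes(StandardCharsets.UTF_8))
                + "." + Long.toString(expiresEpochSeconds);
        return payload + "." + ENC.encodeToString(mac(payload));
    }

    /**
     * Returns the remember-me id if the cookie is intact and unexpired, else null.
     * The MAC is verified (constant-time) before the payload is parsed at all.
     */
    public String verify(String cookieValue, long nowEpochSeconds) {
        if (cookieValue == null) return null;
        int dot = cookieValue.lastIndexOf('.');
        if (dot <= 0 || dot == cookieValue.length() - 1) return null;
        String payload = cookieValue.substring(0, dot);
        byte[] presented;
        try {
            presented = DEC.decode(cookieValue.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;               // not even valid base64url: reject
        }
        if (!MessageDigest.isEqual(mac(payload), presented)) return null;

        String[] parts = payload.split("\\.", -1);
        if (parts.length != 2) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowEpochSeconds >= expiry) return null;
        return new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] mac(String payload) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed demo key and id; a real key is random and at least 32 bytes.
        byte[] secret = "constructed-demo-key-replace-with-random-bytes".getBytes(StandardCharsets.UTF_8);
        RememberMeToken t = new RememberMeToken(secret);
        long now = 1073952000L;                       // constructed: 2004-01-13 00:00 UTC
        String cookie = t.issue("rm-7f3a9c", now + 14 * 24 * 3600);
        System.out.println("cookie:   " + cookie);
        System.out.println("valid:    " + t.verify(cookie, now));
        System.out.println("expired:  " + t.verify(cookie, now + 15 * 24 * 3600));
        // Change one character of the payload: the MAC no longer matches.
        String tampered = "X" + cookie.substring(1);
        System.out.println("tampered: " + t.verify(tampered, now));
    }
}
```

In a login servlet the returned value goes into a `javax.servlet.http.Cookie` set with a path, a max-age matching the expiry, the Secure flag, and (on Servlet 3.0 or later, an assumption about the container) `setHttpOnly(true)`; on a later request `verify` yields the opaque id, which is then looked up server-side. Because the server keeps the mapping from id to account, nothing in the cookie needs to be an encoded password, and a leaked cookie can be revoked by deleting that mapping.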



