The bookmarking of the login page is a well known issue. However, without dumping CMS there seems to be little to do but resort to a few hacks ;(

Our hack pt1:
Add to the top of the login page a redirect to a sensible entry point for the app:
<% javax.servlet.http.HttpSession s = request.getSession(false); // null-safe: getSession(false) is null when the page is declared session="false"
   if (s == null || s.isNew()) { response.sendRedirect(request.getContextPath() + "/index.jsp"); return; } %>


Our hack pt2:
Add an error page that catches the 'illegal direct reference to login page' (or whatever it is). Use this error page to redirect to a sensible entry point to the app.
eg:
<% Object badUri = request.getAttribute("javax.servlet.error.request_uri");
   Object errorCode = request.getAttribute("javax.servlet.error.status_code");
   // Both attributes are null when someone opens this page directly rather than
   // via an error dispatch, so guard them before calling toString().
   // request_uri includes the context path, so match the tail only.
   if (badUri != null && errorCode != null
       && badUri.toString().endsWith("/j_security_check")
       && "400".equals(errorCode.toString())) {
       response.sendRedirect(request.getContextPath() + "/index.jsp");
       return;
   }
%>


Pt 2 also catches things like a user sitting on the login page until the session times out.

HTH,

Jon
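As an added example, not code from the thread: the same "hack pt2" written as a servlet instead of a JSP error page, null-safe and context-path aware, on the javax.servlet API the snippets above already use. The class name, the /login-error mapping, the login page paths and the "/index.jsp" entry point are assumptions; the web.xml wiring it needs is shown in the leading comment.

```java
// Added example (not code from the thread). Handles the 400 that the form
// authenticator raises when /j_security_check is posted with no saved
// request, i.e. a bookmarked login page or an expired session.
//
// Assumed web.xml wiring:
//
//   <servlet>
//     <servlet-name>loginErrorHandler</servlet-name>
//     <servlet-class>LoginErrorHandler</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>loginErrorHandler</servlet-name>
//     <url-pattern>/login-error</url-pattern>
//   </servlet-mapping>
//   <error-page>
//     <error-code>400</error-code>
//     <location>/login-error</location>
//   </error-page>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login.jsp</form-login-page>
//       <form-error-page>/login-failed.jsp</form-error-page>
//     </form-login-config>
//   </login-config>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginErrorHandler extends HttpServlet {

    // Fixed, server-side entry point (assumed path). Deliberately not read
    // from a request parameter: a "?next=" style target would turn this
    // redirect into an open redirect usable for phishing.
    private static final String ENTRY_POINT = "/index.jsp";

    // Set by the container on the error dispatch.
    private static final String ATTR_STATUS = "javax.servlet.error.status_code";
    private static final String ATTR_URI    = "javax.servlet.error.request_uri";

    /** True only for a 400 produced by posting the login form with no saved request. */
    static boolean isStaleLoginPost(Object statusCode, Object requestUri) {
        // Both attributes are null if a client browses to /login-error directly,
        // so guard before calling toString().
        if (statusCode == null || requestUri == null) {
            return false;
        }
        // request_uri includes the context path, so match the tail only.
        return "400".equals(statusCode.toString())
            && requestUri.toString().endsWith("/j_security_check");
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Object status = req.getAttribute(ATTR_STATUS);
        Object uri = req.getAttribute(ATTR_URI);

        if (isStaleLoginPost(status, uri)) {
            // Stale bookmark, or a user who sat on the login page until the
            // session expired: send them to the app's entry point and stop.
            resp.sendRedirect(req.getContextPath() + ENTRY_POINT);
            return;
        }

        // Any other 400 keeps its status and gets a plain body, so this
        // handler does not silently turn real bad requests into "go to index".
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        resp.setContentType("text/plain");
        resp.getWriter().println("Bad request.");
    }
}
```

The check on the original request URI matters: a 400 error page is reached for every bad request in the app, so redirecting unconditionally would hide genuine client errors behind a 302 to the index page.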



David Legg wrote:

Hi Adoni,

No... you are not alone. I've been there too!

My half-hearted solution was to simply display a message on the login page
asking them not to bookmark it.  I think the proper solution would be to
allow developers to specify a 'default' url along with the login and error
urls.  This page could then be displayed instead of the error page when
there is no saved target url.

You will probably also come across another non-obvious problem to do with
form-based security.  When people use download accelerators like 'GetRight',
etc., these programs attempt to download a given url.  Unfortunately if the
item they are trying to download falls under your protected region Tomcat
will present them with the login page instead of the resource they were
after.  This will happen even if you have successfully logged in because as
far as Tomcat is concerned the request came from a new and as yet not logged
in session.

Regards,

David Legg
Web Analyst - 3Dlabs

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




