... or try http://securityfilter.sourceforge.net; in my case it works fine.
You don't need those "tricks"; you may put a login box on your home page, or any
other page, no need to request a protected page before logging in ...

___________________________________________
Renato Romano
Sistemi e Telematica S.p.A.
Calata Grazie - Via Al Molo Giano
16127 - GENOVA (ITALY)

e-mail: [EMAIL PROTECTED]
Phone: +39 10 2712603 Mob. +39 335 5864021
___________________________________________

-----Original Message-----
From: Andoni [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 20 October 2004 12:29
To: Tomcat Users List
Subject: Re: Access to j_security_check directly


Hi,

This is an age-old problem, if you ever find a complete answer let me know.

As for 95% complete answers here goes:

1. Your biggest problem is bookmarks. You need to always load your login page
inside a frame. A single HTML page with a single frame can work fine, that
way they'll bookmark xxx.com/jsp/index.html instead of
xxx.com/jsp/login.jsp. This will mean that they will still always call the
secure page even if they have bookmarked the login screen.

2. The second problem is the back button. You need to use a JSP for your
login screen and use the session.isNew() method to check if the session is
being started by your login screen. If not then you should redirect to your
single-framed page.

3. You can also re-direct with a custom error page from the error you
receive to the single framed page.

4. Search the history of this list and find more suggestions. This question
has come up several times over the years and usually gets some responses. I
am using j_security_check in all my production apps, and with a combination
of measures in place it works fine. I do suggest that you work out
*Exactly* what is going on before trying to proceed as false assumptions can
have your head spinning :-)


Hope that helps,
Andoni OConchubhair.


----- Original Message -----
From: "Ben" <[EMAIL PROTECTED]>
To: "Tomcat" <[EMAIL PROTECTED]>
Sent: Wednesday, October 20, 2004 1:58 AM
Subject: Access to j_security_check directly


> Hi
>
> How can I deal with users that access j_security_check directly? I
> have used the error-code 400 and redirect the users to the index page
> but the system doesn't recognise them as logged in users.
>
> Any help? Thanks.
>
> Cheers,
> Ben
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>

