Hi,

the problem with this code is that you are using
response.sendRedirect. This is not acceptable, as this causes the
username and password to be in plain text in the log files of
Tomcat (and Apache). And of course it must be over HTTPS.

The server-side redirect is the only way, as response.sendRedirect
cannot be done with POST, only GET.

I am beginning to regret my decision to use spring security...but it
is too late in the project.

Any other ideas? Anyone?

-Borut



2009/3/28 Otho <[email protected]>:
> My old solution which worked fine with the little glitch I described in my
> last post. The problem might be in the session.invalidate();
>
>    @Inject
>    private Request request;
>
>    @Inject
>    private Response response;
>
>    @Property
>    private String username;
>
>    @Property
>    private String password;
>
>    @Component(id = "loginForm")
>    private Form loginForm;
>
> Object onValidate.....
>
>  void onSuccessFromLoginForm() throws IOException
>    {
>        request.getSession(false).invalidate();
>
>        // builds a GET URL that carries the credentials in the query string
>        StringBuffer path = new StringBuffer(request.getContextPath())
>                .append(Constants.J_SPRING_SECURITY_CHECK)
>                .append("?")
>                .append(Constants.J_USERNAME).append("=").append(username)
>                .append("&")
>                .append(Constants.J_PASSWORD).append("=").append(password);
>        response.sendRedirect(path.toString());
>    }
>
> public class Constants
> {
>    public static final String J_USERNAME = "j_username";
>
>    public static final String J_PASSWORD = "j_password";
>
>    public static final String J_SPRING_SECURITY_CHECK =
> "/j_spring_security_check";
>
>    public static final String J_SPRING_SECURITY_LOGOUT =
> "/j_spring_security_logout";
> }
>
> 2009/3/27 Borut Bolčina <[email protected]>
>
>> I am using tapestry-spring-security. It works ok, but I am trying to
>> spice up the login form with captcha if user has failed to login 5
>> times (like google account).
>>
>> The form uses action="${loginCheckUrl}" method="POST" and is a regular
>> html form (not t:form). But I need it to be t:form to put some
>> validation logic into onValidate method and later on in onSuccess
>> method a forward to /j_spring_security_check.
>>
>> But forwarding with
>> requestDispatcher.forward(requestGlobals.getHTTPServletRequest(),
>> requestGlobals.getHTTPServletResponse());
>>
>> causes an exception.
>>
>> There must be a solution?!
>>
>> -Borut
>>
>>
>> 2009/3/27 Peter Lundberg <[email protected]>:
>> > Jean Luc...
>> >
>> > Did you have a look at tapestry-spring-security? The repository is at
>> > http://www.localhost.nu/java/mvn/nu/localhost/tapestry/tapestry-spring-security/
>> > but the project site seems to be down. It is rough on the edges, but
>> > works well and is not too hard to understand the code.
>> >
>> > It would be great if this got into more mainstream somewhere so it is
>> > easy to add robust authorization to the applications we build; almost all
>> > have it and will sooner or later need the things that spring-security provides.
>> >
>> > Appfuse also has an integration you could look at if you have not done so
>> > already. http://code.google.com/p/tapestry5-appfuse/
>> >
>> > Excuse me if this was covered already in the thread.
>> >
>> > Br
>> > Peter
>> >
>>
>
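
The leak Borut describes above (a GET redirect to j_spring_security_check puts j_username and j_password into the access log) can be checked for on the log side. The following is an added example, not code from the thread or from tapestry-spring-security; the log lines are constructed and the list of sensitive parameter names is an assumption.

```python
"""Scan Tomcat/Apache access-log lines for credentials leaked through the
query string, as happens when a login page redirects (GET) to
/j_spring_security_check?j_username=...&j_password=... instead of POSTing.
Added example; the log lines below are constructed, not from any real server."""
import re
from urllib.parse import urlsplit, parse_qsl

# Common/combined access-log layout as written by Tomcat's AccessLogValve
# and Apache: %h %l %u %t "%r" %s %b ...
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameter names that must never appear in a URL: Spring Security's
# form-login parameters plus a few generic ones (assumed list).
SENSITIVE_PARAMS = {"j_username", "j_password", "password", "passwd", "pwd"}

def find_leaked_credentials(lines):
    """Return one finding per log line whose request target carries a
    sensitive parameter. Only parameter names are reported, never values,
    so the scanner does not re-leak what it finds."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parts = urlsplit(m.group("target"))
        # keep_blank_values so an empty j_password= is still reported
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hit = sorted(names & SENSITIVE_PARAMS)
        if hit:
            findings.append({"line": lineno, "client": m.group("host"),
                             "method": m.group("method"), "path": parts.path,
                             "params": hit})
    return findings

# Constructed sample: line 2 is what the redirect in the thread produces;
# line 1 is the same check reached by POST, where the credentials travel
# in the request body and never reach the access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Mar/2009:10:15:01 +0100] "POST /app/j_spring_security_check HTTP/1.1" 302 -',
    '10.0.0.5 - - [28/Mar/2009:10:15:07 +0100] "GET /app/j_spring_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 -',
    '10.0.0.9 - - [28/Mar/2009:10:16:30 +0100] "GET /app/login?error=1 HTTP/1.1" 200 1834',
]

if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} {f['path']} leaks {f['params']}")
```

A hit means the credentials are already persisted wherever that log is shipped; the fix on the application side is the one the thread converges on, submitting the login as a POST so the parameters stay in the body.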

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
