Posted to dev@click.apache.org by Ivan Furdi <iv...@uniplus.hr> on 2010/03/26 08:48:38 UTC
Authentication with "injection"
Hi all,
I am making an application with the Click framework which will be called
from another application with a GET request.
The development is going fluently (nice work on the Click framework btw) but
I'm stuck at the step where I have
to call the Click application from the other app. I'm using form based
authentication and I protected the needed resources,
but now when I call the app "from outside" I always get the login screen.
I know that's the normal behaviour but I want to ask if there's some way
to skip the login screen using supplied
request parameters (for example username and password)? I know this is
not very secure but I need it for
a test.
I'm a bit green in security area so if someone can recommend some topics
to study I would be very thankful.
Regards,
Ivan
Re: Authentication with "injection"
Posted by Bob Schellink <sa...@gmail.com>.
Hi Ivan,
On 26/03/2010 06:48 PM, Ivan Furdi wrote:
> I know that's the normal behaviour but I want to ask if there's some way
> to skip login screen using supplied
> request parameters? (for example username and password). I know this is
> not very secure but i need it for
> a test.
This will depend on your security framework. If you are using JEE security then you will be
dependent on the servlet container whether it provides a way to programmatically login via request
parameters. For Tomcat see this email which explains about creating a Filter to fake out certain API
to make the login work:
http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg41324.html
You could also try and simulate a login from the remote site (do a post to /j_security_check), grab
the JSESSIONID cookie, and set it as a cookie for your next request to the server.
Alternative options are to use a different Security framework such as Spring Security or Apache
Shiro. They allow you to programmatically login.
You can find links to these projects here:
http://click.apache.org/docs/user-guide/html/ch05.html#alternatve-security-solutions
Before rolling to production, ensure the site login page is accessed through HTTPS so that the
username/password is not sent as cleartext.
>
> I'm a bit green in security area so if someone can recommend some topics
> to study I would be very thankful.
The login side of security in JEE is not as simple as it should be. The upcoming Servlet 3.0 spec
addresses some of this by adding login/logout API to the ServletRequest:
Let me know if you have other questions.
kind regards
bob
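As an added illustration of the "programmatic login from request parameters" that Bob describes (this is not code from the thread, from the linked Tomcat mail, or from the Click project), the Filter below uses the Servlet 3.0 HttpServletRequest.login() API he mentions instead of faking out getRemoteUser()/isUserInRole(). It assumes a Servlet 3.0 or later container (Tomcat 7+) with a Realm configured for the web app, and that the filter is mapped to a URL that is not covered by any security-constraint (the /remote-login path, the class name and the "target" parameter are all hypothetical). On a Servlet 2.5 container, which is what Bob's "upcoming" refers to in 2010, this API does not exist and the wrapper-Filter approach from the Tomcat mail is the only option.

```java
// Added example: a servlet Filter that logs the caller in from POSTed parameters
// via HttpServletRequest.login() (Servlet 3.0+). Hypothetical names throughout.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RemoteLoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Accept credentials only over POST and TLS: a GET puts the password
        // into access logs, browser history and Referer headers.
        if (!"POST".equals(request.getMethod()) || !request.isSecure()) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        String target = request.getParameter("target");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Create the session before logging in: Tomcat caches the authenticated
        // Principal in the session, so without one the login would not survive
        // the next request (assumption based on Tomcat's AuthenticatorBase).
        request.getSession(true);
        try {
            // Validates the credentials against the container Realm and registers
            // the Principal; afterwards getRemoteUser() and isUserInRole() work
            // for this session, so protected URLs no longer redirect to the form.
            request.login(username, password);
        } catch (ServletException e) {
            // Bad credentials, or a caller identity was already established
            // (the spec makes login() throw in both cases).
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Redirect rather than forward, so the client receives the JSESSIONID
        // cookie and the security-constraint check on the target runs with the
        // freshly registered principal.
        response.sendRedirect(safeTarget(request, target));
    }

    /** Only redirect inside this web app, never to a caller-supplied absolute URL. */
    static String safeTarget(HttpServletRequest request, String target) {
        String base = request.getContextPath();
        if (target == null || !target.startsWith("/") || target.startsWith("//")) {
            return base + "/";
        }
        return base + target;
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml to the unprotected path (for example /remote-login) and have the calling application POST j_username, j_password and target to it; a GET with the credentials in the query string is refused on purpose. Two caveats a practitioner should check: isSecure() is false behind a TLS-terminating reverse proxy unless the connector is marked secure or a RemoteIpValve is in place, and login() is intended for one-off programmatic logins, so a caller that is already authenticated must logout() first or it gets the 401 path above.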