Posted to user@jspwiki.apache.org by Kinicky <ki...@gmail.com> on 2009/05/25 15:19:06 UTC

login via url parameters

hi everyone,

is it possible to login in JSPWiki by passing the parameters in URL?

i tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>

tks!

Re: login via url parameters

Posted by Brian Burch <br...@PingToo.com>.
Alexey Kakunin wrote:
> One of the implementations for SSO is done with storing some security token in
> cookies.
> Like:
> 1. Login is done in System1, System1 generated some security token and
> placed it into cookies
> 2. User navigated to System2 (JspWiki in our case) - security filter in
> System2 analyzed security token in cookies, and perform (if it is possible)
> login with using information in this security token
> 
> Spring-Security (for example) has algorithms for SSO implemented.
> 
> I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong

As far as I can tell from my own experience, jspWiki ships with a 
web.xml that defines certain urls as protected resources within an 
"authenticated area". When you go to one of those pages, e.g. 
Upload.jsp, the webapp container (tomcat in my case) intercepts the 
request and executes LoginForm.jsp according to the <login-config>.

***IF*** (like me) you want to use the standard tomcat single signon 
valve, then your login code MUST POST to j_security_check the j_username 
and j_password fields provided by the user. If acceptable within the 
security realm of the container, then the security valve redirects to 
the original protected url.

The tomcat SSO valve does use a browser cookie to recognise a request 
for a protected resource within the same, or a different container. If 
you trash your cookies, SSO doesn't remember you.

So, I conclude that if you are using tomcat and the standard SSO valve, 
whatever code you have that knows the userid and password MUST POST 
j_username and j_password to a url of "j_security_check" to get 
authenticated. However, if that POST hasn't been triggered by 
<login-config> intercepting the protected resource, I don't know how you 
will achieve the automatic redirect back to your desired page.

I guess you need to look at the tomcat source for j_security_check.

Good luck!

Brian

Re: login via url parameters

Posted by Alexey Kakunin <ak...@emdev.ru>.
One of the implementations for SSO is done with storing some security token in
cookies.

Like:
1. Login is done in System1, System1 generated some security token and
placed it into cookies
2. User navigated to System2 (JspWiki in our case) - security filter in
System2 analyzed security token in cookies, and perform (if it is possible)
login with using information in this security token

Spring-Security (for example) has algorithms for SSO implemented.

I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong

2009/5/25 Kinicky <ki...@gmail.com>

> yes i know about this security issue.
>
> i'm trying to implement SSO with another system and this other system asks
> for the parameters. i can use post to do the SSO but i didn't succeed so i'm
> just trying the GET method now because it is more clear and easy to test.
>
> On Mon, May 25, 2009 at 10:24 AM, Andrew Jaquith <andrew.r.jaquith@gmail.com> wrote:
>
> > This is a very bad idea. Among other things, the GET is likely to be
> > logged, which means the user's password will be exposed and recorded.
> >
> > What are you trying to do?
> >
> > Andrew
> >
> >
> > On May 25, 2009, at 9:19, Kinicky <ki...@gmail.com> wrote:
> >
> >> hi everyone,
> >>
> >> is it possible to login in JSPWiki by passing the parameters in URL?
> >>
> >> i tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
> >>
> >> tks!
> >>
> >
>



-- 
With Best Regards,
Alexey Kakunin, EmDev Limited

Professional Software Development:
http://www.emdev.ru

Re: login via url parameters

Posted by Kinicky <ki...@gmail.com>.
yes i know about this security issue.

i'm trying to implement SSO with another system and this other system asks
for the parameters. i can use post to do the SSO but i didn't succeed so i'm
just trying the GET method now because it is more clear and easy to test.

On Mon, May 25, 2009 at 10:24 AM, Andrew Jaquith <andrew.r.jaquith@gmail.com> wrote:

> This is a very bad idea. Among other things, the GET is likely to be
> logged, which means the user's password will be exposed and recorded.
>
> What are you trying to do?
>
> Andrew
>
>
> On May 25, 2009, at 9:19, Kinicky <ki...@gmail.com> wrote:
>
>> hi everyone,
>>
>> is it possible to login in JSPWiki by passing the parameters in URL?
>>
>> i tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>>
>> tks!
>>
>

Re: login via url parameters

Posted by Andrew Jaquith <an...@gmail.com>.
This is a very bad idea. Among other things, the GET is likely to be  
logged, which means the user's password will be exposed and recorded.

What are you trying to do?

Andrew

On May 25, 2009, at 9:19, Kinicky <ki...@gmail.com> wrote:

> hi everyone,
>
> is it possible to login in JSPWiki by passing the parameters in URL?
>
> i tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>
> tks!