Posted to user@jspwiki.apache.org by Kinicky <ki...@gmail.com> on 2009/05/25 15:19:06 UTC
login via url parameters
Hi everyone,
Is it possible to log in to JSPWiki by passing the parameters in the URL?
I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
Tks!
Re: login via url parameters
Posted by Brian Burch <br...@PingToo.com>.
Alexey Kakunin wrote:
> One of the implementations for SSO is done with storing some security token in
> cookies.
> Like:
> 1. Login is done in System1, System1 generated some security token and
> placed it into cookies
> 2. User navigated to System2 (JspWiki in our case) - security filter in
> System2 analyzed security token in cookies, and perform (if it is possible)
> login with using information in this security token
>
> Spring-Security (for example) has algorithms for SSO implemented.
>
> I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong
As far as I can tell from my own experience, jspWiki ships with a
web.xml that defines certain urls as protected resources within an
"authenticated area". When you go to one of those pages, e.g.
Upload.jsp, the webapp container (tomcat in my case) intercepts the
request and executes LoginForm.jsp according to the <login-config>.
***IF*** (like me) you want to use the standard tomcat single signon
valve, then your login code MUST POST to j_security_check the j_username
and j_password fields provided by the user. If acceptable within the
security realm of the container, then the security valve redirects to
the original protected url.
The tomcat SSO valve does use a browser cookie to recognise a request
for a protected resource within the same, or a different container. If
you trash your cookies, SSO doesn't remember you.
So, I conclude that if you are using tomcat and the standard SSO valve,
whatever code you have that knows the userid and password MUST POST
j_username and j_password to a url of "j_security_check" to get
authenticated. However, if that POST hasn't been triggered by
<login-config> intercepting the protected resource, I don't know how you
will achieve the automatic redirect back to your desired page.
I guess you need to look at the tomcat source for j_security_check.
Good luck!
Brian
Re: login via url parameters
Posted by Alexey Kakunin <ak...@emdev.ru>.
One of the implementations for SSO is done with storing some security token in
cookies.
Like:
1. Login is done in System1, System1 generated some security token and
placed it into cookies
2. User navigated to System2 (JspWiki in our case) - security filter in
System2 analyzed security token in cookies, and perform (if it is possible)
login with using information in this security token
Spring-Security (for example) has algorithms for SSO implemented.
I'm afraid JspWiki has no SSO implemented out-of-box - but, I may be wrong
2009/5/25 Kinicky <ki...@gmail.com>
> Yes, I know about this security issue.
>
> I'm trying to implement SSO with another system and this other system asks
> for the parameters. I can use POST to do the SSO but I didn't succeed, so I'm
> just trying the GET method now because it is more clear and easy to test.
>
> On Mon, May 25, 2009 at 10:24 AM, Andrew Jaquith <andrew.r.jaquith@gmail.com> wrote:
>
> > This is a very bad idea. Among other things, the GET is likely to be
> > logged, which means the user's password will be exposed and recorded.
> >
> > What are you trying to do?
> >
> > Andrew
> >
> >
> > On May 25, 2009, at 9:19, Kinicky <ki...@gmail.com> wrote:
> >
> > hi everyone,
> >>
> >> Is it possible to log in to JSPWiki by passing the parameters in the URL?
> >>
> >> I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
> >>
> >> tks!
> >>
> >
>
--
With Best Regards,
Alexey Kakunin, EmDev Limited
Professional Software Development:
http://www.emdev.ru
Re: login via url parameters
Posted by Kinicky <ki...@gmail.com>.
Yes, I know about this security issue.
I'm trying to implement SSO with another system and this other system asks
for the parameters. I can use POST to do the SSO but I didn't succeed, so I'm
just trying the GET method now because it is more clear and easy to test.
On Mon, May 25, 2009 at 10:24 AM, Andrew Jaquith <andrew.r.jaquith@gmail.com> wrote:
> This is a very bad idea. Among other things, the GET is likely to be
> logged, which means the user's password will be exposed and recorded.
>
> What are you trying to do?
>
> Andrew
>
>
> On May 25, 2009, at 9:19, Kinicky <ki...@gmail.com> wrote:
>
> hi everyone,
>>
>> Is it possible to log in to JSPWiki by passing the parameters in the URL?
>>
>> I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>>
>> tks!
>>
>
Re: login via url parameters
Posted by Andrew Jaquith <an...@gmail.com>.
This is a very bad idea. Among other things, the GET is likely to be
logged, which means the user's password will be exposed and recorded.
What are you trying to do?
Andrew
On May 25, 2009, at 9:19, Kinicky <ki...@gmail.com> wrote:
> hi everyone,
>
> Is it possible to log in to JSPWiki by passing the parameters in the URL?
>
> I tried this: http://<server>/JSPWiki/Login.jsp?j_username=<username>&j_password=<password>
>
> tks!