Posted to users@tomcat.apache.org by Chuck Williams <ch...@allthingslocal.com> on 2005/03/01 08:24:45 UTC
What is the best way to create a secure manual-submission authentication
form?
I'm using form-based authentication in Tomcat 5.5 and would like to have
a user-initiated login action, in addition to container-initiated logins
triggered by security-constraints.
My site implements both personalization for all pages and security for
sensitive pages. I'd like to have a single sign-on for both
personalization and security, with personalization persisting
indefinitely while security-access has a session-timeout. I'm planning
to use a separate cookie for the personalization, created after any
authentication. The authentication and sensitive pages should all be
limited to https access, while the non-sensitive pages are accessed via
http.
Non-sensitive pages do not have security-constraints as users are not
required to login. If not logged in, the user sees a default
unpersonalized view. A user may wish to manually specify a login to
acquire his or her personalized view of a non-sensitive page. Is there
any way to achieve this?
I can think of indirect partial solutions. E.g., link to a protected
jsp page that takes as a parameter the desired non-sensitive page (e.g.,
the home page) and forwards to this page. This could work assuming I
want just a button or link for the user-initiated login action (causing
the attempt to access the security-constrained forwarding page to post
the login-page). However, what if I would like to have a login-form
directly on the page from which the user can initiate the
authentication? Is this possible?
I tried placing a copy of the form on the form-login-page onto the home
page, and then submitted this form from the home page after a
session-timeout from a prior session (that had been authenticated by a
container-initiated posting of the form-login-page). The home-page form
submission achieved the new authentication, but forwarded the request to
the sensitive page that had been accessed in the earlier session's
container-initiated authentication! That seems to be a bug.
I would appreciate any advice on how to best achieve this.
A corollary issue is that I'd like the submission of any login form to
be made over https to protect the password, even if the page containing
the login form was accessed via http. Can the solution to the above
achieve this as well?
Thanks for any advice,
Chuck
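An added illustration of the "protected forwarding page" idea from the post, not code from the thread or from Tomcat itself: a hypothetical servlet (names LoginTrampolineServlet, /secure/login and the returnTo parameter are all assumptions) that sits behind a security-constraint with a CONFIDENTIAL transport guarantee, so the container redirects to https and runs the FORM login before the servlet executes, and then sends the browser back to the requested non-sensitive http page. The check on the return path matters: a forwarder that takes the destination as a parameter is an open redirect unless the destination is confined to the application. The web.xml fragment it assumes is shown in the class comment. Note that this keeps the login submission container-initiated; posting a copied form straight to j_security_check with no saved request is, as far as I know, rejected by Tomcat 5.x's FormAuthenticator with a 400 "Invalid direct reference to form login page".

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical "login trampoline" (example code, not from the thread).
 * Map it in web.xml under a protected path so Tomcat performs the https
 * redirect and the FORM login before doGet() runs, e.g.:
 *
 *   <servlet-mapping>
 *     <servlet-name>loginTrampoline</servlet-name>
 *     <url-pattern>/secure/login</url-pattern>
 *   </servlet-mapping>
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>login trampoline</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>user</role-name></auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *
 * A link such as /secure/login?returnTo=/home.jsp on an http page then
 * gives the user-initiated login the post asks for.
 */
public class LoginTrampolineServlet extends HttpServlet {

    /** Request parameter naming the page to return to (assumed name). */
    static final String RETURN_PARAM = "returnTo";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The security-constraint guarantees an authenticated user here;
        // refuse to act if the mapping was ever misconfigured.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String target = safeReturnPath(req.getParameter(RETURN_PARAM));
        // Redirect rather than forward: the destination is a non-sensitive
        // page meant to be served over plain http under its own URL, and a
        // forward would leave the browser on the https /secure/ URL.
        resp.sendRedirect(req.getContextPath() + target);
    }

    /**
     * Confine the return target to a path inside this web application.
     * Absolute URLs, protocol-relative forms ("//host", "/\host"), anything
     * with a scheme separator and any control characters are rejected, so
     * the trampoline cannot be abused as an open redirect after a real login.
     */
    static String safeReturnPath(String candidate) {
        if (candidate == null || candidate.length() == 0) {
            return "/";
        }
        if (!candidate.startsWith("/")
                || candidate.startsWith("//")
                || candidate.startsWith("/\\")
                || candidate.indexOf(':') >= 0) {
            return "/";
        }
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c >= 0x7f) {
                return "/";   // reject CR/LF and other header-injection bait
            }
        }
        return candidate;
    }
}
```

Because the container handles the login, the password is only ever posted from login.jsp, which the CONFIDENTIAL guarantee has already moved to https; the http home page carries a link or button to the trampoline, not a copy of the j_security_check form.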