Posted to jetspeed-dev@portals.apache.org by "Ate Douma (JIRA)" <je...@jakarta.apache.org> on 2005/04/09 13:17:16 UTC

[jira] Commented: (JS2-229) Authentication without Javascript enabled

     [ http://issues.apache.org/jira/browse/JS2-229?page=comments#action_62493 ]
     
Ate Douma commented on JS2-229:
-------------------------------

Although I would like to be able to remove the Javascript requirement for the active Login functionality,
I wouldn't replace it with your solution because:
- It is less secure
  using a redirect with the username and password as query string parameters will make it much easier
  to hack into your account
- Some web/application servers *require* that the j_security_check action is accessed using form POST.
  It may work with the server (version) you have tested it against, but it may break on others.
  I know this for sure because I tested that out before I implemented the active Login as it is right now.

I'm sorry, but I don't think active Login can be implemented (portable and secure) without requiring Javascript.
If you can't enforce that I suggest falling back to using an "old" style login form and providing only a link
to a secure page for "login" which users can click to enter their login account. 

> Authentication without Javascript enabled
> -----------------------------------------
>
>          Key: JS2-229
>          URL: http://issues.apache.org/jira/browse/JS2-229
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>  Environment: jdk1.4.2_06, tomcat-5.0.30, win2000pro
>     Reporter: Artem Grinshtein
>     Priority: Minor
>  Attachments: patch.txt
>
> you can't login without Javascript enabled. HTML output of LoginServlet contains a 'invisible' form and javascript to submit it.

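Added example, not part of the original message or of Jetspeed's code: query strings are written to server access logs, so a login redirect that carries the username and password as parameters leaves them there. The Python below audits access-log lines for j_security_check requests that are not POSTs or that carry j_username/j_password in the URL; the log lines, the /portal-app path and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Form-login names defined by the Java Servlet specification.
LOGIN_ACTION = "j_security_check"
CRED_PARAMS = {"j_username", "j_password"}

# Request field of a Common/Combined Log Format line: "METHOD target PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Matches a credential parameter and its value so the value can be masked.
REDACT_RE = re.compile(r'(j_(?:username|password))=[^&\s"]*')

SAMPLE_LOG = [  # constructed lines; /portal-app is a hypothetical context path
    '192.0.2.10 - - [09/Apr/2005:13:17:16 +0000] '
    '"POST /portal-app/j_security_check HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.11 - - [09/Apr/2005:13:18:02 +0000] '
    '"GET /portal-app/j_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.12 - - [09/Apr/2005:13:19:40 +0000] '
    '"GET /portal-app/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def audit_line(line):
    """Return (reasons, redacted_line) for a risky login request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.rstrip("/").endswith("/" + LOGIN_ACTION):
        return None  # not a form-login submission
    reasons = []
    if m.group("method") != "POST":
        reasons.append("non-POST login")
    leaked = sorted({k for k, _ in parse_qsl(url.query, keep_blank_values=True)
                     if k in CRED_PARAMS})
    if leaked:
        reasons.append("credentials in query string: " + ",".join(leaked))
    if not reasons:
        return None
    # Mask the values so the finding does not copy the secret any further.
    return reasons, REDACT_RE.sub(r"\1=[REDACTED]", line)

def audit(lines):
    """Audit every line and keep only the findings."""
    return [finding for finding in map(audit_line, lines) if finding]

if __name__ == "__main__":
    for reasons, redacted in audit(SAMPLE_LOG):
        print("; ".join(reasons), "|", redacted)
```

Any line this flags means the password is already stored in the log in plain text, so the account's password should be changed and the log file handled as sensitive.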