Posted to users@tomcat.apache.org by Matt Raible <ma...@raibledesigns.com> on 2003/12/11 22:48:33 UTC

Remember Me in Tomcat 5

I have a "Remember Me" feature that I've been using in my webapps, and
I'm having a hard time figuring out how to make it work (securely) on
Tomcat 5.  It works fine on Tomcat 4. Let me first explain how it works.

1. I put login.jsp and loginerror.jsp in a "security" folder at the root
of my webapp.
2. I add form-based authentication configuration to web.xml - where
/security/login.jsp and /security/loginerror.jsp are my form-login-page
and form-error-page.
3. I have a LoginServlet that is the "action" of my form in login.jsp.
This servlet sets cookies for the user's username, password and a
rememberMe flag (if they want to be remembered).  It sets the cookies on
the request.getContextPath()+"/security/" path.  This means that these
cookies will only be accessible when this URL is present.
4. I have a LoginFilter that maps to "/security/*" that determines if
the user wants to be remembered, and if so, forwards them to the
LoginServlet with the "j_username" and "j_password" as part of the URL.

This all works great on Tomcat 4.1.x.  On Tomcat 5, the form-login-page
is presented via a forward, instead of a redirect like Tomcat 4.  So I
had to add a <dispatcher>FORWARD</dispatcher> to my LoginFilter mapping
in order to get the filter to be invoked.  This was easy enough.

The problem I'm experiencing now is that I can't get access to the
rememberMe-related cookies in my Filter because they are set on the path
"/myApp/security/" instead of "/".  I could move the paths for my
cookies to be "/" - but then anyone that logs in has access to those
cookies - and if my app allows JavaScript, they could probably write
some code to get users' passwords.  Anyone know of an easier workaround?

Matt
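
The following is an added example, not code from the original post: it implements the RFC 6265 cookie path-match rule and uses it to show which cookies the browser actually sends on the request that reaches the login page under a redirect (Tomcat 4) versus a server-side forward (Tomcat 5). The context path "/myApp", the protected URL "/admin/page.jsp" and the cookie names are constructed values for illustration.

```python
# Added example (not part of the original post): RFC 6265 section 5.1.4
# path matching, applied to the cookie paths described in the post.
# "/myApp", "/admin/page.jsp" and the cookie jar below are constructed.

def path_matches(request_path: str, cookie_path: str) -> bool:
    """True if a cookie with Path=cookie_path is sent on request_path."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix match counts only at a path-segment boundary.
        if cookie_path.endswith("/"):
            return True
        return request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(request_path: str, jar: dict) -> list:
    """Names of the cookies in jar ({name: path}) the browser would send."""
    return sorted(n for n, p in jar.items() if path_matches(request_path, p))

CONTEXT = "/myApp"

# Cookies as the post's LoginServlet scopes them: contextPath + "/security/".
# The session cookie is scoped to the context root by the container.
JAR = {
    "rememberMe": CONTEXT + "/security/",
    "username": CONTEXT + "/security/",
    "JSESSIONID": CONTEXT,
}

def login_page_request_path(protected_path: str, container: str) -> str:
    """URL the browser requests when it ends up on the form-login page.

    With a redirect (the Tomcat 4 behaviour described in the post) the
    browser issues a new request for the login page itself.  With a
    forward (Tomcat 5) the client-side request is still the protected
    URL, so only cookies matching *that* path arrive at the filter."""
    if container == "tomcat4":
        return CONTEXT + "/security/login.jsp"
    if container == "tomcat5":
        return protected_path
    raise ValueError("unknown container: " + container)

def cookies_visible_to_filter(protected_path: str, container: str) -> list:
    """Cookies a filter on the login page can read for the given flow."""
    return cookies_sent(login_page_request_path(protected_path, container), JAR)
```

Narrowing the cookie path keeps the remember-me cookies off every other URL of the app, which is exactly why the forward-based flow never sees them.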