Posted to user@struts.apache.org by Matt Raible <ma...@raibledesigns.com> on 2002/02/18 19:20:53 UTC

RE: container managed security and login action?

I was able to change the code from:

 

      RequestDispatcher rd = request.getRequestDispatcher(req);
      rd.forward(request, response);

To:

      response.sendRedirect(response.encodeRedirectURL(req));

 

And now it (kinda) works - it hits j_security_check at least.  Now the
problem I am experiencing is (1) sometimes the URL w/ password shows up
in the URL, and (2) sometimes == shows up in the password, and this
causes a 500 Internal Server Error.

 

I am using Tomcat 4.0.1.  

 

Thanks,

 

Matt

 

 

-----Original Message-----
From: Matt Raible [mailto:matt@raibledesigns.com] 
Sent: Monday, February 18, 2002 10:33 AM
To: 'Michelle Popovits'
Subject: RE: container managed security and login action?

 

Michelle,

 

I tried using your sample LoginAction.java class to do what you're
doing.  However, I get the following error from Tomcat:

 


Apache Tomcat/4.0.1 - HTTP Status 404 - /j_security_check

type Status report
message /j_security_check
description The requested resource (/j_security_check) is not available.

 

My class is printing out the following correct values (I'm not
encrypting the password yet):

 

Req: 'j_security_check?j_username=admin&j_password=onpoint'

 

When I do this with regular container-managed authentication - it works
fine.  Any ideas?

 

Thanks,

 

Matt

 

-----Original Message-----
From: Michelle Popovits [mailto:Michelle.Popovits@worldinsure.com] 
Sent: Monday, February 18, 2002 6:37 AM
To: 'matt@raibledesigns.com'
Subject: RE: container managed security and login action?

 

Hi Matt,

 

I haven't actually been involved in the encryption part.  I just provide
the place where the functionality will be added later.

 

Regards,

Michelle

-----Original Message-----
From: Matt Raible [mailto:matt@raibledesigns.com]
Sent: Saturday, February 16, 2002 8:08 PM
To: Michelle.Popovits@worldinsure.com
Subject: RE: container managed security and login action?

In reference to a Struts Mailing List posting at:

 
http://www.mail-archive.com/struts-user@jakarta.apache.org/msg22257.html

I'm wondering how you are encrypting your passwords - I have found the
following encoding routines, but apparently - they are very weak.

Thanks,

Matt

import java.io.IOException;

/**
 *      Encode a string using Base64 encoding
 *      This is weak encoding in that anyone can use the decodeString
 *      routine to reverse the encoding.
 */
public static String encodeString(String str)
throws IOException
{
        sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
        String encodedStr = new String(encoder.encodeBuffer(str.getBytes()));
        return (encodedStr);
}

/**
 *      Decode a string
 */
public static String decodeString(String str)
throws IOException
{
        sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
        String value = new String(dec.decodeBuffer(str));
        return (value);
}
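
Added example, not part of the original thread and not Struts or Tomcat code: it uses java.util.Base64 (Java 8+) as a stand-in for the sun.misc routines above to show that the encoded password is recoverable by anyone, that a Base64 value must be percent-encoded before it is placed in a query string, and how a redirect target can be checked for a j_password parameter before it is sent. The class name Base64QueryDemo and its method names, including the carriesPassword() guard, are assumptions made for this illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class Base64QueryDemo {

    // Stand-in for the thread's encodeString(): standard Base64, no key involved.
    static String encode(String s) {
        return Base64.getEncoder().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Anyone holding the encoded value can do this; Base64 hides nothing.
    static String decode(String b64) {
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    // '+' and '=' from the Base64 alphabet have their own meaning in a query
    // string, so a value placed in a URL must be percent-encoded first.
    static String queryParam(String name, String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(name, "UTF-8") + "=" + URLEncoder.encode(value, "UTF-8");
    }

    // Hypothetical guard for redirect targets: flag any URL whose query carries
    // j_password, since redirect URLs end up in the address bar, browser
    // history and access logs.
    static boolean carriesPassword(String url) {
        int q = url.indexOf('?');
        if (q < 0) return false;
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.startsWith("j_password=")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String encoded = encode("onpoint");      // sample password quoted in the thread
        System.out.println("encoded:   " + encoded);
        System.out.println("decoded:   " + decode(encoded));
        String url = "j_security_check?" + queryParam("j_username", "admin")
                   + "&" + queryParam("j_password", encoded);
        System.out.println("query:     " + url);
        System.out.println("has pass?: " + carriesPassword(url));
    }
}
```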