Posted to users@tomcat.apache.org by Adam Hardy <ah...@cyberspaceroad.com> on 2003/09/28 17:10:52 UTC
form-based login / cookies disabled / JSPs in WEB-INF
I think I have a problem.
I want form-based container-managed authentication on my app.
I also want to allow cookies to be disabled.
And I want to keep my JSPs under WEB-INF for security.
It seems I cannot have these 3 combined, because disabling cookies means
I have to do URL rewriting in the login form action URL, therefore my
login form has to be a JSP and cannot be just plain .html .
But while I do not want any JSPs outside of WEB-INF, I can't configure
my login form to be in WEB-INF.
Is this true, or is there a work-around?
Thanks
Adam
--
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9
Re: form-based login / cookies disabled / JSPs in WEB-INF
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
No, I don't know what more can be said. I think it is just impossible!
We can put men on the moon, but if the browser has cookies disabled ... ;)
The dynamic information, i.e. the original request url, has to be saved
somewhere during the authentication process by the app server.
Cookies are disabled, so it cannot be saved there.
Since cookies are disabled, that means it cannot be saved in a session,
because that just substitutes one bit of dynamic information for another
(the request url for the session id).
Plus the form itself is in a non-dynamic HTML page, so the app server
cannot put it in there either.
On 09/30/2003 06:55 AM Jose Alfonso Martinez wrote:
> I am sorry Adam, I guess you are doing in-container authentication. I know very little about that, thus I cannot say anything... I do my own authentication. You can create a session after the user auth there.
>
> other ideas or comments????
>
> Jose
>
> On Sun, Sep 28, 2003 at 06:50:05PM +0200, Adam Hardy wrote:
>
>>On 09/28/2003 06:09 PM Jose Alfonso Martinez wrote:
>>
>>>Do you really need to maintain a session, even when the user is just
>>>browsing static html files (before logging in)??? If the answer is no,
>>>then you could have an html login form.
>>>
>>
>>Try it! If tomcat doesn't have a session id to store the user's request
>>with when tomcat is stepping in between with the login procedure, then
>>tomcat will not know where the login submission has come from once the
>>user clicks the login form's submit. This leads directly to a
>>j_security_check not available 404 error.
>>
>>Adam
>>
>>--
>>struts 1.1 + tomcat 4.1.27 + java 1.4.2
>>Linux 2.4.20 RH9
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>
>
>
>
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
Re: form-based login / cookies disabled / JSPs in WEB-INF
Posted by Jose Alfonso Martinez <tr...@linuxcenter.com.mx>.
I am sorry Adam, I guess you are doing in-container authentication. I know very little about that, thus I cannot say anything... I do my own authentication. You can create a session after the user auth there.
other ideas or comments????
Jose
On Sun, Sep 28, 2003 at 06:50:05PM +0200, Adam Hardy wrote:
> On 09/28/2003 06:09 PM Jose Alfonso Martinez wrote:
> >Do you really need to maintain a session, even when the user is just
> >browsing static html files (before logging in)??? If the answer is no,
> >then you could have an html login form.
> >
>
> Try it! If tomcat doesn't have a session id to store the user's request
> with when tomcat is stepping in between with the login procedure, then
> tomcat will not know where the login submission has come from once the
> user clicks the login form's submit. This leads directly to a
> j_security_check not available 404 error.
>
> Adam
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
>
>
Re: form-based login / cookies disabled / JSPs in WEB-INF
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 09/28/2003 06:09 PM Jose Alfonso Martinez wrote:
> Do you really need to maintain a session, even when the user is just browsing static html files (before logging in)??? If the answer is no, then you could have an html login form.
>
Try it! If tomcat doesn't have a session id to store the user's request
with when tomcat is stepping in between with the login procedure, then
tomcat will not know where the login submission has come from once the
user clicks the login form's submit. This leads directly to a
j_security_check not available 404 error.
Adam
--
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9
Re: Standard error pages ?
Posted by Tim Funk <fu...@joedog.org>.
http://jakarta.apache.org/tomcat/faq/misc.html#error
-Tim
Mufaddal Khumri wrote:
> Hi,
>
> I am using tomcat 4.1.18. I want to be able to redirect a user to a
> standard error page 500 when someone tries to access a .jsp in my
> webapp. Is there a standard mechanism to do this in tomcat or will I
> have to do:
>
> response.sendRedirect(response.encodeRedirectURL("/mywebapp/error/
> error500.jsp"));
>
> instead is there something like:
>
> response.setError(500);
> response.sendRedirect(); // This would result in a standard 500
> page being displayed instead of the error500.jsp page
> // i write.
>
> Any pointers / code snippets ?
>
Standard error pages ?
Posted by Mufaddal Khumri <mu...@wmotion.com>.
Hi,
I am using tomcat 4.1.18. I want to be able to redirect a user to a
standard error page 500 when someone tries to access a .jsp in my
webapp. Is there a standard mechanism to do this in tomcat or will I
have to do:
response.sendRedirect(response.encodeRedirectURL("/mywebapp/error/
error500.jsp"));
instead is there something like:
response.setError(500);
response.sendRedirect(); // This would result in a standard 500
page being displayed instead of the error500.jsp page
// i write.
Any pointers / code snippets ?
Thanks.
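The servlet-API way to do what the question above asks for, as an added example that is not code from this thread or from the Tomcat FAQ: the servlet calls sendError() with a 500 status and web.xml maps that status code (and uncaught exceptions) to a page of your own. The class name, the URL paths and the error page location are my own choices.

```java
// Added example, not code from the thread: route a 500 to a custom page with
// sendError() plus an <error-page> mapping instead of sendRedirect() to the
// error JSP.
//
// Assumed web.xml fragment (paths are my choice; the location may sit under
// WEB-INF because the container forwards to it rather than redirecting):
//
//   <error-page>
//     <error-code>500</error-code>
//     <location>/WEB-INF/error/error500.jsp</location>
//   </error-page>
//   <error-page>
//     <exception-type>java.lang.Throwable</exception-type>
//     <location>/WEB-INF/error/error500.jsp</location>
//   </error-page>
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            render(request, response);
        } catch (RuntimeException e) {
            // Keep the detail on the server side. The client gets the 500
            // status and whatever the mapped error page chooses to print;
            // an exception left uncaught would reach Tomcat's default error
            // report page, which prints the stack trace.
            log("report failed for " + request.getRequestURI(), e);
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    private void render(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String id = request.getParameter("id");
        if (id == null) {
            // Constructed failure so the error path can be exercised by
            // requesting the servlet without ?id=...
            throw new IllegalStateException("missing id");
        }
        response.setContentType("text/plain");
        response.getWriter().println("report " + id);
    }
}
```

Two things this buys over sendRedirect(): the browser (and any monitoring in front of Tomcat) still sees a 500 instead of a 302 followed by a 200 for the error page, and the error JSP can declare isErrorPage="true" and read the javax.servlet.error.status_code request attribute to decide what to show. Keep the page itself free of request-supplied detail such as the URI or exception message unless it is HTML-escaped.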
RE: form-based login / cookies disabled / JSPs in WEB-INF
Posted by Sjoerd van Leent <sv...@wanadoo.nl>.
Jose, Adam
It's not the best solution, but it should be possible to not set the
SESSIONID in a cookie, but in (a) hidden form field(s). Remember when you do
this, that you need a very strong security encryption. It requires that you
overload the SESSIONID get function, which I think must be possible,
although I didn't try it.
Sjoerd
-----Original Message-----
From: Jose Alfonso Martinez [mailto:trilock@linuxcenter.com.mx]
Sent: Sunday 28 September 2003 18:10
To: Tomcat Users List
Adam,
I am in the same issue as you and haven't come out with any workaround
yet...
However, in my site, the login form could be an html because I don't need to
maintain a session until the user has logged-in.
Do you really need to maintain a session, even when the user is just
browsing static html files (before logging in)??? If the answer is no, then
you could have an html login form.
Jose
On Sun, Sep 28, 2003 at 05:10:52PM +0200, Adam Hardy wrote:
> I think I have a problem.
>
> I want form-based container-managed authentication on my app.
>
> I also want to allow cookies to be disabled.
>
> And I want to keep my JSPs under WEB-INF for security.
>
> It seems I cannot have these 3 combined, because disabling cookies means
> I have to do URL rewriting in the login form action URL, therefore my
> login form has to be a JSP and cannot be just plain .html .
>
> But while I do not want any JSPs outside of WEB-INF, I can't configure
> my login form to be in WEB-INF.
>
> Is this true, or is there a work-around?
>
> Thanks
> Adam
>
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
>
>
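One way to get all three of Adam's requirements (container-managed FORM login, cookies optional, nothing but the container's own resources outside WEB-INF), offered as an added example and not as code from this thread: render the login form from a servlet rather than a JSP. The class lives under WEB-INF/classes, and the form action is run through response.encodeURL(), which is the same URL rewriting Adam describes, applied to the one URL that matters. It also covers the session Adam's "Try it!" reply talks about: the form is only ever served while a session exists. The URL paths, the class name and the web.xml fragment are my own assumptions; Sjoerd's hidden-field idea is not implemented here, the id stays in the URL that the container already knows how to read.

```java
// Added example, not code from the thread: the login form is rendered by a
// servlet, so the class lives in WEB-INF/classes and no JSP has to sit outside
// WEB-INF. The form action goes through encodeURL(), so Tomcat appends
// ;jsessionid=... when the session id did not arrive in a cookie.
//
// Assumed web.xml fragment (the paths and the class name are my choice):
//
//   <servlet>
//     <servlet-name>loginForm</servlet-name>
//     <servlet-class>example.LoginFormServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>loginForm</servlet-name>
//     <url-pattern>/login</url-pattern>
//   </servlet-mapping>
//   <servlet-mapping>
//     <servlet-name>loginForm</servlet-name>
//     <url-pattern>/login-failed</url-pattern>
//   </servlet-mapping>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <form-login-config>
//       <form-login-page>/login</form-login-page>
//       <form-error-page>/login-failed</form-error-page>
//     </form-login-config>
//   </login-config>
package example;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginFormServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // When the container forwards here, the session holding the saved
        // original request already exists; getSession(true) only covers a
        // direct hit on /login before any session was created.
        request.getSession(true);

        // Relative "j_security_check" resolves inside the context whatever
        // protected URL was requested; encodeURL() rewrites it to
        // j_security_check;jsessionid=... unless the id came in by cookie.
        String action = response.encodeURL("j_security_check");

        // After bad credentials the container forwards to /login-failed, and
        // the forwarded path is what getServletPath() reports.
        boolean failed = "/login-failed".equals(request.getServletPath());

        response.setContentType("text/html");
        // The rewritten action carries the session id, so keep the page out
        // of shared caches.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");

        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Login</title></head><body>");
        if (failed) {
            out.println("<p>Login failed, please try again.</p>");
        }
        out.println("<form method=\"POST\" action=\"" + action + "\">");
        out.println("Username: <input type=\"text\" name=\"j_username\"><br>");
        out.println("Password: <input type=\"password\" name=\"j_password\"><br>");
        out.println("<input type=\"submit\" value=\"Log in\">");
        out.println("</form></body></html>");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The forward keeps the method of the original request, which may
        // have been a POST to the protected resource; serve the form anyway.
        doGet(request, response);
    }
}
```

To check it, request a protected URL once with cookies off and once with them on and view the page source: the action should read j_security_check;jsessionid=... in the first case and plain j_security_check in the second. With cookies off the id then travels in the POST URL, so expect to see it in the access log and in any Referer the browser sends from the next page; that exposure is the price of URL rewriting, whichever resource renders the form.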
Re: form-based login / cookies disabled / JSPs in WEB-INF
Posted by Jose Alfonso Martinez <tr...@linuxcenter.com.mx>.
Adam,
I am in the same issue as you and haven't come out with any workaround yet...
However, in my site, the login form could be an html because I don't need to maintain a session until the user has logged-in.
Do you really need to maintain a session, even when the user is just browsing static html files (before logging in)??? If the answer is no, then you could have an html login form.
Jose
On Sun, Sep 28, 2003 at 05:10:52PM +0200, Adam Hardy wrote:
> I think I have a problem.
>
> I want form-based container-managed authentication on my app.
>
> I also want to allow cookies to be disabled.
>
> And I want to keep my JSPs under WEB-INF for security.
>
> It seems I cannot have these 3 combined, because disabling cookies means
> I have to do URL rewriting in the login form action URL, therefore my
> login form has to be a JSP and cannot be just plain .html .
>
> But while I do not want any JSPs outside of WEB-INF, I can't configure
> my login form to be in WEB-INF.
>
> Is this true, or is there a work-around?
>
> Thanks
> Adam
>
>
> --
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
>
>
>